The European Court of Justice’s ruling in Schrems II, invalidating the EU-U.S. Privacy Shield framework as a means of transmitting personal data from the EU to the U.S., has drawn swift reaction from data protection authorities and other entities across Europe. Here are a few of the responses:

Vera Jourova, Vice President, European Commission

“I know citizens and businesses are seeking reassurance today on both sides of the Atlantic. So let me be clear: we will continue our work to ensure the continuity of safe data flows.

We will do this:

  • in line with today’s judgment
  • in full respect of EU law
  • and in line with the fundamental rights of citizens.”

” The Commission has already been working intensively to ensure that the toolbox [for cross border transfer tools] is fit for purpose, including the modernization of the Standard Contractual Clauses … We will now swiftly finalize it. Today’s ruling provides further valuable guidance for us and we will make sure that the updated tool will be fully in line with it.”

Didier Reynders, Commissioner for Justice, European Commission

“It will be very important to start the process to have a formal approval to modernize the Standard Contractual Clauses as soon as possible.”

We will be in contact [with our U.S. counterparts] also in the coming days and look forward to working constructively with them to develop a strengthened and durable transfer mechanism.”

European Data Protection Supervisor

“The EDPS welcomes that the Court of Justice of the European Union reaffirmed the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries.”

“The protection of personal data requires actionable rights for everyone, including before independent courts. It is more than a “European” fundamental right – it is a fundamental right widely recognized around the globe. Against this background, the EDPS trusts that the United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements for adequate safeguards reaffirmed by the Court.”

“As the supervisory authority of the EU institutions, bodies, offices and agencies, the EDPS is carefully analyzing the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies”

Read the full EDPS statement.

UK Government

“Coronaviris (Covid-19) has demonstrated the importance of international data transfers. The recent crisis has shown how data transfers keep economies moving and societies functioning, being crucial to working from home, supporting a marked shift to communications and commerce moving online and underpinning the health care response.”

“The UK government is committed to ensuring high data protection standards and supporting UK organisations on international data transfer issues.”

“It is disappointed that the EU’s adequacy decision for U.S. Privacy Shield has been invalidated by the court in its judgment of 16th July 2020” .

“The UK Government is working with the Information Commissioner’s Office and international counterparts to address the impacts of the judgment and ensure that updated guidance on international data transfers will be available as soon as possible.”

Read the full UK Government response.

European Data Protection Board
  • “The EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits European Economic Area (EEA) citizens and organizations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law”
  • For Standard Contract Clauses (SCCs):  “The exporter needs to assess whether the countries to which data are sent offer adequate protection. If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.”
  • The EDPB will assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment.

Read the full EDPB statement.

BEUC: The European Consumer Organization

“Without the US adopting a strong and comprehensive data protection framework, including a privacy law at federal level, no future EU-US data flow agreement will stand its ground in court.”

“In the context of ongoing trade negotiations with various partners this ruling is also a reminder that the GDPR and citizens’ fundamental rights cannot become a bargaining chip.”

Read the full statement from the BEUC.

Hamburg Data Protection Authority

“If the invalidity of the Privacy Shield is primarily due to the escalating secret service activities in the USA, the same must also apply to the standard contractual clauses. Contractual agreements between data exporter and importer are equally unsuitable to protect those affected from state access.”

“The ECJ is passing the ball to the European supervisory authorities…In particular, they must now pay particular attention to the level of data protection in the recipient country. On request, the exporter has to prove…that the accessibility of the authorities is proportionate and that legal protection is guaranteed.”

“This does not only apply to states that, like the United States, have at least tried to give the impression of creating adequate data protection structures, but also to countries like China…and with a view to Brexit. Difficult times are looming for international data traffic … The impact of this judgment affects international data transfer as a whole,” said Johannes Caspar, Hamburg representative for data protection and freedom of information.

Read the full statement from the Hamburg Data Protection Authority.

Irish Data Protection Commission

“The Data Protection Commission (DPC) strongly welcomes today’s judgment from the Court of Justice of the European Union (CJEU)”

“Today’s judgment [firmly endorses the] substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States.

In that regard, while the judgment most obviously captures Facebook’s transfers of data relating to Mr. Schrems, it is of course the case that its scope extends far beyond that, addressing the position of EU citizens generally.”

“The court … has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case-by-case basis.”

“We are not making a definitive statement at this time but wanted to put our cards on the table that the suggestion by some that SCCs are the automatic solution for the 5.5k companies that had used Privacy Shield to transfer personal data to the United States…well, we haven’t swiftly come to this conclusion,” said Ireland Data Protection Commissioner Helen Dixon at the IAPP – International Association of Privacy Professionals LinkedIn-live event on SchremsII.

Additional key takeaways:

  • CJEU has clarified that SCCs are not a tick the box exercise. The onus is on the companies to conduct the assessment of the sufficiency of protection in the destination country and, in view of the GDPR requirement for accountability, to document this analysis.
  • The DPC isn’t guiding companies to do this until the conclusion of its analysis but acknowledges that SCCs with supplemental protections are presently the only viable option for companies wanting to transfer data to the United States.
  • Binding Corporate Rules (BCRs) are subject to same issue when dealing with transfers to the U.S.
  • DPC understands that that the burden this assessment imposes on Small and Medium-sized Entities (SMEs) is enormous. Commissioner Dixon hopes and expects EDPB guidance on this to come in a matter of weeks.

Read the full statement from the Irish Data Protection Commission