Schrems II: The Path Forward

Following the Court of Justice of the European Union’s (CJEU) decision in the “Schrems II” case, some wondered what it would mean for cross-border data transfers and whether they remained valid. Upon more analysis, they remain intact—with some caveats.

Now that several weeks have passed since the Court of Justice of the European Union’s (CJEU) decision in the “Schrems II” case—which struck down the EU-U.S. Privacy Shield—it’s worth taking a moment to reflect on what the decision means and the path forward. In the immediate aftermath of the decision, some wondered what this would mean for cross-border data transfers and whether they remained valid, but upon more analysis, they remain intact—with some caveats. At the same time, given the size and importance of the EU-U.S. trade relationship (over $700 billion in total volume), it is vital that we come together to achieve lasting solutions to help enable appropriate data transfers for the good of society and the economy.  

Here are three things that still remain true at this point:

  • Transfers to the U.S. remain permissible. Privacy Shield was struck down because of concerns about protections of personal data under U.S. law and how EU residents could raise potential complaints. But personal data still can be transferred to the United States. Privacy Shield was an adequacy decision: any transfers of personal data to the U.S. were valid, so long as the transfer was to a company that certified to Privacy Shield. By contrast, the Standard Contractual Clauses (SCCs) enable transfers between specified companies, while Binding Corporate Rules (BCRs) enable transfers to a corporate group. 

  • A case-by-case approach governs. Because SCCs and BCRs relate to transfers of specified types of personal data between particular companies or within a corporate group, their use must be analyzed on a case-by-case basis. U.S. government efforts to obtain data generally are directed at consumer-facing services. Other types of data, like human resources data, are far less likely to be sought by the government because they aren’t relevant. Indeed, many companies have received data transferred from the EU for years and have never received a government demand for data. Likewise, each company’s protection for data in transit (for example, use of strong end-to-end encryption) and their approach to how they would handle a government demand for data can be assessed to determine the protection they provide.

  • Regulators recognize not all transfers are the same. The recent guidance from the European Data Protection Board (EDPB) reflects the fact that different types of data transfers pose different risks. As the EDPB wrote in its FAQs on “Schrems II," companies must “tak[e] into account the circumstances of the transfers, and supplementary measures [they] could put in place” and determine if there is an adequate level of protection “following a case-by-case analysis of the circumstances surrounding the transfer.” The type of data transferred, the technical protections put in place, the recipient’s history (or lack thereof) of government demands for data, and its commitments around how it would handle any such demand are all relevant to that analysis.

It’s vital that policymakers on both sides of the Atlantic work together in good faith to come up with a framework that works for both.

Moving Forward

The key question is where do we go from here. The EU and the U.S. have pledged to work together on a successor to Privacy Shield. Workday strongly supports these efforts: it’s vital that policymakers on both sides of the Atlantic work together in good faith to come up with a framework that works for both. Attempts to put pressure on one side or the other, or to use trade enforcement mechanisms, will only lead to the hardening of positions and delays.

What a successor agreement looks like—in light of the CJEU’s concerns—is hard to say at this point. Ultimately, any new agreement will be the product of successful EU-U.S. negotiations. As part of that effort, a number of potential steps could be taken to narrow the gap between the CJEU decision and U.S. practice. For example, the ombudsperson established by Privacy Shield to hear complaints about unnecessary access to data could be given greater independence, just as we in the U.S. have independent agencies across the government. The ombudsperson’s findings regarding protection of individual’s rights similarly could be made binding. Existing administrative protections regarding use of data could be codified. Requirements around use of encryption for data in transit could be strengthened. Treating some categories of personal data differently—those that are unlikely to be of interest to the government—could be helpful. Ultimately, some combination of these or other measures and protections could provide a path forward to a lasting, sustainable mechanism for data transfers from the EU to the U.S. 

According to McKinsey, cross-border data flows accounted for $2.8 trillion in global GDP in 2014, and their importance has only increased since then. Likewise, as the European Commission notes, total U.S. investment in the EU is three times that of U.S. investment in Asia, and EU investment in the U.S. is eight times EU investment in India and China combined. In an increasingly digital world, continued cross-border data flows are essential to our close economic relationship. For this reason, a stable long-term solution is vital.

More Reading