Finally Solving for Schrems II?
A conversation with the European Commission’s Bruno Gencarelli
The world of data flows is a diversified world that doesn’t stop at the transatlantic dimension, although that is, of course, a core component of that issue.
A successful arrangement to the privacy shield is clearly a priority on both sides of the Atlantic. We want a solid, durable, sustainable framework. What’s the secret recipe to get there? A framework that fulfills the requirements of the Schrems II judgment.
European Commission Head of International Data Flows and Protection Bruno Gencarelli joined WireWheel CEO Justin Antonipillai for the plenary session of the Fall Spokes Privacy Technology Conference. And while always top-of-mind, the recent guidance issued by the European Data Protection Board (EDPB) makes this conversation particularly timely.
WireWheel’s Antonipillai was a lead author of the Privacy Shield agreement that was subsequently invalidated by Schrems II, and Bruno Gencarelli is the lead negotiator for the current EU-U.S. attempts to design the “secret recipe” that will solve for Schrems II and allow cross-border commercial data flows to proceed without the burden of case-by-case justifications. The Q&A, which can be accessed here, is well worth a listen.
A complex balancing act
“The evolution between Schrems I and II is the level of detail regarding what is expected in terms of safeguards. And those are the aspects on which we’re working. Namely: government access to data for national security purposes,” says Gencarelli. “That’s not an easy issue. It’s a complex balancing act in the U.S. as it is in any modern system around the world.”
Bruno notes that while “we are not there yet,” good progress has been made on a number of issues. Beyond the exploratory phase, his team and their counterparts in Washington, D.C., are now “exchanging text, ideas, and possible solutions.”
“We, and our counterparts in Washington, share a sense of urgency, but we also share [the view] that the ‘what’ is more important than the ‘when’: that this is an arrangement that will pass all the necessary tests, including potential litigation.”
Still, for businesses trying to do the right thing, it’s a long time coming:
The Schrems II decision was July 2020. And Privacy Shield is used by a lot of small and medium-sized companies to comply. To do more than might be relied on under U.S. law in order to avail themselves of a special transfer benefit from Europe. That’s a long time for small and medium-sized companies [who are looking for resolution].
Simplicity and Adequacy
- Do you have any sense of timing on when at least a framework agreement might be reached (understanding that even after there’s a framework agreement there’s a pretty long tail)?
- With a new “Privacy Shield” will there still be the need to do transfer impact assessments?
- Other discussions and negotiations still focus on redress for national security purposes. Is that the exclusive area of negotiation at this point, or is it broader than that?
On timing, Bruno answers, not unexpectedly, “We hope we can get there as soon as possible, but I am not in a position today to tell you when.”
What is important is the nature of the instrument. It will be an adequacy decision. And if we succeed, this will have a major, major benefit. Particularly in the post-Schrems II environment. It means that – based on certification with the Department of Commerce – companies will be able to rely on the new arrangement to export data from the EU to the U.S. without having to enter into the case-by-case assessment that the Schrems II judgment requires.
This, as Bruno notes, has a significant benefit in terms of stability, cost, and simplicity. The intention is to come to an arrangement that is straightforward in nature. “That’s why we are developing adequacy,” opines Bruno.
“So, the short answer to your question regarding transfer impact assessments is no. But yes, because in any case, regardless of Schrems II, regardless of transfers, you need to know what you’re doing with that data. That’s key to the compliance and accountability aspect [of data handling] that will always remain.”
Justin reiterates: “That means the technical transfer impact assessment portion, in which you have to evaluate the sort of regime that you’re transferring it to, with respect to the U.S., companies would no longer have to conduct. They still would have to do an assessment of processing activities, just as normal.”
“Correct. Because an adequacy decision is a legal measure adopted by the EU, by which the EU says, ‘we have done that assessment and you have a green light for transfer.’”
Redress and Resurrection
Redress is a central issue under discussion, says Gencarelli. “There are essentially two issues in Schrems II.
“One is what are the conditions, limitations, and safeguards that are the basis by which data can be accessed by intelligence agencies when, for instance, it has been transferred for commercial purpose. This is an issue for which we have made good progress around principles of necessity and proportionality: the nexus between the data which is being accessed and the national security threat is being addressed.
“And then there is the question – not an easy question, but a fundamental one – where the Court of Justice has been the clearest and most detailed: the possibility for individuals to allege a violation of the safeguards in a court or tribunal. These are the two questions with which we are dealing.”
Companies are maintaining their compliance with the Privacy Shield principles without getting the benefit of a means of transfer. Is the expectation that if there’s a new Privacy Shield, companies, if they continue to do what they’ve already certified to, will get the benefit of the means of transfer? Or do you anticipate there’s going to be new requirements from a commercial perspective?
“I know that certifications continue and are renewed on the U.S. side,” offers Bruno, but he cautions: “it’s very important to say that in terms of compliance with the GDPR requirements, those certifications are of no value for the moment. From the European side, the Privacy Shield is dead.
“But we believe also in resurrection. And that’s what we’re working on.”
Gencarelli emphasizes that the EU team is focused on the government access part of the deal because that is the grounds on which the Court of Justice invalidated the Privacy Shield.
It is noteworthy that this is exactly what the recent EDPB guidance failed to address. As legal scholar Daniel Solove opined in a recent conversation with Justin: “Right now, my reading of it is it doesn’t add up,” says Solove. “This is still a mess and no one’s addressing the elephant in the room.” That elephant is government access to data, the central thrust of Schrems II.
Of course, notes Bruno, “the commercial aspect – which is what matters in daily life of businesses – does have additional compliance requirements,” but they are not the focus of the negotiations. “If there are any changes, they would be quite minimal.”
There have been widely reported discussions on the proposals that have been coming from the U.S., the Justice Department, and judicial panels on redress. And while I don’t mean to suggest the redress element of it is any more or less difficult than necessity and proportionality, redress has some very difficult aspects when you try to reconcile it with the elements of standing and judicial ability under U.S. law. So, there are some tricky elements to that.
“What I can tell you,” offers Bruno – understandably constrained by the sensitivities of ongoing negotiations – “is that we want a solution that works in both systems.
“The question of standing is, of course, very important. And recently, the Supreme Court said to the legislature that there are things you cannot do in this area, there are limits. We have also seen that there are redress mechanisms that exist in the judiciary branch as well as the executive branch.
“Redress in an area such as national security is, of course, subject to legitimate limitations to fully take into account the sensitivity and confidentiality of issues that might be involved. Those constraints exist on both sides of the Atlantic.”
Around the world in four minutes
There are many more opportunities as countries are converging on the idea that it’s not about identity. It’s about converging on common safeguards.
Given the immediacy (and complexity) of the issues, this is a conversation that could easily last well into the night. Unfortunately, though understandably, Bruno’s schedule is constrained. In the remaining minutes of the keynote Q&A, Bruno reminds us that while the EU-U.S. data transfers are at the forefront, there is much going on throughout the world in this regard, and he provides some insight.
As a scoop for your audience, we have completed negotiations with Korea, and if everything goes well, it will be adopted by the EU next week. By the end of the year, there will be a free flow of data between the EU and South Korea.
Bruno also notes that “the adequacy decisions we adopted with the UK (one for the GDPR, the other for law enforcement cooperation) are a very important part of the post-Brexit relationship.”
Other initiatives highlighted by Bruno include:
- Work on a number of tools that can cover regions, creating an amplifying network effect. Model clauses are now adopted and used as part of that convergence by a number of jurisdictions around the world. Switzerland has adopted the same model clauses as the EU, and the UK has a proposed version as well.
- New Zealand, while not exactly the same model, has presented some important commentaries.
- Regional organizations such as Southeast Asian countries – Singapore, Indonesia, Malaysia, and others – have adopted a set of model clauses to facilitate transfers within the region. This is seen as useful to facilitate transfers between that region and the rest of the world. Work is being done to build on this common practice and capture many jurisdictions.
- The same is happening with Latin America.
Bruno closes the conversation with a parting comment regarding the recent trend in data localization:
There are obstacles to data flows, which have nothing to do with the protection of privacy, though they might sometimes use the protection of privacy as a pretext. I’m thinking about a number of data localization requirements we increasingly see.
We are negotiating a lot of trade agreements with countries such as New Zealand, Australia, Indonesia, Tunisia, Chile, and others. At the multilateral level, we are proposing an approach based on a straightforward prohibition of data localization requirements.