The View from the EU: A Discussion with the International Data Transfers and Protection Unit’s Bruno Gencarelli
Bruno Gencarelli, Head of the EU’s International Data Flows and Protection Unit, delivered the closing remarks for the Spokes 2021 conference.
The conversation kicked off with a discussion about the Schrems II decision coming out of Europe, with wide-reaching implications for the transfer of data between Europe and the U.S. The Schrems II ruling invalidates the adequacy decision for the EU-U.S. Privacy Shield Framework, which had been the standard by which companies in the U.S. complied with EU data protection laws. The Schrems II ruling has ramifications for contractual clause transfers, binding corporate rule transfers, and more.
The Impact of Schrems II
Gencarelli began his remarks by characterizing his impressions of the Schrems II decision and describing some of the work that has gone on behind the scenes. “Developing a successor arrangement to the Privacy Shield following the Schrems II document is a priority on both sides of the Atlantic,” he said. “There has [recently] been an important visit by President Biden … we are meeting for the first time with our U.S. counterparts to explore a number of solutions that should bring us closer to an agreement.”
He continued: “This is a top priority for us, it’s a top priority for the U.S. administration, and there is a lot of eagerness and willingness on both sides. It is also an understanding of the complexity of the issues we have to deal with, which are, as you know, about the interplay between privacy on one hand and national security on the other, and that’s always a complex and essential question … what we want to develop is an arrangement that is sustainable which will deliver the legal certainty that stakeholders expect and deserve. And the only way to do that is to have an arrangement that is fully aligned with the judgments set by the Court of Justice in the Schrems II document”
He went on to point out the critical importance of Schrems II as it relates to “proportionality, necessity, and the limits of the interference of privacy in the area of national security as well as the redress mechanisms that should be available to individuals.” He did not set a timeline for further discussions but reiterated that coming to some sort of agreement was the highest priority for both the EU and the U.S.
“What we are aimed at is a new adequacy decision,” he said, “because we see enormous benefits of another decision, both for the protection of the data which is transferred and in terms of legal certainty – something companies can rely upon without having to think about the type of case-by-case assessment which is otherwise required by the Schrems II decision. What we are aiming at here is a new adequacy finding.”
The Fate of Privacy Shield
WireWheel founder and CEO Justin Antonipillai noted that companies certified under Privacy Shield cannot transfer data, while others still maintain their commitments to public declarations under Privacy Shield. He asked whether current discussions are centering on national security redress and accountability issues, while commercial questions will remain as they were under Privacy Shield.
“The short answer to that question is, essentially, yes, in the sense that—taken from a GDPR point of view—Privacy Shield, in its current form, can no longer be relied on to transfer data from the EU to the U.S.,” said Gencarelli. “Privacy Shield was squashed for reasons that concern access by public authorities and, in particular, national security authorities to data. The Schrems II judgment is our mandate in the negotiations. The discussions are, on the one hand, about redress, and on the other, the limitations and conditions under which data can be accessed for national security reasons.”
“Of course, I cannot pronounce the outcome of a negotiation before the negotiation has concluded,” he continued, “but I can confirm that, indeed, the focus of the negotiation is on issues that concern how public authorities can and should access data, rather than the behavior, the practices, and the compliance, of private entities, which have not been affected by the Schrems II judgment.”
Applying Standards Fairly
Next, Justin Antonipillai asked Gencarelli if the European commission subjected the UK to the same level of review and scrutiny as the U.S. for the recent adequacy decision that permits the transfer of data between the UK and the EU. “Of course,” said Gencarelli. “The requirements we have to fulfill and the requirements that have been set by the Court of Justice, which let’s not forget is the equivalent of the Supreme Court for the EU, are not U.S.-specific requirements. They have been applied to cases, in part, that concern a transfer mechanism to the U.S. through Privacy Shield.”
“But as you can see already in that judgment,” he continued, “with the SCCs [Standard Contractual Clauses], this is a judgment that has a much broader scope. And what the court said in Schrems II constitutes the checklist we have to go through to fulfill any adequacy decision. We did this recently with two decisions, the one concerning the UK … and one we are proposing with respect to South Korea. You will see [in those draft decisions] a very large part of the reasoning [behind them] is in assessing the safeguards that apply in case public authorities seek to access data.”
But Gencarelli cautioned that his agency’s work seeks to protect countries’ national security interests, but not at the expense of other factors. “This is not about shutting down national security agencies,” he said. “Fighting national security threats is important … for any modern country in the world … If you look at the UK decision, you’ll find a number of elements that are interesting in terms of a strong reliance on the principle of proportion and national security in terms of pre-authorization of surveillance measures by a judicial body, and in terms of access to a redress mechanism tribunal in the UK, dealing with individual claims on civilians and compliance with human rights, including privacy.”
The Burden of Balancing Commerce with Security in Data Privacy
Antonipillai expressed concern about a recent adequacy finding with respect to the U.S. with contractual clause guidance that “puts burdens on a company … when transferring data to a third-party country.” He then asked, “For the purposes of adequacy, how do you … balance the level of collection with the democratic scheme of a country when you’re looking at these other mechanisms?
“Let’s not forget what we’re talking about—whether you call it privacy, data protection—what we’re talking about … is a human right, call it a fundamental right, and of course for the rights to not only exist but to be effectively protected,” Gencarelli said. “And [for that], you need a certain type of legal structure, which can only come from democratic societies.”
“We see, more and more, that like-minded countries have identified this challenge of data being a strategic asset, which in certain circumstances, can fall into the wrong hands,” he continued. “Let’s not forget that it’s not the EU but Japan that has launched the Data Free Flow with Trust initiative, where ‘trust’ means essentially ‘trust’ in the ways government can access data. Last week, [there was] a new executive order adopted by the US administration, which tries to address … the risks that are being associated with data being transferred or in any case falling under the control of companies that are associated with authoritarian regimes.”
He went on to praise the cooperation of countries under the OECD to grapple with the question of keeping data flowing, while also remaining cognizant of security risks. “That’s the first time that there is work done at the international level in trying to identify common principles when it comes to access by government to data held by private companies,” he said.
The Question of SCCs
Antonipillai asked Gencarelli about the burden of companies to meet standards under Standard Contractual Clauses (SCCs). “It puts a very difficult challenge on companies to make a determination of how you do a data transfer appropriately,” said Antonipillai. “And we do hear about certain regulators in Europe that are calling for detailed documentation of assessments of countries under those kinds of frameworks that are just difficult to do. What is your reaction to that?”
“We don’t want to underestimate or minimize those complexities and that’s one of the reasons why we are working so hard and so intensively on this negotiation,” said Gencarelli. “Stakeholders, including the business community, significantly modernized the Standard Contracting Clauses. We have provided companies with a checklist of criteria, factors, and parameters that need to be taken into account when carrying out that assessment of their transfers…. compared with a few months ago, a company that needs to carry out that assessment has a number of useful tools.”
Gencarelli emphasized that the issue is a priority in negotiations, but there are a number of factors at play. “But this question of government access will not go away,” he said. “We are trying to develop a common understanding of this so that companies will be able to rely on them for a certain transfer with a certain country. We have tried to stick as much as possible to our understanding of the court’s ruling in Schrems II, [which says] that you can have transfers to a certain country [under] a number of factors, such as the nature of the data with a number of caveats and conditions, or the experience of the importer in the system … the outcome of the assessment of the risk associated with the transfer may vary. I think that’s an important element that needs to be taken into account. The court very much insists on the circumstances of the transfer, and there are a number of variables that may distinguish one transfer from the other.”
He went on to state that International Data Transfers and Protection Unit would soon be developing a set of Q&As and other tools to address a number of practical questions around SCCs. “I think that you have seen that there have been a lot of changes that reflect what we have heard [from feedback around SCCs], and we have now entered into another phase, which is one of implementation, where many companies have to use these SCCs to negotiate or renegotiate certain contracts,” he said. “We’re very much looking forward to a deeper discussion and detailed feedback.”
California and European Approaches to Privacy: A Shared Foundation
To wrap up the discussion, Gencarelli addressed comparisons between California’s privacy laws and the GDPR, and the possibility of building robust privacy laws that work for everyone. “If I compare the nature of the transatlantic conversation around privacy to where it was only a few years ago, I am, certainly, very optimistic,” he said. “I think it has become a much less ideological conversation—we all agree on both sides of the Atlantic on the need to have credible, serious privacy rules in place. I think that in the U.S. you are now facing—and I hope one day addressing—the same challenge that led to the adoption of a privacy law at the European level … We were there ten years ago, and one of the main reasons for the adoption of the GDPR was too much fragmentation [among countries], too many divergences, and therefore, [higher] compliance costs among—at the time—28 member states. We are of course very interested in and observing what happens at the state level [in the U.S].”
He went on to state that California’s laws could, at the very least, lead to more cooperation among states and could lead to the development of privacy laws that benefit all stakeholders. “We see that those rules [in U.S. states] are developed reflecting some choices that are specific to the legislatures that adopt those laws,” he said. “Those laws, indeed, seem to be based on convergent principles, rules, and converging mechanisms. If you see what is happening in California, this should lead to more cooperation on the ground … if you want more legal certainty, we need to work more on cooperation, not only in enforcement but in terms of developing common guidance [and] some common understanding of clear or basic privacy principles.”