The CJEU passed up on the opportunity to implement harmonisation measures during the Schrems II case, according to privacy experts speaking at Last Thursday in Privacy.
After the Schrems II ruling, the onus of ensuring that the legality of Standard Contractual Clauses (SCCs) is validated was placed on controllers within member states, which privacy experts speaking during a panel discussion said is a significant step and could have been avoided if the CJEU had implemented harmonisation measures in EU and US law.
This intermediate phase, “an era of sophisticated legal engagement with regulatory systems” is the current situation facing regulators, said Stewart Room, partner at DWF Law.
Raj Roy, General Counsel for Centrica’s UK and Ireland operations, added: “What we are worried about here is different countries taking different approaches to governing data outside of the EU. The Court passed up an opportunity to be really clear. But what they’re really saying is that member states must do this.” He added: “Controllers must now be equipped in both a technical and legal sense.”
The panel (organised by Data Protection World Forum) also addressed the topic of surveillance outside of the EU, dissecting the difference between surveillance laws, specifically in Germany, and US surveillance laws such as FISA. Referring to the court case in Germany earlier this year that ruled mass surveillance of telecommunications outside of Germany conducted on foreign nationals as unconstitutional, German Magister of Law and Privacy activist Christopher Schmidt provided clarification.
“[Germany’s] Federal Constitutional Court made it clear for the first time, German fundamental rights offer protection against German state authorities to foreign, so non-German, individuals abroad. Since the Constitution of Fundamental Rights binds all state authority in its entirety, and without any restrictions to either the German people, or the German territory.”
The German Court assumes an “extraterritorial effect” of a number of German fundamental rights which provides protection against intrusive surveillance measures in telecommunications services.
Though the situation looks bleak for companies who have relied on SCCs to transfer data to and from the US, DPO at Virgin Media Naureen Hussain spoke about the positive outcomes that businesses can take from the Schrems II result. “It is good for the profession and good for keeping data protection on the agenda in organisations,” she says. “Businesses are now in a good position to enhance their relationships with their critical suppliers” and should take the opportunity to develop collaboration.
She urged businesses not to panic but to put their plans into the business, for “where data protection really needs to reside and live must be beyond paper”.
Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.
Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.