Privacy activist Max Schrems shared details of his recent court case at the Court of Justice of the European Union (CJEU) at Last Thursday in Privacy on 30 July, and gave insight on how companies affected by the ruling can navigate data transfers to the US in the future. But, ultimately, Schrems said in the in depth interview that currently no instrument exists in law to overcome the clash between European fundamental rights and US surveillance laws.
On 16 July, the CJEU ruled the EU-US Privacy Shield invalid, and maintained the validity of Standard Contractual Clauses (SCCs) but made it clear that data transfers based on SCCs are not necessarily legal if the legislation of the recipient country falls under US surveillance law. In this case, SCCs will not provide adequate protection of EU citizens’ data.
Schrems stated that establishing the validity of SCCs for data transfers to the US will have to be done on a case-by-case basis. As it stands, he says no instrument exists to provide a clear solution to this problem, and no agreement could exist without the likelihood of further invalidation by the CJEU.
“We have a clash of law; we have a US law asking companies to disclose data and we have the European law saying we can’t do it. There is no way to overcome this clash right now, unless one of the two laws steps back in some way,” he told interviewer Vickie Guilloit from Privacy Culture.
“On the European side it’s fundamental rights, which unless we change the treaties of the European union, it is not going to go away. On the US side, it’s FISA, so that’s a surveillance law that could be changed – it is more realistic to get that changed than anything on the privacy side in Europe.”
Schrems said that there are, however, steps companies can take to ensure that they are appearing to be mitigating the problem at the organisational level. US companies especially will need to push for a change in law, which Max says could be on the basis of losing their place within the EU market.
Companies with partners in the US can request information on their business partner’s current legal basis through a questionnaire that Max uploaded to his website noyb. It can also be sent to EU companies and those abroad. Reassuring to many, he says under the SCCs, if your US partner has not informed you about the US surveillance laws they are impacted by, “they are actually liable for the cost of removing all the ship back to Europe”.
On the US side, he suggested that companies remain in contact with EU representatives.
For crucial data flows to the US, Article 49 can be a solution for many of these cases because it is a general waiver, but it is not a solution for outsourcing, he says.
However, if your recipient in the US is an electronic communications service provider, he said: “unless the US changes its law, there is not really any realistic scenario to overcome that because all these instruments that we have in the EU are basically there if there is a privacy vacuum in another country, if there is simply no privacy law, you can kind of opt-in to another level, or self-certify. If there is simply a clash of laws, there is too much law. There is no option to overcome that.”
Establishing a new agreement will not provide a solution but will likely complicate the situation further: “To try to overcome this clash of laws with another agreement is like having two trains collide and you put a third train in the middle.”
He says, “It’s a political problem that politics has to solve.”
Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.
Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.