Following yesterday’s landmark ruling by Europe’s highest court – tearing down an iconic transatlantic data transfer framework called the Privacy Shield, and increasing legal uncertainty about the processing of EU citizens’ data in the United States in the process – Europe’s leading data protection regulator has fired its own warning shot at the region’s data protection authorities (DPAs), essentially telling them to step in and do their job of stopping the flow of people’s data to third countries where it is at risk.

Countries like the USA

The original complaint that led to the decision of the EU Court of Justice (CJEU) focused on Facebook’s use of a data transfer mechanism called Standard Contractual Clauses (SCCs) to authorize the transfer of user data from the EU to the US for processing.

Claimant Max Schrems asked the Irish Data Protection Commission (DPC) to suspend Facebook’s SCC-based data transfers in light of US government mass surveillance programs. Instead, the regulator went to court to raise broader concerns about the legality of the transfer mechanism.

That in turn led Europe’s top judges to strike down the Commission’s adequacy decision, which underpinned the EU-US Privacy Shield. This means the US no longer has a special arrangement that greases the flow of personal data from the EU. However, as of this writing, Facebook is still using SCCs to process EU users’ data in the US. Much has changed, but the data has not stopped flowing yet.

Yesterday, the tech giant said it would “carefully consider” the findings and implications of the CJEU’s decision on the Privacy Shield, adding that it eagerly awaited the “regulatory guidance.” It certainly didn’t offer to proactively activate a shutdown switch and stop the processing itself.

Meanwhile, Ireland’s DPA, which is Facebook’s lead data regulator in the region, sidestepped questions about what action it would take in the wake of yesterday’s ruling, saying it (also) needed (more) time to study the legal nuances.

The DPC’s statement went so far as to say that the use of SCCs to bring data to the US for processing is “questionable”, adding that case-by-case analysis would be key.

The regulator remains the focus of sustained criticism in Europe over its record on enforcing major cross-border data protection complaints, with zero decisions issued more than two years after the EU’s General Data Protection Regulation (GDPR) came into force, and a growing backlog of open investigations into the data processing activities of platform giants.

In May, the DPC finally submitted its first draft decision on a cross-border case (an investigation into a Twitter security breach) to the other DPAs for review, saying it expected the decision to be finalized in July. At the time of writing, we are still waiting for the bloc’s regulators to reach a consensus on it.

The painfully slow pace of enforcement of Europe’s flagship data protection framework remains a problem for EU lawmakers, whose two-year review last month called for “vigorous” and uniform application by the bloc’s regulators.

The European Data Protection Supervisor (EDPS) made a similar call today, following the Schrems II ruling, which looks set to further complicate the regulation of data flows by piling even more work onto the desks of under-resourced DPAs.

“European supervisory authorities have a duty to diligently enforce applicable data protection legislation and, where appropriate, suspend or prohibit data transfers to a third country,” writes EDPS Wojciech Wiewiórowski in a statement, warning against further hesitation or can-kicking on the intervention front.

“The EDPS will continue to strive, as a member of the European Data Protection Board (EDPB), to achieve the necessary coherent approach among European supervisory authorities in implementing the EU framework for international transfers of personal data,” he continues, calling for more joint work by the bloc’s DPAs.

Wiewiórowski’s statement also highlights what he calls “welcome clarifications” regarding the responsibilities of data controllers and European DPAs to “take into account the risks linked to access to personal data by public authorities in third countries”.

“As the supervisory authority of the EU institutions, bodies, offices and agencies, the EDPS is carefully analyzing the consequences of the judgment on contracts concluded by the EU institutions, bodies, offices and agencies. The example of the recent EDPS own-initiative investigation into the European institutions’ use of Microsoft products and services confirms the importance of this challenge,” he adds.

Part of the complexity of applying Europe’s data protection rules is the lack of a single enforcement authority; instead, a diverse patchwork of supervisory authorities is responsible for investigating complaints and issuing decisions.

Now, with the CJEU decision requiring regulators to assess third countries in order to determine whether the use of SCCs is valid for a particular use case and country, there is a risk of further fragmentation if different DPAs arrive at different conclusions.

Yesterday, in its response to the CJEU decision, the Hamburg DPA criticized the judges for not also striking down the SCCs, saying it was “inconsistent” for them to invalidate the Privacy Shield yet allow this other mechanism for international transfers to stand. Supervisory authorities in Germany and Europe must now quickly agree on how to deal with companies that continue to illegally rely on the Privacy Shield, the DPA warned.

In the statement, Hamburg data commissioner Johannes Caspar added: “Difficult times are ahead for international data traffic.”

He also issued a forceful warning: “The transmission of data to countries without an adequate level of data protection … will no longer be allowed in the future.”

Compare and contrast that with the Irish DPC saying the use of SCCs is “questionable”, on a case-by-case basis. (Or the UK ICO offering this bare minimum.)

Caspar also emphasized the challenge facing the bloc’s patchwork of DPAs in developing and implementing a “common strategy” for dealing with SCCs following the CJEU decision.

In a press release today, the Berlin DPA also adopted a hard line, warning that data transfers to third countries would only be allowed if they have a level of data protection essentially equivalent to that offered within the EU.

In the case of the US, home of the largest and most widely used cloud services, Europe’s top judges yesterday reiterated very clearly that this is not the case.

“The CJEU has made it clear that data export is not just about the economy, but that people’s fundamental rights must be paramount,” Berlin Data Commissioner Maja Smoltczyk said in a statement [which we’ve translated using Google Translate].

“The times when personal data could be transferred to the US for convenience or cost savings are over after this ruling,” she added.

Both DPAs warned that the ruling has implications for the use of cloud services where data is processed in other third countries where the protection of EU citizens’ data cannot be guaranteed either, i.e. not only in the US.

On this front, Smoltczyk name-checked China, Russia and India as countries where EU DPAs will have to assess similar problems.

“Now is the time for Europe’s digital independence,” she added.

Some commenters (including Schrems himself) have also suggested that the ruling could push companies to switch to local processing of EU users’ data. Although it is also interesting to note that the judges chose not to invalidate SCCs, thereby offering a path to lawful international data transfers, but only if the necessary protections are available in the third country in question.

The European Data Protection Board (EDPB), the body made up of DPA representatives from across the bloc, also issued a response to the CJEU decision today. Chair Andrea Jelinek issued an emollient statement, writing that: “The EDPB intends to continue to play a constructive role in ensuring a transatlantic transfer of personal data that benefits EEA citizens and organizations and is ready to provide assistance and guidance to the European Commission to help it build, together with the US, a new framework that fully complies with EU data protection law.”

However, in the absence of radical changes to US surveillance law, it is difficult to see how any new framework can be made to legally stick. Privacy Shield’s predecessor agreement, Safe Harbor, lasted around 15 years. Its shiny “new and improved” replacement didn’t even last five.

Following the CJEU decision, data exporters and importers must conduct an assessment of a country’s data regime to check its compliance with EU legal standards before using SCCs to transfer data there.

“In carrying out such prior assessment, the exporter (if necessary, with the assistance of the importer) will take into account the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the country of the importer. The examination of the latter will be carried out in light of the non-exhaustive factors established in Article 45(2) of the GDPR,” writes Jelinek.

“If the result of this evaluation is that the importer’s country does not provide an essentially equivalent level of protection, the exporter may have to consider implementing additional measures to those included in the SCCs. The EDPB is studying what these additional measures consist of.”

Once again, it is unclear what “additional measures” a platform could plausibly deploy to “fix” the huge lack of redress that US surveillance law affords foreigners. It looks like major legal surgery is required to square this circle.

Jelinek said the EDPB would be studying the judgment with the goal of presenting more granular guidance in the future. But her statement warns data exporters that they have an obligation to suspend data transfers or terminate SCCs if contractual obligations are not being met or cannot be met, or to notify a relevant supervisory authority if they intend to continue transferring data.

In its roundabout way, it also warns that DPAs now have a clear obligation to terminate SCCs where the security of data cannot be guaranteed in a third country.

“The EDPB takes note of the obligations of the competent supervisory authorities (SAs) to suspend or prohibit the transfer of data to a third country in accordance with the SCCs, if, in the opinion of the competent SA and in light of all the circumstances of such transfer, those clauses are not or cannot be complied with in that third country, and the protection of the transferred data cannot be guaranteed by other means, particularly when the controller or processor has not itself already suspended or terminated the transfer,” writes Jelinek.

One thing is clear: any sense of legal certainty for US cloud services that stemmed from the existence of the EU-US Privacy Shield, with its flawed claim of adequate data protection, has vanished like summer rain.

Instead, a sense of déjà vu and much more work for lawyers.