Schrems II Update – EU-US to intensify new Privacy Shield talks, US Congressional Research Service issues new report and German DPA applies Schrems II

Nigel Parker

In recent weeks, there have been a number of developments related to the consequences of the European Union Court of Justice (CJEU) decision in Schrems II. The most noteworthy developments are summarised below.

Intensified talks on enhanced EU-US Privacy Shield framework

On 25 March 2021, the EU Commissioner for Justice Didier Reynders and the U.S. Secretary of Commerce Gina Raimondo announced that the EU and the US have decided to intensify negotiations on an enhanced EU-U.S. Privacy Shield framework that would be compliant with Schrems II. The brief joint statement points out shared commitments to privacy, data protection and the rule of law, as well as the mutual recognition of the importance of transatlantic data flows to citizens, economies, and societies. The statement also refers to the intended “partnership” on facilitating trusted data flows that would benefit economic recovery after the Covid-19 global pandemic. (The statement is available here.)

US report on the assessment of Schrems II for Privacy Shield

On 17 March 2021, the US Congressional Research Service (CRS) published a report on the Schrems II decision and its impact on cross-border data transfers between the EU and the US, with the objective of informing the US Congress on possible follow-up steps. The report discusses in detail the Schrems II decision, the underlying EU data protection law, and the US surveillance laws relevant in this context. The report concludes that, whilst the Schrems II decision does not definitively prohibit all transfers between the two jurisdictions (for example, companies can still put standard contractual clauses in place), it does considerably limit the available options. (The CRS report is available here.)

The CRS report also suggests potential steps for governmental and legislative actions, including:

  • issuing an executive Presidential order to further limit bulk intelligence collections or provide additional redress mechanisms for individuals, or to establish an executive office or tribunal with the power to adjudicate complaints and issue binding decisions on the intelligence community;
  • seeking diplomatic solutions between the US Department of State and the European Commission, which could include establishing a new framework to replace Privacy Shield and result in a new adequacy determination by the European Commission (the report notes that the US Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-US Privacy Shield framework, which would comply with Schrems II);
  • the possibility of US Congress adopting statutory requirements to address the CJEU’s concerns in Schrems II, such as by amending the Foreign Intelligence Surveillance Act to prohibit bulk data collections by intelligence agencies, creating a novel cause of action to allow foreign subjects to bring complaints before a tribunal if they believe intelligence agencies have collected or used their data in an unlawful way; and
  • considering the adoption of a comprehensive federal-level data protection law applicable to commercial entities, which would address the EU’s surveillance concerns, noting that this option could result in a determination of adequacy status for the US and eliminate the need to rely on Privacy Shield, the European Commission’s standard contractual clauses (SCCs) or other transfer mechanisms.

European Parliament’s Resolution on GDPR addresses adequacy decisions and Schrems II

In a resolution on the evaluation of the implementation and enforcement of GDPR, adopted on 25 March 2021, the European Parliament reiterated its position that mass surveillance programmes encompassing bulk data collection should prevent adequacy findings for third countries. The European Parliament urges the European Commission to apply the conclusions of the CJEU decisions in Schrems I, Schrems II and Privacy International to all reviews of adequacy decisions and to ongoing and future negotiations.

Bavarian DPA decision on the use of US email marketing platform

The supervisory authority of the German state of Bavaria (Bavarian DPA) was reported to have issued a decision that found the transfers of email addresses of EU subscribers by a German publisher to the US-based email marketing platform Mailchimp to be unlawful. The publisher relied on the European Commission’s SCCs for its data transfers to the US provider. In the unpublished decision, summarised by the German DPA in the letter of 15 March 2021 to the individual who filed a complaint against the publisher, the Bavarian DPA noted that the marketing platform provider could qualify as an electronic communication service provider under FISA 702 (50 U.S.C. § 1881) and therefore be under an obligation to provide US authorities with access to the data of its clients.

The Bavarian DPA explained that, in the light of Schrems II, the publisher should have assessed whether any supplementary measures needed to be put in place in addition to the SCCs to ensure that the transferred data were protected from US surveillance, but the publisher did not do so. The Bavarian DPA did not impose a fine in this case because (i) the publisher had stopped using Mailchimp immediately, (ii) the unlawful transfers were incidental and (iii) the transfers concerned only non-sensitive data (email addresses). In addition, the Bavarian DPA noted that the EDPB Recommendations on supplementary measures following Schrems II, with guidance on which steps would be appropriate in this case, were only available in draft form; it therefore considered the nature and gravity of the infringement as minor. (The report on the decision is available here.)