The impact of GDPR on data flows and national security
The Court of Justice of the European Union in Schrems II: The impact of GDPR on data flows and national security
Joshua P. Meltzer, 05 August 2020
The recent Court of Justice of the European Union (CJEU) decision in Schrems II, finding that the EU-US Privacy Shield is invalid, together with its additional findings with respect to standard contractual clauses, closes off key mechanisms for transferring personal data from the EU to the US, with important impacts on trade and on the development of technologies such as cloud computing and artificial intelligence (AI).
This is the second time the CJEU has found that a General Data Protection Regulation (GDPR) mechanism for transferring personal data from the EU to the US is invalid.1 The earlier CJEU decision in Schrems I found that the European Commission's adequacy decision with respect to the EU-US Safe Harbor was invalid.2 An adequacy decision is a finding by the European Commission that a third country's privacy laws are essentially equivalent to the rights and obligations under the GDPR.3 The importance of data flows for transatlantic economic relations necessitates that the US and EU engage in a third attempt to develop a mechanism that can enable data flows and pass muster with the CJEU. However, whether this remains a fruitful path forward is uncertain in light of what we now know about the approach of the CJEU to adequacy under GDPR. In particular, the focus on how government agencies access data for national security purposes is becoming the key barrier to data flows between the EU and the US. More broadly, the CJEU decision makes clear that all the key GDPR mechanisms for transferring personal data from the EU to third countries are unstable, namely adequacy decisions, standard contractual clauses (SCCs) and binding corporate rules (BCRs).4 In this respect, the CJEU decision will have ramifications beyond its immediate impact on data flows between the EU and the US. The following addresses the explicit CJEU findings on adequacy and SCCs as well as the broader issue of how to balance national security and privacy. The paper concludes with observations about the potential impact of the decision for the US and beyond and suggests some ways forward.
In this column I focus on two key issues at play in this most recent Schrems case: (1) the disconnect between the application of EU law to national security agencies in third countries compared with domestic security agencies; and (2) the severe limits the decision places on existing GDPR mechanisms for transferring personal data from the EU to third countries. I also offer observations on what this will mean for data flows, and in particular the implications for small and medium-sized enterprises (SMEs).
Privacy and security in a world of global data flows
A core issue in both Schrems cases was how national security agencies operate to preserve security and also ensure sufficient levels of privacy, and whether this is consistent with GDPR. The attempt by GDPR to extend EU privacy rights and obligations to countries and entities receiving EU personal data reflects a broad dynamic, which is that as the global free flow of data increases the scope for national security agencies to access the personal data of everyone, national privacy standards need to be globalized as well to be effective. Yet, governments often provide different levels of privacy protection and redress depending on whether a person is a citizen and where they are located. Under the Fourth Amendment to the Constitution, the US provides different levels of legal redress to people in the US compared to those outside the US, including access to US courts. GDPR in effect seeks to extend the full suite of rights and obligations available in the EU under GDPR, to any country receiving EU personal data.
Underlying the CJEU decisions in Schrems I, which invalidated the EU-US Safe Harbor agreement, and Schrems II, which has now invalidated the EU-US Privacy Shield, is a disconnect between the GDPR’s international impacts and its domestic application to member state national security agencies. In both Schrems cases, the issue was US government access to personal data for national security purposes and the rights of EU citizens to judicial review and redress in the US. In both cases the CJEU found that the US fell short, in that the US was not according EU personal data the protection and rights of redress available in the EU. When it comes to access to data for national security purposes, under EU law, including GDPR, any limitation on EU rights to privacy must be “necessary and proportionate”.5 At the same time, national security is the sole responsibility of member states.6 In effect, each EU state is given the discretion to balance national security needs with data privacy rights. Yet the EU is not according a similar discretion to third countries. In fact, GDPR uses the threat of withdrawing access to EU personal data as a tool to seek reform of other countries’ security agencies to reflect the CJEU notion of proportionality, while exempting member state governments from similar expectations or threats. This effectively sets up the CJEU as the arbiter of whether other countries’ approaches to accessing data for national security purposes are proportionate.7
This disconnect between GDPR’s international and domestic application when it comes to national security also risks EU demands becoming increasingly detached from the reality and practices of national security agencies. On the one hand, the outcome in the US between security and privacy reflects US constitutional constraints, national security needs and privacy concerns. In the EU, it does not appear that any such balancing took place, leaving the EU approach to privacy untouched in important ways by the equities and needs of member state national security agencies. The result is a set of demands on third country national security agencies that the EU does not, and could not, make of its own national security agencies. This dissonance between what the EU is expecting of other governments and what it is able to ask of its member states is compounded by various findings that EU data may in fact be safer and accorded better due process when in the US than in the EU.8
The inadequacy of adequacy decisions
The issue with how the US government accesses data for national security is what led the CJEU in both Schrems cases to invalidate the European Commission’s adequacy finding with respect to the US. This Schrems decision also makes clear that not only adequacy decisions but also SCCs and BCRs are much more limited than originally thought. Another consequence of the Schrems decision is to underscore the fragility of these GDPR data transfer mechanisms. As the Irish High Court and CJEU overturn a second adequacy finding by the Commission, the CJEU has made clear that SCCs (and BCRs) may require data flows to be terminated at any point should the processor in the third country be unable to comply with GDPR, whether due to requests from a third country government for access to data or due to changes in legislation. These outcomes will inevitably increase risk for businesses that rely on cross-border transfers of personal data. This will affect not only the large tech companies but also those in manufacturing and services that are increasingly data driven.
To understand the implications of this decision for these GDPR transfer mechanisms, it is helpful to reflect on the institutional incentives and priorities driving the different findings by the European Commission on the one hand, and EU domestic courts and the CJEU on the other. The European Commission, in making an adequacy decision, weighs a range of goals that are in tension with each other. While focused on assessing whether US laws and practice are adequate under GDPR, the Commission also takes into account the impact of stopping flows of personal data on international trade, investment and diplomatic relations. In contrast, the process for challenging an adequacy finding rests upon findings by a national data protection commissioner, findings by domestic courts, and finally the CJEU. None of these bodies is expected to consider the range of issues at play for the Commission. Instead, the question is more narrowly whether the third country provides a level of privacy protection consistent with the Charter of Fundamental Rights of the European Union. It is these competing institutional incentives and areas of focus that help explain the different conclusions as to whether the US qualifies for adequacy.
These internal institutional tensions raise several issues for the EU. First is the validity of other adequacy findings. For instance, what does the Commission really know as to how national security agencies in Israel, Japan or Argentina collect, use or share EU personal data? Second is the stability of any adequacy finding. The narrow focus of the CJEU on consistency with the EU Charter and its demand for essential equivalence leave very little room for different approaches to privacy in other countries, reducing the scope for adequacy findings and for using any transfer mechanism under GDPR. When it comes to determining whether the actions of other governments in collecting data for national security purposes are consistent with GDPR and the EU Charter, the vague standard of proportionality has led the Commission and CJEU to different conclusions regarding the adequacy of US limits and safeguards.9 Taken together, this suggests that all adequacy decisions by the Commission must be treated as potentially suspect and open to being declared invalid by the CJEU.
Another impact of this Schrems case is to limit the availability of SCCs (and BCRs).10 The issue with SCCs (and BCRs) is that they are contractual obligations that do not bind other governments. Therefore, where practices by national security agencies for accessing personal data are inconsistent with GDPR, SCCs do not obviously remedy this problem. The CJEU nevertheless held that SCCs remain valid where the controller adduces additional safeguards that rectify these gaps.11 It is not clear what these safeguards are or how they could work in practice. Another wrinkle here is the finding by the CJEU that controllers or processors in the EU, as data exporters, are accountable for ensuring, before transferring personal data, that the legislation in the third country allows the data importer to comply with the SCCs.12 It is not clear whether this merely requires comparing third country laws with GDPR or also the practice of national security agencies, which is harder to assess but arguably what should matter the most.
The result is that after Schrems II, all GDPR mechanisms for transferring personal data to third countries are much more limited in scope, durability and stability.
Some implications of Schrems II for cross-border data flows, trade, privacy and security
The first thing this Schrems case makes clear is the extent of the tension created by GDPR between access to and use of data on the one hand, and the privacy rights and obligations in GDPR on the other (Mattoo and Meltzer 2018). The EU view is that it can have strong privacy and a strong digital economy, including cross-border data flows, and this is likely correct at a certain level of abstraction. However, the details of GDPR now make clear how it sets up real tensions and trade-offs between getting what the EU wants under GDPR in terms of privacy, and access to and use of data consistent with a robust engagement in the digital economy and digital trade (Jia et al. 2019).
In practical terms, Schrems II calls into question the availability of adequacy findings, SCCs (and BCRs) as reliable and stable mechanisms for cross-border data transfers. If the US is still not adequate, then it must be the case that other countries, including China, will never be adequate. Beyond that, it is hard to see how any Chinese company collecting EU personal data can transfer it back to China consistently with GDPR. Large companies may have to localise data storage and processing in the EU.
Yet for small companies, the impacts are most pronounced. For many, setting up in the EU is not an option. There are SCCs, but depending on the government, additional safeguards may be needed for SCCs to be viable. Again, it is unclear what such safeguards may be or whether SMEs could implement them even if they exist. The CJEU decision also establishes an obligation on processors in third countries to notify controllers in the EU of changes in legislation that prevent compliance with SCCs. This is an additional monitoring burden on SMEs in third countries, and failure here can expose these companies to liability for harm caused to EU data subjects. The difficulties with SCCs also create additional costs and disincentives for EU companies to develop digital supply chains with SMEs in third countries.
As discussed, another issue at play is the balance between how security agencies use data for security and how they protect personal privacy in a globalised world. It is likely that GDPR is too unilateral and too EU-specific, and that national security is too important, for GDPR to lead to the types of changes the EU needs for an adequacy finding to work. The EU bet with GDPR has been that the economic importance to US companies of allowing cross-border flows of EU personal data will be enough to force the US to reform how its national security agencies collect and use data. This has been a somewhat reasonable bet so far, in that the US has shown a willingness to negotiate and engage in some reform. But even here, US reforms in order to obtain an adequacy decision have been limited and, as we now know, not enough. It is also the case that the trend is not in the EU’s favour. For while the economic importance of data grows, so do the security issues related to data flows. In fact, the trend is arguably towards security becoming a more important organising principle for how digital economies develop and where data flows. Given this, the risk is that GDPR fails to lead to enough US reform to justify another adequacy finding, forcing the EU into self-imposed data isolation. In such an outcome, large US and other companies will still service the EU market, but the EU will become increasingly closed, reducing access to the large global data pools and the opportunities for insights and machine learning that underpin the AI developments the EU seeks to foster (European Commission 2020).
Given these risks and developments, what is needed is an international agreement on how to balance national security and access to data with other key goals such as privacy. Such an outcome could be deemed an international agreement under GDPR article 45(2)(c) that would support an adequacy finding and, by extension, shore up access to SCCs and BCRs.
Author’s note: The author was an expert witness for Facebook in the latest proceedings before the Irish High Court.
European Commission (2020), “White Paper on Artificial Intelligence – A European Approach to excellence and trust”, COM(2020) 65 final.
1 Schrems and Facebook Ireland v Data Protection Commissioner (hereinafter “Schrems II”) (2020) CJEU Case C-311/18
2 Schrems v Data Protection Commissioner (hereinafter “Schrems I”) (2015) CJEU Case C-362/14
3 EU General Data Protection Regulation, 27 April 2016, L119/1 (hereinafter ‘GDPR’), art. 45(3)
4 SCCs are clauses included in contracts that bind entities in a third country to process personal data consistently with GDPR; BCRs are commitments that multinational groups make to treat personal data consistently with GDPR when transferring it overseas to other units within the group.
5 Charter of Fundamental Rights of the European Union, article 52(1); GDPR art. 23
6 Treaty on European Union, article 4(2) provides that “national security remains the sole responsibility of each EU Member State.”
7 Schrems II, paragraph 178
8 European Union Agency for Fundamental Rights (2015), “Surveillance by Intelligence Services: fundamental rights, safeguards and remedies in the EU”; Sidley Austin (2016), “Essentially Equivalent – A comparison of the legal orders for privacy and data protection in the European Union and the United States”, January 2016; Opinion of Geoffrey Robertson QC, 14 January 2016.
9 Schrems II, paragraph 176
10 Commission Decision of 16 December 2016 amending Decisions [2001/497] and [2010/87] on standard contractual clauses for the transfer of personal data to third countries and to processors established in such countries, under Directive [95/46] (OJ 2016 L 344