International data transfers, on a tightrope. The EU must stand firm


On November 11, the European Data Protection Board (EDPB) published some “Recommendations” – in two parts – in response to the Schrems II ruling of July 16, 2020. This extremely important decision from the Court of Justice of the European Union invalidates the current international data transfers framework in the European Union and United States, considering that the rights of EU citizens are unprotected. 

The two Recommendations are open for public consultation until November 30.

The EDPB texts make interesting reading, and imply a new shock to the international data transfer system. Not only do they confirm the decision, but they ratify it even more. What the Board proposes is that the only way to allow the export of data is to encode or encrypt it so that it cannot be read by anyone in the receiving country, not even by the intended recipient. 

That is to say, something very difficult or impossible to accept for companies that trade internationally in data. This contrasts with the enormous pressure exerted by some European and US companies, in addition to data processors and controllers. 

For example, the Centre for Information Policy Leadership (CIPL), a think tank of 85 multinationals in the EU, United States and other regions, published in September the White Paper “A Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision” recommending that future EDPB guidelines contain a set of measures that can be applied based on context and risk, and not prescribing strict technical or procedural requirements. The opposite of what the EDPB has done. 

The US administration also published a White Paper in September 2020, “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II”, adopting a practical approach, minimizing the risk of access to national security data which, according to this agency, had highly concerned the European Court in the Schrems II decision. It cynically claimed that the “vast majority” of companies have never received orders to disclose data under FISA 702 legislation, which allows the National Security Agency to unilaterally collect such data from companies for United States intelligence agencies. And that this door for US intelligence authorities was also open to their European counterparts. In practice, the White Paper said, “For many companies, data access problems are unlikely to arise because the data – usually ordinary business information, records on employees, customers or sales – are not of interest to United States intelligence”.

Beyond a legal analysis of the decision and on its application in an area as crucial as security and cyber-espionage, it is key to emphasise how it points to a fundamental question in our societies: the control of data. As our founding manifesto says, only by controlling technology and data can a territory own its future. If you lose the reins over data, you lose your sovereignty; political, economic, and of the citizenry. 

That is why, pending EU institutions ultimately deciding how to implement the ruling, we at the EADT will continue to stress the importance of Europe not allowing its citizens’ rights to be unprotected when it comes to data. Unfortunately, that is what is happening and will continue to happen until the sentence becomes effective once and for all.