Certainty for EU cross-border data flows hinted at in Schrems II case may be short-lived

Those breathing a sigh of relief at the Advocate General’s opinion yesterday in the Schrems II case should hold their breath. Uncertainty clouds the horizon for the Privacy Shield and global data flows.

The Advocate General (AG) to the European Court of Justice delivered his opinion yesterday in a case known as Schrems II. After widespread speculation that the AG would recommend the court invalidate standard contractual clauses (SCC), he surprised us – in many ways.

At first glance, his words gave solace to companies that rely on cross-border data flows (CBDFs) and the consumers that benefit from them: he said his analysis revealed nothing that would “affect the validity of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries.” But a closer reading of his 95-page opinion will create widespread uncertainty while we await the court’s verdict next year.

What’s at stake:

  1. Uncertainty regarding SCC will continue. While the decision establishing SCC is likely to be valid, it is up to companies using the SCC to determine whether they provide an adequate level of protection on a case-by-case basis. This leaves companies to determine extremely difficult questions about the compatibility of EU human rights and US surveillance law. Data protection authorities ultimately have a duty to step in and determine the issue if complaints are made.
  2. Privacy Shield may yet fall. The AG declined to recommend a decision to the court regarding the Privacy Shield, as it had not been asked to. However, in an exhaustive analysis, he cast serious doubt on whether the Privacy Shield would pass the test of providing ‘essentially equivalent’ protection to EU citizens when taking into account US surveillance law and practice. While the current case may not decide the fate of the Privacy Shield, all eyes will be on the Quadrature du Net case (in the General Court of the CJEU) which was put on hold pending the outcome of this case.
  3. Essential equivalence test for SCC will be hard for companies to meet. The AG confirmed that ‘essential equivalence’ is also the test for SCC. Given the AG’s view on essential equivalence in relation to the Privacy Shield, this casts doubt on companies’ ability to argue the SCC they use provide an equivalent level of protection.
  4. Doubt about US data flows could disrupt global flows. If there are doubts over US surveillance law and practice, the same doubts should spread to a large number of countries. Given that SCC are widely used for transfers of EU data to most countries, this still leaves the future of these contracts in the balance. The same concerns could even apply to accountability mechanisms such as binding corporate rules or certifications under GDPR, and may inspire reciprocal decisions in non-EU countries.

Why it matters:

The mobile industry enables innovations such as 5G, IoT, connected cars, industrial automation and big data analytics for the benefit of ordinary people. Over the next five years, for example, global IoT connections are forecasted to more than double to 25 billion from 11 billion today. And the productivity boost of IoT could be $340 billion a year, according to GSMA Intelligence.

But the industry can only deliver these benefits effectively in an open world where data can flow across borders and privacy can be assured. Ensuring human rights and privacy standards are respected is essential for trust, and scrutiny by data protection authorities and the courts is a necessity. The AG opinion yesterday validates one of the methods for data flows, but it also hints at further challenges down the line. Data protection authorities urgently need to come up with a clear framework that provides legal certainty and a range of mechanisms that mobile operators can rely on.