Statement by Max Schrems a year after the "Schrems II" decision by the Court of Justice of the European Union
A year ago the so-called "Schrems II" decison was referred to as ground breaking, despite it being the second time that the CJEU has declared EU-US data transfers unlawful - based on EU law that has effectively existed since 1995. Over the last year, it seems that the relevant stakeholders have mainly engaged in deflection and finger pointing, each passing on responsiblity to the next.
Only a fraction of European businesses have realised that the underlying conflict between EU data protection and US survillance law will not be solved in the short-term, and have moved towards hosting personal data in Europe, or other safe regions, instead of engaging in an endless compliance nightmare over US law. Other European companies regularly complain about a lack of "guidance" despite two clear judgments. When guidance is given, such as the recent EDPB guidelines, many argue that it is "unrealistic" to follow the requirements of the law.
A hoard of industry lawyers and US cloud providers tried to fill this gap with "keep calm and carry on" pseuo-guidance and developed inreasingly crude legal theories over the past year. These span from the existence of a "risk based approach" (which is not present in the relevant part of the GDPR) to the suggestion of non-functional "supplementary measures" (like having fences around data centers). Instead of investing in secure IT systems, these private sector stakeholders invest in PR efforts that fake compliance. It will be interesting to see whether EU businesses and customers will demand compensation if these promises turn out to be nothing but thin air.
Data Protection Authorities have largely engaged in a wait-and-see approach. With few exceptions, there were no investigations or decisions by DPAs so far. Of the 101 model complaints noyb filed following the judgment, none have been decided, despite the creation of a task force by DPAs. The original complaint on Facebook, filed in 2013, was delayed by an unnecessary second investigation by the Irish Data Protection Commission, which required noyb to issue another lawsuit against the DPC, which it settled in January 2021. We are right now expecting decisions soon.
The European Commission is muddying the waters by issuing new transfer tools, like "Standard Contractual Clauses", that carefully bypass a clear say on EU-US transfers and allow industry lawyers to keep spinning new compliance theories and avoid long-term solutions. At the same time, the Commission does not seem to believe in a timely solution with the US.
Contrary to its European counterpart, the US Government is happy to regularly announce alleged "progress" in negotiations for a new deal. However, there seems to be little to no appetite to change the root of the problem: overreaching US surveillance laws. Unless the US industry heavily lobbies Washington to improve protections for foreign customers, it is unlikely that US surveillance laws will change. In conversations I had, US industry was rather clear: without the threat of serious enforcement in the EU or a mass exodus of EU customers, the US industry will not spend its political capital in Washington on fighting for privacy protections for foreigners.
The situation undeniably amounts to a circle of players that largely stand still. On the bright side, if any one of these players starts moving, it may quickly provoke a domino effect towards a long-term solution.
In my personal view a long-term solution can only be some form of "no spy" agreement among democratic nations that protects users' human right to privacy independent of location and citizenship. We may not get there within a matter of months, but potentially within a decade, as a global internet needs global protections to function as users and companies wish for it to.
The noyb team and many others will continue to work on such a long-term solution.
Max Schrems
