The European Parliament adopted by 541 votes to 1, with 151 abstentions, a resolution on the ruling of the CJEU of 16 July 2020 - Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (‘Schrems II’), Case C-311/18.

As a reminder, since 2016, the EU-U.S. Privacy Shield has facilitated EU-US data transfers by establishing data privacy safeguards and protections for EU data subjects.

The Court of Justice of the European Union (CJEU), in the Schrems II judgment of 16 July 2020, invalidated the EU-U.S. Privacy Shield , finding that U.S. surveillance laws do not afford EU data subjects adequate levels of protection under the European Union’s Charter of Fundamental Rights and General Data Protection Regulation (GDPR).

In the same judgment, the Court confirmed the validity of Decision 2010/87/EU on standard contractual clauses (SCCs), which are the most widely used mechanism for international data transfers.

As a result, the Court invalidated Commission Decision (EU) 2016/1250 on the adequacy of the protection offered by the EU-US Privacy Shield.

Consequences of the Court's ruling

Parliament took note of the fact that the Court found that standard contractual clauses (SCCs) are an effective mechanism to ensure that the level of protection provided in the EU is respected but required that a controller/processor established in the European Union and the recipient of personal data are required to verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned. The resolution emphasised that many companies, especially SMEs, do not possess the necessary knowledge or capacity to conduct such verification, which can lead to result business disruptions.

Parliament considered that the CJEU ruling also has implications for adequacy decisions concerning other third countries, including the United Kingdom. It reaffirmed the need for legal clarity and certainty, as the ability to safely transfer personal data across borders has become increasingly important for individuals for their personal data protection and rights. It underlined, however, that until revoked, replaced or declared invalid by the CJEU, existing adequacy decisions remain in force.

Members expressed disappointment that the Irish Data Protection Commissioner (DPC) brought proceedings against Maximilian Schrems and Facebook at the Irish High Court, rather than taking a decision within its powers pursuant to Article 4 of Decision 2010/87/EU and Article 58 of the General Data Protection Rights (GDPR). Parliament recalled, however, that the DPC made use of the legal avenue that allows data protection authorities (DPAs) to bring concerns about the validity of a Commission implementing decision to the attention of a national judge in view of triggering a reference for preliminary ruling to the CJEU.

Parliament expressed concern that the Irish Data Protection Commissioner has not yet ruled on a number of complaints about breaches of the GDPR lodged on 25 May 2018, when the GDPR came into force, nor on other complaints from consumer groups and others, despite being the primary competent authority for these cases.

Standard contractual clauses

Parliament took note of the Commission's draft implementing decision and the draft standard contractual clauses. It welcomed the fact that the Commission is currently consulting stakeholders in a public consultation on the draft. It considered that the Commission's proposal for model standard contractual clauses should take due account of all relevant recommendations of the European Data Protection Committee

Privacy shield

The resolution notes that the European Court of Justice has found that the EU-US data protection shield does not provide sufficient safeguards, in particular because of the bulk access by the US authorities to the personal data transferred, which fails to comply with the principles of necessity and proportionality, as well as the lack of rights for EU individuals whose data are processed to challenge the US authorities before the US courts.

Parliament expects the current US administration to be more diligent in meeting its obligations under any future transfer mechanisms than previous administrations.

Members regretted that, despite Parliament's numerous calls, the Commission has not acted to ensure that the data privacy shield fully complies with the GDPR and the Charter. They also regretted that the Commission had ignored Parliament's request to suspend the data protection shield until the US authorities comply with the framework, thereby putting put the relations with the US before the interests of EU citizens, and that the Commission thereby left the task of defending EU law to individual citizens.

Mass surveillance and the legal framework

Parliament encouraged the Commission to proactively monitor the use of mass surveillance technologies in the United States as well as in other third countries that are or could be the subject of an adequacy finding, such as the United Kingdom. The Commission is urged not to adopt adequacy decisions concerning countries where mass surveillance laws and programmes do not meet the criteria of the CJEU, either in letter or spirit.

Parliament deemed it necessary, in view of the marked gaps in the protection of data of European citizens transferred to the United States, to support investment in European data storage tools (e.g. cloud service) to reduce the dependence of the Union in storage capacities vis-à-vis third countries and to strengthen the Union’s strategic autonomy in terms of data management and protection.

Adequacy decisions

Lastly, Parliament called on the Commission to take all the measures necessary to ensure that any new adequacy decision with regard to the US fully complies with Regulation (EU) 2016/679, with the Charter, and every aspect of the CJEU judgements. It called on the Commission to use its contacts with its US counterparts to convey the message that, if there is no modification of US surveillance laws and practices, the only feasible option to facilitate a future adequacy decision would be the conclusion of no-spying agreements with the Member States. The Commission should seriously consider the European Parliament’s position on any new adequacy decision in relation to the US.