It is important therefore to uncover some truths about the Court of Justice of the European Union’s (CJEU) decision which seem lost amid all this noise. First of all, this decision has exposed once again the natural and constant tension between the protection of privacy and the need for the state to access personal data to perform its functions. Law enforcement, taxation, public health and national security are all dependent on the access to and use of personal data. In Europe and many other parts of the world, it is paramount that any such data activities by the state do not breach democratic principles and individuals’ rights. Every instance of government access to data creates a risk, so what the CJEU is saying is that when European data becomes available to foreign states, we must remain vigilant about this risk and take steps to ensure that the democratic balance is not lost. This is not radical political grandstanding, but a court doing its job.
At a more mundane, data protection-specific level, the CJEU also reminds us that the limitations on international data transfers are simply intended to ensure the continuity of the level of protection established by the European framework. This raises the issue of whether those limitations are even relevant given the powerful extraterritorial reach of the GDPR. In other words, the applicability of the GDPR far beyond the boundaries of the EU means that, at least in principle, the level of protection provided by this framework will be extended to data processing activities taking place in other jurisdictions. However, in judging what an ‘adequate level of protection’ means, the CJEU goes much further and essentially gives extraterritorial application to the Charter of Fundamental Rights of the European Union. This sets a very high bar for other jurisdictions to reach.
Understandably, some have seen this as an impossible task for them to undertake. How can anyone make an assessment of the world’s public authorities’ powers and take a view on their level of interference with the rights to privacy and data protection? Is it even possible to identify the additional safeguards that could compensate for an excessive degree of interference? More specifically, how can two parties to a data transfer agreement possibly question a government’s binding request for access to data? These are difficult questions that the CJEU has thrown to those involved in global data flows, but their answers may not be as problematic as we think. Disproportionate access to data by governments is not just a European concern. It is a universal challenge and the measures to tackle this challenge are also universal. Contractual provisions that restrict the way in which access to personal data may be granted and measures that render personal data transferred inaccessible in practice or that apply when disclosing that data to third parties are commonly used throughout the world.
So next time you hear that Schrems II is too radical, and too difficult to implement or comply with, think about what is possible. What can you possibly do to make something that sounds disproportionate, proportionate? What steps would you take to challenge someone who may be overstepping their powers? The CJEU is not looking for heroic actions. The same is true of the European data protection authorities. They are looking for a balanced approach to doing business globally that is mindful of democratic principles, questions possible abuses of power and respects the right to data protection.
This article was first published in Data Protection Leader in September 2020.
Authored by Eduardo Ustaran.