Unspoken truths about Schrems II

One of the most remarkable things about the Schrems II decision has been the truly deafening amount of noise it has generated. Some have boldly claimed that transfers of data from the EU to the US are now illegal. This has led to further claims that the only solution is for the US radically to change its legal framework or that all European personal data should just be kept in Europe. Others have responded that such an approach only reveals the hypocrisy of ignoring the extent of government access to data in Europe. Many more have said that since this is a political problem, it is unfeasible for any organisation involved in data transfers to come up with a solution and therefore, it is outside their control. Meantime, vociferous legal complaints have contributed to a climate of anxiety that threatens to cripple data globalisation as we know it.

It is important therefore to uncover some truths about the Court of Justice of the European Union’s (CJEU) decision which seem lost amid all this noise. First of all, this decision has exposed once again the natural and constant tension between the protection of privacy and the need for the state to access personal data to perform its functions. Law enforcement, taxation, public health and national security are all dependent on the access to and use of personal data. In Europe and many other parts of the world, it is paramount that any such data activities by the state do not breach democratic principles and individuals’ rights. Every instance of government access to data creates a risk, so what the CJEU is saying is that when European data becomes available to foreign states, we must remain vigilant about this risk and take steps to ensure that the democratic balance is not lost. This is not radical political grandstanding, but a court doing its job.

At a more mundane, data protection-specific level, the CJEU also reminds us that the limitations on international data transfers are simply intended to ensure the continuity of the level of protection established by the European framework. This raises the issue of whether those limitations are even relevant given the powerful extraterritorial reach of the GDPR. In other words, the applicability of the GDPR far beyond the boundaries of the EU means that, at least in principle, the level of protection provided by this framework will be extended to data processing activities taking place in other jurisdictions. However, in judging what an ‘adequate level of protection’ means, the CJEU goes much further and essentially gives extraterritorial application to the Charter of Fundamental Rights of the European Union. This sets a very high bar for other jurisdictions to reach.   

Understandably, some have seen this as an impossible task for them to undertake. How can anyone make an assessment of the world’s public authorities’ powers and take a view on their level of interference with the rights to privacy and data protection? Is it even possible to identify the additional safeguards that could compensate for an excessive degree of interference? More specifically, how can two parties to a data transfer agreement possibly question a government’s binding request for access to data? These are difficult questions that the CJEU has thrown to those involved in global data flows, but their answers may not be as problematic as we think. Disproportionate access to data by governments is not just a European concern. It is a universal challenge and the measures to tackle this challenge are also universal. Contractual provisions that restrict the way in which access to personal data may be granted and measures that render personal data transferred inaccessible in practice or that apply when disclosing that data to third parties are commonly used throughout the world.

So next time you hear that Schrems II is too radical, and too difficult to implement or comply with, think about what is possible. What can you possibly do to make something that sounds disproportionate, proportionate? What steps would you take to challenge someone who may be overstepping their powers? The CJEU is not looking for heroic actions. The same is true of the European data protection authorities. They are looking for a balanced approach to doing business globally that is mindful of democratic principles, questions possible abuses of power and respects the right to data protection. 

This article was first published in Data Protection Leader in September 2020.


Authored by Eduardo Ustaran.

Eduardo Ustaran


This website is operated by Hogan Lovells Solutions Limited, whose registered office is at 21 Holborn Viaduct, London, United Kingdom, EC1A 2DY. Hogan Lovells Solutions Limited is a wholly-owned subsidiary of Hogan Lovells International LLP but is not itself a law firm. For further details of Hogan Lovells Solutions Limited and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2020 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.