EU-US Data Flows & GDPR: European Parliament Increases Pressure

EU Lawmakers Increase Pressure on Data Protection Enforcement
Legislators within the European Union are intensifying their demands for action regarding the inconsistent application of the bloc’s primary data protection regulation. This follows a recent vote in the European Parliament supporting a request for the European Commission to initiate infringement proceedings against Ireland’s Data Protection Commission (DPC) due to perceived failures in “properly enforcing” the regulation.
Requests for comment have been directed to both the Commission and the DPC regarding the parliament’s call for action.
GDPR Enforcement Review Highlights Inconsistencies
A two-year review of the General Data Protection Regulation (GDPR), conducted by the Commission last summer, revealed a lack of consistent and robust enforcement across member states. However, commissioners emphasized the regulation’s positive aspects, recognizing it as a “global reference point”.
Despite this positive assessment, nearly three years have passed since the regulation’s implementation, and criticism regarding weak enforcement is becoming increasingly difficult for the EU’s executive branch to disregard.
Focus on the Irish DPC
The parliament’s resolution, while not legally binding, delivers a strong political message to the Commission. It specifically criticizes the DPC, given its significant role in enforcing the GDPR. The DPC serves as the lead supervisory authority for complaints against numerous large technology companies that have established their regional headquarters in Ireland, attracted by its favorable corporate tax environment.
The resolution expresses “deep concern” over the DPC’s prolonged delays in reaching decisions on complaints filed on May 25, 2018 – the day the GDPR came into effect – including those against prominent companies like Facebook and Google.
Interpretation of GDPR Timelines
The Irish data watchdog is also criticized for interpreting the “without delay” provision in Article 60(3) of the GDPR as extending beyond a reasonable timeframe of months, a deviation from the legislators’ original intent.
To date, the DPC has issued a final decision in only one cross-border GDPR case, involving Twitter.
Concerns Regarding Resources and Past Complaints
The parliament also voiced concerns about the limited number of technical specialists employed by the DPC and the use of outdated systems – issues previously highlighted by Brave last year. Furthermore, criticism was directed at the watchdog’s handling of a complaint initially submitted by privacy advocate Max Schrems prior to the GDPR’s implementation, concerning the conflict between EU privacy rights and U.S. surveillance laws, which remains unresolved.
Schrems II Judgement and Data Transfers
The DPC’s handling of Schrems’ 2013 complaint led to a 2018 referral to the Court of Justice of the European Union (CJEU). This ultimately resulted in the landmark Schrems II judgement last summer, which invalidated the EU-U.S. data transfer arrangement known as Privacy Shield.
While the ruling did not prohibit alternative data transfer mechanisms, it clarified that EU DPAs are obligated to suspend data transfers if European citizens’ information is transferred to a third country lacking equivalent data protection standards to those within the EU, thereby returning the focus to the Schrems complaint.
Recent Developments in the Facebook Case
The Irish regulator subsequently issued a preliminary order to Facebook, requesting a suspension of its data transfers. Facebook responded by seeking a judicial review of the DPC’s procedures. However, the Irish High Court dismissed Facebook’s petition last week. The stay on the DPC’s investigation was lifted yesterday, allowing the process of reaching a decision on the Facebook data flows complaint to resume.
A final decision may still take several months, as the DPC’s draft decision will require review and potential objection from other EU DPAs.
Update on DPC Action
Update: The DPC announced today that it has formally written to Facebook following the lifting of the stay, requesting the company to submit its responses to the preliminary order within six weeks.
Broader Concerns About Enforcement
The parliament’s resolution expresses worry that supervisory authorities have not proactively taken steps under Articles 61 and 66 of the GDPR to compel the DPC to fulfill its obligations under the regulation. Regarding international data transfers, the resolution states that:
The complex, multi-year case involving Schrems’ Facebook data-flows complaint, and the procedural maneuvers employed by the DPC and Facebook’s legal team, illustrates the intricate legal, political, and commercial challenges associated with data flows originating from the EU – particularly in light of Snowden’s 2013 revelations regarding U.S. mass surveillance programs. It also highlights the significant difficulty for EU data subjects to effectively exercise their rights.
However, these intersecting issues surrounding international data flows appear to be reaching a critical point following the Schrems II CJEU ruling.
Potential for Data Suspension Orders
The clock is now ticking for EU data protection agencies to issue significant data suspension orders, with Facebook’s operations potentially being the first to be affected.
Other U.S.-based services subject to the U.S.’ FISA regime, which also transfer EU user data for processing and lack “zero access” encryption, are equally at risk of receiving orders to halt EU-U.S. data transfers or relocate data processing within the EU.
UK Adequacy Agreement Under Scrutiny
U.S.-based services are not the only entities facing increased legal uncertainty. The U.K., post-Brexit, is also considered a third country under EU law. In a separate resolution, the parliament adopted a text concerning the U.K. adequacy agreement granted earlier this year by the Commission, raising objections to the arrangement, including concerns about a lack of GDPR enforcement within the U.K.
The parliament highlighted the failure of the Information Commissioner’s Office (ICO) to issue decisions on adtech complaints, suggesting that “non-enforcement is a structural problem” in the U.K., leaving “a large number of data protection law breaches… [un]remedied”.
Concerns About UK Surveillance Regime
The parliament also questioned the compatibility of the U.K.’s surveillance regime with the CJEU’s requirements for essential equivalence, and raised concerns about the potential for the U.K. to undermine EU citizens’ data protections through onward transfers to jurisdictions without EU adequacy agreements.
The Commission has set a four-year lifespan for the U.K.’s adequacy deal, necessitating a major review before any continuation of the arrangement in 2025.
A Shift in Approach to Data Transfer Agreements
This contrasts sharply with the 15-year duration of the EU-U.S. “Safe Harbor” agreement, which was ultimately struck down by the CJEU in 2015 following a challenge from Schrems. The key takeaway is that data deals permitting the transfer of personal information outside of Europe will not be allowed to remain unchallenged for extended periods; close scrutiny and legal accountability are now paramount.
The Interplay of Legal Regimes and Data Flows
The global nature of the internet and the ease of digital data transfer offer significant benefits to businesses. However, the resulting interaction between different legal frameworks is creating increasing legal uncertainty for companies seeking to transfer data across borders.
In the EU, data protection is regulated within the bloc, and these laws require that protection travels with personal information, regardless of its location. Therefore, if data is transferred to countries lacking equivalent safeguards – such as the U.S., China, India, or even the U.K. – there is a legal risk that such transfers cannot lawfully occur.
Resolving the Clash Between Privacy and Security
Finding a resolution to the conflict between data protection laws prioritizing individual privacy rights and data access mandates driven by national security concerns presents a complex challenge.
For the U.S. and transatlantic data flows, the Commission has cautioned that a quick fix is unlikely, unlike the previous attempt to address the invalidated Safe Harbor with the “Privacy Shield” regime, which was subsequently invalidated by the CJEU for similar reasons. The parliament’s resolution is particularly critical of the Commission’s past missteps.
Need for U.S. Surveillance Law Reform
A lasting solution requires substantial reform of U.S. surveillance laws. The Commission appears to have accepted that this will not happen quickly and is preparing businesses for potential disruptions.
DPAs Expected to Intervene
The parliament’s resolution on Schrems II also emphasizes the expectation that DPAs will intervene to halt risky data flows, with MEPs stating that “if no arrangement with the U.S. is swiftly found which guarantees an essentially equivalent and therefore adequate level of protection to that provided by the GDPR and the Charter, that these transfers will be suspended until the situation is resolved”.
Therefore, if DPAs fail to act, and Ireland continues to delay resolving the Schrems complaint, further resolutions criticizing them from the parliament are anticipated.
Requirements for Future Data Transfer Agreements
MEPs stress that any future EU-U.S. data transfer agreement must address the issues identified by the Court ruling in a sustainable manner, noting that “no contract between companies can provide protection from indiscriminate access by intelligence authorities to the content of electronic communications, nor can any contract between companies provide sufficient legal remedies against mass surveillance”.
“This requires a reform of US surveillance laws and practices with a view to ensuring that access of US security authorities to data transferred from the EU is limited to what is necessary and proportionate, and that European data subjects have access to effective judicial redress before US courts,” the parliament adds.
Legal Pathways for Data Transfers Remain
Despite these challenges, businesses may still be able to legally transfer EU personal data outside the bloc, potentially even to the U.S., depending on the nature of the business, the data itself, and the implementation of additional safeguards.
Implications for Data-Driven Companies
However, for data-mining companies like Facebook, which are subject to FISA and rely on accessing people’s data, achieving essential equivalence with EU privacy protections appears fundamentally impossible.
While the parliament has not explicitly called for a halt to Facebook’s EU data flows in the resolution, this is the clear implication of urging infringement proceedings against the DPC and criticizing the “absence of meaningful decisions and corrective measures” in the area of international transfers.
Support for Standard Contractual Clauses and Supplementary Measures
The parliament also calls for “solid mechanisms compliant with the CJEU judgement” to be established, providing businesses with a legal pathway to transfer data out of the EU. It suggests that the Commission’s proposal for a template for Standard Contractual Clauses (SCCs) should “duly take into account all the relevant recommendations of the EDPB”.
It also supports the creation of a toolbox of supplementary measures for businesses, including security and data protection certification, encryption safeguards, and pseudonymization, provided these measures are accepted by regulators.
Furthermore, it advocates for publicly available resources on the legislation of the EU’s main trading partners to guide businesses in complying with data transfer regulations.
Preparing for Disruption and Compliance
The overarching message is that businesses should prepare for disruptions to cross-border data flows and prioritize compliance efforts.
Digital Sovereignty and Alternative Cloud Providers
In another part of the resolution, the parliament urges the Commission to “analyse the situation of cloud providers falling under section 702 of the FISA who transfers data using SCCs”. It suggests that support for European alternatives to U.S. cloud providers may be necessary to address “gaps in the protection of data of European citizens transferred to the United States” and, more broadly, to “reduce the dependence of the Union in storage capacities vis-à-vis third countries and to strengthen the Union’s strategic autonomy in terms of data management and protection”.