On February 23, 2016, the European American Chamber of Commerce (EACC) hosted an interesting EU-US Privacy Roundtable with Privacy Activist Max Schrems, founder of the group Europe v. Facebook.
The panel started by providing a brief overview of the developments in data privacy laws. It also explained the judicial path that led to the judgment of the European Court of Justice (ECJ) holding the Safe Harbor decision invalid. See C-362/14, Maximilian Schrems v. Data Protection Commissioner.
When asked about his lawsuit, Schrems answered that all he did was bring data protection issues to the table. He would like European laws to be abided by. However, Schrems clarified that with his intervention he is not proposing a solution to the complex situation brought about by Safe Harbor’s invalidation.
The panel agreed that there is currently no certain solution for safe international data transfers that comply with the CJEU decision in Schrems. It is true that WP29 suggested to businesses (see here) that “Standard Contractual Clauses and Binding Corporate Rules can still be used”. See here for more information on these alternatives. However, Schrems observed that binding corporate rules do not address the real concern of the decision (which is that the US government does not provide equivalent protection), as they are a solution adopted by business while there is no political decision yet.
In his intervention, Schrems also noted that, interestingly, the CJEU did not grant any grace period to comply with the decision. This is quite unusual and puts a burden on businesses.
Looking ahead, the panel expressed concern about the agreement recently reached by the EU and the U.S., the so-called “Privacy Shield”. It seems that the Privacy Shield might be a unilateral commitment by the EU, not binding the U.S. to any specific measure.
As for the GDPR, Schrems highlighted that some provisions should be considered positive for businesses. For example, a one-stop-shop will allow businesses to deal with one (as opposed to many) supervisory authority (Article 54(a) and following), saving time and money. In addition, the relevance of the new sanctions may start making a difference in how data privacy is implemented. Companies will probably change their service providers in search of more compliant entities. A brief overview of the key aspects of the General Data Protection Regulation is available here.
Schrems concluded his intervention on a positive note. Even though there is currently no legal certainty for controllers who transfer data from the EU to the U.S., businesses might turn this into an opportunity to step up their offer and provide services that are ever more compliant with individuals’ privacy protection.
For more information, Federica Romanelli