
30 May 2022 · Article

New agreement in principle or Schrems III to wait?

Since judgment C-311/18 – popularly known as Schrems II – the risks of third-country transfers of personal data have been high on the agenda. Work is currently underway on a new agreement in principle to enable transatlantic transactions linked to data.

The risks of third-country transfers have become something of an elephant in the room when it comes to GDPR compliance. When the European Court of Justice, in the famous judgment C-311/18 (Schrems II), rejected the Privacy Shield agreement regarding transfers of personal data from the EU to the US, conducting business became more difficult overnight.

Difficult to guarantee protection of sensitive personal data at present

The lack of legal certainty regarding how US intelligence collected EU citizens’ personal data in bulk, without so much as a court order on reasonable suspicion, can be compared to bottom trawling. It wasn’t just the ugly fish that were caught; honest people’s digital traces also got caught in the net.

Following the vacuum caused by Schrems II, the European Data Protection Board (EDPB) has issued recommendations (1/2020) for companies wishing to take measures to ensure compliance in third-country transfers. It is a 48-page document that describes a rigorous six-step process which, to say the least, places high demands on due diligence and resources, including for investigating legal conditions in third countries. This appears to be an almost undue burden for companies, especially in the SME segment.

Since US companies are market leaders in cloud services, information retrieval services and communication services, this naturally has enormous consequences. In 2022, for example, the City of Stockholm refrained from introducing Microsoft 365 because an investigation assessed that US intelligence legislation means that cloud service providers cannot provide sufficient guarantees for the protection of sensitive personal data. In addition, the popular analysis tool Google Analytics has been banned in several EU Member States, including Austria. A Swedish decision is likely to come shortly.

Work underway on new agreement in principle

Running a business without Microsoft’s, Google’s or Amazon’s services seems almost impossible in today’s global and digitized business climate. Hope has therefore been rekindled considerably since the European Commission and the US recently announced that an agreement in principle has been reached on a new framework for the protection of personal data transferred from the EU to the US.

It is clear that, at least according to the parties, the agreement should limit the scope of the intelligence activities on the basis of the principle of proportionality, and that the intelligence activities should be subject to, and capable of being rejected by, judicial review with binding authority. However, the content of the agreement has not been made public, and the European Commission has flagged that negotiations will continue. At present, work on translating the agreement in principle into a de facto binding agreement between the parties is in full swing.

Thus, if the parties want to avoid a disappointing Schrems III ruling, substantial sacrifices will have to be made on the American side regarding the scope of its intelligence activities. Both the EU and the US have several reasons for securing this agreement, namely about 9 500 billion reasons, since that is how many SEK transatlantic commerce turns over annually.