Can US technology companies continue to operate in the European Union? A reflection on the Irish Data Protection Commission's preliminary decision

By: Guillermo Ferrer Hernáez, Junior Research Associate, PILPG-NL

In its mission to protect the rights of its citizens, the European Union (EU) adopted a far-reaching piece of data legislation, the General Data Protection Regulation (GDPR), which sets new standards for protecting the data of EU citizens. This piece of legislation, claimed to be the most robust privacy policy globally, allows EU citizens and individuals living in the EU and the European Economic Area territory to limit the collection of their personal information and control which information is shared with companies. GDPR guidelines require that the state receiving the data offers the same level of protection as the state from which the data is collected. Since the GDPR’s adoption, the Court of Justice of the European Union (CJEU) has ruled on the incompatibility of certain business practices regarding data transfers, including transfers between the US and the EU and the use of Standard Contractual Clauses.  

The battle to protect European citizens' rights during data transfers will lead to further significant developments, with the EU as the leading actor, in the upcoming months. This blog will discuss the consequences of the current GDPR and the Irish Data Protection Commission’s (IDPC) preliminary decision for the future of technology companies in the EU.

The Schrems II case

In July 2020, the CJEU issued its judgment in the Schrems II case, through which it invalidated the existing data transfer arrangement between the US and EU, known as the Privacy Shield, on the grounds that the EU could not ascertain that the data of EU citizens would be safe from US government surveillance once this data is transferred to US data collection centers. Under US laws, personal data protection may be subjected to controls to the extent necessary to meet national security, public interest, or law enforcement requirements. The CJEU found that US mass surveillance infringes several rights recognized under the Charter of Fundamental Rights of the European Union (CFR), such as the protection of personal data identified under Article 8. Therefore, the CJEU, in July 2020, concluded that the Privacy Shield agreement could not be used for the transfer of data. 

The use of Standard Contractual Clauses

Since the CJEU's verdict, several US technology companies have relied on a different legal mechanism, known as "Standard Contractual Clauses" (SCCs), to transfer EU users' data to the US. These mechanisms are pre-approved terms and conditions for extraterritorial data transfers published by the EU Commission and include several guidelines provided in the GDPR. Even if SCCs are considered to be compliant with the GDPR, technology companies are now required to verify on a case-by-case basis whether the personal data transferred through the use of these SCCs will be adequately protected in the destination state. According to the CJEU’s verdict, these companies now have the obligation of ensuring that the data protection law of the destination state offers a similar level of protection as established within the GDPR. The need for this additional control emerged after the CJEU found that supervisory authorities of third states are not bound by these contractual clauses. This requirement has primarily limited the action of technology companies; moreover, a future decision by the IDPC could restrict their activities even further, or even put an end to them.

IDPC's preliminary decision

A month after the Schrems II judgment, the IDPC, the EU's leading regulator of technology companies, preliminarily concluded that Meta Platforms Ireland's use of SCCs violates the GDPR's provisions and proposed that these transfers of user data be suspended. According to the IDPC, the US does not grant any rights to EU data subjects before the courts against US authorities, directly violating the right to an effective remedy under Article 47 of the CFR.

The IDPC gave Meta until March 22, 2022, to respond to its preliminary decision and will issue its final decision in the first half of 2022. If the IDPC ultimately decides that the use of SCCs does not comply with the GDPR, this would eliminate any transfer of data between EU and US companies, leaving technology companies no other option than to withdraw their services from the EU. In light of this possibility, the EU Commission and the US Government started negotiations to replace the former Privacy Shield agreement in line with the CJEU's verdict.

The future of the technology companies in the EU

The European Union's institutions plan to adopt several pieces of legislation in the upcoming year, such as the Digital Markets Act, to limit the power of technology companies and protect the fundamental rights of EU citizens. On March 25, 2022, the EU Commission President announced the EU's “agreement in principle” on a data transfer deal with the US. While this “agreement in principle” is, in fact, a preliminary agreement, all indications are that the final deal will align with the new legislation. Furthermore, the EU has already noted that the final agreement will be in line with the CJEU case law on data transfers, requiring any third state to provide a minimum level of data protection. The fact that the IDPC may override the use of SCCs has also contributed to the content of this future agreement, including the possibility for European citizens to go to US courts if US companies violate their privacy rights under EU law. A new movement toward stricter regulation on privacy issues seems to be underway, leaving a narrower space for technology companies to operate without any limits.