REJECTING THE TRANSATLANTIC OUTSOURCING OF DATA PROTECTION IN THE FACE OF UNRESTRAINED SURVEILLANCE

Abstract

On 16 July 2020, the Grand Chamber of the Court of Justice of the European Union (‘CJEU’), in a departure from the Advocate General’s (‘AG’) Opinion, invalidated the the key mechanism for EU-United States data transfers, Privacy Shield for not affording ‘essentially equivalent’ protection to that provided under the EU legal order for personal data transferred to the US. The Court upheld the validity of the SCC for international data transfers, ruling that the National Data Protection Authorities (‘DPAs’) must take action where these clauses do not provide ‘essentially equivalent’ protection to EU law. The Schrems II judgement will have significant implications for many areas of EU law and policy, transatlantic relations and global data governance more generally. It will impact the EU-US data transfers, data transfers to third countries beyond US, including the post-Brexit UK, because SCCs are relied on by 88 per cent of EU companies transferring data outside the EU. Following the Snowden revelations in 2013, the CJEU has developed a powerful body of jurisprudence which rejects the transatlantic outsourcing of data protection without adequate safeguards. Schrems II reasserted the fundamental role of data protection in the EU legal order and transatlantic relations, and emphasised the need for EU to suspend, limit, or even block data transfers to countries where fundamental rights are not protected. Full implications of Schrems II are yet to be seen but the effects will be felt for many years to come.