State Secretary, Federal Ministry of Justice and Consumer Protection, Germany,
Vice President & Head Of Office, CCIA Europe,
Head of team, UK Government Department for Digital, Culture, Media & Sport,
event and q&a
At this event, we tackled the challenge of international transfers of personal data from the EU to two countries: the USA and the UK.
These transfers are essential to many economic activities in the EU, USA and UK. An adequacy decision enables the unrestricted flow of personal data to a non-EU country. Furthermore, data streams and sharing in the digital Single Market is important for digital and data sovereignty and competitiveness in Europe as a whole.
With the Schrems II decision, the Court of Justice of the EU (CJEU) invalidated the adequacy decision for Privacy Shield as regards transfers of personal data to the USA, and also made clear that no change to the the current mechanisms (including Standard Contractual Clauses, or SCCs) is sufficient in itself to fix the problem. The USA was felt to conduct excessive and disproportionate surveillance for national security purposes, and to provide EU persons with inadequate means of redress for improper government surveillance. But it is impractical to even begin to attempt to negotiate a better successor to Privacy Shield with the US government until the elections in the USA have been resolved.
Under those circumstances, what are EU firms that need to transfer personal data to the USA supposed to do? What workarounds are possible in the absence of an adequacy decision?
Closer to home, the UK urgently desires an adequacy decision, but faces multiple hurdles. Firstly, there seems to be no commitment on the part of the UK to maintain protection of personal data at a level at least as good as that of the GDPR going forward. Secondly, the UK's surveillance for national security purposes appears to be no less intrusive than that of the USA, suggesting that an adequacy decision would be unlikely to survive judicial review unless additional safeguards were first agreed between the EU and the UK.
So the question rises again: What are EU firms that need to transfer personal data to the UK supposed to do while this sorts itself out? What are the implications?
Meanwhile, there is a clear opportunity within the EU to promote greater use of data, including non-personal data, and especially including non-personal public sector data and industrial data. What more can be done to facilitate the use of data within the EU as a means of strengthening the EU digital economy?