On January 28, 2016, the Centre for Information Policy Leadership (“CIPL”) held a special roundtable at Hunton & Williams’ Brussels office to examine the “essential equivalence” requirement for protection of data transfers to non-EU countries set by the Court of Justice of the European Union’s (“CJEU’s”) Schrems decision. The roundtable brought together leading lawyers, corporate privacy officers, legal experts, regulators and policymakers to discuss the critical issues and impact of the new “essential equivalence” requirement for global data transfers set by the CJEU, and its relevance to the current EU-U.S. negotiations of a new Safe Harbor agreement.
The roundtable discussion touched upon the following topics:
- How should we interpret the CJEU’s clarification of adequacy, and what standards exist to protect EU citizens’ data against access by EU government surveillance and intelligence agencies?
- What are the respective roles and the jurisdiction of the CJEU and the European Court of Human Rights, and how does the separation of competence between the EU and its Member States affect the protection of privacy in Europe?
- How should we interpret the Schrems decision in light of the court’s role within the EU legal order, its relationship with the European Court of Human Rights, and EU Member States exclusive competence in matters of national security and intelligence?
- What is the impact of the key criteria set forth in the Schrems decision on European and international businesses, cross-border data flows and the global economy?
The roundtable was a unique opportunity to hear from two of Europe’s leading voices: Geoffrey Robertson from the UK, and Noelle Lenoir from France. Both Robertson and Lenoir agreed that in determining whether the protection afforded to Europeans in the U.S. is “essentially equivalent” to those afforded by the EU legal order, one has to examine not only the laws and rules in force, but also administrative practices in effect in the country. They also emphasized that it is critical not to compare the two legal orders in abstract, but rather to focus on the protection of privacy in the context of government surveillance and national security. In Europe, that protection is firmly within EU Member States’ competence and hence subject to exemptions in the EU Data Protection Directive. Indeed, it is the European Court of Human Rights in Strasbourg, which is established under the European Convention on Human Rights, that has developed case law mandating eight safeguards for the protection of privacy in Article 8 of the Convention. Despite this mandate, both Robertson and Lenoir argued that most of the eight safeguards have not been fully implemented in all European countries.
Robertson concluded that, following the U.S. law and practice reforms enacted after the Snowden incident, U.S. citizens are significantly better protected against national security surveillance than EU citizens in Europe. Furthermore, based on the new administrative rules and practices, oversight arrangements, disciplinary provisions and right to remedies against improper use in the U.S., Europeans have at least equivalent protection in the U.S. as they do in Europe.
The roundtable discussion also turned to the role of national data protection authorities (“DPAs”) after the Schrems decision. Participants concluded that the DPAs will be required to look at each data transfer case to determine the existence of essential equivalence in data protection in a foreign country. In addition, the consensus was that because foreign laws and administrative practices may change over time, fresh assessments will be necessary, raising concerns over the ability of DPAs, the European Commission and data controllers to continually reassess these issues. Participants also believe the criteria for essential equivalence will have an impact on future adequacy decisions under the new EU General Data Protection Regulation, and potentially on other mechanisms for international data transfers, such as standard contractual clauses and Binding Corporate Rules. Lenoir suggested that there will inevitably be more cases and preliminary rulings by the CJEU, which will bring necessary clarification and further nuances to the criteria set out in the Schrems decision. The period of legal uncertainty is bound to continue for some time.
Finally, the discussion offered glimpses of future solutions, such as:
- The U.S. signing the protocol to the International Covenant on Civil and Political Rights;
- intelligence agencies adopting a code of conduct (an accountability-based framework) that would include privacy safeguards and protections for individuals;
- European jurisdictions developing oversight bodies pass the test of the European Court of Human Rights and enable effective supervision of surveillance activities;
- replication of solutions adopted in the SWIFT case; and
- acceptance of mass surveillance, by allowing collection of data en masse subject to judicial restrictions and use and access limitations.