Prohibition of data transfer to United States: the short-circuit of decision “Schrems II”

Privacy in Europe is a very serious matter, and we can only be happy and proud of this.

Protecting personal data of an individual means to safeguard a person in his/her deepest values and to avoid it becoming a commodity in the hands of governments and industry.

Unfortunately, not every extra-European country offers the same guarantees and for this reason the GDPR includes limitation in exporting data to third countries. Such transfer can happen essentially only if the country is considered safe by the European Commission or if the subject importing data commits itself to respect certain pre-set clauses, the so-called SCC (Standard Contractual Clauses).

For what pertains to the possibility to export data in the United States of America, a strategic country for many companies and for the provision of many internet based services, after the “Safe Harbor”, declared invalid by the CJEU after the case Schrems I, the Privacy Shield USA- UE introduced a protection regime which allowed the transfer of data in the USA in compliance to the European legislation.

On July the 16th 2020, with decision n. 2016/1250 (Schrems) the CJEU also declared  the Privacy Shield invalid as the United States were not found to be offering adequate guarantees mainly because of their national security programs.

The Court reiterated the possibility to use the SCC in case of transfer of data outside the European Union but it recalled that this could be possible only towards countries found to be reliable and at the moment, on the basis of its decision, the USA does not seem to be.

The Schrems II thus creates a real “short-circuit” from which it will not be easy to get out for those who intend to transfer data outside Europe and in particular in the USA.

To evaluate if an extra-European country can be considered reliable is certainly not an easy exam and it involves a high degree of accountability.

For the USA the situation is even more critical. If the Court does not consider it to be an adequate country on a personal data processing level, it will be difficult to found the basis to prove that it is.

For certain processes there could be some ways out, such as the possibility to use derogations in accordance with article 49 of the GDPR and in particular the legal basis of the necessity to transfer data in the USA to comply to a contract with the party concerned (this could apply to Facebook and any other social network) but these solutions will not apply to everyone.

A solution could be to consider outside the GDPR’s scope data processing for national security reasons also in cases where the processing is performed by extra-European countries, but at the moment this is not a viable route because these prerogatives are reserved to member states.

In anticipation of a Data Protection Authorities statement, or a normative one, one could only re-examine carefully every data processing and find, as far as possible, to reconduct them in the European scope, a necessary operation if the third country is not safe and if no derogation are found to the prohibition to export data in non-adequate countries.