As promised, a 2nd🧵on the #SchremsII decision. 1st thread with links to judgment, press release, and AG opinion here: https://twitter.com/t_streinz/status/1283765013820379137?s=20 What does the decision mean for transatlantic data flows? What are the implications for global data law and governance more broadly? 1/
As a starting point, especially from a US perspective, it's important to acknowledge the #GDPR's default restriction on transfers of personal data to third countries (Article 44 GDPR) which dates back to the 1995 Data Protection Directive. 2/
Conversely, one can understand the restriction as the EU's insistence that law governs technology and not the other way around. @PaulNemitz has been a vocal proponent of this philosophy: https://royalsocietypublishing.org/doi/10.1098/rsta.2018.0089 4/
One can read today's decision as a thorough endorsement of the latter view. There is no questioning of the restriction's rationale in the judgment. The Court recognizes that EU data protection law seeks to protect European data subjects everywhere. 5/
The #GDPR provides for a number of ways to extend EU data protection standards beyond the EU's borders. Today's judgment addresses the two most important ones: a) adequacy decisions under Article 45 GDPR; b) standard contractual clauses under Article 46 GDPR. 7/
After #SchremsI @EU_Commission had negotiated the #PrivacyShield ( https://www.privacyshield.gov ) to address the gaps in US law that Luxembourg had identified. On this basis, the Commission decided that the US provided an adequate level of data protection: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016D1250&from=EN 8/
The ECJ today annulled the Commission's decision. Privacy Shield is gone 🪦. On substance, this was hardly a surprise. Indeed, I sense some frustration in the Court's reasoning along the lines of: haven't we been clear the first time around? See, for example, para 191: 9/
EU data protection law, read in light of Article 47 of the Charter, requires effective judicial remedies. US law, famously, does not extend its protections under the 4th Amendment to foreigners. The PrivacyShield created an Ombudsperson within the State Department 🩹 10/
The Court finds this arrangement insufficient. This is significant, because it makes clear that any future adequacy decision would require actual changes to US law through Congress. This seems unrealistic at least in the near future. 11/
I emphasized above that this decision was hardly a surprise on substance. But procedurally it was not clear whether the Court would rule on the #PrivacyShield at all. The Advocate General had urged the Court to avoid this question altogether. 12/
It's a (persistent) myth that the Court follows the Advocate General in most cases. Their divergence in this instance is instructive for the relationship between adequacy decisions and standard contract clauses as alternative ways to transfer personal data to 3rd countries 13/
The AG had urged the Court (in paras 167 ff of his Opinion) to focus only on the Standard Contract Clauses, claiming that the referring Irish court could resolve the case on that basis (even though it had asked explicitly about the #PrivacyShield). 14/
In the view of the Court, the AG missed the relationship between adequacy decisions and standard contract clauses. Both require a holistic assessment of other countries' data protection regimes. 15/
If the EU Commission has found another country to provide an adequate level of data protection, data protection authorities are bound by this finding unless the Court of Justice invalidates the Commission's adequacy decision (as it did today). See paras 117 and 118. 16/
This brings me to the continued viability of standard contract clauses as a legal mechanism to transfer personal data from the EU to 3rd countries in accordance with Article 46 GDPR 17/
The Court *upheld* the Commission decision which contains the template for standard data protection clauses: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02010D0087-20161217 (originally adopted under #DPD but still valid under #GDPR) 18/
It is important to recognize two key differences between the two mechanisms: Adequacy is wholesale (with the self-certification requirement under #PrivacyShield as a retail component). Standard contract clauses are retail (contractual). 19/
The Commission template for standard contract clauses appears to provide some wholesale relief. But the Court emphasized today that it's insufficient to just copy&paste the template. Data controllers and DPAs need to ensure effectiveness in practice. 20/
This creates an obvious problem which is indicative of the differences between public and private #datalaw: a contractual guarantee is insufficient if another country's (public) data law requires or allows for access to personal data contrary to #GDPR guarantees 21/
The Court gestures towards additional safeguards in paras 133 and 134 but it's not clear to me what those safeguards would look like and how they could help controllers to escape the double bind between US surveillance law and EU data protection law. Any ideas? 💡 22/
It seems to me, the more likely outcome is the one contemplated in the ensuing paragraph (135): if additional safeguards are not feasible, personal data cannot be transferred. 🚧 /23
This is, of course, the outcome that advocates on behalf of tech companies have feared. It also conflicts, somewhat, with the EU's data strategy which emphasizes the importance of data flows for Europe's digital economy: https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/european-data-strategy_en /24
What is to be done? I'm running out of space in this thread. So I promise to @harlangcohen and others interested in this a 3rd and final thread. 25/end
You can follow @t_streinz.