What the Schrems II decision means for the future of data privacy… and your business

There are two things businesses everywhere like: certainty and harmonization. The Schrems II ruling in the Court of Justice of the European Union (CJEU) strikes a blow on both of these counts with respect to the vast (and hugely valuable) transfer of user data from the EU to the United States.

By ruling that one of the two main legal protections for user data transferred to the US – the so called “Privacy Shield” – doesn’t sufficiently guarantee respect for fundamental data rights, the CJEU’s decision poses a clear and immediate threat to businesses that rely on Privacy Shield to facilitate data flows.

That’s 5,378, including some of the biggest tech companies in the world.

It’s notable that while Privacy Shield has been invalidated, the use of Controller-Processor Standard Contractual Clauses (SCCs) for data transfer was upheld, albeit with new guidance on how those could be invalidated – essentially, if privacy rights couldn’t be guaranteed in the countries receiving EU user data, SCCs’ validity can also be questioned.

I don’t wish to play the policy prediction game in response to this ruling; I’d only suggest that for some of the world’s biggest and most powerful enterprises, a lack of legal basis for moving data from Europe to the US is simply untenable.

There may be other potential mechanisms that can fill in for data transfer, like GDPR’s Article 49, but this was built for exceptional or unusual instances rather than consistent ongoing transfer of huge data quantities through a transatlantic pipeline.

Something will have to give.

The ruling suggests that – since EU privacy rights aren’t protected in the US, per CJEU – even the use of SCC’s for transferring data from Europe to the US may not be adequate. I can’t predict what the next move will be but I agree with Simon McGarr, that “this is a massive strengthening of the EU’s regulatory power in order to enforce its human rights-based vision of data processing.”

But for myself and the team at Ethyca, the result is…well it’s not irrelevant by any means,  but to focus on specific operational consequences on day Schrems II +1 somewhat misses the point. We already know that over the next 10 years, the global privacy landscape will evolve rapidly.

GDPR wasn’t the end, it was only the start.

Businesses must accept and plan for an unstable, unharmonized global privacy regulatory environment. As Twilio’s Robin Andruss said on a recent Ethyca panel, playing “whack-a-mole” with regulation as region-specific issues crop up will only result in an inefficient, time-consuming, and hugely frustrating privacy operation during this period of rapid evolution.

Put differently, if data privacy compliance for your business relies on hard-baked processes, excel spreadsheets, emails, and humans, the manual effort and technical data debt that will inevitably occur in the next decade will be hugely costly. Possibly even fatal. The only way to viably ride this roller-coaster is to implement agile, modern tech-driven solutions to dataflows in your business. That applies to each phase of the data lifecycle and each facet of privacy rights management.

I don’t mean to suggest that a company using state-of-the-art privacy tech would be unaffected by the Schrems II decision. If your business relies on the EU/US data pipeline, it’s going to cause disruption no matter what. But if you already understand, at the touch of a button, all the data your business holds, where it lives, the region-specific regulations that apply, and the entitlements systems currently in place, it’s a disruption that may be manageable in days.

But if you’ve now got to put a team to work to understand all those same things…it could be a messy few years. And if you can’t adjust data governance on the fly, the future will only get messier.

– CK