EU Parliament adopts Resolution on data transfers following Schrems II Ruling

On 20 May 2021, the European Parliament adopted, with 541 in favour, 1 against and 151 abstaining, a resolution on data transfers following Schrems II Ruling. In this Resolution, the members of the European Parliament (MEPs) urge the European Commission to issue guidelines on making data transfers compliant in line with the recent CJEU judgments and EDPB’s opinions. Some of the key aspects of the Resolution are as follows:

1. Irish DPC failed to effectively enforce GDPR: MEPs express disappointment with the Irish Data Protection Commission that it brought proceedings against Maximilian Schrems and Facebook at the Irish High Court, instead of independently triggering enforcement procedures based on GDPR rules. The EU Parliament calls on the Commission to launch infringement procedures against Ireland for failing to effectively enforce the GDPR.
2. Lack of prioritization of international data transfers by national supervisory authorities: MEPs express concerns at the lack of prioritization by national supervisory authorities with regard to personal data transfers to third countries and urge the EDPB and national supervisory authorities to include international data transfers as part of their audits and compliance activities.
3. SCCs are welcomed: MEPs welcome the EDPB’s recommendations for data transfers and a Joint Opinion with the EDPS on the issue for safeguards related to third-country data transfers. MEPs further support the creation of a toolbox of supplementary measures to choose from, e.g. security and data protection certification, encryption safeguards, and pseudonymisation, that are accepted by regulators and publicly available resources on the relevant legislation of the EU’s main trading partners.
4. Guidance for the use of SCCs is required for SMEs: MEPs urge the Commission and EDPB to publish further guidance on international data transfers and the practical use of reliable supplementary measures, especially for SMEs.
5. US surveillance laws need to be reformed: There is a need for a reform of US surveillance laws to ensure that access of US security authorities to data transferred from the EU is limited to what is necessary and proportionate and that European data subjects have access to effective judicial redress before US courts. This is because SCCs are not possible for data controllers that fall within the scope of the US Foreign Intelligence Surveillance Act (FISA) due to the high risk of mass surveillance. MEPs note that no contract between companies can protect from indiscriminate access by intelligence authorities to the content of electronic communications nor can any contract provide sufficient legal remedies against mass surveillance.
6. CCPA does not provide an essentially equivalent level of protection: Neither CCPA nor any of the federal proposals so far meets the requirements of the GDPR for an adequacy finding. Therefore, MEPs strongly encourage the US legislature to enact legislation that meets those requirements in order to provide an essentially equivalent level of protection to that currently guaranteed in the EU.
7. Mass surveillance in the US and other countries needs attention: MEPs encourage the Commission to proactively monitor the use of mass surveillance technologies in the US and other third countries that could be the subject of an adequacy decision such as the UK and urge the Commission to not adopt adequacy decisions concerning countries where mass surveillance laws do not fulfill the criteria of the CJEU.
8. Cloud providers falling under section 702 FISA need attention: MEPs call on the Commission to analyze the situation of cloud providers falling under section 702 of FISA who transfer data using SCCs and analyze the effect on the rights granted under the EU-US Umbrella Agreement. MEPs find unacceptable that the Commission has still not published its findings of the first joint review of the Umbrella Agreement, even a year after the deadline and calls on the Commission, if necessary, to without delay bring the agreement in line with the CJEU judgments.
9. Commission has not suspended the privacy shield: MEPs regret that the Commission has ignored Parliament’s calls to suspend the Privacy Shield until the US authorities comply with its terms.
10. No self-certification in the future: Any future adequacy decision by the Commission should not rely on a system of self-certification as was the case with both Safe Harbour and the Privacy Shield. The Resolution emphasizes that the Commission should not conclude new adequacy decisions with third countries without taking into account the implications of EU court rulings and ensuring full GDPR compliance