The future of EU-US data flows under the GDPR

Mikolaj Barczentewicz

Since the Schrems II decision of the EU Court of Justice, lawfulness of
transfers of personal data from the EU to the US has been in a
precarious position. True, there have been changes in US intelligence
collection rules and practice since the state of the matter in 2016
which was the basis of the European Commission’s assessment in the
“Privacy Shield Decision” and to which facts the CJEU limited its
reasoning. However, there has also been a vocal movement among NGOs,
European politicians and – recently – national data protection
authorities, to treat Schrems II as if it conclusively decided that
exports of personal data to the US cannot be justified through standard
contractual clauses (“SCC”) in most contexts (i.e. when data can be
accessed in the US). The latter interpretation has now led to a series
of enforcement actions by national authorities in Austria, France and
likely in several other member states (“Google Analytics” cases). The
purpose of this project will be to assess to consider how the Schrems II
assessment of US law and practice, as presented in the 2016 Privacy
Shield Decision, should be applied today and whether it should be
adjusted given (1) the changes already implemented by the US government
since 2016 and (2) the changes planned as a part of the new data flows
deal currently being negotiated between the US and the EU.