Schrems II and the future of cross-border data transfer
Choi Man Yiu - The Alexander von Humboldt Foundation;
Hong Kiu Cheng - Independent journalist
-- The issue of how human sovereignty and human rights are able to sync with cross-border data transfer is increasingly relevant in modern society. It affects whether a legal system which balances human sovereignty and efficiency is able to be established and if the companies may develop big data to a common good.
In our recent paper, “After Schrems II: Human rights and cross-border data transfer in the EU and Hong Kong” (attached below), we analyse the results of Court of European Union (“CJEU”) judgments in Maximillian Schrems v Data Protection Commissioner Case C-362/14 (“Schrems I”) and Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems Case C-311/18 (“Schrems II”), which are the cases that overturned the EU-US frameworks allowing transatlantic data transfer for commercial purposes between the European Union and the United States. These cases also study the extra-territoriality of the General Data Protection Regulations (“GDPR”) and the future of cross border data transfer.
Privacy Shield, an EU-US framework which allows transatlantic data transfer for commercial purposes between the European Union and the United States, was overturned by Schrems II in July 2020 by European Court of Justice. The CJEU held that the surveillance by US authorities does not meet the EU standard of data protection. This poses a huge challenge to multinational technology companies when user data from the EU is transferred to the US. Similar disparity of data protection standards is expected between the EU and other countries.
The court sees Standard Contractual Clauses (“SCC”) as a possible fallback for the data export from the EU to the US. However, the industry generally agrees that SCC should be updated and both jurisdictions need to agree on a compliant standard for sustainable international data transfer.
In the long run, how human sovereignty may be weighed by the companies as they perform international data transfer will profoundly affect the technological development of big data. This paper assess the problem from three perspectives: (a) the impact the Schrems judgments bring to the data protection landscape in the EU and beyond; (b) as an unscathed mechanism, the prospects of SCCs in the context of international data transfer; and (c) the related lessons for Hong Kong with regard to the proposed amendments in the Personal Data (Privacy) Ordinance (Cap. 486).