Schrems II: Article 49 GDPR derogations may not be so narrow and restrictive after all?
by Rob van Eijk and Gabriela Zanfir-Fortuna
On January 28, 2021, the German Federal Ministry of the Interior organized a conference celebrating the 40th Data Protection Day, the date on which the Council of Europe’s data protection convention, known as “Convention 108”, was opened for signature. One of the invited speakers and panelists was Prof. Dr. Dr. von Danwitz, the judge-rapporteur in the CJEU Schrems I Case (C‑362/14), the CJEU Schrems II Case (C‑311/18), and the CJEU Case La Quadrature du Net and Others (C-511/18). He spoke at length about the Schrems II judgment and its significance for cementing the importance of the fundamental right to personal data protection, as well as generously replied to specific questions about the options available now to companies to lawfully transfer personal data from the European Union to the United States. In particular, his comments on the possibility to rely on Article 49 GDPR derogations were noteworthy, as they seemed to contradict the narrow approach taken by the European Data Protection Board in its interpretation.
The recording of the keynote by Prof. Dr. Dr. von Danwitz starts here (1h12m).
The recording of the panel intervention by von Danwitz starts here (2h17m).
Please note that all quotes used in this article are a translation from German.
The broader context: A fundamental right that still needs to be taken seriously
In his introductory remarks providing context to the Schrems II judgment of the CJEU, judge von Danwitz admitted that he had “quite a lot of sleepless nights over this case”. He added that, “however, it is not the task of a court to find the least problematic solution to a case”.
According to the judge, the awe that the judgment created for some comes from the fact that the consequences of having the right to the protection of personal data elevated as fundamental right in the EU Charter and in the Treaty of Lisbon “are still not fully understood and recognized today”. He added that “the EU attaches great importance to the protection of these rights (respect for private life under Article 7 and protection of personal data under Article 8 of the Charter – n.), especially in comparison to the partial or rudimentary textual references in national constitutions”.
Judge von Danwitz showed that he is fully aware of the breadth and the pervasiveness of cross-border data transfers in today’s digitalized society: “data transfers to third countries are not rare incidents. It is common practice to outsource certain data-based services to third countries. This may be economically useful and desirable for enterprises, but it should not compromise the level of protection of personal data”.
He explained that “the necessary balance between the legitimate interests of economic operators and the promotion of international trade on the one hand, and the right to the protection of personal data on the other, is reflected in the legal requirements that an essentially equivalent level of protection of personal data must be ensured when data is transferred to third countries”.
The judge also acknowledged that some countries may not ensure at all this high level of protection of personal data and this fact “may have economic disadvantages for companies in individual cases”. He explained that “nevertheless, this is the necessary consequence of the fundamental decision taken by the European Union to ensure a high level of protection of personal data”. As he ultimately framed it, the entire discussion “is about the much more fundamental question of what is the society we want to live in and our aspiration to shape this society in line with European law and values”.
No legal void: The Court saw Article 46 safeguards and Article 49 derogations as filling the gap
First in his keynote and later on in the panel, judge von Danwitz explained that the Court decided to annul the Privacy Shield with immediate effect – as opposed to allowing for a grace period, because there was no legal void in its absence. He mentioned that GDPR Article 46 safeguards and Article 49 derogations “cover the absence of an adequacy decision”.
During the panel, the discussion centered around the following question: “How, for example, am I as an entrepreneur supposed to implement these requirements in data transfer after Schrems II? Which guidelines apply?”
In response to the question, von Danwitz remarked: “The question is very legitimate. The question is this, as an enterprise, do I have to transfer data to third countries for which there is no adequacy decision by the European Commission? Yes or no? That’s the fundamental question.”
“And if this question is to be answered to the effect that [transfers] are absolutely necessary, then I need to use, e.g., standard contractual clauses. At least that’s the standard approach. (…) If standard contractual clauses are not possible, because my process in the third country cannot comply with these clauses under the applicable national law, then, of course, there’s the question of the transfer of data by relying on [the derogations for specific situations in] Article 49 GDPR.”
Von Danwitz mentioned that Article 49 derogations are in particular an option for intra-group transfers and that they should be more attentively explored. “(…) In my opinion, the opportunities granted by Article 49 have not been fully explored yet. I believe they are not so narrow that they restrict any kind of transfer, especially when we’re talking about transfers within one corporation or group of companies.”
Von Danwitz indicated that the conditions from the text of the GDPR in any case must be met. For example, in the case of the derogation relying on necessity to enter a contract or for the performance of a contract, the first test is to ask “is the transfer of that data really required? Is it really necessary to fulfill the contract?” He added: “In my opinion, this gives people sufficient scope of action”.
The judge didn’t go into further details and also clarified that questions related to the scope of Article 49 derogations might be posed to the court in the future, and he doesn’t want to “preempt any judgments by making a statement now”.
Although von Danwitz made the observations in a personal capacity, they mark a new opening in the discussion on data transfers which some refer to as a proverbial Gordian Knot. Furthermore, the remarks are important against the background of the European Data Protection Board (EDPB) Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. The public consultation period for the recommendations has ended and the EDPB has started processing the comments submitted by stakeholders.
You can find the recordings here: in German, English, and French. The intervention in German by Prof. Dr. Dr. von Danwitz on the exploration of the Article 49 derogations starts at this bookmark: 02h23m12s.
Photo credit: arbyreed CC BY-NC-SA 2.0.
To learn more about FPF in Europe, please visit fpf.org/about/eu.