As most have noticed, the decision handed down by the European Court of Justice (CJEU) on 16 July in the Schrems II case has made the use of American cloud services, if not impossible, then at least a lot more complicated.
We will get plenty of opportunities to return to Schrems II and its implications for data protection, the need for a personal data inventory, and cross-border transfers, but the CJEU also makes other clarifications in Schrems II that deserve some attention.
First some background.
Schrems II is so called because the complaint against Facebook Ireland, for transferring data to its parent company Facebook US, was originally filed by the private individual Maximilian Schrems with the Irish DPA back in 2015, which referred the case to the CJEU in 2017.
Five years in the making is a long time for a private individual, and the CJEU therefore clarifies the role, and the responsibilities, of the Data Protection Authorities in each country.
As fewer than 1% of all privacy complaints have led to investigations by the DPAs, and as fewer than 1% of those investigations have led to fines, there was also a need for clarification. This is especially so since some DPAs publicly declared that they would focus their efforts on proactive activities such as guidelines, and not reactively enforce the legislation through fines.
The Irish High Court therefore asked the CJEU (in the eighth question) to what extent national data protection authorities are obliged to enforce the GDPR, and even to suspend personal data flows to third countries that they find unlawful.
The response from the CJEU is clear:
- The DPA is responsible for monitoring compliance with the GDPR within its territory.
- Furthermore, the CJEU clarifies that each data subject has the right to complain to the national DPA, and that the DPA has an obligation to investigate each such complaint with all due diligence.
- If the DPA, following the mandatory investigation, finds any non-compliance with the GDPR, the DPA is required to take appropriate action by choosing from the list of corrective powers given to it.
- The CJEU also concludes that the DPA must determine which action is appropriate, and that the DPA is “required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence”.
The above answer is as clear as it can possibly be.
National Data Protection Authorities are obliged to investigate all complaints.
They are also obliged to take action against any and all non-compliance with the GDPR.
They must ensure that the action chosen results in the GDPR being fully enforced.
The days of guidelines and proactivity from the DPAs therefore seem to have come to an end.
Instead, we should see an increasing number of enforcement actions, including the suspension of personal data processing and transfers, and of course, dissuasive fines.