There are many, many summaries on the #SchremsII decision, including from Max Schrems & #NOYB, so I’ll save everybody’s eyes. What I’d rather do is post some of the political and practical questions I’ve been mulling about all day since the ECJ decision came out.
- In light of the ECJ’s decision, will Congress be motivated to pass more comprehensive, #GDPR-like privacy legislation in the US?
- Will Europe become a data island ?
- Will companies actually start pulling EU personal data out of the US?
- How will #enforcement play out? @DPCIreland already seems to drag its heels when responding to complaints. I’m sure the same is true for other DPAs. If DPAs are now charged with assessing the validity of individual SCCs, how will this work?
- How much worse off is the #UK in now that they’ll face the same hurdles as a #thirdcountry come Dec. 31?
- Do the concerns addressed by the ECJ with regards to #SCCs also apply to #BCRs? If the problem is the inability of companies to honor their contractual obligations (because saying no to a National Security Letter is impossible), this won’t change simply because it’s a corporate rule made within the same firm.
- Since SCCs are still alive-ish, which situations will SCCs still be viable? Presumably, for non-tech industries, SCCs will work, at least until the NSA/FBI/LLE come a’knockin. But I can’t see how this works out well for the likes of #microsoft, #google, #facebook, #amazon, #Twitter…
- What new contorted logic will lawyers devise to get around #adequacy issues in order to keep data transfers in place between the EU / US and other inadequate locales?
- How much bigger will the legal industry get to keep up with all the lawsuits?
In all, there’s a lot of fascinating things to think about, and I look forward to hearing the insights from fellow practitioners, and guiding others as we all learn how to navigate these challenges together.