We have been watching for months as the world's superpowers spar for supremacy in a tech-shape boxing ring. In one corner of the squared circle, regulators in the US (and elsewhere) are considering whether tech assets and digital networks need protection from potentially “hostile” acquirers and service providers, such as those with links to mainland China; while market commenters trace a clear connection between the growing geopolitical tension and Beijing’s apparent enforcement on Apple’s App Store, to name just one example in the other corner of our canvas arena.
Then, Mr Schrems’ case leans over the ropes. One swing of an ECJ judgment and boom – the EU-US Privacy Shield hits the canvas: the Privacy Shield does not ensure adequate protection of personal data as required under EU law. Same swing, however, and out of the corner of Mr Schrem’s eye, any use of Standard Contractual Clauses for data transfers to mainland China is seen dropping to its knees as an unexpected victim of the same uppercut.
Well, maybe. GDPR experts and data protection authorities will need to do some more analysis on several jurisdictions that are seen as having strong state security and surveillance laws: the UK (post-Brexit), India, Russia and mainland China all spring to mind. Are personal data transfers from the EU to these other markets still possible under SCCs following Schrems?
Whatever the answer, as our prize-fighters in the shape of the US and China vie for the front-foot in their ongoing context, last week’s Schrems judgment does not make it easier for these nations to connect their digital economies to that of the EU. Hopefully not another nail in the coffin of globalisation, but the ruling will no doubt require a number of tech companies and other businesses that operate between the EU and elsewhere – including mainland China – to reconsider how they execute their cross-border data flows.
More assessment of the Schrems judgment can be found on our DigiLinks page.