Schrems II: Consequences for Big Tech, or a lack thereof

The CJEU's invalidation of the EU-US Privacy Shield's adequacy decision left companies scrambling to ensure compliance. It is typical for companies in the EU to outsource tasks to the US. Those using servers outside of the European Economic Area (EEA) often use Standard Contractual Clauses (SCC) for data processing, storing, hosting, and various other tasks. Lawmakers now require that SCCs are reexamined to ensure their compliance. Additionally, companies must adopt encryption, anonymization, and even recording their most minute actions while working with personal data.

The previously mentioned remedies for using servers outside of the EEA come at no insignificant cost. Businesses may lose sight of the value they once found in outsourcing tasks. This could lead to the abandonment of EU-US data transfers and data centers migrating to the EU. In this scenario, the $7.1 trillion relationship between the EU and the US would suffer dramatically.

Despite the severity of the Schrems II ruling, lawmakers have taken their time while rolling out guidelines for businesses continuing to implement EU-US data transfers. A survey done by noyb, a privacy rights group, demonstrates that companies are continuing as they were until consequences are more strictly enforced. Many Big Tech companies questioned were not even able to present clear or complete answers regarding how their practices have changed since July's decision. Max Schrems has filed over 100 complaints against companies violating data transfer regulations, but little has been done beyond his initial filings.

The Schrems II case is absolutely a milestone in the fight for data privacy. Despite the EU's firm stance on this topic, little has been done to enforce their ruling. Will there ever be any tangible implications?

Sources: TechCrunch, TheArticle, JDSupra