Code Reg Episode 6: Schrems II/GDPR Enforcement Posture

Julian Cunningham-Day
February 6, 2023

Even the most anticipated deadlines can pass without clear consequence. While December 27, 2022 came and went quietly, many organizations are left wondering about regulatory bodies’ enforcement posture now that the EU Commission’s deadline for implementing updated Standard Contractual Clauses (SCCs) has passed. 

This season, Factor’s podcast – Code Reg – is dedicated to Schrems II/GDPR related remediation. In episode six, our experienced internal practitioners are joined by special guest Julian Cunningham-Day, Partner with global law firm Linklaters. They discuss the current GDPR enforcement environment, and what organizations might expect on the other side of the long-anticipated deadline to implement updated SCCs following the Schrems II decision.  

In this recap of Code Reg episode six, we discuss:  

  • Where GDPR enforcement has been focused since 2018 
  • Recent developments in GDPR enforcement 
  • Likely enforcement posture following the December 27, 2022 deadline to implement updated SCCs 
  • Enforcement approaches taken by data protection authorities 

GDPR enforcement: 2018 to today 

Although the GDPR only came into force in 2018, enforcement focus has shifted through that time.  

“Initially, GDPR enforcement really focused on what you might call the low hanging fruit of compliance, such as data security breaches and failures to comply with individual privacy rights, such as marketing consents and data access rights.” 

- Julian Cunningham-Day 

During this time, fines were generally less than one million euros, and were often spurred by complaints from individuals directed to regulators, who would respond by seeking enforcement against companies. But more recently, the pervasive presence of big tech companies has led the data protection authorities (DPAs) to explore new avenues in their attempts to curb any perceived misuse of data by these companies.  

“There has been a lot of focus on the transparency ... about how data will be used, including which parts of the world it may be accessible from, and what steps are taken to legitimize those transfers. Also, the rigor that companies employ in ensuring that all of the processing that they do has a legal basis.” 

- Julian Cunningham-Day 

These broader enforcement avenues have been accompanied by much larger fines – some DPAs even seek amounts into the hundreds of millions of euros when they've identified significant areas of non-compliance with the GDPR.  

“This has really put compliance with these data protection rules on a similar level to the compliance risks associated with antitrust and competition issues.”  

- Julian Cunningham-Day 

Enforcement posture following the December 27, 2022 deadline 

The EU Commission’s deadline to implement updated SCCs passed on December 27, 2022. Many organizations are not yet fully remediated, leading to one obvious question: how likely are these organizations to face enforcement pressure from DPAs? 

“To give some initial comfort, the details of companies' implementation of these export compliance strategies, primarily using standard contractual clauses … [have] not historically been a main area of direct enforcement activity for the DPAs around Europe.” 

- Julian Cunningham-Day 

However, export compliance has moved up the enforcement agenda for DPAs since the Schrems II decision, and there has been some recent enforcement activity – specifically in the context of international data exports and associated compliance steps companies have been taking.  

“That's the biggest thing that we've seen – a number of high-profile data protection authorities coming out with public decisions regarding the use of big US technology platforms (Google Analytics, Microsoft 365, AWS) and questioning the legal basis on which companies, particularly those in Europe, are using those tools within their businesses.” 

- Julian Cunningham-Day 

These pronouncements have been published by regulators in a number of jurisdictions across Europe. Additionally, some DPAs have begun distributing routine questionnaires requesting explanations about how organizations legitimize data exports and comply with Schrems II. In some jurisdictions (such as Germany), organizations that fail to answer satisfactorily will then be sent a more detailed set of questions about their remediation efforts and may even face an audit.  

Target enforcement industries for data protection authorities  

So, although export compliance strategies (usually meaning standard contractual clauses) have not historically been a main area of focus for DPAs, international data exports and associated compliance were thrust into the spotlight thanks to Schrems II.  

Now, organizations around Europe may receive questionnaires from the local data protection authority about their remediation efforts. But how can they know whether or not to expect an email from an authority?  

Perhaps frustratingly, there’s no clear answer across jurisdictions.  

“There is not some exact copying of approach across industries in the different jurisdictions, it tends to be more driven by the sorts of technologies that companies are using … The authorities will send [questionnaires] on a fairly general basis to everybody and ask you what sorts of technologies you're using, which may imply an export of the data to other jurisdictions, and then follow up more after that.” 

- Julian Cunningham-Day 

Understanding the likelihood of enforcement 

Historically much regulatory posture has been “more bark than bite” due to resourcing constraints, but the GDPR implemented a focus on international cooperation between DPAs. 

“This way, they have 25-30 different bodies … all working in a much more coordinated way to give more coverage for the markets and using their resources more efficiently.” 

- Julian Cunningham-Day 

This is simply to say, one of the main barriers to enforcement in many instances isn’t relevant when it comes to Schrems II/GDPR. Still, even when pooling their resources, DPAs have to prioritize enforcement activity. 

“In terms of the likelihood of enforcement, particularly if you're a smaller organization, I think you can still feel fairly comfortable that the way the DPAs need to operate is to focus on the key areas of risk. That tends to be either most impact on the largest number of individuals or vulnerable individuals.” 

- Julian Cunningham-Day 

Another point to consider is optics. Regulators are likely to focus on areas that could potentially result in significant headlines and reflect poorly on them.  

“If you can avoid those areas, you're likely to be below the radar level, certainly for a while, as the regulators focus on those larger risks for the larger organizations who are processing significant amounts of data, particularly on a cross-border basis.” 

- Julian Cunningham-Day 

Looking ahead: a new privacy shield framework 

Recent months have seen new support in the US for establishing a framework which will be sufficiently robust to obtain an adequacy determination from the European authorities and withstand the inevitable legal challenges to that adequacy assessment.  

“In the next two, three years I'd say we may have something robust enough that companies can start to think about pivoting, if they want to, towards that. But unfortunately, with that kind of timescale in mind, you really have to think about a workable solution for now.”  

- Julian Cunningham-Day 

For all the Schrems II/GDPR related insights discussed throughout this inaugural season of the podcast, subscribe to Code Reg wherever you get your podcasts.