Five Candles for the GDPR


SYMPOSIUM

stay alert keep smart

FIVE CANDLES FOR THE GDPR

MAY 2023

Table of Contents

1. Five Candles for the GDPR – A Symposium

Dominik Düsterhaus

2. Clash of Titans: Artificial Intelligence and GDPR - A Modern Battle of Technology and Privacy

Boris Paal

3. International Data Transfers after Five Years of the GDPR: Postmodern Anxieties

Christopher Kuner

4. What if the new adequacy decision for the EU-US Data Privacy Framework were to be declared invalid – again? Ways forward and out of the international-data-transfer dilemma

Susanne Dehmel

5. The Troubled Transnational Enforcement of the GDPR

Orla Lynskey

6. Are the fines fine? A tale of disharmony and opacity of GDPR enforcement?

Naomi Lintvedt

7. Do data subjects have a right to detailed disclosure of how an automated decision has been made (‘right to explanation’)?

Katrin Blasek

8. Processing in the context of employment – Will there ever be consistent rules under or beyond Article 88 GDPR?

Emilia Fronczak

9. Striking a Balance: Interpreting the Journalistic Exemption of Article 85 GDPR

Päivi Korpisaari

10. Procedures Matter – What to Address in GDPR reform and a new GDPR Procedural Regulation

Herwig C.H. Hofmann and Lisette Mustert

11. GDPR’s Right to Compensation and the Österreichische Post Case (C-300/21): Major Breakthrough or Much Ado about Nothing?

Jonas Knetsch

12. EU Data protection law & politics – A Candle that burns at both ends?

Dominik Düsterhaus


Five Candles for the GDPR – A Symposium

Dominik Düsterhaus

On 25 May 2023, the EU General Data Protection Regulation 2016/679 will have been in full application for 5 years. A good reason, we thought, to light some candles in honor of the arguably most advanced and comprehensive data protection regime worldwide.

While Directive 95/46/EC had already put the EU at the forefront of data protection, the GDPR has adjusted, enhanced, expanded and operationalised the EU regime so as to make it truly exemplary.

Its regulatory approach is unique indeed, setting out a number of core principles, rights and obligations, to apply irrespective of who/what, how and where processes EU based data, and championing national diversity, as well as dual and cooperative enforcement.

Yet, this anniversary is also an opportunity to shed light on the limitations and shortcomings of the GDPR regime, namely a certain conceptual vagueness, holey harmonisation and sub-par enforcement.

Our ‘5 candles for the GDPR’ are meant to do both.

Throughout this month of May, renowned experts and practitioners will share their views on how key GDPR features have fared over the last five years and whether they are fit for the future.

With no pretense at exhaustivity, we thus look at some topical aspects of EU Data Sovereignty, Legal Diversity, Technology Neutrality, Public as well as Private Enforcement.

Follow our symposium to read about whether the GDPR is fit for AI, how global its protective regime is and whether there is a future for the OSS Mechanism as we know it. Are the fines fine? May compensation for non-material harm be conditioned? Must automated decision-making be explained? And what do all those opening clauses allow in terms of harmonisation? These are the questions which the op-eds of our symposium strive to answer, succinctly and subjectively, offering little sparks of light, just like the candles on a birthday cake.

Boris Paal will light the first one with his take on the Clash of Titans – AI and the GDPR.

i. Dominik Düsterhaus is a référendaire at the Court of Justice of the European Union and kindly accepted to serve as the guest editor of this month‘s GDPR anniversary symposium.

Clash of Titans: Artificial Intelligence and GDPR

A Modern Battle of Technology and Privacy

Boris Paal

Since the adoption of the General Data Protection Regulation (GDPR) 2016/679 in 2016, the dynamic and disruptive progress of technologies of Artificial Intelligence (AI) has raised various questions about how the GDPR should be implemented and applied in order to adequately address the challenges and requirements imposed by AI. As a legal regime, the GDPR has not been designed to regulate AI in particular. The GDPR only incidentally touches upon the matter and, where it does, establishes strict requirements. In this sense, fully automated individual decision-making systems including profiling are severely conditioned by Article 22 (1) GDPR. However, as a starting point, it should be noted that the GDPR applies to the use of AI when there is a processing of personal data. Moreover, it is complicated to implement any national regulation due to the GDPR’s broad scope and its direct application according to Article 288 (2) of the Treaty on the Functioning of the European Union (TFEU). This is why there is an ongoing discussion regarding the need for additional regulation from the European legislator on this matter.

I. Description of the Conflict

On the one hand, it is crucial to underline that the GDPR fundamentally approaches the handling of personal data in a restrictive manner. AI technologies, on the other hand, require a vast amount of data (e.g., big data) for training and in certain constellations also in their practical application and use; some of these data are extremely sensitive (cf. Art. 9 GDPR). This may be at odds with (some of) the principles set out in Article 5 GDPR. Thus, a word-by-word application of GDPR to AI could lead to challenging consequences for the deployment of AI in Europe. Given this context, the question arises whether AI should follow its path in full compliance with the GDPR interpreted in a strictly language-based manner or whether the interpretation of the GDPR (or even the GDPR itself) needs to be adjusted to be consistent with the AI revolution.

Especially in practice, a rather goal-driven interpretation of the GDPR could be a better approach. It might be argued that such an approach would be more consistent with the way the Court of Justice of the European Union interprets European law, i.e. following a telos-oriented approach rather than applying the wording of the legal provisions too strictly. Indeed, this does not contradict the character of the GDPR itself, which often contains open and vague formulations. In addition, a strict application based on restrictive standards may lead to a significant impediment to the development of AI in Europe and represent a significant disadvantage in this market of the future.

i. Boris P. Paal, M.Jur (Oxford) is a Professor in Civil Law, Media Law, Information Law, and Data Law, and Director of the Institute of Media and Data Law and Digitalisation at the University of Leipzig. As an author and editor (among others of Gersdorf/Paal on Information and Media Law, and Paal/Pauly on the GDPR) he is the author of more than 200 publications in the aforementioned areas of law.


II. Towards an Adequate Approach to the Principles set out in Article 5 GDPR

An open-minded analysis of the Article 5 GDPR principles may help to avoid the above-mentioned disadvantageous results. In this sense, it could be better to analyse the core of Article 5 GDPR. The main obligations set out in Article 5(1) GDPR are lawfulness, fairness, accountability, and transparency. However, the principle of lawfulness laid down in Article 5(1)(a) GDPR and Article 6 GDPR is prevailing over other legal maxims of Article 5 GDPR. The principle of lawfulness establishes a general prohibition with the reservation of permission and requires the existence of the data subject’s consent or another legitimate basis under Article 6(1) GDPR. The proportionality test, which requires a suitable legal basis, is further defined by the general principles laid down in Article 5 GDPR.

With regard to the transparency principle of Article 5(1)(a) GDPR, the transparency in AI may be seen as problematic. For instance, the possibility of fulfilling the retrospective and prospective traceability otherwise required in a ‘transparent manner’ may be questionable with regard to complex AI systems. Comprehensive information about the controller, processor, and data subject concerned is conceivable, but in most cases, due to the technical depth required, it will neither be effective nor meet the requirement of traceability. This is congruent with the report Big Data, Artificial Intelligence, Machine Learning and Data Protection by the UK Information Commissioner’s Office, which states that ‘the complexity of big data analytics can mean that the processing is opaque to citizens’. Rather, what is needed here is a teleological, purpose-based interpretation of transparency for AI. For example, a partial deviation from the comprehensibility principle may be conceivable for AI, insofar as it cannot be presented comprehensibly due to its technical nature, or only with alienating simplification. However, the question of the purpose of the data processing could be a central element of the transparency obligation in the future. Such a shift of the reference point for transparency has already been applied in the UK through the Data Protection Act. In principle, this contradicts the wording of Article 5(1)(a) GDPR. However, an interpretation in line with the wording of the ‘transparent manner’ is at least conceivable if such an explanation of the manner of data processing is not technically possible, for example in cases of machine learning. In view of Recital 58 of the GDPR, however, this is to be treated extremely restrictively, as the transparency and associated information obligations are to apply in particular to complex systems.

The principle of consent as per Article 4 (11) GDPR in conjunction with the purpose limitation (Article 5 (1)(b) GDPR) could also be interpreted appropriately for AI. In principle, the determination of an explicit and legitimate purpose is required. Furthermore, there must be no incompatibility of the purpose of the processing with the original purpose of collection. Especially the latter is problematic in view of multiple further processing and uses in the application of AI. However, if further processing is compatible with the original purpose, it may be permissible in principle.

The data minimisation rule according to Article 5(1)(c) GDPR could be deemed as discussable, especially in the context of the necessity of data processing in big data applications. As far as the mere anonymisation of the data does not conflict with the purpose of the processing, there should be no regular violation. However, a different situation arises if it is precisely the reference of the data that is important in the context of the use. In this case, the interpretation of data minimisation may raise the question of when the data becomes personally identifiable (cf. recital 26 GDPR). A conceivable requirement as to when the personal reference of the data is given could be, for example, the pseudonymisation of the data as an alternative to anonymisation, in cases when anonymisation is not possible. Moreover, synthetic data, which serves as a virtual representation of the initial dataset, could be considered as an alternative method to evade a personal reference and consequently, the application of the GDPR.

The storage limitation of Article 5(1)(e) GDPR requires, in the application of the principles of purpose limitation and data minimisation, that the data should only be stored for the absolutely necessary period. When such data is processed for a secondary purpose, the data controller is obliged to justify this. In terms of the learning of AI, this would not pose a problem if the data has been collected particularly to train the AI. In this case, the application of this principle will run parallel to that of purpose limitation. This is because if there is a legitimate purpose for the processing, the storage of the data is justified as well.

III. Conclusion

Taking into account the potential negative effects of AI, namely the aspects of mass data collection and bias-based profiling, AI should not be exempt from complying with the legal objectives of the GDPR as set down by the European legislator. Nevertheless, an interpretation of the GDPR that, unlike the one applied above, does not sufficiently reflect the specific characteristics of AI, may lead to drastic impairments to the development and innovation potentials of AI – not only in Europe. To maintain a proper balance between these two aspects, a separate legal framework governing the permissibility of processing operations using AI-based applications should be established. For the establishment of a functional and robust framework, it is necessary to design it in a technology-neutral, predictable and respectful manner that upholds fundamental rights and the principle of reasonableness. The more tailor-made the interpretation and application, the better the results. This way a workable and resilient framework can be achieved – and the battle of technology and privacy can be pacified. Finally, it is to note that the proposed AI Act unfortunately neither seeks to establish such a comprehensive framework nor fully clarifies the important relationship with the GDPR – thus, further challenges and problems regarding the application of both regimes are just around the corner.


International Data Transfers after Five Years of the GDPR: Postmodern Anxieties

Christopher Kuner

The regulation of international transfers of personal data remains a work in progress five years after entry into force of the GDPR. It reflects phenomena often designated as ‘postmodern’, such as legal fragmentation and confused relations between law and politics.

Protecting the rights of individuals whose data are transferred under the GDPR is subject to the contradictory impulses of various stakeholders: companies transfer the data of individuals while complaining about the cost of compliance; individuals expect online services to enable innovative uses of their data while giving them control over it; data protection authorities (DPAs) require companies to comply with legal rules on data transfers but often have difficulty enforcing them; the EU and the US negotiate data transfer arrangements while engaging in mutual recriminations; and EU institutions enact legislation with a short attention span determined by the political priorities of the day. Although the GDPR has considerable international influence, as shown by the large numbers of countries around the world that have adopted similar laws, the conflicting priorities to which it is subject sometimes make it seem like a regulatory system on the verge of a nervous breakdown.

Many of the challenges facing the GDPR’s data transfer regime derive from institutional tensions, a turn toward formalistic mechanisms, problems with enforcement of cross-border cases, and questions about the comparative methodology used to implement it, all of which could be resolved with the necessary political will. However, others result from global developments and unresolved questions about how the GDPR should interact with foreign legal systems, which will prove more intractable.

Institutional tensions

The GDPR gives the Commission the sole power over adequacy decisions, with only a consultative role for the European Data Protection Board (EDPB) and no formal role for the European Parliament, although the latter does adopt resolutions on pending decisions. The Commission’s legal role of ensuring that fundamental rights are protected in the legislation it proposes stands in tension with the political reality that it needs to compromise when negotiating data transfer arrangements with third countries. These dual roles are reflected in its draft adequacy decision for the US of 13 December 2022 to replace the Privacy Shield decision invalidated by the Court of Justice in Facebook Ireland Ltd. (C-311/18). While the protections contained in the new decision represent an improvement over the Privacy Shield, political pressure has led to compromises that seem questionable in light of the fact that the Court admonished the Commission that its evaluation in adequacy decisions must be ‘strict’ and its discretion in issuing them is ‘reduced’ (Schrems, C-362/14, para 78). For example, the data protection principles of the framework can be limited when necessary to comply with a court order or to meet public interest, law enforcement, or national security requirements (Annex I, para 5), which is very close to the formulation that the Court of Justice objected to in Schrems (para 86) and Facebook Ireland Ltd (para 164). In retrospect it seems unfortunate that the GDPR did not grant the EDPB or the Parliament a co-decision power for adequacy decisions.

i. Christopher Kuner is an affiliated professor at the University of Copenhagen, a lawyer with an international law firm in Brussels, editor-in-chief of International Data Privacy Law, and one of the editors of the GDPR commentary published by Oxford University Press.

Negotiations regarding a US adequacy decision have been ongoing since the late 1990s, and issues concerning data access by US law enforcement have distracted attention and diverted resources from other important data protection questions that have tended to be neglected. These include transferring data for purposes of international humanitarian action; data sharing to combat global pandemics; data transfers to international organisations; and protecting fundamental rights in transfers of personal data to authoritarian countries such as China.

For its part, the Court of Justice has played the role of Goethe’s Mephisto as ‘der Geist, der stets verneint’ (‘the spirit that always denies’), invalidating two adequacy decisions covering the US (in Schrems and Facebook Ireland Ltd.) and holding that a draft international agreement with Canada covering the transfer of airline passenger data could not be concluded (Opinion 1/15), while failing to engage fully with important questions concerning what a valid data transfer mechanism does require (as discussed in my recent article). The Court has also stated that it does not express a view on the law of a third country (see for example the Opinion of Advocate General Mengozzi in Opinion 1/15, para 163), which seems disingenuous in light of the fact that the validity of adequacy decisions (Article 45 GDPR) and appropriate safeguards (Articles 46-47) depends in part on a comparison between foreign law and EU standards (see below).

A turn towards formalism

Data transfer issues under the GDPR are increasingly addressed through formalistic mechanisms. This risks reducing data protection to a series of complex, untransparent procedures determined by technocrats that are difficult to apply and understand.

For example, the EDPB has imposed an increasing number of documentation requirements on parties transferring data (as in its Recommendations 01/2020 and Guidelines 05/2021), which include preparing maps to show how data are transferred; conducting ‘data transfer impact assessments’ about the law and practices in third countries; and performing a legal analysis to determine whether the GDPR applies directly to entities in third countries. A lack of transparency also plagues adequacy decisions, which are negotiated in secret and which can be based on information that is difficult to find and understand (see pp. 2-3 of the EDPB Opinion on the draft adequacy decision for the US).


Problems with cross-border enforcement

This formalistic turn is ironic in light of the fact that the most significant data transfer development in recent years resulted not from action by public authorities, but from the initiative of a single individual, Austrian law student and activist Max Schrems, whose dogged pursuit of claims against Facebook over several years resulted in the landmark judgements of the Court of Justice in Schrems and Facebook Ireland Ltd. National procedural requirements have hindered development of the higher level of cross-border enforcement that the Court foresaw in these two judgments, which the EDPB and the Commission are attempting to address. However, problems with cross-border enforcement are also caused by human and organisational factors in DPAs, such as limited resources and training, linguistic problems, and a lack of technical understanding, and thus require political and organisational solutions.

More general issues facing the GDPR can also affect data transfers, such as a lack of enforcement against large technology companies. This reflects the fact that enforcement is the responsibility of Member State courts and DPAs and the EDPB only has a coordination role. As the European Data Protection Supervisor has suggested, new mechanisms for cross-border data protection enforcement are needed, such as the creation of a single enforcement body with pan-EU competence over cross-border cases, though this would face formidable political obstacles. It remains to be seen whether the 1.2 billion Euro fine levied against Facebook and confirmed by an EDPB dispute resolution decision adopted in April 2023 will mark a turning point for more effective and coordinated enforcement of data transfer requirements.

The role of comparative law

The GDPR’s data transfer regime is based on determining whether the law and practice of countries to which data are transferred are sufficient under EU standards. It requires comparative exercises such as the Commission and the EDPB conducting research on third country law; Commission and foreign officials delving into the intricacies of each other’s law when negotiating adequacy decisions; and parties analysing the law of countries to which they will transfer data.

Political philosophers and scholars back to Montesquieu (De l’esprit des lois, Book I, Chap. 3) have warned about the dangers of blindly transplanting concepts and institutions from one legal system to another. Comparing legal systems is a complex endeavour that requires proficiency in other languages; a deep knowledge of both one’s own system and the foreign system being compared; going beyond the wording of the law to ascertain its purpose and meaning; and protecting against unconscious cultural bias. Basing data transfer instruments on a flawed comparative analysis can lead to them being invalidated later on, as demonstrated by the rulings of the Court of Justice in Schrems, Facebook Ireland Ltd., and Opinion 1/15.

This complexity can be seen in the new EU-US framework for data transfers. The Executive Order signed by US President Biden on 7 October 2022 requires intelligence gathering to be ‘proportionate’, and this is mentioned repeatedly in the Commission’s draft adequacy decision. However, as Professor Vicki Jackson has written, while the concept of proportionality is used in some areas of US constitutional doctrine, the structured proportionality analysis used in Member State and EU constitutional law is not. Merely inserting the word ‘proportionate’ into US legal instruments does not necessarily mean that the concept will be interpreted the same way as in the EU legal system. This shows that greater rigor is needed in the EU’s comparative methodology.

Global challenges

The economic and geo-political significance of data processing has made countries recognise at the highest political level the need to provide a more stable legal framework for international data transfers (for example, the Digital Minister of Japan, which is currently chair of the G7, has announced the intention to establish an international organisation dealing with transborder data flows). Dealing with such global developments will be one of the biggest future challenges for the GDPR.

This can be seen in the increasing number of data transfer initiatives of various international and regional groups. For example, countries including Canada, Japan, the Republic of Korea, the UK, and the US have established ‘Global Cross-Border Privacy Rules’ (GCBPRs) as an alternative system for data transfers.

GCBPRs seem designed to provide only a minimum level of protection, and so far have had little practical relevance. However, if countries in the GCBPR group that are already subject to a Commission adequacy decision (which includes Canada, Japan, Korea, the UK, and in the future also the US) begin to allow data transfers based on this new system, then it could put them on a collision course with the GDPR. Regional groups such as ASEAN and the Ibero-American Data Protection Network have also published model contractual clauses for international data transfers.

Such initiatives raise questions about how the GDPR’s data transfer regime interacts with other legal systems. The Court of Justice’s insistence on the autonomy of EU law (see Opinion 2/13 of the Court) and on a high level of data protection show that it is hesitant to allow such interactions. Even a Member State constitutional system with a strong history of fundamental rights protection such as that of Germany may be more willing to recognise foreign data protection systems than the Court of Justice (see Judgment of the German Federal Constitutional Court of 20 April 2016, para 334). There are unresolved tensions between views such as those of Advocate General Szpunar, who in his Opinion in Google LLC (C-507/17) was sceptical about allowing EU data protection law to have effect beyond EU borders (see para 53), and those expressed in the judgment of the Grand Chamber of the Court in the same case, which seemed to take a more expansive view of this question (see para 72). This tension inevitably impacts issues such as how far EU law should go in expecting third country law to adopt standards similar to its own.

Outlook

The problems facing the GDPR often overshadow its successes. The GDPR has made explicit a number of important legal principles that were previously only implicit; raised public awareness about data transfers; created political momentum in favour of stronger legal protections; strengthened the position of DPAs; and increased penalties for violations. All of this has resulted in greater respect for EU data protection law.

However, EU law must take further steps to address the challenges facing the GDPR’s data transfer regime. This should include the EU institutions better balancing their legal and political roles; providing simpler and more transparent compliance mechanisms that are more understandable to individuals; addressing procedural impediments to cross-border enforcement; improving the organisational capacity of the DPAs; evaluating foreign legal systems more rigorously; and establishing an EU-wide enforcement body for cross-border cases. The Commission should include such proposals in its next evaluation report on the GDPR, which is due in 2024.

Such steps would help the GDPR’s regulation of data transfers become more effective and relevant over the next five years and beyond. However, full resolution of the issues surrounding data transfers would also require EU law to reach clarity about the parameters for creating interfaces with foreign legal systems. This will in turn require fundamental decisions to be taken about the place of EU law in the wider world, a process likely to occupy the EU for years to come.


What if the new adequacy decision for the EU-US Data Privacy Framework were to be declared invalid – again? Ways forward and out of the international-data-transfer dilemma

Susanne Dehmel

The European Court of Justice´s ruling of 16 July, 2020 (C-311/18, Schrems II) continues to cause ripple effects for thousands of businesses worldwide, but especially in Europe, and it is still shaping the political debate concerning international data transfers. With the new EU-US Data Privacy Framework, the EU Commission wants to create a solid legal basis for the transfer of personal data from the EU to the US after the Privacy Shield was declared invalid with the Schrems II ruling.

This Op-ed focuses on the economic effects the decision has had, the impact another failed EU-US agreement would have – and argues for shifting the lines that were drawn in the sand.

Looking at the past

The legal situation brought about by the ruling of the Court of Justice has long caused perplexity and a lot of uncertainty within the industry on how to deal with international data transfers. The uncertainty relates less to the directly implementable aspect of the ineffectiveness of the adequacy decision on the Privacy Shield. Rather, it concerns the more subtle consequences for international data transfers in general. According to the ruling, even when using standard contractual clauses within the meaning of Article 46(2)(d) of the GDPR, companies need to assess the legal framework in the country they are transferring data to and, depending on the assessment, need to implement supplementary measures for the protection of the rights and freedoms of data subjects.

The Court did not make any clear statements on the subsequent questions, on the triggers for the necessity of additional measures and on the nature of the measures themselves, so that this vacuum must be filled by practice.

EU companies are connected around the world. Data transfers to countries outside the EU do not only play a role for international corporations and the global sales markets. Smaller companies are also increasingly storing data in the cloud, using software from US providers and using social networks and web conference systems from international communication providers. Support and IT-security services are often also offered from locations in Asia. And companies that outsource tasks to external service providers in third countries often need to transfer employee data in order to fulfil their tasks.

i. Susanne Dehmel is a Lawyer, Executive Board Member and Political Advisor. She is the author of “Drittstaatentransfers nach Schrems II“, MMR 2023, 17.

Data transfers are an essential part of the entire economy and indispensable for research and science, with the US being the most important destination for the data that is being transferred (see here). The prevention or even obstruction of data transfers is at least as serious for German and European companies as the disruption of supply chains.

With its judgment of 16 July, 2020 (C-311/18, Schrems II), the Court of Justice declared the EU Commission’s adequacy decision on the transfer of personal data to the USA (EU-US Privacy Shield) invalid. The Court did not consider the level of data protection in the USA to be adequate according to Article 45 GDPR. It held that there was a lack of suitable guarantees, enforceable rights and effective legal remedies against requests by intelligence services to surrender personal data of EU citizens that are processed in or transmitted to the USA. The ombudsman provided for in the Privacy Shield did not offer sufficient protection against the intelligence services according to the Court.

Looking at the present

With the Privacy Shield struck down, without a grace period in place and no timely solution in sight, companies in Europe had to find alternative means to make their (necessary) transfers legally compliant again and implement additional measures for more secure transfers. And although the GDPR thankfully provides other means to legally secure data flows, the implementation efforts, investments and process changes were enormous. Non-essential transfers were, in some cases and companies, stopped, providers were changed – but overall, the loss of the Privacy Shield showed how essential data transfers truly are. No business executive, no compliance officer, no HR-director or product designer would have gone through the weeks and months of time, money and effort to shift data transfers onto (in most cases) Standard Contractual Clauses if the transfer itself would have been just a ‘nice to have’. The Bitkom working group on Data Protection worked for two years on a systematic approach and tool for the assessment of third country data transfers and the risk mitigating measures. Especially for SMEs the additional layer of legal and organizational costs hurts and slows down their potential for modernisation and innovation. Also, core business processes are run on systems that are based on data flowing freely around the globe. The digitised economy with its globalised production, the cooperation of research institutions and a follow-the-sun 24/7 security support system are always in need of legally secure, stable and cost-effective data processing. Many businesses are currently working with Standard Contractual Clauses as a legal mechanism to secure the transfer in a GDPR compliant way. The efforts to conclude the individual contracts, implement hundreds of different additional measures to comply with the Schrems II ruling in thousands of different combinations (related to the individual contractual agreements between the companies) are demanding.

The hurdles for conducting business within and with EU companies are therefore quite high and seem to be getting higher instead of making it easier. And while the GDPR carried the promise of a harmonized framework that would strengthen the competitiveness of EU companies, the status quo shows that the practical difficulties are perceived as too burdensome and not strengthening the EU Single Market (see here).
