The Privacy Shield is dead, long live the Standard Contractual Clauses?
The statement of the EDPB does not refer to a grace period and some DPAs are already sending out communications. What timeline would you propose to controllers for finding new safeguards?
There is no grace period. The Court has invalidated the Privacy Shield Decision without maintaining its effects, because the U.S. law assessed by the Court does not provide an essentially equivalent level of protection to that guaranteed within the EU. Controllers must take into account the Court's assessment in any of their transfers of personal data to the U.S.
Would you have a preference for some possible safeguards or derogations? Would you advise using consent over the others?
The Court has established that appropriate safeguards under Article 46 GDPR must meet the standard of "essential equivalence" with the level of protection guaranteed within the European Union. This standard applies to the appropriate safeguards contained in standard contractual clauses, binding corporate rules and other safeguards that may be complementary to them.
The Court reiterates that Article 46 appears in Chapter V of the GDPR. Accordingly, it must be read in the light of Article 44 GDPR, which lays down that "all provisions [in that chapter] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [that regulation] is not undermined". The level of protection must therefore be guaranteed irrespective of the provision of the chapter on the basis of which a transfer of personal data to a third country is carried out.
In the absence of a valid adequacy decision, controllers must carry out an analysis of the circumstances surrounding a transfer of data to a third country and the safeguards available for the protection of personal data, including the legislation of the third country, to determine if they are able to meet the standard of essential equivalence. If this standard cannot be met, controllers are required to suspend or end the transfer of personal data. If they intend to keep transferring data despite this conclusion, they must notify the competent supervisory authority.
The EDPB will continue to assess the consequences of the judgment on the existing transfer tools.
Derogations under Article 49 GDPR
It is still possible to transfer data from the EEA to the U.S. on the basis of derogations foreseen in Article 49 GDPR, provided the conditions set forth in this Article apply. The EDPB issued guidelines on this provision and it is important to recall that these derogations, as such, can only be applied on a case-by-case basis and cannot become "the rule" in practice.
In particular, it should be recalled that when transfers are based on the consent of the data subject, it should be: explicit, specific for the particular data transfer or set of transfers (meaning that the data exporter must make sure to obtain specific consent before the transfer is put in place, even if this occurs after the collection of the data has been made), and informed, particularly as to the possible risks of the transfer (meaning the data subject should also be informed of the specific risks resulting from the fact that their data will be transferred to a country that does not provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented).
With regard to transfers necessary for the performance of a contract between the data subject and the controller, it should be borne in mind that personal data may only be transferred when the transfer is occasional. It would have to be established on a case-by-case basis whether data transfers would be determined as “occasional” or “non-occasional”. In any case, this derogation can only be relied upon when the transfer is objectively necessary for the performance of the contract.
In relation to transfers necessary for important reasons of public interest (which must be recognized in EU or Member States’ law), the EDPB recalls that the essential requirement for the applicability of this derogation is the finding of an important public interest and not the nature of the organisation, and that although this derogation is not limited to data transfers that are “occasional”, this does not mean that data transfers on the basis of the important public interest derogation can take place on a large scale and in a systematic manner. Rather, the general principle needs to be respected according to which the derogations as set out in Article 49 GDPR should not become “the rule” in practice, but need to be restricted to specific situations and each data exporter needs to ensure that the transfer meets the strict necessity test.
Do you see it as a positive development that the validity of the SCCs has been retained, and that the security interests of the U.S. are recognised as a justified basis for access to data in the same way as the security interests of EEA member states?
In its judgment, the Court examined the validity of the European Commission’s Decision 2010/87/EC on Standard Contractual Clauses (“SCCs”) and considered it valid. Indeed, the validity of that decision is not called into question by the mere fact that the standard data protection clauses in that decision do not bind the authorities of the third country to which data may be transferred, owing to their contractual nature. However, the validity of SCCs depends on the existence of effective mechanisms that ensure an equivalent level of data protection to that guaranteed within the European Union.
National security interests alone cannot justify disregarding fundamental rights such as the right to data protection. In its reports on the annual joint reviews of the EU-U.S. Privacy Shield, the EDPB already questioned the compliance with the data protection principles of necessity and proportionality in the application of U.S. law. The Court has considered that the requirements of U.S. domestic law, and in particular certain programmes enabling access by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes, result in limitations on the protection of personal data which are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law. The Court also considered that this legislation does not grant data subjects actionable rights before the courts against the U.S. authorities.
What practice will the EDPB propose to DPAs if they receive complaints that the SCCs are the basis of a transfer but are potentially not complied with?
As mentioned in the EDPB's statement of 17 July 2020, the competent supervisory authorities (SAs) have a duty to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the competent SA and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or a processor has not already itself suspended or put an end to the transfer.
The EDPB and European SAs are working to ensure a consistent approach on these issues across the EEA. The EDPB will respond to other pending questions derived from the Schrems II judgment as it progresses in examining and assessing the judgment.
Background and Portfolio comment:
The case revolved around transfers by Facebook Ireland, which outsources certain services to its U.S. parent company. Transfers to countries where the General Data Protection Regulation (GDPR), which is applicable in all countries of the European Economic Area (EEA), is not law are subject to strict conditions, whether the data are transferred to another controller (who can use these data) or to a processor (a service provider processing data on behalf of, and according to the instructions of, the controller in the EEA). If the European Commission finds that the country of the recipient ensures a level of protection of personal data that is considered adequate (the regulation does not use the word "equivalent", while the judgment does), it can take a formal decision which then enables transfers to that country.
The "Privacy Shield" was the second attempt by the Commission to declare transfers to commercial organisations that registered with, and undertook to comply with the conditions of, the Privacy Shield programme as legitimate as transfers within the EEA or to another country with an adequacy decision. The first decision, the "Safe Harbour", was already invalidated by the European Court in a case initiated by the Austrian law student Maximilian Schrems, also concerning Facebook. After this case a new, improved system was set up, but this too was found insufficient by the Court.
EU law is not common law, but principles in previous judgments are applicable and referred to in later cases. Therefore not just transfers to the U.S. but also transfers to other countries outside the European Economic Area (EEA) are affected. The biggest disturbance is nevertheless caused to transfers to the U.S., as a lot of companies use U.S. service providers.
It is not sufficient to sign, for example, a contract complying with the standard clauses, put it in the drawer and forget it. Compliance has to be monitored and, if it is not ensured, for example due to a change in law or to new information, the data transfer has to stop. If the controller does not do it, the data protection authority has to.
The Court also formulated the three main requirements to investigate: if the access is
- not proportional to its purpose,
- without appropriate safeguards or
- without judicial redress available to the data subjects,
it is illegal under European law.
But "navigare necesse est". Companies like Google, Microsoft etc. have already published their standard contractual clauses, but have said nothing about how these become their contractual obligations and whether they really warrant that they will not be subject to surveillance. Electronic communications providers, including cloud companies, are subject to strict surveillance requirements under U.S. law.
After some preliminary statements, on 10 August European Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross, the two negotiating parties responsible for the agreement between the EU and the U.S. on data protection, issued a cautiously positive joint press statement announcing that they had initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework. There are challenges on both sides of the Atlantic: the EU will have to formulate the next version very carefully. Given the international context, the looming U.S. elections and some initial reactions from U.S. lawmakers, will the U.S. fundamentally change its national security surveillance rules?
What remains are the derogations according to Article 49 GDPR or Article 50 EUDPR: consent, contract, important reasons of public interest recognised in Union law, establishment, exercise or defence of legal claims, vital interest only when the data subject is physically or legally incapable of giving consent and data from a public register. The responses by Ms Jelinek clearly indicate the limitations of these.
Therefore, wherever a European service provider can be found, it has to be preferred, even when the functionality or comfort it provides is weaker than that of a U.S. or other local provider. Is this, however, a good solution? It can be classified as a protectionist measure and entails the disadvantages of protectionism: extra costs, suboptimal solutions and weaker quality. On the other hand, the security of our data is not ensured by a number of countries whose security agencies are exempt from data protection laws – just look at the reservations some countries added to their ratification of Convention 108 of the Council of Europe – for example exempting from protection data which their national law declares public. Therefore, however difficult it is to comply with, the judgment protects us.
László S. Szabó, Szabó Consulting