The Privacy Shield is dead, long live the Standard Contractual Clauses? - not so simple
Slowly the dust settles on the decision of the European Court of Justice invalidating the Privacy Shield, the most used basis for the transfer of personal data to the U.S. The Court found no reason to invalidate the other frequent basis, the Standard Contractual Clauses, but attached stringent conditions to their use. Some see the apocalypse coming, some say we cannot do without U.S. companies and try to find other solutions. Staying in the middle, we try to shed light on what the 129-page judgment means.
I asked Andrea Jelinek, chair of the EDPB on behalf of portfolio.hu - the answers were published in Hungarian, I am waiting for the English version. See below for a very interesting aspect of her answers.
Indeed, the SCC can be used as a legal basis to transfer personal data to a third country, but only if its clauses can be complied with. It was often said that the new data protection legal framework of the EU concentrates not on formal, bureaucratic aspects but on real compliance with the principles and requirements. Accountability means the responsibility of the controllers for compliance and their obligation to demonstrate this compliance. This was now filled with real content by the judgment. This has far-reaching consequences for other bases of transfer of data to the U.S., but also to other countries. EU law is not common law, but principles in previous judgments are applicable and referred to in later cases.
The case revolved around transfer by outsourcing certain services to the U.S. mother company by Facebook Ireland. Transfers to countries where the General Data Protection Regulation (GDPR), which is applicable in all countries of the European Economic Area (EEA), is not law are subject to strict conditions, whether the data are transferred to another controller (who can use these data) or to a processor (a service provider processing data on behalf of and according to the instructions of the controller in the EEA). If the European Commission finds that the country of the recipient ensures a protection of personal data which is considered adequate (the regulation does not use the word “equivalent” while the judgment does), it can take a formal decision which then enables transfer to these countries. The “Privacy Shield” was the second attempt by the Commission to declare the transfer to commercial organisations registering and undertaking to comply with the conditions of the Privacy Shield programme as legitimate as a transfer within the EEA or to another country with an adequacy decision. The first decision, the “Safe harbour”, was already invalidated by the European Court in a case initiated by the Austrian law student Maximilian Schrems, also using the case of Facebook. After this case, a new, improved system was set up, but this was also found insufficient by the Court.
The first case took place soon after the Snowden revelations that the NSA is conducting indiscriminate and mass surveillance of personal data held by U.S. companies – the legal basis being the P.A.T.R.I.O.T. act and section 702 of the FISA (Foreign Intelligence Surveillance Act). The latter applies to electronic communications providers; the bad news is that cloud providers are considered to be such. Executive Order 12333 also has to be mentioned; we will come back to that later. Handing over data to national security agencies is not forbidden under the GDPR, it just has to be justified and proportionate and provide guarantees for the rights and freedoms of those whose data are used – in DPspeech: the data subjects. The Privacy Shield tried to provide these guarantees to the extent the U.S. administration was ready to provide them. This was now found insufficient – in particular the establishment of proportionality and necessity, and the legal remedies available to foreign data subjects, which were more limited than those for U.S. citizens. On the other hand, it is also new that the security interests of a third country are recognised just like the security interests of EEA member states.
What is the way forward? First of all, there is no grace period like there was after the demise of the Safe harbour: companies using U.S. contractors on the basis of the Privacy Shield have to change their legal basis immediately. As the Standard Contractual Clauses were not invalidated, it is plausible to use them. The reason why the SCC was found valid is at the same time its limitation: the data importer has to declare by signing it that it is not aware of any stipulation in its national law which would enable national authorities to access the personal data transferred, where such access would infringe the protection required by the European data protection legal framework. The Court also formulated the three main requirements: if the access is
- not proportional to the purpose of the access,
- without appropriate safeguards or
- without judicial redress available to the data subjects,
it is illegal under European law.
The essence of the judgment is that it puts the ball in the court of the data controllers, in accordance with the abovementioned principle of accountability. They have to determine in what cases they can transfer data. Thus, the fulfilment of the conditions has to be investigated. One of them is that there is no law in the target country (in this case the U.S.) which would render compliance with them impossible. As mentioned, when the subcontractor is for example a cloud provider or a communications company, this is immediately not true. The judgment also means that it is not sufficient to sign the SCC, put it in the drawer and forget it. Compliance has to be monitored and if it is not ensured, for example due to a change in law or to new information, data transfer has to stop. If the controller doesn’t do it, the data protection authority has to.
But “navigare necesse est”. Companies like Google, Microsoft etc. have already published their standard contractual clauses but said nothing about how these become their contractual obligations and whether they really warrant that they will not be subject to surveillance. Moreover, Google already lost a case in a U.S. court and had to disclose data kept in the cloud where it could not be proven that the data were indeed outside the U.S., while Microsoft won based on the argument that they can prove that the data are within the EU. The contradiction should have been resolved by the U.S. Supreme Court, but before the judgment the legislator stepped in: the C.L.O.U.D. act clarified the situation – not in favour of companies not wanting to disclose data. On the other hand, some data kept by cloud providers may not be interesting to U.S. authorities, or they may be so limited that their acquisition poses no risk to the data subjects. Banks, travel agencies and manufacturing companies are not subject to the most dangerous disclosure requirements, but if data are sent to them through electronic communications providers, the risks remain.
Other legal bases – binding corporate rules, codes of conduct – are rare in practice. They could go beyond the SCCs (which are only valid if they are not changed) in describing the response of the U.S. processor to surveillance requests. The Executive Order is namely not law; the target of an order to disclose data can contest it. These are nevertheless marginal cases. Before coming to another legal basis, consent, we have to remark that the ideal would be to arrive at a new adequacy decision soon. This, however, would require things which do not seem too probable. It would require the U.S. to change its philosophy and abandon its insatiable appetite for the personal data of foreigners. Given the international context, the looming U.S. elections and some initial reactions from U.S. lawmakers, the U.S. will not fundamentally change its national security surveillance rules. One of the weaknesses of the present framework could be easily remedied (but it is not sure the U.S. administration is ready to do it): equal treatment of U.S. and foreign citizens in terms of legal remedies. This, however, most probably will not be sufficient.
It is also questionable what the next steps will be on the side of the European Commission and the U.S. authorities. The second rejection of a compromise reached by the Commission also puts the Commission in a situation where the next version will have to be very carefully formulated. Therefore counting on a new agreement soon is not a practical option.
What remains are the derogations according to Article 49 GDPR or Article 50 EUDPR: consent, contract, important reasons of public interest recognised in Union law, establishment, exercise or defence of legal claims, vital interest (only when the data subject is physically or legally incapable of giving consent) and data from a public register.
Consent must be freely given, an affirmative action which is documented. Therefore consent cannot be used in an employment context unless there are guarantees that not giving consent does not entail adverse consequences for the data subject, and it cannot be the condition of receiving a service or having access to a right – unless an equivalent alternative is provided for the case that consent is not given. Also, consent can be withdrawn at any time.
Necessity, as another ground for derogation, will be strictly interpreted, i.e. that the function cannot be executed without transferring data to the third country, like in the case of travel arrangements to that country. The EDPB has issued guidelines about the application of the derogations, and there it states for this case: “requires a close and substantial connection between the data transfer and the purposes of the contract”, and the transfer has to be occasional. Therefore it concludes that standard continuous outsourcing cannot be justified on this basis.
Andrea Jelinek also said that if a controller wants to continue transfer to the U.S. without any safeguard and derogation, the DPA (data protection supervisory authority) has to be notified. This refers to Article 49 (1) of the GDPR which states, after the list of derogations, that a controller can transfer data if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances and has on the basis of that assessment provided suitable safeguards (simplified text). This means that safeguards have to be provided even in this case, but only "suitable" ones, i.e. adapted to the situation, not "adequate" or "appropriate" ones, and the controller has to inform the DPA and the data subject - the latter also about the interests pursued and the safeguards. Given the - already mentioned - enmity of the supervisory authorities towards transfers to the U.S., they may make use of their right to stop or suspend transfers. By the way, if safeguards are applied which do not require the approval of the authority, the authorities have to be informed about the categories of transfers based on these, but not about the individual transfers. They can then start an investigation which may also end in suspension or prohibition of the transfer.
Therefore wherever a European service provider can be found, it has to be preferred even when the functionality or comfort provided is weaker than that of a U.S. or other local provider.
Finally, there is the question whether data localised in Europe but processed by a U.S. company or a subsidiary of a U.S. company can be considered safe. Given the extraterritorial powers of U.S. state security authorities, this is very doubtful and the data controller has to ascertain whether the protection of these data is ensured.
Is, however, the use of exclusively European companies, which solves the legal problem, a good solution? It can qualify as a protectionist measure and entails the disadvantages of protectionism: extra costs, suboptimal solutions and weaker quality. Advocates of the free flow of information also mention that it is already in the title of the GDPR. Looking more closely we see that free flow is mentioned only as free flow within the Union and between member states. The purpose of the regulation is also “to facilitate the transfer to third countries and international organisations”, but only “while ensuring a high level of the protection of personal data”. And this is what is not ensured by a number of countries whose security agencies are exempt from data protection laws – just look at what reservations some countries added to their ratification of Convention 108 of the Council of Europe – for example exempting the protection of data which should be declared public by their national law. Therefore, however difficult it is to comply with it, the judgment protects us.