
Doubts around data transfer - use of derogations

A lot has happened since Schrems II. Among other things, the European Data Protection Board has published a FAQ document and a guidance on essential guarantees for surveillance measures, and has submitted another guidance, on measures that supplement transfer tools, for consultation.

Transfer tools are either safeguards, which ensure that data subjects enjoy adequate protection of their privacy at the place and in the organisation to which their data are transferred, or derogations, which enable transfer essentially without adequate protection. I used the term adequate protection, and previously the view was that the protection ensured need not be identical with that in the EU. The Schrems II judgment, however, speaks about equivalent protection, and this is stronger.

Where the derogations (under Article 49 GDPR) are used, the EDPB is of the view that the last sentence of Article 44 GDPR ("All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.") implies that even in this case the protection of the rights and freedoms of the data subject should be maintained as far as possible, i.e. additional safeguards should be applied. The guidance submitted for consultation talks about these safeguards.

The EDPB (which has issued a guidance on the derogations) and the national data protection authorities have also taken a very narrow view of the applicability of the derogations. In practice they state that every derogation must be occasional, except those based on explicit consent, on important reasons of public interest (which must be recognised in EU or member state law), on vital interests, and on transfer of data from a register which is intended to provide information to the public and is open at least to any person who can demonstrate a legitimate interest. The EDPB adds that even these cases should be exceptional. It is extremely difficult to imagine how a transfer necessary for the performance of a contract can be occasional if the contract runs, for example, over several years.

It is also not clear what the requirement of exceptionality is based on. Consent, as is well known, must be explicit and specific; thus the data and the purpose for which consent is given must be fixed in the consent. So where is the exception? Even if a company transfers a lot of data for processing to its third-country subsidiary, parent company or associated company, consent can be requested for every instance.

That's why it was intriguing what I read first in a LinkedIn post: that Judge Thomas von Danwitz, the judge rapporteur of Schrems II, stated in answer to a question from the audience at the Data Protection Day 2021 of IITR Datenschutz GmbH that the possibilities of Article 49 have not yet been totally worked out ("ausgelotet"). This could be interpreted, as it was by a tweet, to mean that there are still possibilities to be exploited which the EDPB and the data protection authorities have not yet endorsed (or, in stronger wording, that the possibilities are wider than what the authorities have recognised). A response to this tweet, also confirming the mention of a possible wider interpretation of the cases when derogations could be applied, nevertheless states that the interpretation of Mr von Danwitz is in line with the guidance of the data protection authorities. The judge also said that he did not want to make a definitive statement, as it is for the Court to decide. So I am looking forward to someone brave enough - or forced - to probe it.

Some commentators referred to the "Data hub" case in France, but in my view this was more about another open question concerning transfers, about which I will talk in another post. The CNIL, however, noted in this case that there is a clear public interest in arranging a transition period and guaranteeing the continuity of data hosting for health and related uses. This is interesting, as it does not name the law in which this public interest is recognised, although one could certainly be found. The derogation namely allows only important reasons of public interest recognised in European or member state law as a legal basis for transfer. Note: important reasons of public interest, and not important public interest. Thus the interest has to be public but need not be important, while the reason has to be important for this public interest.

This leads us to the point which, in my opinion, will be interpreted more strictly by the Court of Justice: necessity. It is the usual practice of the ECJ that necessity is not the same as convenience; the controller must demonstrate that there is no other way (without the transfer) to fulfil the given task. This is also mentioned in the guidance of the EDPB, although formulated differently: simply outsourcing a service is not sufficient to justify a transfer. We know that a number of digital services are offered by U.S. companies (mass mailing, surveys, analytics, social media, videoconferencing, online events etc.), but for some there are European alternatives. Some of these are well known, some much less so. European alternatives sometimes offer more limited functionality or comfort, but if necessity is interpreted strictly, additional functionalities can be a justification for using U.S. service providers only if the additional functionalities they offer are indeed necessary.

I started to explore European videoconferencing providers; there are several candidates, so it will be interesting to see the results.
