Schrems-II and International data transfers
The Journey to a New Privacy Shield and Who is Leading the Way.
In a panel discussion moderated by Jacob Høedt Larsen, Head of Communications at Wired Relations, Tara Taubman-Bassirian LLM, Scott Wilson, Consultant, and Bill Mew, Founder and CEO at Crisis Team, will be speaking at a Privsec Webinar on Tuesday 22nd of June at 12 BST.
The last few weeks have been extremely busy for privacy specialists. The wait for the UK adequacy decision has evidently made many nervous. ‘In a resolution passed on Friday (344 votes in favour, 311 against and 28 abstaining), MEPs ask the Commission to modify its draft decisions on whether or not UK data protection is adequate and data can safely be transferred there, bringing them in line with the latest EU court rulings and responding to concerns raised by the European Data Protection Board (EDPB) in its recent opinions.’…‘The EDPB considers that UK bulk access practices, onward transfers and its international agreements need to be clarified further. The resolution states that, if the implementing decisions are adopted without changes, national data protection authorities should suspend transfers of personal data to the UK when indiscriminate access to personal data is possible.’
Despite the Parliament’s vote and concerns about bulk data collection and the exemptions for national security and immigration, the Comitology committee met and the decision was unanimously voted. A leaked adequacy document has circulated and has already been widely commented on. The TIGRR document, announcing the desire of the UK Conservatives to depart from the GDPR for a more ‘pro-business’, data haven approach, did not affect the EU Commission’s decision to grant UK adequacy. Or at least, not yet. The UK ICO is to publish a new set of Standard Contractual Clauses. The Commission’s SCCs will not apply to the UK.
Eventually, on 18 June 2021, the Commission adopted the long-awaited new Standard Contractual Clauses for transfers of personal data to third countries. The GDPR prohibits the transfer of personal data to a country outside the EU unless the third country has been deemed adequate by the European Commission or one of the prescribed transfer mechanisms is in place. The role of the standard contractual clauses is limited to ensuring appropriate data protection safeguards for international data transfers.
Today, the EDPB adopted its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data – Version 2.0.
Just a short background reminder :
Since Edward Snowden’s revelations on NSA surveillance, the general public has been made more aware of the US intelligence laws allowing interception and monitoring of EU citizens’ data (FISA section 702, EO 12333, US Cloud Act). The General Data Protection Regulation (GDPR), which entered into force in May 2018, offers a higher level of protection, regardless of the nationality of the data subjects. That includes strong data subject rights, in principle enforced by supervisory authorities, as well as a right to judicial redress guaranteed by Art 82 GDPR. However, we are still to see non-material damages granted, as the mere fact of non-compliance with the GDPR has been deemed insufficient by European national jurisdictions.
While the GDPR aims to facilitate the free flow of personal data within the EU/EEA (the EEA being the 27 countries of the European Union plus Iceland, Liechtenstein and Norway), the flow of data outside the EU is prohibited unless measures of protection are in place. As a result of the long-haul legal actions of the privacy activist Max Schrems, we saw the US Safe Harbour agreement and then the Privacy Shield invalidated by European Court of Justice decisions (commonly known as Schrems-I and Schrems-II) based on European Union regulation, read in the light of the Charter of Fundamental Rights of the European Union. In this regard, data collected or processed in the EU should not be transferred to countries without adequate data protection, including the U.S.A. (Article 46 GDPR).
In a way, the Schrems-II decision, by requiring an equivalent level of protection for data exported outside the EU/EEA, has established a sort of bubble of protection around the data that should be maintained even when the data is exported outside the EU (Art 45-3 a controller or processor may transfer personal data to a third country only if it has provided appropriate safeguards, and on the condition that enforceable rights and effective legal remedies for data subjects are available).
Several countries have received an adequacy decision from the EU Commission on the basis of Article 45 of Regulation (EU) 2016/679, lately Japan, and the case of South Korea is on its way (the European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing an adequate level of protection). In the case of the U.S.A., the EU Commission had reviewed the Privacy Shield and given it a green light. That opinion was not shared by the ECJ, which invalidated the Privacy Shield in July 2020 with immediate effect. The Court, however, said other supplementary safeguards were needed to guarantee the same standard of data protection. In principle, the Court said, Standard Contractual Clauses and Binding Corporate Rules remained valid when supplemented with appropriate measures, in the context of massive data flow between the US and the EU/EEA. To allow data transfer, data exporters are required to carry out a transfer impact assessment to assess the level of protection in the third country. In a way, data exporters are required to do what the Commission had failed to do: a case-by-case analysis of the protection offered by the country of the data importer, plus the implementation of appropriate supplementary safeguards. When there are indications that legislation may impinge on the fundamental rights and freedoms of data subjects in Europe, for instance when there is a potential risk of government access or surveillance legislation, supplementary measures need to be put in place by the data importer in the third country to protect the personal data coming from Europe. These can be technical, organisational and/or contractual measures.
SCCs Footnote 12 :
the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.
The Standard Contractual Clauses models adopted by the Commission pre-dated the GDPR and needed some refreshment, so the new SCCs finally published by the Commission were greatly welcomed. The risk assessment operation should begin with a data mapping, which was required anyway for GDPR compliance: knowing where the data is and what data is held, minimising the data, making sure data is accurate, limiting access to data, and especially securing the data in this terrific context of cyberattacks and ransomware pandemics. We witness the clouds leaking, data raining like dogs and cats.
As touched on above, SCCs are not the only tool available. ‘In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.’ ‘The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by’ Binding Corporate Rules (Article 47), which can be more appropriate and are usually established within the same group. There are also ‘approved code of conduct pursuant to Article 40’ or Codes of Conduct (Article 46). However, not many have yet been adopted. The French supervisory authority, the CNIL, recently approved a code of conduct for cloud infrastructures.
Article 49 (Derogations for specific situations) applies ‘In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only’ under restrictive conditions.
The newly published EU Commission’s implementing decision on SCCs has raised many questions around its Recital 7: ‘The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679.’ This is the case when the importer falls within the definition of Art 3(2), the long arm of the GDPR’s scope. When the organisation is targeting or selling goods and services to the EU, a Data Processing Agreement under Article 28 is required. In order to protect the data transfer, supplementary safeguards adapted on a case-by-case basis to the country of import AND judicial redress (EU courts’ competence) AND/OR arbitration will have to be provided. This is what was lacking with the Privacy Shield: an independent authority and the ombudsperson to deal with EU citizens’ complaints. The EDPB recommendation has not specified the exclusion of importers subject to the GDPR.
Data localisation, recommended by some professionals, cannot be the escape solution as data is considered transferred as long as it can be accessed. As the EDPB notes, ‘remote access from a third country… and/or storage in a cloud situated outside the EEA offered by a service provider, is also considered to be a transfer. Are you using a third party using US cloud? That means transferring outside the EEA to US‘.
Data encryption can help when the encryption keys remain in Europe. That does not solve the problem when data needs to be accessed or processed in the country of import.
The European Data Protection board recommendations in 6 steps :
- Step 1 – The EDPB advises you, exporters, to know your transfers: map all transfers of personal data to third countries.
- Step 2 – Verify the transfer tool your transfer relies on, amongst those listed under Chapter V GDPR.
- Step 3 – Assess if there is anything in the law and/or practices in force of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on.
- Step 4 – Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence.
- Step 5 – Take any formal procedural steps the adoption of your supplementary measure may require, depending on the Article 46 GDPR transfer tool you are relying on.
- Step 6 (final) – Re-evaluate at appropriate intervals the level of protection afforded to the personal data you transfer to third countries and monitor if there have been or there will be any developments that may affect it. The principle of accountability requires continuous vigilance of the level of protection of personal data.
SCCs Modular approach :
Organisations transferring personal data to third countries are “free to include those standard contractual clauses in a wider contract and to add other clauses or additional safeguards, provided that they do not contradict the standard contractual clauses or prejudice the rights or freedoms of data subjects”.
SCCs used to be a one-off signed document hidden at the bottom of a drawer. The new SCCs require adaptation and regular assessments. These assessments have to be filed, as the DPAs could request access to the logs. There are four modules.
- MODULE ONE: Transfer controller to controller
- MODULE TWO: Transfer controller to processor
- MODULE THREE: Transfer processor to processor
- MODULE FOUR: Transfer processor to controller
Third parties now have the ‘docking option’ to join the contract. The clauses can be adapted as long as their nature is not modified.
Obligation of information and transparency.
Emphasised by the Commission’s document, this will not be easy to implement for data importers, who are not necessarily aware of the information provided at the time of data collection unless they have access to the exporter’s privacy policy. Data subjects have the right to be informed. Is this systematic or on request?
With a view to ensuring transparency of processing, data subjects should be provided with a copy of the standard contractual clauses and be informed, in particular, of the categories of personal data processed, the right to obtain a copy of the standard contractual clauses, and any onward transfer. Onward transfers by the data importer to a third party in another third country should be allowed only if the third party accedes to the standard.
With some exceptions, in particular as regards certain obligations that exclusively concern the relationship between the data exporter and data importer, data subjects should be able to invoke, and where necessary enforce, the standard contractual clauses as third-party beneficiaries.
While the parties should be allowed to choose the law of one of the Member States as governing the standard contractual clauses, that law must allow for third-party beneficiary rights.
Article 13(1)(f) and Article 14(1)(f)
Obligation of the controller to provide data subjects with information about the fact that it intends to transfer their personal data to a third country or in accordance with pursuant to
Article 46 of Regulation (EU) 2016/679,
such information must include a reference to the appropriate safeguards and the means by which to obtain a copy of them or information where they have been made available
Individual redress :
In order to facilitate individual redress, the standard contractual clauses should require the data importer to inform data subjects of a contact point and deal promptly with any complaints or requests.
EU courts :
The data subject should be able to lodge a complaint with the competent supervisory authority or refer the dispute to the competent courts in the EU.
The data importer should agree to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures.
See also
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
ADR :
In addition, the data importer should have the option of offering data subjects the opportunity to seek redress before an independent dispute resolution body, at no cost. In line with Article 80(1) of Regulation (EU) 2016/679, data subjects should be allowed to be represented by associations or other bodies in disputes against the data importer if they so wish.
Time scale :
Organisations will have 18 months and 20 days to replace their current SCCs (see para 24 and Article 4 of the implementing decision). This applies to organisations that already have SCCs in place.
My advice, as always, is to start as soon as possible with data mapping, data minimisation, and securing access. Hold the data like a hot potato. Don’t keep it longer than necessary. Keep your archives off the network. Limit access to data. Train your staff. Be ready for a data breach: it is no longer a question of IF but WHEN it happens.
Maybe the new Biden administration will keep its promise to finalise a new agreement with a change of the US legislation.
This part is more political and diplomatic than legal. From a strictly legal point of view, the UK should never have reached adequacy, especially after the negative vote of the Parliament and the TIGRR plans to depart from the GDPR to make the UK a more business-friendly data haven, with the risk of opening backdoors to data transfers to the US. Adequacy decisions are to be reviewed after 4 years. Meanwhile, a DPA can challenge the decision based on an individual’s complaint.
The EDPB specifically touched on this point: ‘However, adequacy decisions do not prevent data subjects from filing a complaint. Nor do they prevent supervisory authorities from bringing a case before a national court if they have doubts about the validity of a decision, so that a national court can make a reference’.
“These negotiations underscore our shared commitment to privacy, data protection and the rule of law and our mutual recognition of the importance of transatlantic data flows to our respective citizens, economies, and societies,” U.S. Commerce Secretary Gina Raimondo and European Commissioner for Justice Didier Reynders said in the statement released by the U.S. Commerce Department.
A quick look at EU national court decisions dealing with data transfer complaints:
The Bavarian court ruled that MailChimp’s use of email addresses, resulting in data transfer to the US, created risks of interception and that the transfer is therefore unlawful.
A German court ruled that an employee asking for compensation from his employer for sending his data to the US for HR processing would not be granted damages.
The French Highest Administrative Court, the Conseil d’Etat, was called on by privacy organisations to rule against the processing of the medical data DataHub by Microsoft, which transfers data to the US. The CNIL’s observations, based on the unlawful transfer of data that is accessible as long as it is stored on Microsoft servers, even when the servers are based in Europe, recommended allowing a transitory period until a solution is found, possibly by introducing an intermediary organisation to anonymise the data. The Conseil d’Etat, in an interim decision, issued an injunction to Microsoft to add an addendum to its contract to offer stronger guarantees.
The Conseil d’Etat had another preliminary judgement case, in the context of the pandemic, concerning the website Doctolib, used as a platform for COVID vaccination appointments and using Amazon AWS cloud storage. The CE, referring to the Schrems II decision, recalled that before implementing a transfer of personal information with appropriate guarantees, it is necessary to ensure that “the rights of persons whose personal data are transferred to a third country on the basis of standard data protection clauses benefit from a level of protection substantially equivalent to that guaranteed within the European Union”. To assess this level of protection, the highest administrative court continues, it is in particular necessary to take into account (i) the contractual stipulations agreed between the exporter of personal information and the recipient of the transfer established in the third country concerned and (ii) with regard to possible access by the public authorities of that third country to the personal information thus transferred, the relevant elements of the legal system of the country of destination. After consideration, the CE ruled that the partnership between the French State and Doctolib does not constitute a serious and manifestly unlawful interference with the right to respect for private life and the right to the protection of personal data.
Portugal – DPA orders suspension – 27 April 2021
The Portuguese DPA investigated complaints against the national statistics institute (INE) for alleged unlawful data transfers. Census data were shared with a third party in the US. The transfer was based on SCCs, but without any supplementary safeguards put in place. The DPA concluded that the INE had failed to conduct a DPIA prior to the use of the third party to process census data (required because of the large-scale processing of sensitive data) and had not met the requirements for valid data transfers. The transfer of data was suspended both for transfers to the US and to any other country which does not offer an adequate level of data protection.
Max Schrems’ NGO, NOYB, has filed 101 complaints, including against Google and Google Analytics and Facebook Connect, for unlawful data transfers to the US.
Case Law Digest 2021: Transfers of personal data to third countries
It was recently reported that German DPAs are investigating international data transfers as part of a cross-border audit. Aiming to enforce the requirements of the Schrems II decision by the European Court of Justice (Case C-311/18), they have developed coordinated questionnaires, based on which they will be reaching out to companies. Each DPA will independently decide upon its areas of action. Among the latter, they will be assessing (i) the use of email, web tracking and website hosting service providers, (ii) managing applicant data and (iii) intragroup transfers of customer and employee data.
It is worth mentioning that the issue of transferring EU data to countries without adequate data protection is not limited to the US.
This document does not constitute legal advice. It is simply a fresh analysis of the recent publications.