Australia: Schrems II and the challenges for equivalence under the GDPR
The view that 'some Australians are not on our side' is invoked to justify Australia's national security surveillance laws, but the decision in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (C-311/18) ('the Schrems II Case') challenges the potential for, and the ability to attain, equivalence under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Alec Christie and Andrea Mitchell, from Mills Oakley, discuss how the Schrems II Case may have an impact on countries outside of the EU and the US, and how local security and surveillance laws may also be affected.
The present is a timely reminder that 'not all Australians are the good guys'[1] and of Australia's unequivocal need for surveillance. This led us to reflect on the recent decision of the Court of Justice of the European Union ('CJEU') in the Schrems II Case and the impact that local security and surveillance laws in countries receiving data transfers from the EU (specifically Australia) may have on existing and future arrangements for cross-border data transfers.
The Schrems II Case ruled on the legality of the EU-US Privacy Shield ('the Privacy Shield') and the Standard Contractual Clauses ('SCCs') mechanisms. Although the Schrems II Case relates to the Privacy Shield arrangements between the US and the EU and will primarily impact the transfers of personal data from the EU to the US, this ruling also affects the ability of other countries, such as Australia, to prove 'adequacy' or 'equivalence' with the GDPR via contractual means in order to receive personal data from the EU. But is there a possible way to deal with this significant new requirement efficiently and effectively?
The Schrems II Case
On 16 July 2020, the CJEU ruled that the Privacy Shield was invalid. The invalidity was due specifically to US 'surveillance laws' (such as the Foreign Intelligence Surveillance Act), which allow the US Government to access EU personal data without sufficient judicial review or oversight and which give data subjects only limited remedies for any improper collection or use of such data. Because of this lack of judicial review and the limited remedies, the CJEU found that US law, and therefore US companies, could not be regarded as equivalent or adequate to the data protections of the GDPR, even where the company was certified under the Privacy Shield. The Privacy Shield was thereby effectively struck down.
As regards the SCCs, in general the CJEU upheld their use for data exports as a valid mechanism and adequate safeguard when transferring personal data from the EU to a receiving party outside of the EU. However, and some might argue unnecessarily, the CJEU also imposed new conditions on the use of SCCs relating to the privacy protections and 'surveillance laws' in the receiving party's country. In other words, while the SCCs are still a valid mechanism, they do not (and cannot) by themselves overcome any fundamental overarching local law impacts (e.g. surveillance laws) on the adequacy or equivalency of local privacy protections. According to the CJEU, a comprehensive assessment, case by case, is now required prior to any and all personal data transfers by EU data exporters, even where the SCCs are in place.
The CJEU ruling also requires EU supervisory authorities to assess and monitor compliance with the assessment of local privacy protections and surveillance laws and, potentially, prohibit any data transfer from the EU to a non-compliant receiving country (i.e. based on its surveillance laws).
In its ruling, the CJEU calls for close scrutiny of personal data transfers under SCCs (or other cross-border mechanisms) to any country: (i) without an adequacy decision; and (ii) with surveillance laws that relate to the national security interests of the country in which the recipient resides, such as Australia with its Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Cth) and its involvement in the 'Five Eyes' intelligence alliance, an 'alliance of like-minded states [that is] the most powerful, effective and enduring intelligence partnership the world has ever known.'[2]
However, the ruling is unhelpfully vague: it contemplates that laws of a country 'which do not go beyond what is necessary in a democratic society to safeguard, inter alia, national security, defence and public security are not in contradiction'[3] with the GDPR, and so do not prevent the SCCs from being used to achieve equivalence. It remains unclear exactly what level (if any) of national security surveillance is compatible with the GDPR and 'necessary' in a democratic society, how this will affect future adequacy decisions, and how it will bear on the determination of whether a country outside the EU affords data subjects a level of protection equivalent to the GDPR when the SCCs are used.
In Australia, laws regulating public authority surveillance of personal data exist at the Federal level,[4] and each State and Territory also has its own laws relating to surveillance of personal data by its public authorities and private organisations.
Unfortunately, based on the ruling in the Schrems II Case, we suspect that (as in the US) our Australian Federal and State surveillance laws and our membership of the 'Five Eyes' intelligence alliance will prevent the SCCs alone from creating equivalency to the GDPR protections.
The role for ISO 27701
Whether using the SCCs or a State-agreed mechanism (e.g. one similar to the Privacy Shield or the APEC Cross Border Privacy Rules), post-Schrems II businesses must now assess the overarching adequacy of data protection arrangements in both the recipient company and the country in which it is based.
One way an organisation could seek to do this more efficiently (and reduce the burden on it) is to use independent certification against a global standard such as ISO/IEC 27701 ('ISO 27701') to determine if there is an equivalent level of protection in those organisations/countries it wishes to transfer personal data to. This will be especially so if, as anticipated, ISO 27701 is recognised as a 'certification mechanism' under the GDPR.
While ISO 27701 does not specifically address this at present (and those already certified under it will not yet have been assessed in relation to it), a relevant assessment could be built into the certification process. That is, the certification could consider the 'adequacy' of the entity's privacy processes and local privacy protections vis-à-vis local surveillance laws and derogations from those privacy protections, in relation to the specific countries or regions (e.g. the EU) from which the entity is to receive (or import) personal information.
Of course, based on the Schrems II Case, for the export of personal data from the EU one will still need to be satisfied as to how any problematic local surveillance laws in the recipient country (e.g. Australia) have been neutralised or sufficiently addressed (if they can be). However, as noted, local surveillance laws and other derogations from privacy protections could be (with some tweaking) addressed, assessed and certified under a 'privacy information management system,' such as ISO 27701.
For nearly 75 years the Australian Government has invested in its cybersecurity, intelligence gathering, and offensive capabilities with its national security and surveillance laws and policies. Many of our allies (and adversaries) are engaging in similar surveillance and are not always transparent with the safeguards, enforceable rights, and effective legal remedies to protect data subjects that they have (or do not have) in place.
The Schrems II Case has again shown the fragility of country-to-country bilateral or multilateral government solutions and highlighted the impact of local privacy and surveillance laws. There are practical challenges ahead in evidencing equivalence or adequacy amidst the growing number of countries' surveillance and national security laws. Eyes will be watching as to how a country can achieve a level of protection essentially equivalent to that guaranteed by the GDPR while maintaining local surveillance laws and intelligence gathering capabilities which, in Australia's case, our own intelligence architects describe as 'intrusive powers ... and very intrusive capabilities.'[5]
Perhaps it is time to see if the private sector, with the aid of a recognised global standard privacy information management system (tweaked to suit), can do any better for private sector related personal data transfers and ensuring appropriate privacy protections and safeguards exist, despite any local surveillance laws.
1. Rachel Noble, Director-General, Australian Signals Directorate, speech 'Long Histories-Short Memories: The Transparently Secret ASD in 2020,' National Security College, Australian National University, Canberra, Australia, 1 September 2020, transcript accessed at: www.//asd.gov.au/publicaion/speech-transparently-secret-asd
3. The Schrems II Case, 16 July 2020, at [141].
4. The Federal laws in Australia regulating public authority surveillance of personal data are: the Surveillance Devices Act 2002, the Telecommunications Act 1997, the Telecommunications (Interception and Access) Act 1979, the Australian Security Intelligence Organisation Act 1979, the Intelligence Services Act 2001, and the Privacy Act 1988.
5. Rachel Noble, Director-General, Australian Signals Directorate, speech 'Long Histories-Short Memories: The Transparently Secret ASD in 2020,' National Security College, Australian National University, Canberra, Australia, 1 September 2020, transcript accessed at: www.//asd.gov.au/publicaion/speech-transparently-secret-asd