International: Future international data transfer considerations
On 16 July 2020, the Court of Justice of the European Union ('CJEU') issued its judgment ('the Judgment') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). The practical consequences for data transfers to countries outside the EU are still hard to foresee, and the Judgment makes clear that European law claims applicability even in non-European countries. On paper, this claim is easy to read at first, but in practice this ruling will continue to have an impact for some time to come. Dr. Carlo Piltz provides an overview of the Schrems II Case, what the Judgment means for companies, and what requirements need to be in place in order to continue transferring data internationally.
EU-U.S. Privacy Shield
It is clear after the CJEU ruling that the Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection provided by the EU-US Privacy Shield ('the EU-US Privacy Shield Decision') is invalid, and that this invalidity took effect immediately, without a transitional period. This means that data-exporting companies from the EU no longer have the option of sending personal data to certified recipients in the US in accordance with Article 45 of the General Data Protection Regulation ('GDPR'). All the more surprising is the statement of the UK's Information Commissioner's Office¹: 'If you are currently using the Privacy Shield please continue to do so until new guidance becomes available.' Since the CJEU clarifies in its ruling that the EU-US Privacy Shield is invalid, the invalidity of the decision is not limited to certain Member States; it also applies in the UK.
From the point of view of the business community, the invalidity of the adequacy finding is an uncertainty factor which must now be removed in practice, if at all possible. Whether and when there will be a new European Commission ('the Commission') decision on a level of protection 'essentially equivalent' for personal data in the US cannot be foreseen in the current situation, but, in any case, companies exporting data cannot wait for this.
Of particular relevance, also for other transfer mechanisms of Chapter V of the GDPR, are of course the findings of the CJEU on the (lack of) legal protection for EU citizens and the disproportionate nature of access by authorities. Although these findings were made in the ruling specifically on the EU-US Privacy Shield, they will probably also have to be taken into account in transfer instruments that are to be used as alternatives.
EU standard contractual clauses
In its judgment, the CJEU also stated that the validity of Standard Contractual Clauses ('SCC') (Controller-Processor) (2010/87) had not been affected and they still contain sufficient safeguards to ensure an adequate level of protection of personal data, at least in principle.
First, it should be noted that the CJEU did not specifically carry out this examination of the SCC with respect to the third country in question (the US). Rather, it assessed the protection afforded by the clauses in general, based on the requirements of Articles 44 and 46(1) of the GDPR.
In the absence of an adequacy decision, personal data may be transferred to a third country if the exporter meets the following three conditions:
- they have provided for 'appropriate safeguards' (these can be, inter alia, contained in the SCC);
- 'enforceable data subject rights;' and
- 'effective legal remedies for data subjects' are available.
The 'appropriate safeguards' themselves, e.g. the SCC, should guarantee a level of protection for persons that is essentially equivalent to the level of protection guaranteed in the EU.
Another important finding of the CJEU is that there may be situations in which the SCC can be used unchanged, as they themselves provide the appropriate level of protection. The CJEU distinguishes between two scenarios:
- Scenario 1: Depending on the law and practices in force in the third country concerned, the recipient of such a transfer is in a position to guarantee the necessary protection of the data solely on the basis of SCC.
- Scenario 2: Situations in which the content of those standard clauses might not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned.
As regards scenario 2, the Court gives an example: where the law of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates.
So the mere fact that interference with the rights of data subjects is possible and cannot be excluded by the unmodified SCC does not make the SCC inappropriate.
According to the CJEU, because the SCC are general in nature, in the second scenario above it may be necessary, depending on the situation in a given third country, for the controller to adopt supplementary measures in order to ensure compliance with that level of protection.
The question that is currently very relevant in practice is: what are these additional measures that companies could implement? The supervisory authorities have not yet (as of today) made any concrete statements on this.
The data protection authority of the federal state of Rhineland-Palatinate ('LfDI Rheinland-Pfalz') in Germany has published frequently asked questions² ('FAQs') on the ruling, where it suggests, specifically in relation to the US:
'In addition, in connection with data transfer to the USA, it should be considered that, according to US Executive Order 12.333, monitoring of insufficiently encrypted data can also be carried out when the data passes through the transatlantic cables.'
The decisive and practically relevant conclusion of the CJEU is that it is, above all, for the controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to the SCC, providing, where necessary, additional safeguards to those offered by the SCC.
Requirements in practice
The CJEU ruling on SCC concerns all transfers to any third country without an adequacy decision, so not only the US, but also China, Russia, the Philippines, and India, among others. Now is not the time for companies to panic, but for them to implement a verifiably level-headed approach to examining their own data transfers.
First, an internal mapping of the data transfers and the recipients should be carried out and the record of processing activities (Article 30 of the GDPR) can be of valuable assistance in this respect.
If it turns out that the SCC are in use (which is most likely the case), the data recipients should be contacted.
In practice, the controller could, for example, use a pre-prepared questionnaire to establish whether authorities can access the data and, if so, for what purpose. If access to the data is possible, the necessity of this access must be verified.
The verification test is therefore roughly structured as follows:
Step 1: Use of the unchanged SCC. Can the recipient comply with all SCC obligations?
- The controller must 'verify' this (if necessary, in cooperation with the recipient).
- 'Verifying' includes checking whether the data can be accessed by authorities.
- If so, then it must be assessed whether the accesses are necessary and required to serve a purpose mentioned in Article 23(1) of the GDPR.
Step 2: SCC obligations alone are not sufficient. Additional measures must be implemented.
- These measures may be of a contractual or technical nature.
- Caution: risk for the importer of violating national law.
It remains to be seen whether the data protection authorities will approach companies with appropriate advice and guidelines and not just use their powers to impose fines. At the same time, it should also be noted that the current situation, namely that the GDPR (i.e. its level of protection) is also exported to third countries, will inevitably lead to a collision with non-European law. However, neither the data protection authorities nor the companies alone can solve this conflict. Governments and politicians in particular are called upon to ensure that the conditions for international data transfer are manageable while ensuring a sufficient level of protection for personal data.
Dr. Carlo Piltz Partner
reuschlaw Legal Consultants, Berlin