These are my six takeaways from the Schrems II decision published yesterday. They are
- Privacy Shield died because EU data subjects are disadvantaged by the USA’s approach to privacy.
- The Standard Contractual Clauses (SCCs) produced by the European Commission are OK to use in general, but (and a “big butt” at that)…:
- SCCs might not be OK for the USA in the long term (watch for ICO and EDPB advice) as they are likely to be afflicted by the same problems as Privacy Shield.
- Controllers have to look to familiar accountability-like requirements on transfer to a recipient in a Third Country, and reassure themselves that the DP standards specified by the SCCs apply to any processing of personal data in that Third Country.
- Controllers and processors are likely to need to know more about the privacy law in the Third Country, how it varies from the GDPR and when public authorities in the Third Country can gain access to personal data so transferred.
- The UK could well be in difficulty for an adequacy decision from the European Commission given the comments concerning disclosure to public authorities.
- As it is election time, the USA would be advised to debate a Federal DP law at least to the standard of the updated Council of Europe Convention No 108+ (if the USA wants an adequacy determination from the Commission).
The above conclusions are justified in the rest of the blog. The mantra is: “Do not panic” (yet); be prepared to change transfer arrangements to the USA and keep an eye out for official pronouncements re transfers to the UK from the EU for next year. I would not be surprised if updated SCCs do not materialise soon as they were on the agenda of the EDPB meeting in May this year.
Privacy Shield shattered: EU citizens disadvantaged
Paragraph 65 of Schrems II judgement explains why Privacy Shield went "down"; the judgment raises four issues which need little in the way of amplification (but I do emphasise the key words in bold).
- (a) “As regards judicial protection, the referring court states that EU citizens do not have the same remedies as US citizens in respect of the processing of personal data by the US authorities, since the Fourth Amendment to the Constitution of the United States, which constitutes, in United States law, the most important cause of action available to challenge unlawful surveillance, does not apply to EU citizens”.
- (b) “In that regard, the referring court states that there are substantial obstacles in respect of the causes of action open to EU citizens, in particular that of locus standi” (i.e. the ability to bring an action before the US courts) “which it considers to be excessively difficult to satisfy”.
- (c) “Furthermore, according to the findings of the referring court, the NSA’s activities based on E.O. 12333 are not subject to judicial oversight and are not justiciable”. Note: Executive Order 12333 deals with United States Intelligence Activities (as amended by Executive Orders 13284 (dated 2003), 13355 (2004) and 13470 (2008)); all of these EOs predate the current President so there is no new dystopian Trumpian barrier.
- (d) “Lastly, the referring court considers that, in so far as, in its view, the Privacy Shield Ombudsperson is not a tribunal within the meaning of Article 47 of the Charter, US law does not afford EU citizens a level of protection essentially equivalent to that guaranteed by the fundamental right enshrined in that article”.
These reasons kill Privacy Shield for any controller or processor. Even assuming all the personal data were not required for surveillance or by the national security agencies (i.e. (a), (b) and (c) “disappear miraculously”, just like COVID according to President Trump), I can’t see how one gets around (d) without structural changes to Privacy Shield. Any fix is not going to be quick.
However, it might be possible to repair Privacy Shield in circumstances when (a), (b) and (c) do not apply (e.g. no surveillance; no national security). That is why the USA Department of Commerce put out a holding press release saying it will not give up the ghost: “The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations”.
Adequacy determination for the UK?
The approach the Court took to SCCs was more nuanced, so I have published the judgement with commentary as needed. The key paragraphs are paragraphs 129-149, some of which deal with the difference between the SCCs and an adequacy determination (that the UK is hoping for by 2021).
The Court said that an adequacy determination (my emphasis from paragraph 129) was:
- “an examination of the legislation of the Third Country concerned taking into account, inter alia, the relevant legislation on national security and public authorities’ access to personal data” and whether “access of that third country’s public authorities to such data does not therefore impede transfers of such personal data to the third country”.
- “Such an adequacy decision can therefore be adopted by the Commission only if it has found that the Third Country’s relevant legislation in that field does in fact provide all the necessary guarantees from which it can be concluded that that legislation ensures an adequate level of protection” (which is more or less the GDPR).
The problem the UK Government has is: (a) the European Commission has to look at access by the public authorities etc and (b) it has implemented very generous data sharing legislation for its public authorities (e.g. in the Digital Economy Act 2017 and for national security purposes via the bulk personal data processing powers in the Investigatory Powers Act 2016).
In addition, the UK_GDPR envisaged by the “Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019” can diverge easily and quickly from the standards established by the GDPR in a very significant way.
So, in effect, any adequacy agreement between the UK and the European Commission will have to contain a guarantee, given by the UK Government, concerning permitted divergence of the UK_GDPR from the GDPR. For example, with respect to further disclosure to public bodies, or a guarantee that any change to rights, Principles and other GDPR obligations does not deviate too far from European norms. (See the blogs mentioned in the references below.)
For the life of me, I cannot see such a guarantee being given if the Government’s mantra of “taking back control” is to be realised.
It is this issue that bedevils the future use of SCCs for transfers to the UK from the EU (e.g. controller in France to processor in the UK). If this is what your organisation is about, please read the description of the SCCs in the judgement as it gives further detail of what the controller or processor receiving personal data from the EU might need to do from January 1st 2021.
I am only providing some headlines that caught my eye.
Standard Contractual Clauses (SCCs)
The way I understand the judgement with respect to the role of SCCs can be summarised as follows:
- SCCs should specify required DP safeguards (SCCs are European Commission approved remember) but controllers and processors need to identify certain accountability-like obligations (the judgment does not refer explicitly to “accountability” but essentially that is what is being suggested).
- These accountability-like obligations will vary depending on whether the SCCs relate to controller (EU) to controller (Third Country) or controller (EU) to processor (Third Country). They include managing, establishing, reporting and auditing compliance with the SCCs against the specified DP standards and checking for the existence of effective remedies in the case of a breach of the SCCs. The UK, remember, is such a Third Country in 2021.
- The SCCs provide a baseline of DP expectations and safeguards; where necessary, the controller and processor can implement safeguards in addition to those identified in the SCCs.
- The recipient in the Third Country has a role in identifying the obligations placed on that recipient by Third Country law and in informing the controller or processor of those obligations (especially if they relate to access to personal data by public authorities in that Third Country). The transferring controller can then consider whether additional safeguards are required.
- Once informed, and if there is an absence of additional safeguards that are deemed necessary, then the controller or processor should not transfer the personal data.
Quotes from the judgment that establish the above
Paragraph 131 states that the controller or processor ‘should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject’ and that ‘those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies … in the Union or in a third country’ (my emphasis).
The above is made clear in paragraph 132 as it may “prove necessary to supplement the guarantees contained in those standard data protection clauses”. In that regard, “Recital 109 of the regulation states that ‘the possibility for the controller … to use standard data-protection clauses adopted by the Commission … should [not] prevent [it] … from adding other clauses or additional safeguards’ and states, in particular, that the controller ‘should be encouraged to provide additional safeguards … that supplement standard [data] protection clauses’.
Paragraph 133 adds that “standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law” so the implementation of additional safeguards “may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection”.
Paragraph 135 concludes “Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned”.
This is especially the case “where the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data”.
It follows (paragraph 142) that “a controller established in the European Union and the recipient of personal data (in the Third Country) are required to verify, prior to any transfer, whether the level of protection required by EU law is respected in the Third Country concerned”. The “recipient (in the Third Country) is, where appropriate, under an obligation… to inform the controller of any inability to comply with those clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract”.
It is, in my view, paragraphs 135 and 142 that “does for” SCCs to the USA. Privacy Shield went down because the CJEU concluded that “the level of protection required by EU law is NOT respected in the Third Country (i.e. USA) concerned”; the deficiencies (identified in paragraph 65) are not removed by the SCCs.
Concluding comments
So what should controllers do now? Well, I would wait until Data Protection Authorities, EDPB and the European Commission get their collective heads together and make suggestions in public. I do not think transfers to the USA will be stopped overnight by this judgment which is far more complex than most observers had envisaged.
The judgement will certainly give the UK Government a headache over adequacy if the UK_GDPR strays too far from the GDPR.
If an adequacy determination for the UK does not arise for whatever reason, the SCCs with respect to transfers from the European Union to the UK, are likely to pick up the strain.
It will be embarrassing if these SCCs have to contain additional requirements to protect European data subjects because the UK’s DP regime is viewed to be inadequate.
Upcoming Data Protection Courses (in Autumn)
Obviously COVID19 has put a spanner in the training works, but the following courses are scheduled for the Autumn now lockdown is unlocked (fingers crossed).
All courses lead to the relevant BCS qualification:
- Data Protection Practitioner: London, Starts Sept 22 (6 days)
- Data Protection Foundation: London, Oct 13-15 (3 days)
- Data Protection Practitioner: Edinburgh, Starts Nov 23 (5 days)
Full details on www.amberhawk.com or by emailing [email protected]
References
USA Dept of Commerce press release on Schrems II https://www.commerce.gov/news/press-releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems-ii-ruling-and
Draft Brexit Data Protection Regulations would undermine adequacy determination for the UK : https://amberhawk.typepad.com/amberhawk/2019/01/draft-brexit-data-protection-regulations-would-undermine-adequacy-determination-for-the-uk.html
Adequacy of the UK’s data protection regime; now the UK has left the EU, the battle lines are drawn: https://amberhawk.typepad.com/amberhawk/2020/02/adequacy-of-the-uks-data-protection-regime-now-the-uk-has-left-the-eu-the-battle-lines-are-drawn.html
Schrems II Press release decision: Judgment of the Court of Justice in Case C-311/18
Schrems II judgement itself, C-311/18: http://curia.europa.eu/juris/documents.jsf?oqp=&for=&mat=or&lgrec=en&jge=&td=%3BALL&jur=C%2CT%2CF&num=C-311%252F18&page=1&dates=&pcs=Oor&lg=&pro=&nat=or&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&language=en&avg=&cid=9892073