Schrems-II Invalidation of the Privacy Shield by the ECJ
A major decision issued by the ECJ on Thursday 16th of July invalidated toe Transatlantic data flow agreement between the EU and the US for the second time after the Safe Harbor invalidation by the ECJ.
NEW IMPORTANT UPDATE 24th July 2020 – NOYB Next Steps for EU companies & FAQs
FISA 702+EO 12333 have no territorial limitation. They also apply to servers in the EU that are operated by a US ‘electronic communication service provider’ or where certain operations are outsourced to a US provider. The location for hosting is therefore irrelevant.
Any non-EU/EEA provider had the duty to inform you about laws like FISA 702 and EO 12.333. If they have not done so, they are liable for all costs that result from cancelling the SCCs and transferring data back to the EU/EEA…
The #PrivacyShield Decision was an incorrect executive decision by the European Commission. In theory, damages claims can be brought against the EU under Article 340 TFEU.
providers may have sufficiently limited the factual access (‘possession, custody or control’) from US entities, so that an EU/EEA server is factually beyond the reach of the US govt.” I wonder if such controls are possible without full separation
It is a complex decision based on the constatation that :
U.S. surveillance programs are not limited to what is strictly necessary and proportional as required by EU law on Fundamental Rights. Therefore EU data subjects do not have a right to effective legal remedies in the U.S. to ensure compliance with provisions of EU law when their data is used for national surveillance programs.The authorities of the EU Member States have insufficient powers and means to take effective action in relation to data subjects’ complaints based on allegedly unlawful processing in a third country.
We will attempt a Synthetic and immediate analysis of what has been shaking the privacy community and international corporations in the world this end of the week. At first read, the Privacy Shield is invalidated with immediate effect. Data export to the US cant be replaced by two other legal instruments which have been said valid in principle by the ECJ, specifically Standard Contractual Clauses and Binding Corporate Rules $Article 49 GDPR derogations).
In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default.
SCCs and BCRs are subject to a strict requirement to implement a case by case analysis and assessment. A complex issue unanswered at this stage.
One certainty for organisations that relied on the framework of the Privacy Shield mechanism as a legitimate basis of data transfer to the US, this mechanism has been invalidated – only not for the UK ICO !!!. Thousands of companies who relied on Privacy Shield will have to find another solution.
First observation, this is a judicial position versus a political stand. In other words, the ECJ ruling is based on rule of law – application of the General Data Protection Regulation (GDPR) – versus the EU Commission’s position. The EU Commission had reviewed the Privacy Shield the last two years not finding anything wrong with it. Max Schrems has been fighting with a small, rather powerless Irish Data Protection Commissioner (DPC) that has spent large amounts of the tax payer’s money to combat Schrems’ request.
The question initially to the Irish DPC was to estimate if there was sufficient protection for Facebook to transfer personal data to the US ?
Paragraph 103 of the ECJ decision states :
In that regard, although that provision does not list the various factors which must be taken into consideration for the purposes of assessing the adequacy of the level of protection to be observed in such a transfer, Article 46(1) of that regulation states that data subjects must be afforded appropriate safeguards, enforceable rights and effective legal remedies.
Further, in Paragraph 113 :
In that regard, as the Advocate General also stated in point 148 of his Opinion, the supervisory authority is required, under Article 58(2)(f) and (j) of that regulation, to suspend or prohibit a transfer of personal data to a third country if, in its view, in the light of all the circumstances of that transfer, the standard data protection clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.
look at all circumstances and check if protection by other means is possible.
Paragraph 143 to add:
Return data, destroy data, and notify the DS and DPA “If the recipient of personal data to a third country has notified the controller, pursuant to Clause 5(b) in the annex to the SCC Decision, that the legislation of the third country concerned does not allow him or her to comply with the standard data protection clauses in that annex, it follows from Clause 12 in that annex that data that has already been transferred to that third country and the copies thereof must be returned or destroyed in their entirety. In any event, under Clause 6 in that annex, breach of those standard clauses will result in a right for the person concerned to receive compensation for the damage suffered.”
A valid objection has been expressed that other countries access to data with less transparency. However, the US surveillance and data access stands out from its scale and capabilities, despite a relative transparency in the US national security laws. Furthermore, the US corporations’ position of quasi -monopoly means massive collection and curation of data. Not only data is massively collected and at risk of access by the US government, EU Data subjects suffer the lack of effective judicial review in the US where there cannot be redress unless a damage is proven. Therefore, EU citizens will not have a mean of complaint about their data transferred to the US
I – What the ECJ based its decision on :
- The GDPR
- The European Charter of Human Rights (ECHR) mainly articles 7, 8, 46, 47, 48 and the Charter of Fundamental Rights
- Visa of JUGEMENTS
– judgment of 6 October 2015, Schrems, C‐362/14, EU:C:2015:650, paragraph 47 Jehovah,
– Schrems judgment of 6 October 2015, Schrems, C‐362/14, EU:C:2015:650, in particular paragraphs 51, 73
– judgments of 24 September 2019, Google (Territorial scope of de-referencing) (C‐507/17, EU:C:2019:772), and of 1 October 2019, Planet49 (C‐673/17, EU:C:2019:801)
– judgment of 10 July 2018, Jehovan todistajat, C‐25/17, EU:C:2018:551, paragraph 37
– judgments of 26 February 2013, Åkerberg Fransson, C‐617/10, EU:C:2013
– judgment of 20 March 2018, Menci, C‐524/15, EU:C:2018:197, paragraph 24
judgments of 17 December 1970, Internationale Handelsgesellschaft, 11/70, EU:C:1970:114, paragraph 3; of 13 December 1979, Hauer, 44/79, EU:C:1979:290, paragraph 14; and of 18 October 2016, Nikiforidis, C‐135/15, EU:C:2016:774, paragraph 28
– judgment of 17 December 1970, Internationale Handelsgesellschaft, 11/70, EU:C:1970:114, paragraph 3; of 13 December 1979, Hauer, 44/79, EU:C:1979:290, paragraph 14;
- Despite the Commission’s review of the Privacy Shield
- in light of Edouard Snowden’s revelations of the NSA bilk data collection , and based on FISA 702 / Prism / Cloud Act
- the right of data subject, not sufficiently protected by Ombudsman
The ECJ decision invalidated the Privacy Shield, however Standard Contractuel Clauses (SCCs) are in principal OK only if it documented that there will be no FISA interception and data subject rights respected. Not an easy condition. The devil is in the detail. How by a case by case analysis, these SCCs could be made compatible with the rights of data subjects as guaranteed by the GDPR ?
It’s interesting to note that :
– the decision of the ECJ was first published on the US Twitter Platform before reaching their own website.
– the Irish DPC Hellen Dixon opted to express her first reactions on US LinkedIn live platform as a guest of the US IAPP – the main certification organisation for privacy practitioners
– and the US Future of the Privacy Forum, using the US cloud videoconferencing app, Zoom.
What did the court said about data flow to the US and the Privacy Shield ?!
- No grace period has been given
- the Commission’s reaction has been to say ‘we will modernise SCCs’ – Article 288 TFEU, a Commission adequacy decision
- The Irish DPC has ‘welcomed’’ the judgement after spending tax payers money to combat Schrems!!
At this stage, we are left with many uncertainties. As mentioned above, thousands of companies rely on data transfer to the US. So SCCs and BCRs are the only option left, only IF they are adapted and re-evaluated with the DPAs supervision. Here is what the EDPB has said in its statement reacting to the ECJ decision :
“While the SCCs remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR. out under2) GDPR.
“If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.” Hopefully, we will soon know more about these ‘additional measures’.
To raise EU’s credibility, EU DPAs might want to show more actively their concerns about the EU Data Subject’s rights. DPAs will have to access the security of the data transfers.
This data flow restriction is not exclusif to the US, they are other countries of non adequate data protection such as China, Russia or India or in same bucket. The French CNIL has created of a map world of data protection.
What organisations are going to do to better protect Personal Data ?
Ask the lawyers exchanging data across the channel, will they ensure the data flow is adequately protected since this decision ?
Several easy options come to mind : First of all, and this is an all winner option, data minimisation. If you dont hold un-necessary that, you reduce you liability. Check your third party processors, compare them with the market. Data processing agreements must be signed with all processors, assessing their guarantees (obviously, this can’t be extended to the possibilities of a government access). Apart from SCCs, Binding Corporate Rules, approved code of conduct, or derogations for specific situations. and a case by case analysis reviewing the data importer’s security measures, data encryption or tokenisation can reduce the chances of access although at some point the data will need to be unencrypted and vulnerable. Using EU companies as processor, or or data storage as much as possible will avoid the data flow outside the EU. A Franco-Germanic project called Gaia-X might be the winner in this muddle. Still remains the question of US operating systems. Check all the tracing and tracking that incidentally enable data transfers. Many might not realise using third party cookies such as Google Analytics or Facebook Modernizr are means of transfer of data to US, making the website owner co-controller and therefore liable. Same applies to some of the widely used tools such as MailChimp or videoconferencing apps.
How will using Microsoft product will comply? The Department of Defence in France or the UK for instance are equipped with Microsoft. What data sovereignty ?
Microsoft published a statement by Julie Brill, assuring :
“We want to be clear: If you are a commercial customer, you can continue to use Microsoft services in compliance with European law,” wrote Julie Brill, corporate vice president for global privacy and regulatory affairs at Microsoft. “The Court’s ruling does not change your ability to transfer data today between the EU and U.S. using the Microsoft cloud.”
While the CNIL published on their Twitter account analysing the decision with their European colleagues, three German DPAs – Berlin, Hamburg and Rhineland-Palatinate quickly published statements inviting companies to suspend data transfer and even to repatriate the data back to the EU. Great proactive reaction. However, we can hope the EDPB will ensure the consistency mechanism of the application of the GDPR.
The UK Government statement expressed their disappointment :
‘It is disappointed that the EU’s adequacy decision for US Privacy Shield has been invalidated by the court in its judgment of 16th July 2020.’
Standard Contractuel Clauses will have the same challenge :
- 1- ensuring no access to the data by US Government using FISA and the Could Act
- 2- ensuring same level of protection for data subjects in the US.
Still many un-answered questions remain :
- What will happen with the Swiss Privacy Shield ?
- What will the CCPA change the done ?
- Will UK get adequacy decision after Brexit despite RIPA ?
Further reading :
Section 702 is a key provision of the FISA Amendments ActDecoding 702: What is Section 702?
of 2008 that permits the government to conduct targeted
surveillance of foreign persons located outside the United
States, with the compelled assistance of electronic
communication service providers, to acquire foreign
Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems – European Data Protection Board – European Data Protection Board
Schrems and the future of EU-US data transfers (or lack thereof…) this is a LONG article. An interesting US view. It has some good elements but still missing few important points. No mention of the lawful basis of processing and the obligation of transparency FB failed. Why should there be any doubt on Facebook’s basis of data transfer to the US while SCC or Privacy Shield should be clearly stated in their privacy notice. Also no reference to the Cambridge Analytica interference into élections and manipulation of public opinion. I think this was a wake up call to many on the sort of game FB was playing when collecting data and profiling. Facebook is one player in the game, they are other big ones, US corporations have somehow grow so big that they are nous out of control even for the US government. I suggest reading Professor Lawrence Lessig on the point of Lobbying and corruption of the US Congress. Are EU countries much better? Well, surely they don’t have the same power. Plus there is some sort of partnership between EU countries offering some sort of guarantee. The EU is based on free mouvement of people and goods. Therefore the directive 95 came to ensure the free flow of data within member states. The real terror created by the 9/11 tragedy is the rising level of state surveillance.
State surveillance is the real threat to freedom and individual human rights. All Western countries have taken oppressive measures. What US has done is again one level higher with clear segregation against the rights of foreign citizens. Yes, in the EU we do care about our fundamental rights as much as the US is focused on free speech, Unlike the free speech in the US, The right to privacy and data protection are not absolute and have to be balanced with other fundamental rights. The right to privacy and data protection are différent despite being interconnected. Europe is a patchwork of sovereign nations with various cultures and legal systems. I fully agree with the authors ‘there are deep cultural differences between EU and US and you definitely need someone on your side that actually speaks and thinks “European” on this one.’ Both EU and US need each other. Transatlantic trade is essential but not at the cost of EU citizens rights. We might have woken up a bit late. Not sure we can actually stop the GAFAM with not enough EU competitors. Better late than never? It’s time for the Commission to play it’s role and negotiate a fairer agreement. I don’t believe a code of conduct could be sufficient. It won’t be an easy game.