
Privacy Perspectives | Could the CJEU upend the global framework for data flows by answering a different question?


This week, the Court of Justice of the European Union will hear the Schrems II case. The case focuses on Facebook’s transfer of personal data to the U.S. using standard contractual clauses and whether those EU-approved commercial contracts meet European legal standards for government access to data. As the primary legal mechanism underpinning companies’ global data transfers, there is a lot at stake. Privacy professionals around the world are asking what happens if SCCs are deemed insufficient. One issue that merits greater discussion is whether a transfer mechanism is needed in the first place when a company receiving personal data is itself subject to the EU General Data Protection Regulation.

The EU’s 1995 Data Protection Directive originally set forth various data transfer mechanisms to prevent companies from circumventing EU data protections when moving personal data outside the EU. The territorial scope of the 1995 law corresponded directly with the physical territory of the EU itself. The directive applied only to entities established in or making use of equipment in the EU.

The adoption of the GDPR in 2016 greatly expanded the jurisdictional reach of the EU data protection regime. The GDPR applies to entities established in the EU or those outside of the EU offering goods or services to data subjects in the EU or monitoring their behavior. To make this scope enforceable, the GDPR requires non-EU entities subject to the law to appoint a representative in the EU. When data are transferred to a processor (inside or outside the EU), the GDPR obliges the controller of that data to implement safeguards to ensure the processing meets the requirements of the GDPR. The expanded territorial scope of the GDPR was one of its most impactful features. Companies around the world have spent billions of dollars complying with its requirements and providing new rights to EU data subjects.

While significantly extending the reach of EU data protections, the GDPR largely maintained existing mechanisms to transfer personal data. The text of the law, however, does not indicate whether these mechanisms should be used when data is transferred outside EU territory or outside the territorial scope of the law. As a result, many, if not most, companies have applied transfer mechanisms just as they did under the directive.

European Commission officials have suggested that data transfer mechanisms are only necessary when transfers are made for processing operations to which the GDPR does not apply. This stands to reason. If a data transfer mechanism were needed to send data to a non-EU-based recipient when the GDPR already applies, it would seem to call into question the law’s extraterritorial application. It would also make it less clear whether that transfer mechanism, which might offer substantially similar but not identical protections, or the GDPR itself governs in case of a dispute. The European Data Protection Board has not yet weighed in on the issue, deferring its planned guidance on the topic to a later date.

While the premise of Schrems II is that the protections afforded by SCCs might be insufficient, it is worth considering if a further question should be asked: Was a data transfer mechanism needed in the case at hand? The CJEU could address the threshold issue: Is a data transfer mechanism ever necessary if the entity receiving the data is already bound by GDPR requirements?

The CJEU has discretion to answer the questions of its choosing. It already has some critically important ones before it. Ultimately, which questions the court considers are just as consequential for global data flows as the answers it provides.

Photo by Bill Oxford on Unsplash



3 Comments


  • Kevin Kreuser • Jul 8, 2019
    Very interesting, and it definitely does stand to reason.  Hopefully they will address this issue in the affirmative, and not limit their analysis just to the standing of SCCs.
  • Lyn Boxall • Jul 8, 2019
    Yes, I agree with Kevin that it is very interesting.  But if this issue is addressed it seems to me that it only solves part of the problem. Sitting here in Singapore, we have many companies to which the GDPR clearly applies.  But we have many other companies where it might or might not apply because we still don't really know the scope of the extra-territorial provisions. 
    
    Companies in Singapore that believe they might be caught often choose to comply with the GDPR simply as a matter of commercial convenience and risk management.  But where do they stand with the argument in this article if it subsequently turns out that they were not required to comply with the GDPR?  
    
    We also have a lot of service providers who choose to comply with the GDPR to satisfy the preferences of their customers or who are required by their customers to comply with the GDPR - for example, I understand that Microsoft and IBM require GDPR compliance of everyone in their supply chain. I have the same question about where they would stand.
  • Caitlin Fennessy • Jul 10, 2019
    Thanks for your interest. Lyn, I wanted to respond to the issues and questions you raised. We see the same confusion here in the United States regarding whether GDPR applies directly to certain entities. The European Data Protection Board did issue some guidance on the topic, as you likely saw (https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en). But, as explained in the article, without clear written guidance on the intersection between GDPR’s extra-territorial application and transfer mechanisms from either the EDPB, the European Commission, or the CJEU, I wouldn’t expect that confusion to go away. The EDPB has indicated that they plan to publish guidance in this area, so I am hopeful that will address some of these issues. It is hard to say if such guidance could fully address the specific question you raise (what if they thought they were subject to the GDPR and they weren’t). But, ultimately, the substantive protections would be the same, so hopefully that goes a long way.