The recent public statements from EU data protection authorities, including local regulators, and the European Data Protection Board, notably at the IAPP Europe Data Protection Congress in November 2021, have raised some legitimate concerns among the privacy community. Some are academic, others practical. Most are related to international transfers of personal data under the EU General Data Protection Regulation.
From clarity to perplexity
A first concern stems from the EDPB's guidelines dated Nov. 18, 2021, on the interplay between cross-border requirements under the GDPR and its territorial scope of application. Undoubtedly, additional clarity on the definition of international transfers is more than welcome post-"Schrems II." Interestingly, the EDPB confirms that any transfer within the meaning of the GDPR must meet three cumulative prerequisites: an organization based in the EU (acting as controller or processor); a transmission from this organization to another one; and the latter being located outside of the EU (regardless of whether it falls within the territorial scope of application of the GDPR). That makes sense.
What may make less sense, in my opinion, is that the EDPB guidelines exclude situations where a foreign controller targets the EU market, collecting personal data from EU residents. Surely this scenario falls within the "targeting" criterion under Article 3(2) of the GDPR, triggering a high level of protection. If the GDPR applies, all of its provisions do, including Chapter V on cross-border flows. Admittedly, in the absence of an adequacy decision, where non-EU entities rely on the targeting criterion for collecting information from the EU, it would have been inappropriate for those entities to enter into standard contractual clauses, which are designed for organizations, with data subjects. Still, not entering into SCCs does not deprive individuals of their rights and freedoms, to the extent that non-EU entities in such circumstances fall within the scope of the GDPR and must then comply with its high standards of protection.
To get there, the EDPB guidelines refer to the Court of Justice of the European Union's Lindqvist ruling, which differs in some notable respects: Lindqvist is pre-GDPR and concerns data made accessible from abroad through an individual's website, whereas the guidelines' scenario covers a company located outside the EU whose business involves importing personal data of EU residents. All those factors trigger Article 49 of the GDPR on individual-by-individual situations. As a reminder, this article applies when it is impossible to rely on an EU Commission decision confirming the adequacy of a third country with the GDPR (as a whole, or for a region or industry) or on appropriate safeguards (e.g., not being able to enter into SCCs with a data subject).
In practice, Article 49 of the GDPR allows organizations, in the context of international flows, to receive personal data from individuals, for example, either on the basis of their consent or of an agreement between the individual and the recipient of the data. The text does not say whether Article 49 is limited to organizations located within the EU or also covers those located outside it. In other words, it does not exclude per se that there could be a transfer of personal data when an individual purposefully provides data to a non-EU-based importer. Interestingly, Article 49 has not been construed as a legal ground for international transfers but as an exemption from the general prohibition on exporting such data. It clearly provides a safeguard in addition to the other general GDPR requirements with which any organization must comply as soon as it falls within the regulation's territorial scope. It seems that all organizations that do not have an EU footprint will very much welcome the EDPB guidelines.
As a precaution, organizations should not rush to treat this non-binding interpretation from the EDPB as settled law. There is a material risk that the CJEU will take a narrower view, since it has consistently taken the position that the highest level of protection must be ensured when it comes to essential notions under EU data privacy law. In the "Schrems II" ruling, an indicative factor of such a strict interpretation can be found in paragraph 92, which states that Article 44 of the GDPR requires a high "level of protection [to be] guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out." Arguably, a restrictive posture could extend this requirement to the Article 49 exemptions, thus requiring an assessment of whether third-country laws are compatible with the essential EU data protection principles.
From perplexity to anxiety
Worse, perplexity gave way to some anxiety when several data protection authorities, including France's data protection authority, the Commission nationale de l'informatique et des libertés, recently insisted at the IAPP Brussels Congress that transfer impact assessments do not rely on a risk-based approach. Such a statement is quite frustrating in light of the pathway left slightly open by the EDPB recommendations on supplementary measures and, beyond that, surprising on several levels.
Firstly, because it is difficult to reconcile with the GDPR's philosophy, which is based on the principle of accountability and requires every stakeholder in the lifecycle of data to carry out an assessment of the level of risk involved. Of course, only risks for individuals, and not for organizations, should be considered. However, the risk-based approach is the key factor for triggering the obligation to conduct impact assessments. Even if one considers the GDPR as not relying exclusively on a risk-based approach but merely containing risk-based components, how can the appropriate nature of the safeguards, enforceable rights and effective legal remedies be assessed pursuant to the "Schrems II" decision "on a case-by-case basis" without actually conducting any risk assessment?
Secondly, because it contradicts the former Article 29 Working Party, now replaced by the EDPB, whose first version of the guidelines (but not the second, which dropped the point) clearly listed international transfers as a factor for conducting DPIAs. Not to mention the EDPB recommendations on supplementary measures, which highlight that "the categories of data transferred and their sensitiveness will be relevant to the assessment of the risk and the appropriateness of the measures," or "the risk of potential application to your importer and/or to your transferred data of laws" on surveillance measures.
Post-Brexit considerations aside, the British Information Commissioner's Office is at least more explicit about it. Its recent draft (still subject to public consultation) explicitly refers to the exercise as a transfer risk assessment.
Above all, the posture of EU regulators is not at all aligned with the more pragmatic approach of other institutions. The European Commission has clearly indicated the importance of taking into account not only the local practices of the third country, in particular by industry, but also any "specific circumstances of the transfer (such as the content and duration of the contract, the nature of the data to be transferred, the type of recipient, the purpose of the processing)." This obviously presupposes an examination of, for example, the likelihood that local courts will grant or set aside requests for access by governmental authorities to personal data coming from Europe. In practice, the EU Commission strongly recommends relying on "different elements (…) as part of an overall assessment, including reliable information on the application of the law in practice (such as case law and reports by independent oversight bodies), the existence or absence of requests in the same sector and, under strict conditions, the documented practical experience of the data exporter and/or data importer." Clearly, this is not an exact science but merely a risk assessment, done as accurately as possible.
That is actually what France's administrative supreme court, the Conseil d'Etat, did when reviewing whether the supplementary measures implemented by Doctolib for the management of its anti-COVID-19 vaccination platform hosted by AWS met "Schrems II" standards. To do this, it assessed the sensitivity of the processed information, the level of security measures and the organizational mechanisms put in place by the hosting company. The Conseil d'Etat concluded that, in the absence of medical information (although such a qualification for appointments for anti-COVID-19 vaccination could be challenged under the more inclusive definition of health data in the GDPR), the level of third-party encryption measures implemented by Doctolib to manage the platform and the existence of an internal procedure at AWS to review and challenge any access request by U.S. governmental authorities were not insufficient with regard to the potential risks of violating the GDPR. In doing so, the Conseil d'Etat confirmed its previous ruling. It had indeed adopted the same risk-based approach in the Health Data Hub case, where it ruled that the actual risk of a U.S. court or authority requesting access to this database appeared to be low, because health data are not likely to be useful for criminal or anti-terrorism purposes, and even less so where the data are pseudonymized, without the identity of the individuals.
Of course, there should be no confusion. Transfer impact assessments must not be used to inappropriately justify excessive transfers of personal data outside of the EU. They are not only about asserting that transmitted data is unlikely to be accessed by government authorities. Rather, the purpose of the third-country law assessment, as contemplated by the CJEU, is to identify the key characteristics of any transfer in order to determine what supplementary measures should be implemented to keep personal data that is unlikely to have even an indirect link with national security and public safety considerations outside the perimeter of bulk surveillance programs. Rather than excluding any risk-based approach, would it not be more realistic, if not more supportive, for the countless entities (EU and non-EU alike) that have no other choice but to exchange personal data on a daily basis with actors located outside the EU, to clarify which risk-based components exporters can rely on for securing their cross-border data flows?