On July 16, 2020, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield framework, sparking debates and discussions among privacy professionals. Perhaps more importantly, the decision gave some interpretation of the standard contractual clauses mechanism and how it should work in the current approach in the EU to personal data transfers outside the EU. But will this decision lead to a crisis in cross-border data flows?
Data protection frameworks for transfers outside the EU
Before Privacy Shield, there was the Safe Harbor arrangement that confirmed the adequate level of protection for participating U.S. companies. When the CJEU invalidated Safe Harbor (Case C-362/14), it emphasized that the European Commission did not make an adequacy finding but simply looked at the text of assurances in the Safe Harbor. While the EU took this into consideration when developing Privacy Shield, the CJEU now says that the framework had flaws in the text itself regarding the level of data protection and fundamental rights and freedoms enshrined in the freedoms and Charter of Fundamental Rights of the European Union.
According to the first reports on the annual joint reviews of Privacy Shield, the European Data Protection Board repeatedly expressed a number of significant concerns about the function and enforcement of Privacy Shield by U.S. authorities (e.g., the absence of substantial checks, scope of data collection by public authorities, powers and independence of the ombudsperson mechanism, and presence of redress for EU individuals), some of which the CJEU confirmed in its recent decision.
The commission could have used the mechanisms provided in Privacy Shield to, at least, amend or partially suspend their function, but it did not do so until the CJEU invalidated Privacy Shield. This means that the mechanism of annual joint reviews did not achieve its purpose, although it is one of the new tools that existed in comparison to Safe Harbor for the effective functioning of the adequacy decision. However, it was not a decisive factor as the issue lies in the U.S. policy approach to privacy, national security and surveillance programs.
One implication the Safe Harbor and Privacy Shield decisions give us is to what extent is it possible to use such public arrangements with third countries for issuing the adequacy decisions and whether they will follow them properly? It remains to be seen if further guidance and discussion on if we will see a third edition of a framework, but it should be more accurate and unambiguous, as well as effectively supervised and enforced.
The implications for SCCs as the most popular safeguard
It goes without saying that SCCs are frequently used by businesses for safeguarding transfers. Previously, some might have thought that it is simple and convenient to use — just fill it in, and print it out. However, with the “Schrems II” decision, the CJEU confirmed and reiterated the necessary actions to follow for using SCCs. The CJEU's confirmation of the validity of SCCs is certainly a step in the right direction, but the devil is in the details. The CJEU reminds us that to use an SCC, the data exporter must ensure a data importer in the third country will not violate the SCC and the mandatory requirements of the national legislation of a data importer do not go beyond what is necessary for a democratic society and constitute a necessary measure (e.g., to safeguard national security, defense, public security, the prevention, investigation, detection and prosecution of criminal offenses). Additionally, the data importer must notify the data exporter about possible violations that may lead to the breach of the SCC. When possible, the deficiencies of the national legislation have to be compensated by stating additional safeguards.
The decision leads to the following implications.
The extent of practical usage of SCCs
Transfer to the U.S. could be under attack or, at the very least, subject to profound scrutiny by local data protection authorities, simply because the CJEU decision has already given an unfavorable assessment of U.S. national legislation. It also concerns transfers to other countries without adequacy findings especially ones that have laws that do not comply with the requirements mentioned above. As the Article 29 Working Party stated in the Working document 12, the problem of overriding law and SCCs, "in some cases a contract is too frail an instrument to offer adequate data protection safeguards, and transfers to certain countries should not be authorized. [T]here will be some situations in which a contractual solution may be an appropriate solution, and others where it may be impossible for a contract to guarantee the necessary 'adequate safeguards.'"
It remains to be seen whether safeguards could compensate and "defend" the transfer from "inappropriate" requests of the national authorities, which are mandatory for a data importer. Perhaps, the updated versions of SCCs, as well as the adoption of the SCC for processor-to-processor cases, would provide a remedy. Extraterritorial acts of third countries, like the U.S. Clarifying Lawful Overseas Use of Data Act, also have to be taken into consideration in particular cases. Another area of concern is a data retention law. According to the CJEU’s news release No 145/16 regarding its judgment in joined Cases C-203/15 and C-698/15, "legislation prescribing a general and indiscriminate retention of data does not require there to be any relationship between the data which must be retained and a threat to public security … Such national legislation therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society."
While that issue is also problematic for the EU, in the context of transfers, attention should be paid to the legislation of third countries as it may require, for example, internet service providers in third countries to collect and store all traffic and content data of users and subscribers in that country within a specified time. They may also be required to provide access for law enforcement purposes that entirely or partially might be deemed unreasonable and go beyond what is necessary for a democratic society. It might be a tricky issue if we look at how the internet works and its nature in the global and digital context. Hence, it seems that the transfers of sensitive data might be very restricted from a practical standpoint.
Compliance efforts will be increased
Data exporters should perform assessments on a case-by-case basis; however, they may have different decisions regarding the "adequacy" of a particular country. The CJEU decision also demonstrates the level of scrutiny for adequacy. It might, therefore, be reasonable for the commission to intensify its work on analyzing the "adequacy" of third countries, as well as provide reports on those that cannot be deemed to provide an adequate level of protection of personal data for the purpose of transfers from the EU under the General Data Protection Regulation. Hence, the level of effort for complying with the accountability principle will be increased as the data exporter will have to document the assessment. Guidance on the matter remains to be seen from the supervisory authorities, but it will most likely add compliance expenses. As a result, it might be difficult to maintain compliance for some data exporters (e.g., small to medium enterprises, startups).
Other safeguards and mechanisms
One may argue that even without SCCs and Privacy Shield, the GDPR provides plenty of other tools for legitimizing data transfers. But if we look at them closely, they can be used in very limited and exceptional cases. Binding corporate rules (that might also be reassessed by DPAs after the CJEU decision) could be a viable option for large corporations, but it only safeguards the transfers within the enterprise and not with service providers and other operators. In addition, setting up BCRs is an expensive and cumbersome endeavor. Some might think of using derogations for specific situations provided in Article 49 of the GDPR. It is submitted that, to some extent, the usage of the derogations (e.g., data subject explicit consent for transfer) will be increased but not significantly. It should be noted here that in Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 the EDPB said that "the derogations must be interpreted restrictively so that the exception does not become the rule’ and ‘transferring personal data to third countries on the basis of derogations leads to increased risks for the rights and freedoms of the data subjects concerned.'" Furthermore, to rely on the derogations, a data exporter would need to document its assessment as to why any other safeguards are not appropriate or available to use and whether it is possible to use that particular derogation for a particular case. Thus, a proper reliance on the GDPR’s Article 49 requires enormous transactional costs (e.g., for the SMEs).
What's next?
The invalidation of Safe Harbor and Privacy Shield, used as tools for nearly 20 years to confirm the adequacy and protection of transfers to the U.S., shows the crisis of the mechanism and that personal data protection, as well as other rights and freedoms enshrined in the EU Charter, was not, in fact, properly respected. The issue is definitely not only about the mechanisms, but mainly in the reconciliation of the EU high standard and the U.S. public policy approach, as well as the standards of the other third countries. The issue is reinforced by the current CJEU decision stating, among other things, that "E.O. 12333 allows the NSA to access data ‘in transit’ to the United States, by accessing underwater cables on the floor of the Atlantic, and to collect and retain such data before arriving in the United States and being subject there to the FISA. It adds that activities conducted pursuant to E.O. 12333 are not governed by statute."
This is a tricky issue, as it is known how the global internet functions regarding data routing. With this in mind and the current case law with relation to SCCs, the EU might unfortunately further go to EU data localization, which may also mean the abruption of global business chains, and may further limit innovations, growth and development of isolated EU markets. As noted in Recital 6 of the GDPR, "[n]atural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data."
That is presumably where the system of the GDPR's workable and effective safeguards should jump in and play. It remains to be seen how the landscape would be adjusted and how in practice the assessment tool under the SCC will work further. Maybe it is time for reshaping the EU system of safeguards for transfers.
Photo by ål nik on Unsplash