
Billy Xiong Trend Report: Organizations Are Left With No Practical Legal Grounds To


After the official statements of the European Data
Protection Board (EDPB) and several Supervisory Authorities (SAs),
it is clear that at the moment there is no practical way for data
to lawfully flow from the EU to the US.

The reasoning in 5 steps:

  1. On 16 July 2020 the Court of Justice of the European Union (CJEU)
    invalidated the European Commission’s Privacy Shield adequacy
    decision concerning the transfer of data between the EU and the US
    (see Case C-311/18 “Schrems II”). Privacy Shield therefore no
    longer constitutes a valid basis for the transfer of personal data
    to the United States. You can read the Press release here.

  2. The main reasons for the invalidation are: “[i] that the
    requirements of U.S. domestic law, and in particular certain
    programmes enabling access by U.S. public authorities to personal
    data transferred from EU to the U.S. for national security
    purposes, result in limitation on the protection of personal data
    which are not circumscribed in a way that satisfies requirements
    that are essentially equivalent to those required under EU law, and
    [ii] that this legislation does not grant data subjects actionable
    rights before the courts against the U.S. authorities” (EDPB
    Frequently Asked Questions); additionally, [iii] the Court
    underlines that certain surveillance programmes enabling access by
    US public authorities to personal data transferred from the EU to
    the US for national security purposes do not provide for any
    limitations on the power conferred on the U.S. authorities, or for
    the existence of guarantees for potentially targeted non-US persons
    (see question 1, EDPB FAQ).

  3. There is no grace period (see question 3, EDPB FAQ). However, it
    is interesting to observe that following the judgement, the ICO
    (until 27 July 2020, when it published an updated statement,
    available here) stated on its website: “We are currently reviewing
    our Privacy Shield guidance after the judgment issued by the
    European Court of Justice on Thursday 16 July 2020. If you are
    currently using Privacy Shield please continue to do so until new
    guidance becomes available. Please do not start to use Privacy
    Shield during this period.” Did this show that the ICO has already
    started to move away from EU influence in the area of privacy? Is
    such a statement an exercise of political power by the ICO, or is
    it simply a pragmatic approach to managing a situation where
    transatlantic data flows are of huge value and it would be too
    disruptive to enforce? In any case, it is clear that this is not
    just a legal matter but also – if not especially – a political and
    economic battle between the EU and the US.

  4. The ratio of the decision also applies to SCCs and BCRs and
    potentially holds for any third country (see questions 5 and 6,
    EDPB FAQ). Therefore, before transferring personal data to the US
    (and to any other third country that has not received an adequacy
    decision) on the basis of SCCs or BCRs, organisations are requested
    to (i) carry out an assessment of the appropriate safeguards “in
    order to ensure that the level of protection of natural persons
    guaranteed by the GDPR is not undermined” (see Art. 46 GDPR), which
    will also include the possible effects of (ii) supplementary legal,
    organizational or technical measures that the exporter and the
    importer will put in place. The EDPB is evaluating which kinds of
    supplementary measures could effectively be implemented. However,
    “the Court highlighted that it is the primary responsibility of the
    data exporter and the data importer to make this assessment, and to
    provide necessary supplementary measures.” (see question 10, EDPB
    FAQ). This approach seems to demonstrate a lack of familiarity with
    the actual implications, as the vast majority of organizations do
    not have (access to) the capabilities to assess whether appropriate
    safeguards are guaranteed with respect to a specific transfer to a
    non-adequate third country. Moreover, how could supplementary
    contractual legal measures agreed between two parties
    (exporter-importer) limit the reach of national law provisions
    granting exceptional rights to local authorities for national
    security purposes? One may consider technical measures, for
    example, aimed at rendering the data unintelligible to
    third-country authorities; however, this may result in possible
    violations of other applicable legislation.

  5. The derogations provided in Article 49 GDPR can theoretically be
    used, but in practice will not offer many viable options in
    business contexts. Data subject consent is a very impracticable
    legal basis for transfer. The majority of organisations have not
    based data transfers on consent so far, and collecting it now will
    not be very successful (i.e., a very low consent acquisition rate).
    Moreover, even if the consent of data subjects is acquired, it will
    not be a “stable” legal ground for transferring, because the data
    subject may withdraw it at any time. Transfer for the performance
    of a contract – either between data subject and controller (Art.
    49.1.b GDPR) or concluded in the interest of the data subject
    between the controller and another natural or legal person (Art.
    49.1.c) – can only serve as a legal basis when the transfer is
    occasional. More generally, the derogations of Art. 49 GDPR “should
    not become ‘the rule’ in practice, but need to be restricted to
    specific situations and each data exporter needs to ensure that the
    transfer meets the strict necessity test.” (question 8, EDPB FAQ).

Conclusions: de facto, the regular transfer of data from the EU to
the US is not really possible at this point in time without the risk
of incurring sanctions.

A collection of official statements and a few comments on them

Below I provide a list of official statements and
FAQs from the European Data Protection Board, national supervisory
authorities, and European and international Institutions which will
be updated regularly.

The game-changer: On 16 July 2020 the Court of Justice of the European
Union invalidated the European Commission’s Privacy Shield adequacy
decision concerning the transfer of data between the EU and the US
(see Case C-311/18 “Schrems II”). Privacy Shield therefore no longer
constitutes a valid basis for the transfer of personal data to the
United States. You can read the Press release here.

The same day, U.S. Secretary of Commerce Wilbur Ross issued a
Statement on Schrems II Ruling and the Importance of EU-U.S. Data
Flows (read it here). The statement notes that the US “has been and
will remain in close contact with the European Commission and
European Data Protection Board on this matter and hope to be able to
limit the negative consequences to the $7.1 trillion transatlantic
economic relationship that is so vital to our respective citizens,
companies, and governments. Data flows are essential not just to
tech companies – but to businesses of all sizes in every sector. As
our economies continue their post-COVID-19 recovery, it is critical
that companies – including the 5,300+ current Privacy Shield
participants – be able to transfer data without interruption,
consistent with the strong protections offered by Privacy Shield.”
Mr. Wilbur Ross’ statement is politically understandable, but as
explained above, after the ruling of the Court of Justice the regular
transfer of data from the EU to the US is not really possible at this
point in time without EU organizations risking sanctions. The task of
safeguarding the transatlantic economy and, more generally, the
digital society (which also strongly relies on such data flows) seems
to be left to EU Supervisory Authorities. This reflects a clear lack
of political agreement between the EU and the US, leaving EU Courts
and Supervisory Authorities to take decisions whose effects go way
beyond their mandate.

Following the decision, on 16 July 2020, European Commission Vice
President Jourová acknowledged the invalidation of Privacy Shield and
stated that “transatlantic data flows can continue, based on the
broad toolbox for international transfers provided by the GDPR, for
instance binding corporate rules or Standard Contractual Clauses.”
Jourová furthermore stressed that the Commission is committed to
ensuring that data flows are in line with the judgment of the CJEU,
respect EU law, and guarantee the protection of fundamental rights,
and therefore offer a high level of protection for personal data. She
outlined the three priorities of the Commission: 1. “Guaranteeing
the protection of personal data transferred across the Atlantic”;
2. “Working constructively with our American counterparts with an aim
of ensuring safe transatlantic data flows”; and 3. “Working with the
European Data Protection Board and national data protection
authorities to ensure our international data transfer toolbox is fit
for purpose.” The EC Vice President furthermore stressed, as she has
already done on multiple occasions in the past, that “the Commission
has already been working intensively to ensure that this toolbox is
fit for purpose, including the modernisation of the Standard
Contractual Clauses.” You can read the full statement here.
Ms. Jourová clearly underestimated the impact of the Court’s decision
on “the broad toolbox for international transfers provided by the
GDPR”.

As indicated above, on the one hand, at present both SCCs and BCRs
would require supplementary measures which the EDPB itself is still
looking to determine. On the other hand, as I already explained
above, the derogations pursuant to Article 49 GDPR are not very
practicable. I fully agree that the priority of the Commission
should be “Guaranteeing the protection of personal data transferred
across the Atlantic”; but in order to achieve such an objective, the
EU international data transfer toolbox must be fit for its purpose.
Currently, instead, the lack of a political agreement solidly based
on a genuine objective, namely the protection of personal data, is
resulting in the systematic exposure of the majority of EU-based
organizations to an incredible number of sanctions.

On 17 July 2020, the European Data Protection Supervisor (EDPS)
issued a statement following the ruling in Case C-311/18 (EDPS
Statement following the Court of Justice ruling in Case C-311/18
Data Protection Commissioner v Facebook Ireland Ltd and Maximilian
Schrems (“Schrems II”)). In its statement the EDPS “welcomes that
the Court of Justice of the European Union, in its landmark Grand
Chamber judgment of 16 July 2020, reaffirmed the importance of
maintaining a high level of protection of personal data transferred
from the European Union to third countries.” And it stresses that
“The EDPS will continue to strive, as a member of the European Data
Protection Board (EDPB), to achieve the necessary coherent approach
among the European supervisory authorities in the implementation of
the EU framework for international transfers of personal data.”
Importantly, the EDPS also noted that “European supervisory
authorities will advise the Commission on any future adequacy
decisions, in line with the interpretation of the General Data
Protection Regulation (GDPR) provided by the Court.” And that it
“trusts that the United States will deploy all possible efforts and
means to move towards a comprehensive data protection and privacy
legal framework, which genuinely meets the requirements for adequate
safeguards reaffirmed by the Court.”

With respect to Standard Contractual Clauses (SCCs), the EDPS noted
that “the Court, while in principle confirming the validity of
Standard Contractual Clauses (SCC), provided welcomed clarifications
regarding the responsibilities of controllers and European DPAs to
take into account the risks linked to the access to personal data by
the public authorities of third countries.” Read the complete
statement here.

The real question is: what should organisations do now, in a
situation where a legal-political agreement between the EU and the
US could take months or even years, being mindful of the fact that
the ratio of the Court ruling applies to all third countries without
an adequacy decision, and where SCCs are to be revised and
“supplementary measures” for SCCs and BCRs are yet to be identified
by the EDPB? Well, the EDPB is clear in this respect: “If no
suitable ground for transfers to a third country can be found,
personal data should not be transferred outside the EEA territory
and all processing activities should take place in the EEA.” (FAQ
12, EDPB). Therefore, the practical result of the Court ruling, at
present, is to restrict data processing to the EEA, which seems to
clash with the free flow of data that is inherent to the digital
society and the digital economy. This is not an easy outcome to
accept and digest in the era of the connected economy and society,
which is strongly based on global data flows.

On 24 July the European Data Protection Board published its
much-awaited guidance on the question, in the form of Frequently Asked Questions on the judgment of
the Court of Justice of the European Union in Case C-311/18 –
Data Protection Commissioner v Facebook Ireland Ltd and Maximillian
Schrems, available here.

The FAQs, among other things, confirm the immediacy of the
invalidation (there is no grace period). See question 3, “Is there
any grace period during which I can keep on transferring data to the
U.S. without assessing my legal basis for the transfer?” – “No, the
Court has invalidated the Privacy Shield Decision without maintaining
its effects, because the U.S. law assessed by the Court does not
provide an essentially equivalent level of protection to the EU. This
assessment has to be taken into account for any transfer to the
U.S.”

Importantly, the EDPB notes that in order to make use of other
transfer mechanisms (SCCs and BCRs) it is first necessary to carry
out an assessment “taking into account the circumstances of the
transfers, and supplementary measures you could put in place” which,
considered together with the relevant mechanism, “following a
case-by-case analysis of the circumstances surrounding the transfer,
would have to ensure that U.S. law does not impinge on the adequate
level of protection they guarantee. If you come to the conclusion
that, taking into account the circumstances of the transfer and
possible supplementary measures, appropriate safeguards would not be
ensured, you are required to suspend or end the transfer of personal
data. However if you are intending to keep transferring data despite
this conclusion, you must notify your competent SA.” (see EDPB FAQ
questions 5 and 6).

Now, for the reasons I have set out extensively above, the vast
majority of organisations will find themselves in the position where
they must notify the competent Supervisory Authority – unless they
decide to try to conceal their unsafe transfers to the US (and to
other third countries without adequacy decisions). The following
legitimate questions arise. How are SAs going to deal with that
potentially huge influx of notifications when they have already made
it clear that they have limited resources and experience difficulty
in enforcing the GDPR? (In the EDPS opinion on the Commission’s GDPR
review, the EDPS noted that “the consistent and efficient
enforcement of the GDPR remains a priority. Resources available for
the national data protection authorities (DPAs) are sometimes
insufficient and there are some discrepancies caused by the
different legal frameworks and national procedural laws.”) What is
this going to mean in practical terms: does an organization just
notify and go ahead with the transfer, or does it need to wait for
some kind of approval or response from the SA? Isn’t the SA going to
issue a fine if an organisation cannot guarantee an adequate level of
protection even with these extra mechanisms in place? What is
certain is that the notification in and of itself will not provide
any further protection for data subjects.

Official Statements:

European Commission

  • 16 July 2020, “Opening remarks by Vice-President
    Jourová and Commissioner Reynders at the press point
    following the judgment in case C-311/18 Facebook Ireland and
    Schrems”. Available here.

European Data Protection Board

  • 17 July 2020, “Statement on the Court of Justice of the
    European Union Judgment in Case C-311/18 – Data Protection
    Commissioner v Facebook Ireland and Maximillian Schrems.”
    Available here.

  • 24 July 2020, “Frequently Asked Questions on the judgment
    of the Court of Justice of the European Union in Case C-311/18
    – Data Protection Commissioner v Facebook Ireland Ltd and
    Maximillian Schrems Adopted on 23 July 2020.” Available here.

European Data Protection Supervisor

  • Statement following the Court of Justice ruling in Case
    C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and
    Maximilian Schrems (“Schrems II”). Available here.

National Supervisory Authorities:

Danish Data Protection Authority

  • 20 July 2020, “Preliminary opinion of the European Data
    Protection Board on the consequences of the Schrems II
    judgment”. Available here.

French Data Protection Authority

  • 17 July 2020, “Invalidation of the “Privacy shield”: the CNIL and
    its counterparts are currently analysing its consequences”.
    Available here.

Germany:

Datenschutzaufsichtsbehörden des Bundes und der Länder

  • 28 July 2020, “Judgment of the European Court of Justice
    on the transfer of personal data to third countries (“Schrems
    II”) strengthens data protection for EU citizens”.
    Available here.

Hamburg Data Protection Authority

  • 16 July 2020, “CJEU suspends Privacy Shield and confirms
    standard contractual clauses”. Available here.

Berlin Data Protection Authority

  • 17 July 2020, “After “Schrems II”: Europe needs
    digital autonomy”. Available here.

German Federal Commissioner for Data Protection and Freedom of
Information (“BfDI”)

  • 17 July 2020, “BfDI on the Schrems II judgement of the
    CJEU”. Available here.

Rhineland-Palatinate Data Protection Authority

  • 16 July 2020, “Big bang: CJEU shreds the Privacy Shield,
    but data transfer to countries outside the EU still possible on a
    contractual basis.” Available here.

  • FAQ on Data transfers to third countries, available here.

Thuringia Data Protection Authority

  • 16 July 2020, Press release, Available here.

North Rhine-Westphalia Data Protection Authority

  • “ECJ declares decision on EU-US data protection shield
    invalid – standard data protection clauses permissible in
    principle but subject to review in individual cases (C-311/18
    “Schrems II”).” Available here.

Irish Data Protection Authority

  • 16 July 2020, “DPC statement on CJEU decision”.
    Available here.

Liechtenstein Data Protection Authority

  • 17 July 2020, “Invalidation of the EU-U.S. Privacy Shield
    by the European Court of Justice.” Available here.

Lithuania Data Protection Authority

  • 20 July 2020 “Judgment of the Court of Justice of the
    European Union on the EU-US ‘Privacy Shield’.”
    Available here.

Netherlands Data Protection Authority

  • 20 July 2020, “Privacy shield for transfer to US declared
    invalid.” Available here.

Polish Data Protection Authority

  • 20 July 2020, “CJEU judgment regarding Data Protection
    Commissioner against Facebook Ireland Ltd. and Maximilian
    Schrems.” Available here.

Romanian Data Protection Authority

  • “Invalidation of European Commission Decision (EU)
    2016/1250 on the EU-US Privacy Shield.” Available here.

Swiss Data Protection Authority

  • 16 July 2020, “CJEU ruling on European standard
    contractual clauses and the EU-US Privacy Shield.” Available
    here.

UK Data Protection Authority (ICO)

  • 16 July 2020, “ICO statement on the judgement of the
    European Court of Justice in the Schrems II case.” Available
    here.

  • 27 July 2020, “Updated ICO statement on the judgment of
    the European Court of Justice in the Schrems II case.”
    Available here.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

Billy Xiong
