Schrems II and its implications
Much has been written and commented about following last week’s judgement by the European Court of Justice in relation to the case taken by the Austrian lawyer, Max Schrems, against Facebook.
In (very) brief summary, Herr Schrems took issue with the extent and manner in which Facebook was transferring his personal data to the US, and in doing so, making it available to US government scrutiny.
Under the GDPR and preceding privacy legislation, EU citizens have a reasonable expectation that our personal data will be managed in an appropriate, secure and proportional manner. The legislation has provided various safeguards by which to ensure this protection, including contractual structures between EU Data Controllers and those with whom they share such data in other jurisdictions.
Specifically, where personal data is shared with or disclosed to companies based in the US, the EU and the US Federal Trade Commission came up with an arrangement in 2004 known as Safe Harbour. This was intended to ensure that any US firm processing or receiving EU data could register with a Federal body and commit to give the data the same protections as it would have if it remained within the EU.
Thanks to the same Herr Schrems, Safe Harbour was put under substantial scrutiny back in 2014 and found to be wanting, so was disbanded. It was replaced a year later by a new, more robust arrangement, known as Privacy Shield, which was intended to give those substantial protections we had all expected and wanted.
In a decision which is being referred to as Schrems II (for obvious reasons), Privacy Shield has now come under similar scrutiny as a consequence of the Austrian’s ongoing dissatisfaction with Facebook, and further dissatisfaction with the way in which his complaints are being managed by the Irish Supervisory Authority (our DP Commission). And as a result, Privacy Shield has now, too, been found wanting and has been disbanded (as of Thursday 16th).
The primary concern, in the view of the EU Court of Justice (CJEU), was the lack of power of the US Federal Authorities to control the surveillance activities of the various US Government security services who might be interested in such data, and who have the powers to demand that US entities disclose such data to them, or at least make it accessible. If such access cannot be controlled, or where excessive and disproportionate processing of such data cannot be prevented, then Privacy Shield is ineffective and toothless as a device to protect our (EU citizens’) privacy rights.
So what’s the point in having it? What’s the value in being able to claim that your US partner or service provider (call centre, marketing company, cloud storage provider, webinar host, social media partner, etc.) is Privacy Shield registered if, in response to a proverbial ‘knock on the door’ by the authorities, your service provider is obliged (under US security and surveillance legislation) to unlock its systems and make them accessible to investigation – often without even letting you know that this has happened? There is no value, according to the EU Court of Justice – Privacy Shield is only providing a false veneer of confidence, where no such confidence is justified.
So the CJEU decision effectively means that EU firms can no longer rely on Privacy Shield and must find another mechanism by which to guarantee the safety, security and protection of any personal data which leaves these shores. And the responsibility for doing so rests with the individual organisations that decide to transfer or ‘export’ such data, reinforcing the GDPR principle of accountability and liability (Article 5, Principle Seven).
Thankfully, Privacy Shield was not the only mechanism available to EU Data Controllers when sharing or disclosing personal data with US-based organisations. Article 49 of the GDPR provides a set of ‘derogations’ or specific circumstances under which personal data can be disclosed to or shared with countries outside the EU (individual consent, legal obligation, concern for the welfare of the data subject, etc.).
The EU also recognises a long-standing (2004) mechanism known as the Controller – Processor Standard Contractual Clauses (or Model Contract) which acts as a boiler-plate contract which organisations planning to export personal data from the EU can establish with the recipient or ‘Data Importer’.
This might seem contradictory – why would the Standard Clauses give any more confidence or security than Privacy Shield when engaging with a US-based company? Surely the same obligations to provide access to the data will apply, whether the service is provided under the protection of Privacy Shield or these contracts?
The bad news here is that, in the logic of the lovely people at the CJEU, the Standard Clauses offer more security because they heap all of the responsibility for the protection of the data on the Data Controller exporting the data, rather than on the respective Governments who were supposed to be managing Privacy Shield.
In the logic of the CJEU, the use of the Standard Clauses is only ‘acceptable’ because there is an expectation that EU Data Controllers will only deploy these contracts where they are certain of the credibility and reliability of their ‘Data Importer’. And further, that the EU Data Controller will immediately cease operating with any provider who fails to meet the stringent provisions of the Standard Clauses.
So once again, the pressure, the obligation and the scrutiny of the Supervisory Authorities will focus on the Data Controller.
So what are the implications for EU Data Controllers? There are a few which come immediately to mind:
Firstly, organisations currently relying on Privacy Shield as the lawful mechanism to protect their data exports can no longer do so, and must start looking for an alternative (unhelpfully, most Supervisory Authorities have so far declined to give any guidance on an acceptable replacement and seem to be waiting for the European Data Protection Supervisor (EDPS) to do so);
Further, even where they are considering replacing Privacy Shield with Standard Clauses, Data Controllers must first conduct due diligence on the intended ‘Data Importer’ to ensure that they are competent, capable and sufficiently compliant to offer what the CJEU calls a level of protection ‘essentially equivalent’ to the protections provided under the GDPR. This would imply some level of initial and ongoing audit of compliance and possibly even a more robust Data Privacy Impact Assessment (DPIA) before progressing to contract negotiations.
And lastly, (particularly relevant for Irish Data Controllers) the concerns raised by the CJEU in relation to the compliance of Data Importers, while they may have focused on US-based service providers, have effectively drawn further scrutiny on our partners in the UK. As we approach the midnight hour on December 31st, and assuming that no substantial trade agreement will be negotiated in the interim, the UK will effectively become a ‘third country’ for data export purposes, and Irish and other EU Controllers will need to consider the introduction of Standard Contractual Clauses with them.
In conclusion, while the CJEU decision during the week was helpful in indicating the level of protection and security which the EU Courts will expect, it falls short of providing clarity and guidance on what solutions will be considered acceptable. We find ourselves in ‘limbo’, knowing enough to realise what is not enough, but without enough information to know what ‘good’ might look like.
Vielen Dank, Herr Schrems! Can’t wait for “Schrems III”.
If you have any questions or would like to find out more about how we at Sytorus could support you and your organisation following this decision, you can book a free one-to-one virtual meeting with us by clicking on the button below, or you can call us on +353 (0) 1 513 6301.