The four months since the EU’s Court of Justice shut down the Privacy Shield have seen a series of judicial and regulatory attempts to clarify matters as data exporters try to balance operational reality and legal compliance.
This week, the European Data Protection Board (EDPB) issued recommendations on additional compliance measures for transfers while the European Commission published a draft of its long-awaited "modernisation" of the Standard Contractual Clauses (SCCs), which remain the most commonly-used method for enabling data transfers.
With both documents currently in public consultation, the new practical landscape for data exporters is perhaps starting to become a little clearer, although it should be stressed that we are in an exceptionally fast-moving regulatory context.
What is causing this uncertainty?
The difficult compliance challenges now facing actors of all sectors, both inside and outside Europe, follow a decision in July by the Court of Justice of the European Union (CJEU), in a case known as Schrems II.
In that case, the Court invalidated an "adequacy decision" by the European Commission, under which personal data transfers to US entities subscribing to a charter called the Privacy Shield were considered compliant with European law, in particular the General Data Protection Regulation (GDPR).
In addition to invalidating the Privacy Shield, the court also addressed the question of the use of SCCs, under which the data exporter in the EU and the data importer in a third country sign an agreement based on templates adopted by the European Commission. This agreement contains guarantees on the part of the data importer that it will process the shared personal data in accordance with minimum standards. Its signature is thus considered to provide "adequate safeguards" of the rights of the individuals concerned, in compliance with GDPR.
However, in Schrems II, the CJEU held that since SCCs are only binding on the parties that sign them and not on the public authorities of the countries to which the personal data is transferred, the safeguards they contain may not be sufficient to protect the rights of individuals. Therefore, the parties to the transfer have the responsibility to check, on a case-by-case basis, whether the law in the country in question enables adequate data protection under EU law when taken together with the SCCs. The CJEU further stated that it may therefore be necessary for the "data controller" (i.e. the organisation responsible for the processing) to adopt "supplementary measures" to ensure compliance with the level of data protection required under EU law.
Thus, since Schrems II, the very many European organisations which transfer personal data to third countries (for example, to members of their groups or to external providers of cloud storage, SaaS solutions, etc.) have been forced to ask whether these transfers can be carried out legally on the basis of the SCCs (or of other previously GDPR-compliant safeguards which do not specifically bind foreign authorities, notably "binding corporate rules", or BCRs).
What position are regulators taking in France?
On 8 October, the French data protection authority, the Commission Nationale de l’Informatique et des Libertés ("CNIL"), submitted observations to the French Conseil d’état (France’s supreme administrative court) covering, in particular, the question of "supplementary measures" for transfers to a cloud provider.
In short, the case involved an accelerated legal procedure (similar to a request for an injunction) brought by various non-profit organisations, regarding the use of Microsoft’s Azure cloud service to host France's "Health Data Hub", a very extensive national database of patients’ health data.
In its submissions, the CNIL stated that supplementary measures to the SCCs "appear particularly difficult to apply" in the case of transfers to the USA. The CNIL added that where the US data importers were subject to certain provisions of American law (section 702 of FISA and Executive Order 12333), including data importers, such as Microsoft, which are categorised as electronic communication service providers, "additional guaranties to protect against such surveillance appear particularly delicate to put in place". The CNIL added that, even where this was not the case, data was generally subject to surveillance programmes while in transit to the recipient, but that additional measures such as encryption would likely enable, under certain conditions, an appropriate level of data protection.
The CNIL’s submissions in some respects went further than the CJEU in Schrems II, in considering that FISA Section 702 (and possibly EO 12333) could enable the US authorities to compel American service providers such as Microsoft to transfer personal data to them even where the data in question is exclusively stored and processed in the EU.
As a result, the CNIL took the view that the continued authorisation of service providers which are subject to US law to store health data "appears problematic" in the light of Schrems II. It suggested that the safest solution would be to use "companies which are not subject to US law" to host health data. Thus, the CNIL considered, it may be appropriate to modify the legal structures of groups or grant licences to European companies, in order to achieve this aim.
Note that the submissions contain a specific proviso that they only apply to health data. Indeed, the CNIL specifically reserved judgment on the possible consequences for other sectors and less sensitive data. In addition, the judgment of the Conseil d’état, delivered on 13 October 2020, pointed out that the CJEU in Schrems II only addressed the question of the conditions under which transfers of personal data to the USA could be carried out, and not the conditions under which such data could be processed within the EU by members of US-headquartered groups. In its ruling, the Conseil d’état ordered the body operating the Health Data Hub to sign, within 15 days, an amendment to its contract with Microsoft Ireland Operations Limited, stating in particular that the law applicable to a previous contractual document regarding data protection was the EU Member State law applicable to that company, and that the said amendment applied to all Microsoft services which could be used to process personal data from the health system.
Despite these provisos, we would nevertheless underline the fact that the CNIL in its observations was willing to apply an expansive interpretation of Schrems II (albeit in relation to a highly sensitive data set). It therefore appears important for the actors involved in transferring data outside the EU to show that they have applied the principles of the Schrems II decision by carrying out the necessary verifications of the level of data protection in the third countries involved and, if necessary, putting in place additional safeguards.
So what should data controllers and processors do?
The EDPB draft recommendations provide a clear methodology for applying the Schrems II principles. Also of interest is a strategy document issued by the European Data Protection Supervisor, setting out a calendar for the EU’s own institutions to comply with the judgment (including the requirement to map all transfers before 15 November 2020).
Although the present version of the EDPB recommendations is subject to public consultation, businesses and other organisations which transfer personal data should take immediate steps to comply with Schrems II, particularly as the CJEU specified that there would be no transition period prior to the judgment taking effect. Thus, applying the current version of the recommendations, organisations should:
1. Identify transfers outside the EU ("know your transfers")
The EDPB specifies that a detailed mapping of all transfers carried out by the organisation should be put in place, taking into account "onward transfers" by the recipient, the principle of data minimisation, remote access to the data for maintenance purposes, etc.
2. Identify the legal mechanism allowing the transfer
For each transfer, check the possible legal basis under the GDPR: adequacy decision, appropriate safeguards (SCCs, BCRs, etc.) or derogations, if any.
3. Assess the effectiveness of your appropriate safeguards
If the transfer is based on appropriate safeguards, including SCCs, you must ensure that these are "effective in practice". Therefore, each transfer based on such a mechanism should be analysed on a case-by-case basis, in view of the risk it poses to the rights and freedoms of the data subjects.
4. Adopt supplementary measures
If the step 3 assessment reveals that the mechanism adopted (e.g. SCCs) is not effective, you should consider whether there are supplementary measures which can ensure, in combination with the safeguards provided by the transfer mechanism, that a sufficient level of protection exists. These measures may be of a technical, contractual or organisational nature. The recommendations provide concrete examples of such measures, in particular technical measures.
The EDPB underlines that, absent such measures, the transfer cannot go ahead legally.
5. Procedural steps
Once the appropriate safeguards and, where applicable, supplementary measures have been identified, the parties to the transfer need to put in place any necessary formalities (e.g. signing SCCs with the recipient, obtaining authorisation from the data protection authorities in the event of use of "ad hoc" contractual clauses, etc.).
6. Ongoing reevaluation
The recommendations add that the level of data protection in the third countries in question should be monitored on an ongoing basis and reevaluated at "appropriate intervals".
Note on intra-group transfers
One of the scenarios discussed in the EDPB’s recommendations concerns the sharing of personal data within a group of companies, for example to enable a group company outside the EU to provide "personnel services" to an affiliate within the EU.
The EDPB states that, where such processing is carried out on data "in the clear" (i.e. data which is not encrypted or pseudonymised) and the public authorities in the recipient country have disproportionate and unnecessary power to access such data, it is "incapable of envisaging an effective technical measure" which would prevent infringement of the rights of the individuals concerned.
Groups of companies which regularly share customer or employee data across borders should therefore review their practices to limit such processing and, where appropriate and possible, identify a combination of organisational, technical and contractual measures which are capable of preventing infringements of data subject rights.
What about Brexit?
With the end of the Brexit transition period (31 December 2020) fast approaching, data transfers to the United Kingdom will soon be subject to the regime summarised above, unless the European Commission makes an adequacy decision in favour of the UK before that date. Thus, businesses which regularly transfer personal data to recipients in the UK should immediately take steps to anticipate the possible illegality of such transfers from the start of 2021.