On July 16, 2020, the long-awaited landmark decision of the Court of Justice of the European Union (“Court”) on the validity of the controller to processor standard contractual clauses (European Commission Decision 2010/87/EU dated February 5, 2010) and the EU-U.S. Privacy Shield (European Commission Decision 2016/1250 dated 12 July 2016) was published on the website of the Court. Accordingly, the EU-U.S. Privacy Shield is invalidated and cannot be used as an instrument of data transfer between the European Union (“EU”) and the United States (“U.S.”). On the other hand, standard contractual clauses (“SCC”) are validated and can be used to provide an adequate level of protection for international data transfers, yet the application of SCCs will be under strict assessment by supervisory authorities.

International Data Transfer under the GDPR

The main concept of international data transfers is, in essence, ensuring a level of protection that is not necessarily identical but essentially equivalent to that guaranteed within the EU by virtue of the GDPR (“Regulation (EU) 2016/679”). According to Article 45(1) of the GDPR, in cases where the European Commission (“Commission”) has decided that such protection is provided by a third country or an international organization, data transfer may take place based on that adequacy decision of the Commission. While determining whether a third country ensures an adequate level of protection, the Commission has to take into consideration several capabilities of that third country, such as having “effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred”.

If there is no adequacy decision, parties have to “compensate for the lack of data protection in a third country” via appropriate safeguards stipulated in Article 46 of the GDPR. Moreover, merely providing appropriate safeguards is not enough to transfer personal data. Additionally, according to Article 46 of the GDPR, enforceable data subject rights and effective legal remedies must be available for data subjects regarding such data transfer.

Background on the Privacy Shield

It was found that the U.S. ensured an adequate level of protection for personal data transferred from the Union to organizations in the U.S. under the EU-U.S. Privacy Shield with the Commission Decision 2016/1250 dated 12 July 2016. Following the adequacy decision, the EU-U.S. Privacy Shield became one of the most frequently used data transfer instruments when transferring personal data from the EU to the U.S. in support of transatlantic commerce by enabling U.S. based organizations to self-certify and publicly commit to comply with the Chapter V of the GDPR for transferring personal data.

The Privacy Shield Is No Longer an EU-US Data Transfer Instrument

In the Judgment, it is implied that data exporters and importers principally have to fulfill the requirements of Chapter V of the GDPR for international data transfers in the first place. However, the GDPR is applicable to onward data transfers or further processing activities made at the time of that transfer or thereafter in the third country where the data importer is resident. Moreover, the fact that these onward transfers or further processing activities are required under such third country’s legal system and made for the purposes of public security, defense, and security does not remove the application of the GDPR.

Pursuant to the Judgment, the U.S. authorities’ intelligence activities concerning the personal data transferred to the U.S. are based on Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and on Executive Order 12333 (“E.O. 12333”). 

In the Judgment, it is specified that Section 702 of the FISA enables surveillance of individuals who are not United States citizens located outside the U.S. in order to obtain foreign intelligence information and provides grounds for several programmes which require internet service providers to provide personal data of such targeted individuals. Moreover, telecommunications undertakings are required to allow the National Security Agency (“NSA”) to copy and filter Internet traffic flows in order to acquire communications from, to or about a non-US national associated with a ‘selector’. Additionally, E.O. 12333 allows the NSA to access data ‘in transit’ to the U.S., by accessing underwater cables on the floor of the Atlantic, and to collect and retain such data before it arrives in the U.S. and becomes subject there to the FISA.

Since surveillance programmes based on Section 702 of the FISA and E.O. 12333 are not subject to any specific limitation in regard to either the principle of proportionality or necessity in terms of foreign intelligence, the Court concludes that such surveillance programmes are not capable of fulfilling the requirements of an adequacy decision.

Moreover, even though the Privacy Shield introduced an ombudsperson mechanism which was designed to ensure that individual complaints are properly investigated and addressed, such a mechanism cannot satisfy the conditions set out in Article 45(2) of the GDPR, since an ombudsperson cannot be regarded as a tribunal within the meaning of Article 47 of the EU Charter of Fundamental Rights. Accordingly, the Court invalidates the EU-U.S. Privacy Shield without a grace period.

Standard Contractual Clauses Are Valid

In regard to SCCs, the Court primarily discusses which factors need to be taken into consideration for the purpose of determining whether the adequacy of the level of protection is ensured in the context of a transfer based on SCCs. By referring to that level, it indicates that a level of protection that is essentially equivalent to, and does not undermine, the guarantees of the GDPR must be provided irrespective of the data transfer instrument in question. Therefore, data exporters and importers have to ‘compensate for the lack of data protection in a third country’ by virtue of appropriate safeguards in accordance with Article 46(1) of the GDPR, and their appropriate guarantees, such as entering into SCCs, must be capable of ensuring a level of protection which is essentially equivalent to the GDPR, as in the context of a transfer based on an adequacy decision.

To this end, the Court states that although there is no list of the various factors which must be taken into consideration for the purposes of assessing the adequacy of the level of protection, Article 46(1) of the GDPR specifies that data subjects must be provided with appropriate safeguards, enforceable rights and effective legal remedies. Therefore, the Court states that the assessment of such requirements includes assessing both the contractual clauses agreed between the data exporter and importer, and the legal system of the third country where the data importer is established as regards any access by the public authorities.

To this end, the Court concludes that the non-exhaustive list stipulated in Article 45(2) of the GDPR for assessment of adequacy by the Commission corresponds to the list of criteria to be taken into consideration by data exporters while determining whether the level of protection ensured by virtue of SCCs is adequate for that specific data transfer. Since SCCs have a contractual nature and cannot bind any third parties including public authorities, the Court encourages data exporters to add other clauses or additional safeguards to SCCs to promote the effectiveness of these clauses.

Furthermore, it is explicitly stated that in cases where additional measures are not sufficient to guarantee the required data protection or are not reachable by the parties, such data transfers have to be suspended or ended. Therefore, if the data importer is under a legal obligation to provide personal data without adequate data subject rights and remedies, and entering into SCCs does not incorporate effective mechanisms to ensure compliance with the level of protection required by the GDPR, such transfers cannot be made on the mere fact that the parties have entered into SCCs. Accordingly, such transfers have to be suspended or prohibited.

In this sense, the Court recalls the corrective power of each competent supervisory authority to suspend or prohibit a transfer of personal data to a third country if it deems that the SCCs agreed between the parties are not or cannot be complied with in that third country to ensure such level of protection.

What to do next?

Although the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with Chapter V of the GDPR for transferring personal data from the EU to the U.S., U.S. based organizations’ public commitments are still binding and enforceable under U.S. law. Therefore, U.S. based organizations are still under the obligation to fulfill their commitments in line with the EU-U.S. Privacy Shield Framework (See https://www.privacyshield.gov/article?id=EU-U-S-Privacy-Shield-Program-Update). U.S. based organizations must continue to comply with their commitments and, if they do not want to stay committed, withdraw from the EU-U.S. Privacy Shield.

Moreover, since there is no transition period stipulated in the Judgment, affected data importers have to provide quick solutions. Data importers in the U.S. which were depending on the EU-U.S. Privacy Shield have to consider other available instruments for their data transfers.

Parties may consider alternative instruments such as providing Binding Corporate Rules (“BCR”), depending on applicable derogations, or entering into SCCs. Yet, choosing to use BCRs requires a long and costly process and is available only to eligible companies. On the other hand, as stated by the European Data Protection Board (“EDPB”), derogations are exceptional and not compatible with continuous data transfers. (See our latest article on Data Transfer and COVID-19: Applicable Derogations; http://herdem.av.tr/data-transfer-and-covid-19-applicable-derogations).

However, regardless of the data transfer instrument preferred by the parties, U.S. based organizations which are subject to the requirements of the FISA and E.O. 12333, such as internet service providers or telecommunications carriers, are deemed not to provide a level of protection that is essentially equivalent to the GDPR. If applicable, in regard to the surveillance programmes of the U.S. which include mass surveillance of data in transit, parties have to prevent such surveillance by way of additional measures such as encryption of personal data in transit.

With the adaptation of the relevant data transfer instrument, parties should consider updating their privacy policies and notices regarding the change in data transfer instrument.

Case By Case Assessment

Given the feasible and quick nature of SCCs, parties may choose to enter into relevant SCCs for their data transfers. Yet, it has to be taken into consideration that the full achievement of SCCs’ requirements will be assessed in a more diligent way by supervisory authorities as a result of the Judgment. Accordingly, such authorities will be more likely to suspend or prohibit a data transfer based on SCCs in cases where they assume that the provisions of SCCs are not likely to be fulfilled by the parties.

As underlined by the EDPB, while entering into SCCs, the data exporter and importer are under the responsibility to assess whether the third country to which data is to be transferred offers adequate protection or not (See for the full statement; https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_en). Accordingly, data importers who are not in the EEA should identify in detail the regulations and obligations to which they are subject and advise the data exporter on such matters. Data importers, not only the ones in the U.S. but also the ones in any other country which is not subject to an adequacy decision, should assess their legal obligations within the scope of data protection and report their obligations to data exporters. In light of the required assessments, if necessary, parties have to provide appropriate measures in addition to the ones stipulated in SCCs to ensure a level of protection that is essentially equivalent to the GDPR.

In the same vein, it needs to be underlined that although the Judgment handled SCCs within the scope of the controller to processor version of Decision 2010/87/EU, parties to controller to controller versions of SCCs should also assess the suitability of their safeguards for their transfers on a case by case basis. If such safeguards are not capable of compensating for the lack of remedies, parties need to provide additional ones in this respect.

Furthermore, the need for supplementary measures due to the third country’s legal system has to be fulfilled not only in cases where the relevant data transfer instrument is SCCs but also where it is BCR. Since providing BCR would not compensate for the lack of effective and enforceable data subject rights and effective administrative and judicial redress, the requirement to provide additional safeguards in that respect is also applicable to BCR users (See for full statement; https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf).

What to expect?

In the upcoming days, the EDPB and supervisory authorities are expected to provide guidance on how to provide appropriate additional measures in a case by case manner and how the suspension or prohibition processes of data transfers will proceed.

The German supervisory authority, the Federal Commissioner for Data Protection and Freedom of Information, has also stated that each single data processing operation has to be checked against the high requirements of the Judgment, and that companies, authorities as well as supervisory authorities now have the complex task of applying the Judgment in practice (See for the full statement; https://www.bfdi.bund.de/EN/Home/Press_Release/2020/17_Schrems-II-ECJ.html).

In light of Brexit, the United Kingdom (UK) may approach the Judgment in a different manner. The Information Commissioner’s Office of the UK has published its alert on the Judgment stating that until it publishes its updated guidelines on the EU-U.S. Privacy Shield, ongoing data transfers may continue, yet it is not recommended to start using the EU-U.S. Privacy Shield in this period (See for the EU-U.S. Privacy Shield page of the Information Commissioner’s Office; https://ico.org.uk/make-a-complaint/eu-us-privacy-shield/).

As has been stated by the Irish supervisory authority, the Data Protection Commission, even though SCCs are still valid as an international data transfer instrument, the application of SCCs for data transfers to the U.S. is now questionable (See for the full statement; https://www.dataprotection.ie/en/news-media/press-releases/dpc-statement-cjeu-decision). Following the Judgment, the Data Protection Commission will investigate the effectiveness of the SCCs signed between Facebook Ireland and Facebook Inc. and decide if the required criteria set out in the Judgment are met.

Aslı Naz Ünlü