The European Data Protection Board (EDPB) yesterday published its final recommendations setting out guidelines for making transfers of personal data to third countries in order to comply with EU data protection rules in light of the historic CJEU ruling last summer (aka Schrems II).
The long and short of these recommendations – which are quite long, spanning 48 pages – is that some data transfers to third countries will simply not be legally possible, despite the continued existence of legal mechanisms which can, in theory, be used to effect such transfers (such as standard contractual clauses, a transfer tool which was recently updated by the Commission).
However, it is up to the controller to assess the viability of each transfer, on a case-by-case basis, in order to determine whether the data can legally circulate in that particular case. (This may mean, for example, that a company makes complex assessments of oversight regimes of foreign governments and how they encroach on its specific operations.)
Companies that regularly take data from EU users outside the bloc for processing in third countries (like the US), which do not have data adequacy agreements with the EU, face significant costs and challenges in achieving compliance – at best.
Those who cannot apply viable “special measures” to ensure the security of transferred data are required to suspend data flows – with the risk, if they do not, of being ordered to do so by a data protection authority (which could also apply additional penalties).
An alternative option could be for such a company to store and process EU user data locally – within the EU. But it is clear that this will not be viable for all businesses.
Law firms are likely to be very happy with this outcome, as the demand for legal advice will increase as companies strive to structure their data flows and adapt to a post-Schrems II world.
In some EU jurisdictions (such as Germany), data protection agencies are now actively performing compliance checks – so orders to suspend transfers are expected to follow.
Meanwhile, the European Data Protection Supervisor is busy scrutinizing EU institutions’ use of US cloud service giants, to see whether high-level deals with tech giants like AWS and Microsoft pass muster.
Last summer, the CJEU struck down the EU-U.S. Privacy Shield – just a few years after the signature of the flagship adequacy agreement. The same basic legal problems had brought down its predecessor, “Safe Harbor”, which had stood for about 15 years. And since the disappearance of the Privacy Shield, the Commission has repeatedly warned that there will be no quick-fix replacement this time around; nothing less than a major reform of US surveillance law is likely to be needed.
US and EU lawmakers are still negotiating a new EU-US data flow deal, but a viable outcome that could withstand legal challenge, as the previous two deals couldn’t, may well require years of work, not months.
And that means EU-US data flows face legal uncertainty for the foreseeable future.
The UK, meanwhile, has just wrung a deal on data adequacy from the Commission – despite some strongly articulated post-Brexit plans for regulatory divergence in the field of data protection.
If the UK continues to tear apart the key principles of its legacy European legal framework, there is a good chance that it will also lose its adequacy status in the coming years, which means it could also run into crippling obstacles to EU data flows. (But for now, it seems to have dodged that bullet.)
Data flows to other third countries that also do not have an EU adequacy agreement – such as China and India – face the same ongoing legal uncertainty.
The backstory to the EU’s international data flow issues is a complaint – made more than seven years ago, following the revelations of NSA whistleblower Edward Snowden about the US government’s mass surveillance programs – by the eponymous Max Schrems over what he argued were dangerous EU-US data flows.
His complaint specifically targeted Facebook’s activities and called on the Irish Data Protection Commission (DPC) to use its enforcement powers to suspend Facebook’s EU-US data flows.
There followed a regulatory dance of indecision that eventually saw legal issues referred to Europe’s highest court and – ultimately – the demise of the EU-US Privacy Shield. The CJEU ruling also established beyond any legal doubt that member state DPAs must step in and act when they suspect that data is flowing to a location where the information is at risk.
Following the Schrems II decision, the DPC (finally) sent Facebook a preliminary order to suspend its EU-US data flows last fall. Facebook immediately challenged the order in the Irish courts, seeking to block the move. But this challenge failed. And Facebook’s EU-US data flows now run largely on borrowed time.
As a platform subject to Section 702 of US FISA, its options to apply “special measures” to supplement its EU-US data transfers appear limited, to say the least.
It cannot, for example, encrypt data in such a way that it cannot be accessed (zero access encryption), because that is not how Facebook’s advertising empire works. And Schrems previously suggested that Facebook will need to federate its service – and store EU user information inside the EU – to resolve its data transfer problem.
Safe to say, the costs and complexity of compliance for some companies like Facebook seem enormous.
But there will be compliance costs and complexity for thousands of businesses as a result of the CJEU ruling. And in a recent open letter to lawmakers ahead of an EU-US summit earlier this month, startup associations on both sides of the Atlantic urged policymakers to find ways to come together to align regulatory standards – writing that recent developments in the digital world, such as the invalidation of the Privacy Shield, “threaten to put our ecosystems at a disadvantage in globally competitive markets”.
Discussing the concerns with TechCrunch, Benedikt Blomeyer, Director of European Policy for Allied for Startups, added: “Startups are global from day one and as such an American startup has a lot to offer European consumers. Why, despite increasingly interconnected markets and the entry into force of more and more data protection laws, are more and more trade barriers appearing in the digital economy?”
Asked whether the startups backing the call for the EU and the US to work to reduce regulatory differences were pushing for something as specific as reform of US surveillance law at this point in their campaign, Blomeyer declined to comment for now.
Commenting on the adoption by the EDPB of the final recommendations, chair Andrea Jelinek said: “The impact of Schrems II cannot be underestimated: international data flows are already subject to much closer scrutiny from supervisory authorities who are carrying out investigations at their respective levels. The purpose of the EDPB Recommendations is to guide exporters in the lawful transfer of personal data to third countries while ensuring that the data transferred enjoy a level of protection essentially equivalent to that guaranteed within the European Economic Area.
“By clarifying certain doubts expressed by stakeholders, and in particular the importance of examining the practices of public authorities in third countries, we want to make it easier for data exporters to know how to assess their transfers to third countries and to identify and implement additional measures where they are needed. The EDPB will continue to examine the effects of the Schrems II decision and comments received from stakeholders in its future guidance.”
The EDPB published previous guidance on compliance with Schrems II last year.
It said the main changes between this earlier opinion and its final recommendations include: “The emphasis on the importance of examining the practices of public authorities in third countries in the legal assessment of exporters to determine whether the legislation and/or the practices of the third country infringe on – in practice – the effectiveness of the art. 46 GDPR transfer tool; the possibility that the exporter takes into account in its assessment the practical experience of the importer, among other elements and with certain reservations; and the clarification that the legislation of the third country of destination allowing its authorities to access the transferred data, even without the intervention of the importer, may also infringe on the effectiveness of the transfer tool”.
Commenting on the EDPB’s recommendations in a statement, law firm Linklaters called the guidance “strict” – warning of the imminent impact on business.
“There is little evidence of a pragmatic approach to these transfers and the EDPB seems entirely satisfied if the conclusion is that the data should stay in the EU,” said Peter Church, legal adviser to the global law firm. “For example, before transferring personal data to a third country (without adequate data protection laws), companies should consider not only its law, but also how its law enforcement and national security agencies work in practice. Since these activities are generally secretive and opaque, this type of analysis is likely to cost tens of thousands of dollars and take time. It seems that this analysis is necessary even for relatively harmless transfers.”
“It is not clear how SMEs can expect to comply with these requirements,” he added. “Since we are now operating in a globalized society, the EDPB, like King Canute, should take into account the practical limits of its power. The guidelines won’t reverse the waves of data washing around the world, but many companies will really struggle to comply with these new requirements.”
This report has been updated with additional comments.