In a long-awaited decision (C-311/18), delivered on 16 July 2020 and already widely publicised, the Court of Justice of the European Union had to rule on the validity of the standard contractual clauses for the transfer of personal data to processors established in third countries (Decision 2010/87, as amended by Decision 2016/2297, more commonly referred to as the “Model Clauses”), and on that of the EU-US Data Protection Shield (Decision 2016/1250, more commonly referred to as the “Privacy Shield”).
While the Model Clauses were narrowly saved, the ruling sounds the death knell for the “Privacy Shield”.
As a preliminary point, it should be recalled that the transfer of data from an EU Member State to a third country requires either that the recipient country has been recognised by the Commission as offering a level of protection considered adequate (Article 45 GDPR; Switzerland is currently on the list of such countries), or that the controller has provided appropriate safeguards (Article 46 GDPR).
In addition to the Model Clauses, expressly accepted as an appropriate safeguard allowing transfer to the United States (Art. 46 para. 2 lit. c GDPR), the United States had hitherto been recognised as offering an adequate level of protection with regard to companies that had decided to voluntarily submit to the “Privacy Shield”.
In substance, Maximillian Schrems, an Austrian national, argued that the transfer of his personal data by Facebook Ireland to Facebook Inc. in the United States did not offer the necessary guarantees, as US surveillance legislation violated Articles 7 (right to respect for private and family life), 8 (protection of personal data) and 47 (right to an effective remedy and to have access to an impartial court) of the Charter of Fundamental Rights of the European Union.
Two particular acts are at issue. First, Art. 702 FISA (Foreign Intelligence Surveillance Act), under which the Attorney General and the Director of National Intelligence may jointly authorise the surveillance of non-U.S. nationals outside the United States for the purpose of obtaining “foreign intelligence information”. This provision forms the basis for the PRISM surveillance program (which directs Internet service providers to provide the NSA, and to some extent the FBI and the CIA, with all communications sent and received by a particular individual) and the UPSTREAM surveillance program (which directs telecommunications companies operating the Internet “backbone” to allow the NSA to copy and filter Internet traffic flows in order to collect communications sent or received by a particular non-U.S. national). Second, E.O. 12333, which allows the NSA to access data “in transit” to the United States by tapping submarine cables laid on the Atlantic floor, and to collect and store that data before it arrives in the United States and becomes subject to FISA.
As a preliminary point, the Court had to rule on whether data processing carried out for national security reasons falls outside the scope of the GDPR, more particularly in the light of Article 2(2)(a), which excludes the application of the GDPR where processing is carried out by authorities for reasons of national security. The Court answers in the negative, considering that it is not the possible processing by the US authorities that is at issue here, but rather the transfer between two economic operators (namely Facebook Ireland on the one hand, and Facebook Inc. on the other). The possibility that personal data transferred between two economic operators for commercial purposes may, during or as a result of such transfer, be processed for public security purposes does not remove that transfer from the scope of the GDPR.
With this preliminary issue settled, the Court turns to the question of whether the Model Clauses can be considered “appropriate safeguards” permitting transfer to the United States as provided for in Art. 46 GDPR. In essence, its reasoning is as follows:
In other words, incorporating a Model Clause is not sufficient to ensure that the transfer has adequate safeguards. The legislation of the recipient country must also provide effective means for individuals to complain about a possible violation of their rights under Art. 47 of the Charter. If this is not the case, then recourse to the Model Clauses without any kind of supplement must be considered insufficient. In such a case, the supervisory authority may then intervene directly on the basis of Art. 58 GDPR to suspend or prohibit the transfer.
Art. 4 lit. a of the Model Clause in fact requires the controller to ensure that the legislation of the recipient country allows the recipient to comply with the obligations contained in the Model Clause. However, Art. 5 lit. a of the Model Clause is a welcome help to the controller in this context, since the importer must inform him as soon as possible of his possible inability to comply with his obligations contained in the said Clause, while Art. 5 lit. b reinforces this obligation by providing that the importer must also confirm that he has no reason to believe that the applicable law prevents him from complying with these obligations.
If, on the other hand, the importer is unable to comply with its obligations, the Court considers that Art. 4 lit. a of the Model Clause then requires the controller to suspend or prohibit any transfer, it being specified that Art. 12 additionally requires that data already transferred be returned or destroyed. In the event of a change in the law, of which the importer should inform the controller, the controller may decide to continue the processing, but must then inform the supervisory authority, in accordance with Art. 4 lit. g of the Model Clause. Again, it will then be open to the supervisory authority to suspend or prohibit any processing, in accordance with Art. 58 GDPR.
In view of the system thus established by the combined operation of Art. 4 and 5 of the Model Clause, the Court considers that the clause provides effective means that meet the requirements of Art. 7, 8 and 47 of the Charter, and thereby confirms the validity in principle of the Model Clauses.
While the combination of Art. 4 and 5 of the Model Clause saves its validity, such a mechanism is not provided for in the Privacy Shield. In the Court’s view, the Privacy Shield does not offer appropriate guarantees of protection in two respects:
In the light of the foregoing, the Court declares Decision 2016/1250 invalid.
What should one think about the outcome of this case?
With regard to transfers to the United States, it is difficult to see how US legislation could provide effective remedies within the meaning of Art. 47 of the Charter when the controller uses a Model Clause, whereas that same provision is violated under the Privacy Shield. Unless the data are anonymised, the transfer of data to the United States is therefore likely to give stakeholders a hard time from now on, unless they are willing to accept the resulting risk. A careful analysis will therefore be necessary here.
This being said, this approach applies not only to the United States, but to all countries that do not offer an adequate level of protection, in fact the very large majority of States. Thus, the data controller will have to assess the risks by asking in particular about: (i) the scope of the processing, (ii) the manner in which the data are processed, (iii) the powers of the authorities likely to want to access the data, and (iv) the possibility of opposing such a request (if necessary in court).
Should this risk assessment lead to the conclusion that the legislation in question does not offer sufficient guarantees, the controller should then endeavour to complete the Model Clauses to remedy these shortcomings.
At this stage at least, it must be admitted that it is difficult to see how contractual means could remedy legislative shortcomings that permit State interference. More precise clauses and additional obligations on the importer are nevertheless likely to demonstrate the efforts made by the controller to identify and remedy problems, and thus to reduce the adverse consequences that any lack of assessment could have for him. The European Data Protection Board is expected to provide some guidance in this respect in the near future.
In the end, however, embarking on such a risk assessment seems to be the prerogative of the largest market players. Although understandable in some respects, the arguments put forward by the ECJ fail to take into account the economic reality and the enormous costs that a systematic risk assessment for every country that does not offer an adequate level of protection will impose on the vast majority of companies. Will “third country” providers agree to swallow the costs of this analysis, which data controllers will very often invite them to carry out in order to obtain the necessary guarantees, or will they integrate them commercially into their pricing model?
Assuming that such an assessment is systematically necessary, as the Court’s reasoning leads us to believe, does such a burden not contravene the very purpose of the Model Clause and the ease of implementation sought in order to dispense with the prior agreement of the supervisory authority? It goes without saying that the performance of any risk assessment and the resulting decision will have to be documented, which adds another layer of burden from a management and governance standpoint. In this case, would it not be better to seek prior approval by the supervisory authority, which is precisely what the Model Clauses were intended to avoid?
Admittedly, times have changed since the adoption of the Model Clauses, and interference on national security grounds has, for many States, become a vehicle for excessive surveillance. In its effects, the Court’s judgment is thus likely to encourage a re-nationalisation of markets, a vision that is certainly possible, but which is still far from the reality of an economy that is, and will certainly remain for a long time to come, largely globalised. Does this mean that this ruling will remain largely impracticable unless the Model Clauses are revised to bring them up to date? That remains to be seen.
In any event, in the light of the above, unless it is possible to completely anonymise the data processed, which is an increasingly difficult task, it seems reasonable to assume that the vast majority of stakeholders will prefer for the time being to adhere to the Model Clauses without further analysis and take the resulting risks rather than systematically embarking on such a risk assessment. In any case, this position is likely to prevail as long as the European Data Protection Board and the supervisory authorities have not worked together to issue guidelines on how this judgment will now be applied in practice.
We may expect that, here as elsewhere, the attitude of the supervisory authorities will shape the approach to be adopted: while the ICO already seems willing to show a certain pragmatism, the same cannot be said of Berlin, where the Commissioner has stated that data controllers must now comply with the ruling and seek, particularly with regard to the use of cloud providers, alternatives allowing data to be migrated back to Europe.
In a future article, we will examine how transfers to the United States can, potentially, take place.