Post Schrems II Guidance for Data Transfers by German DPA

BlockSuits

*This publication has utilised Google Translate for the purpose of analysis.

The case of Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (‘Schrems II’), which invalidated the European Union (‘EU’)-United States (‘US’) Privacy Shield agreement, has left many Data Protection Authorities (‘DPAs’) and various organisations reconsidering their legal procedures for cross-border transfer of data into the EU. Recently, on August 24, 2020, the Data Protection Authority of the German federal state of Baden-Württemberg (‘German DPA’) released guidance on how to proceed with data transfers after the Court of Justice of the European Union (‘CJEU’) decision in Schrems II (‘Guidance’). The Guidance provides background on how US security services had access to personal data under Section 702 of the Foreign Intelligence Surveillance Act (‘FISA’); hence, an adequate level of protection cannot be guaranteed for non-US citizens. Moreover, the ombudsman provided for in the Privacy Shield does not have sufficient independence from the executive branch. The CJEU upheld the validity of the Standard Contractual Clauses (‘SCCs’); however, organisations utilising SCCs must ensure that the level of protection for personal data corresponds to that of the European Union. This affects all data transfers to the US, as organisations will have to revisit their legal procedures to ensure an adequate level of protection corresponding to EU standards and ‘adequacy’ under the General Data Protection Regulation (‘GDPR’). A question arises as to whether US data transfers can now pass the test of ‘adequacy’ under EU standards.


The Guidance by the German DPA


The Guidance provides a checklist and emphasises that organisations still relying on the Privacy Shield for data transfers are risking liabilities and fines. Interestingly, the US Department of Commerce (‘DoC’) issued a statement immediately after the CJEU judgment stating that it will “continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List”. This is a cause of concern for the German DPA and may also not be in full compliance with the conditions provided under ‘transfer of personal data to third countries, Chapter V’ of the GDPR. The key points of the Guidance are summarised below:


When using SCCs to the US


The German DPA has stated outright that data transfers through the Privacy Shield may be declared illegal, resulting in fines and damages. However, data transfers through SCCs are conceivable under ‘additional guarantees’. Those responsible for the transfer shall ensure the protection of the data subject’s rights through:

a. encryption in which only the data exporter holds the key and which the security services cannot break; and

b. anonymisation or pseudonymisation, in which only the data exporter can make the assignment.


However, the data encryption requirement under the Guidance should be a cause for concern for US organisations. This is because, as we reported previously, the Lawful Access to Encrypted Data Act (‘LAEDA’) is currently under discussion in the US Congress. If passed, organisations may not create ‘warrant-proof’ technologies, as the LAEDA requires controllers and other telecommunications providers to provide a decryption tool to US security services when served with a warrant. This would extend the surveillance reach of US agencies.


Data Transfers to other non-EU states


The CJEU’s decision affects all third countries with regard to maintaining adequacy under Article 45 of the GDPR. In this regard, the German DPA emphasises that data importers must establish the legal context in which security agencies may access the personal data of EU data subjects, and what rights are guaranteed to EU data subjects in the importing jurisdictions. The Guidance also provides that a data transfer under Article 49 of the GDPR is conceivable; however, the derogations provided under it shall be interpreted restrictively.


The German DPA provides that organisations should rely on transfer mechanisms, or select a contractual service provider, that reduce the risks associated with such transfers. In this regard, the Guidance also states that the German DPA may restrict or prohibit data transfers if it is not convinced that the controller has taken the necessary steps to mitigate any risks.


Compliance checklist as provided by the German DPA


The Guidance states that controllers and importers should check the legal situation in the importing jurisdiction, in particular the access options available to security agencies. Importers shall also include the additional guarantees provided in the checklist below:

  • creation of an inventory of cases where data is being exported to third countries, which may include remote access to data;

  • informing the data exporters’ service providers and making them aware of the implications of the CJEU judgment;

  • obtaining sufficient information about the laws applicable in third countries, including surveillance mechanisms and DPAs;

  • assessment of whether there is an adequacy decision for the third countries to which data is being transferred, as per the checklist provided by the European Commission;

  • if SCCs are being relied upon for data transfers, assessment of whether additional safeguards are required; and

  • SCCs should not be used if the authorities of the importing jurisdiction can interfere with the rights of the data subject and there is no legal protection guaranteed as per EU standards.


Additional Measures


The Guidance also provides that the exporting organisation shall contact the recipient of the data, in order to show a willingness to comply with the law, and agree to amendments to the clauses of the SCCs. Interestingly, the Guidance does not state that the measures proposed by the German DPA will demonstrate an appropriate level of protection; rather, they should be followed to demonstrate willingness to comply.

With regard to the amendments proposed by the German DPA, some clarity is required as to how such amendments would be executed, since amending the clauses of the SCCs would require the approval of the DPAs. However, it could be conceived that such amendments could form a data processing agreement pursuant to Article 28(3) of the GDPR, amounting to additional obligations undertaken by the parties. The amendments are as follows:


· Amendment of annex to clause 4 f

If a data transfer is carried out to third countries that do not have an adequate level of protection as per the GDPR, the data subject shall be so informed. Such information shall be provided before, or as soon as possible after, the transfer, and for the transmission of any data, not just special categories of data.

· Amendment of annex to clause 5d i

The data importer has an obligation to inform not only the data exporter but also the data subject if any authority has issued a legally binding request for the transfer of personal data to that authority. If, in a given case, providing such information to the data subject is prohibited, for example where a data request relates to a criminal prosecution and the secrecy of the investigation must be maintained, then the organisation must contact the German DPA for clarity on how to proceed.

· Amendment to annex 5 d

The data importer shall have an obligation to take legal action against the disclosure of personal data to authorities, and shall refrain from disclosing personal data to authorities until a competent court of last instance has issued a final judgment in the matter.

· Amendment to clause 7(1)

Only option (b) shall be included: referring the dispute to the courts of the Member State in which the data exporter is established, if a dispute arises where the data subject exercises third-party beneficiary rights against the data importer.


Authored by Shivani Agarwal, Founder, and Samaksh Khanna, Co-Founder.
