Abstract
The article considers the latest ruling of the Court of Justice on privacy and data transfers between the EU and the USA under the G.D.P.R., pronounced on 12 July 2020.
The decision has been made in the proceedings between the Data Protection Commissioner Ireland, on the one hand, and Facebook Ireland Ltd and Maximillian Schrems, on the other, regarding a complaint brought by Mr Schrems concerning the transfer of his personal data by Facebook Ireland to Facebook Inc. in the United States.
In particular, the decision invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-USA Data Protection Shield.
However, it considers that Commission Decision 2010/87 on standard contractual clauses for transferring personal data to processors established in third countries is valid.
The decision will require a review of most agreements between those two continents.
1. Introduction
With the aim of protecting the privacy of individuals around the globe in cross-border operations that imply a data transfer, the G.D.P.R. restricts the transfer of personal data to countries outside the E.E.A., or to international organisations.
These restrictions apply to all transfers, no matter the size of the transfer or how often they are carried out.
For this reason, the E.U. legislature has established three mechanisms whereby personal data may be transferred from the European Union to a State outside the EU:
1. based on an ‘adequate protection’
2. authorised by ‘appropriate safeguards’
3. ‘standard protection clauses’ accepted by the Commission
EU Commission “adequacy decision”
An ‘adequacy decision’ is pronounced by the Commission when the legal framework in place in a country, territory, sector or international organisation provides ‘adequate’ protection for individuals’ rights and freedoms for their personal data.
Often, crucial to the decision is the reassurance that the citizen can find adequate protection of his rights by filing a complaint before a specific tribunal or panel to address any concern about how his data are managed.
In the presence of an adequacy decision, a company may go ahead with the restricted transfer, in accordance, of course, with the rest of the G.D.P.R.
Decisions made prior to G.D.P.R. remain in force unless there is a further Commission resolution which decides otherwise.
The Commission reviews these decisions at least once every four years, and this will be the case after the ruling in ‘Facebook Ireland Ltd Vs Maximillian Schrems’.
EU authorisation by appropriate ‘safeguards’
In the absence of an ‘adequacy decision’, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided ‘appropriate safeguards’, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
Standard protection clauses accepted by the Commission
In any case, the Commission suggests the adoption of contract clauses that regulate the matter. Those clauses are for the most part recognised at the international level, in particular:
However, before making a restricted transfer, a company should consider whether the transfer can be achieved without sending personal data.
In the absence of an adequacy decision, or of appropriate safeguards, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
Finally, if a company makes the data anonymous so that it is never possible to identify individuals, even when combined with other information which is available to the receiver, it is not personal data.
This means that the restrictions do not apply, and you are free to transfer the anonymised data outside the E.E.A.
That said, in the case we are analysing, the European Court of Justice has revised its previous adequacy decision on the U.S.A., based on the new information acquired.
2. The case between Maximillian Schrems and Facebook
The European Court was summoned after considering the request submitted in the proceedings brought by the Data Protection Commissioner (D.P.C.) Ireland against Facebook Ireland Ltd and Mr Maximillian Schrems in respect of a complaint lodged by Mr Schrems before the D.P.C. concerning the transfer of personal data relating to him by Facebook Ireland to Facebook, Inc., its parent company, established in the United States of America.
In the case between Maximillian Schrems and Facebook, the European Court of Justice has declared invalid the previous ‘adequacy decision’ (1) made by the Commission on the data transfer between Europe and the USA.
The Court reached that conclusion considering that the level of protection guaranteed by the United States is not sufficient to automatically consider the USA a state with an adequate protection of personal data.
The Court holds that, contrary to the view taken by the Commission in Decision 2016/1250, the Ombudsperson mechanism referred to in that decision does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services.
On all those grounds, the Court declares Decision 2016/1250 invalid.
The opportunity for intelligence authorities to interfere, without any authorisation, with the exercise of the fundamental rights of the individuals to whom the transferred data relate does not guarantee an ‘adequate level of protection’.
This means that any transaction implying a transfer of personal data between the E.U. and the U.S.A. based on the adequacy decision previously made is now invalid and can be considered in breach of the G.D.P.R. rules and regulations, because the United States' protection of personal data is not sufficient to automatically consider the USA a state with an adequate protection of those data.
However, the Court has also stated that in the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject.
Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority.
In any case, companies shall follow the same principle applicable when the Commission has taken no decision on the adequate level of data protection in a third country:
“the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that they will continue to benefit from fundamental rights and safeguards.”
Fundamental for the validity of those agreements is that the supervisory authorities should have the power to prohibit or suspend a data transfer or a set of transfers based on the standard contractual clauses in those exceptional cases where a transfer of data is likely to have a substantial adverse effect on the warranties and obligations providing adequate protection for the data subject.
The new scenario could be approached by following what is stated in Decision 2010/87, in particular art. 7:
“A contract concluded between a data exporter and a data importer pursuant to Decision 2002/16/EC before 15 May 2010 shall remain in force and effect for as long as the transfers and data-processing operations that are the subject matter of the contract remain unchanged and personal data covered by this Decision continue to be transferred between the parties.
Where contracting parties decide to make changes in this regard or subcontract the processing operations that are the subject matter of the contract they shall be required to enter into a new contract which shall comply with the standard contractual clauses set out in the Annex.”
3. In conclusion
‘Supervisory authorities of the Member States play a key role in this contractual mechanism in ensuring that personal data are adequately protected after the transfer.
In exceptional cases where data exporters refuse or are unable to instruct the data importer properly, with an imminent risk of grave harm to the data subjects, the standard contractual clauses should allow the supervisory authorities to audit data importers and sub-processors and, where appropriate, take decisions which are binding on data importers and sub-processors.
4. Standard Contractual Clauses
The annex to the SCC Decision provides fundamental guidance for drafting a contract and, under the heading ‘Standard Contractual Clauses (Processors)’, comprises 12 standard clauses.
5. How companies react to the decision
A survey conducted by Fieldfisher has found that more than half of enterprises have no intention of ceasing or reducing their reliance on US-based or non-EU-area data processors despite the Schrems II ruling.
The survey was created on SurveyMonkey and made publicly available online. It comprised 9 multiple choice questions in total. Participants were invited to respond to the survey through LinkedIn and through the firm blog.
In short, of the 138 responses received from enterprises, about 75% indicated that half or more of their data processors were based in the US or on EEA territories.
Only 12% replied that they would reduce their reliance on US-based or non-EEA processors (30% were undecided), and only 5% said they intended to halt their data exports completely (just under 20% were undecided).
However, three-quarters said they would not cease their data exports to the US or non-EEA jurisdictions, while 57% said they had no intention of reducing their reliance on the processors, indicating that many firms could be open to non-compliance with the Schrems II decision.
Updated in September 2020
by Daniele Lupi