UK Data Protection – Part Two – The Complexity of Data Protection

Today we continue our Guest Blog with Data Protection Expert, Owen Sayers. 

Max Schrems continued…

When Max Schrems raised his complaints with the Irish DPC, he was mainly focussed on Safe Harbor and then Privacy Shield as the mechanisms used by Facebook. He was of course aware of and broadly described the actions of other companies in his presentations to the courts; but it was Facebook who were the main defenders.

He did not lead much evidence on other matters, but the Irish High Court decided to include 11 additional questions in the case when they referred it to the CJEU, and one area they asked about was the use of Model Clauses in contracts that had been defined by the EC in 2001 – often called the “Standard Contractual Clauses” for data export to third countries, or just ‘SCCs’ for short.

It surprised quite a few folks that the Irish High Court opened these up for review by the CJEU, and surprised folks even more when the CJEU ruled that – in general – they felt the SCCs probably could still be used. But any relief US companies might have felt at this apparent lifeline was immediately dashed when the CJEU caveated this ruling by saying that the domestic regime of any country where the SCCs were going to be used had to be aligned to EU legal expectations. You may have already guessed from what we discussed before that the US was singled out as NOT being a 3rd country regime that the CJEU felt was in fact sufficiently well aligned.

This was the real bombshell of Schrems II. Whilst not many folks expected Privacy Shield to be upheld by the CJEU, nearly all the major companies and US based Cloud providers were expecting to be able to continue to rely upon SCCs – a quick find and replace of ‘Privacy Shield’ with ‘SCCs’ was the extent of most anticipated work to restore business as usual.

The Complexity of Data Protection Law

It’s therefore in July 2020 that our analysis of the complexity we face today around DP law really begins. With Privacy Shield struck down, and significant doubt about what the CJEU ruling meant for SCCs, we entered a period of 6 months or so where US companies receiving and processing the personal data of EU citizens (data importers) – like Facebook, Salesforce.com, Microsoft, Google and AWS – tried very hard to just continue on a business as usual basis, with even the US Dept of Commerce playing down the CJEU ruling to keep data flowing; or began to push those sending the data (data exporters) towards various technical solutions – most commonly some form of encryption, which they believed would be sufficient to continue operating their global and 3rd Country based businesses.

This might have continued for an indefinite period, had the European Data Protection Board (EDPB), which is a group formed of all the EU DP Authorities across the Member States, not taken on board the instructions of the CJEU and published its guidance on what additional steps US companies would have to apply to satisfy the CJEU ruling.

These ‘supplementary measures’ were published on 10th November and finally put to rest the last chances of the US data importing companies to do nothing but carry on.

EDPB 6 Step Process

The EDPB measures begin with a clear 6-Step process to be followed by any EU based Data Controller who is using data that they might end up passing to a non-EU based recipient (i.e., a processor in a 3rd Country), meaning that there should be no need for complex interpretations of the measures, or the process needed to properly assess them by a Controller.

Steps 1-3 require the Controller to identify the data that may be transferred, the legal basis of the transfer (which they call ‘the tools’), and whether the legal regime in the destination country is in fact suitable to rely upon those tools.

If it is not – and we’ll cover how we decide that in a second – then Steps 4 & 5 allow the Controller to select a range of technical or contractual ‘supplementary measures’ that in combination MAY be sufficient to allow the Controller to make the transfer regardless.

This is really important to understand – Supplementary Measures do not make everything A-OK; they just give additional assurance that may be enough to justify the transfer of data that you want to make in some cases.

Step 6 is just a ‘keep doing Steps 1-5 every so often’ reminder…

The Supplementary Measures can be divided into Technical Measures and Contractual Obligations – the latter being clauses required in any contract that create legally enforceable conditions which the EDPB believe are necessary and may be sufficient to meet the CJEU ruling.

These are not the only measures that could be taken, and all of them need to be assessed against the specific complexities of the target 3rd Country, the basis on which you are transferring the data and what the data itself actually is.

If by now you’re thinking this doesn’t sound like a simple process, then you’re right – you cannot just rely on assurances from a service provider or data importer that they have taken measures to meet the EDPB guidance (though it’s pretty certain that Cloud providers and others will very quickly take steps to present this option to you); you’ll need to do the groundwork on these measures yourself.

Tomorrow we conclude our guest blog with Owen Sayers, where we look at the EDPB Supplementary Measures and sending data outside of the UK & EU.