SCHREMS II has been an impediment to global data flows

Introduction

There is a difference between deciding whether a country’s laws are adequate and assessing whether anything in that country impedes the enforcement of a contract.  When it makes an adequacy decision under Article 45 of the General Data Protection Regulation (GDPR) of the European Union (EU), the European Commission decides whether the third country’s laws are essentially equivalent to the GDPR.  Data exporters using Standard Contractual Clauses (SCCs) to transfer personal data to a third country are instead required by Article 46 of the GDPR to assess whether there are legal impediments, in the country where the data importer is located, to that data importer fulfilling the requirements of the transfer contract, the SCCs (the Article 46 Assessment).  Schrems II has led to confusion about the difference between these two assessments, and that confusion has impacted the free flow of personal data from the European Economic Area (EEA).  [Fieldfishers]

When the European Court of Justice (ECJ) issued its judgment in Schrems II in July 2020, the conventional wisdom was that, where SCCs were the appropriate safeguard, the data exporter and its counsel had to make an adequacy decision of their own before a transfer could be made from the EEA to a third country.  [Flor]  This is an incorrect reading of Schrems II.  The Article 46 Assessment conducted by the data exporter (with the help of the data importer) is very different from the Article 45 Assessment conducted by the European Commission.

Schrems II

In Schrems II, the European Court of Justice (ECJ) was asked to specify which factors need to be taken into consideration for the purpose of determining whether the level of protection required by Articles 46(1) and 46(2)(c) of the GDPR of the EU is ensured in the context of transfer of personal data to a third country based on SCCs.  Before answering this question, the ECJ reviewed the applicable provisions of the GDPR:

  • In the absence of an adequacy decision under Article 45(3) of the GDPR, a controller or processor may transfer personal data to a third country only if: (i) the controller or processor has provided appropriate safeguards (e.g., SCCs), and (ii) enforceable data subject rights and effective legal remedies for data subjects are available.
  • Although Article 46 of the GDPR does not specify the nature of the requirements which flow from the reference to “appropriate safeguards,” “enforceable rights,” and “effective legal remedies,” Article 46 appears in Chapter V of the GDPR and must therefore be read in light of Article 44 of the GDPR.   Article 44 is entitled “General principle for transfers” and provides that “all provisions [in that chapter] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [the GDPR] is not undermined.”
  • In the absence of an adequacy decision, the appropriate safeguards to be taken by the controller or processor in accordance with Article 46(1) of the GDPR must compensate for the lack of data protection in a third country in order to ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the EU.

After restating the question (what factors should be taken into consideration for the purpose of determining the adequacy of the level of protection where personal data is transferred to a third country pursuant to SCCs adopted under Article 46(2) of the GDPR), the ECJ answered as follows: 

  • Although Article 46(2) of the GDPR does not list the various factors which must be taken into consideration for the purposes of assessing the adequacy of the level of protection to be observed in such a transfer, Article 46(1) of the GDPR states that data subjects must be afforded appropriate safeguards, enforceable rights, and effective legal remedies.   
  • The assessment required for that purpose in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the EU and the recipient of the transfer established in the third country and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country.  As regards the latter [access by the third country’s public authorities to the personal data transferred], the factors to be taken into consideration in the context of Article 46 of the GDPR correspond to those set out, in a non-exhaustive manner, in Article 45(2) of the GDPR:
    • The rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules, and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
    • The existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
    • The international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
  • Therefore, the assessment of the level of protection afforded in the context of a transfer of personal data to a third country pursuant to SCCs must take into consideration both the contractual clauses between the controller or processor established in the EU and the recipient of the transfer established in the third country to ascertain whether data subject rights are enforceable and legal remedies are effective and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of the GDPR.

In so holding, the ECJ also recognized, as it had in Schrems I, that a third country is not required to ensure a level of protection identical to that guaranteed in the EU legal order.  Rather, the ECJ explained that the term “adequate level of protection” must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the EU.  This explanation may be why Schrems II has been interpreted as requiring an adequacy-type assessment for personal data transferred from the EEA to a third country pursuant to SCCs.  A review of the Article 29 Working Party’s Adequacy Referential (Referential) shows that this interpretation is incorrect.

The Referential

The Referential sets forth the core data protection principles that have to be present in a third country legal framework or an international organization in order to obtain an adequacy decision.  These principles are: (a) the basic content and procedural/enforcement data protection principles and mechanisms a third country’s system must contain, and (b) essential guarantees in third countries for law enforcement and national security access to limit interferences to fundamental rights.

The content principles are:

  • Basic data protection concepts and/or principles should exist.  They do not have to mirror the GDPR terminology but should reflect and be consistent with the concepts in European data protection law.
  • Lawful, fair, and legitimate principle. Data must be processed in a lawful, fair, and legitimate manner.  The European framework sets out several legitimate grounds under which personal data may be lawfully, fairly, and legitimately processed (e.g., consent of the data subject, performance of a contract or legitimate interest of the data controller or of a third party which does not override the interests of the individual). 
  • Purpose limitation principle.  Data should be processed for a specific purpose and subsequently used only insofar as this is not incompatible with the purpose of the processing.
  • Data quality and proportionality principle.  The data should be adequate, relevant, and not excessive in relation to the purposes for which they are processed.
  • Data retention principle.  As a general rule, data should be kept for no longer than is necessary for the purposes for which the personal data is processed.
  • Security and confidentiality principle. Any entity processing personal data should ensure that data are processed in a manner that ensures security of the data using appropriate technical or organisational measures. 
  • Transparency principle.  Each individual should be informed of all the main elements of the processing of his/her personal data in a clear, easily accessible, concise, transparent and intelligible form.
  • Right of access, rectification, erasure, and objection.  The data subject should have the right to:
    • Obtain confirmation about whether or not data processing concerning him/her is taking place as well as access to his/her data
    • Obtain rectification of his/her data as appropriate for specified reasons and erasure of his/her personal data
    • Object on compelling legitimate grounds relating to his/her particular situation, at any time, to the processing of his/her data under specific conditions established in the third country legal framework
  • Restrictions on onward transfers.  Further transfers of personal data by the initial recipient of the original data transferred should be permitted only where the further recipient (i.e., the recipient of the onward transfer) also is subject to rules affording an adequate level of protection and following the relevant instructions when processing data on behalf of the data controller.

The procedural and enforcement mechanisms set forth the elements that must exist in order for a third country’s system to be consistent with that in the EU:

  • One or more competent independent supervisory authorities, tasked with monitoring, ensuring, and enforcing compliance with data protection and privacy provisions, should exist.
  • The data protection system must ensure a good level of compliance, i.e., it should ensure a high degree of accountability and of awareness among data controllers and those processing personal data on their behalf of their obligations, tasks, and responsibilities, and among data subjects of their rights and the means of exercising them.
  • The data protection framework must require accountability, i.e., it should oblige data controllers and/or those processing personal data on their behalf to comply with it and to demonstrate such compliance.
  • The data protection system must provide support and help to individual data subjects in the exercise of their rights and appropriate redress mechanisms.

The essential guarantees, which must be respected for access to data, whether for national security purposes or for law enforcement purposes, by all third countries in order to be considered adequate, are:

  • Processing should be based on clear, precise, and accessible rules (legal basis)
  • Necessity and proportionality with regards to legitimate objectives pursued need to be demonstrated
  • The processing has to be subject to independent oversight
  • Effective remedies need to be available to the individuals

The Referential requires an in-depth assessment of both the substantive and procedural law of the third country.  After the conduct of the Article 45 Assessment, the European Commission will be able to determine whether the third country in fact ensures, by reason of its domestic law or its international commitments, a level of protection that is essentially equivalent to that guaranteed within the EU.   The scope of the Article 45 Assessment is broader than the Article 46 Assessment called for by Schrems II – whether the data subject rights set forth in the SCCs are enforceable in the third country and whether the legal remedies set forth in the SCCs are effective in the third country.

Standard Contractual Clauses

The SCCs issued by the European Commission in June 2021 provide that they “set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of” the GDPR and, “with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of” the GDPR.  The organization of the SCCs supports this description of their effect.  The SCCs consist of four sections.  Section I is untitled but consists of introductory provisions (e.g., purpose and scope, interpretation, description of the transfer(s)).  Section IV consists of final provisions (e.g., governing law, choice of forum and jurisdiction).  Section II is Obligations of the Parties, and Section III is Local Laws and Obligations in Case of Access by Public Authorities.

Section II – Obligations of the Parties

Section I contains a Third-party Beneficiary Clause pursuant to which data subjects may invoke and enforce the SCCs, as third-party beneficiaries, against the data exporter and/or the data importer, and this third-party beneficiary right is without prejudice to the rights of data subjects under the GDPR.  Under Section II:

  • On request, the data exporter must make a copy of the SCCs, including the Appendix as completed by the data exporter and the data importer, available to the data subject free of charge
  • If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it must inform the data exporter without undue delay
  • After the end of the provision of the processing services, the data importer must, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter or return to the data exporter all personal data processed on its behalf and delete existing copies
  • The data importer must promptly notify the data exporter of any request it has received from a data subject
  • The data importer must assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under the GDPR
  • The data importer must inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints
  • In case of a dispute between a data subject and either the data importer or the data exporter regarding compliance with the SCCs, best efforts must be used to resolve the issue amicably in a timely fashion
  • Where the data subject invokes a third-party beneficiary right, the data importer must accept the decision of the data subject to lodge a complaint with the appropriate supervisory authority or refer the dispute to the competent courts
  • The data importer is liable to the data subject, and the data subject is entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under the SCCs
  • The data exporter is liable to the data subject, and the data subject is entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under the SCCs
  • Where more than one party to the SCCs is responsible for any damage caused to the data subject as a result of a breach of the SCCs, all responsible parties are jointly and severally liable and the data subject is entitled to bring an action in court against any of these parties

Section III – Local Laws and Obligations in Case of Access by Public Authorities

With respect to local laws and practices affecting compliance with the SCCs:

  • The parties to the SCCs warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under the SCCs
  • The data importer warrants that, in carrying out the assessment, it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with the SCCs
  • The data importer agrees to notify the data exporter if, after having agreed to the SCCs and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with its warranty; following such a notification or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under the SCCs, the data exporter must promptly identify appropriate measures to be adopted by the data exporter and/or data importer to address the situation

Obligations of the data importer in case of access by public authorities:

  • The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary, with the help of the data exporter) if it:
    • receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to the SCCs
    • becomes aware of any direct access by public authorities to personal data transferred pursuant to the SCCs in accordance with the laws of the country of destination
  • If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible
  • Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received

With respect to legality and data minimization:

  • The data importer agrees to review the legality of the request for disclosure and to challenge it if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law, and principles of international comity
  • The data importer must, under the same conditions, pursue possibilities of appeal, including seeking interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on the merits
  • The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based upon a reasonable interpretation of the request

The provisions of the SCCs support the conclusion that the scope of the Article 46 Assessment called for by Schrems II is the enforceability in the third country of the data subject rights set forth in the SCCs and the effectiveness in the third country of the legal remedies set forth in the SCCs.

The EDPB Final Recommendations

The Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (EDPB Final Recommendations) issued by the European Data Protection Board (EDPB) in June 2021 provide in Step Three that the data exporter in collaboration with the data importer should assess if there is anything in the law and/or practices in force in the third country that may impinge on the effectiveness of the appropriate safeguards of the GDPR Article 46 transfer tool relied on in the context of the specific transfer. 

  • This assessment must be based on legislation publicly available and must address access to data by public authorities of the importer’s third country.  Examining the practices in force in the third country is especially important in the assessment of the following situations:
    • Practices of public authorities (e.g., accessing personal data held by the private sector or when enforcing -or not- legislation as supervisory or judicial bodies) may clearly indicate that they do not normally apply/comply with the legislation that governs, in principle, their activities.
    • Relevant legislation in the third country (e.g., on access to personal data held by the private sector) may be lacking.
    • Relevant legislation in the third country might be problematic and transferred data and/or the importer fall or might fall within the scope of the problematic legislation. 
  • The scope of the assessment is limited to the legislation and practices relevant to the protection of the specific data transfer, in contrast with the general and wide encompassing adequacy assessment the European Commission carries out in accordance with Article 45 of the GDPR.  Specific attention should be paid to relevant laws, in particular laws laying down requirements to disclose personal data to public authorities or granting to public authorities powers of access to personal data (e.g., criminal law enforcement, regulatory supervision, or national security purposes).   If these requirements or powers restrict the fundamental rights of data subjects while respecting their essence and being necessary and proportionate in a democratic society to safeguard important objectives as also recognized in EU or EU Member States’ law, they may not impinge on the commitments contained in the GDPR Article 46 transfer tool being relied on. 
  • Documented practical experience of the importer with relevant prior instances of requests for access received from public authorities in the third country may be taken into consideration.  The experience of the importer may be used only if the legal framework of the third country does not prohibit the importer from providing information on requests for disclosure from public authorities or on the absence of such requests.  The absence of prior requests received by the importer can never be considered, by itself, a decisive factor on the effectiveness of the GDPR Article 46 transfer tool that allows the transfer to proceed without supplementary measures.  This information may be considered, together with other types of information obtained from other sources, as part of the overall assessment of the laws and practices of the third country in relation to the transfer.

Thus, according to the EDPB, a third question must be asked.  The questions the Article 46 Assessment should answer are limited to: (1) whether the data subject rights set forth in the SCCs are enforceable in the third country; (2) whether the legal remedies set forth in the SCCs are effective in the third country if the personal data transferred is subject to access by public authorities there; and (3) whether anything in the law or practices of the third country impinges on the effectiveness of the appropriate safeguard, the SCCs.

Conclusion

The Article 46 Assessment called for by Schrems II, the EDPB Final Recommendations and the SCCs is not an adequacy assessment.  Rather, the Article 46 Assessment assesses: (1) the provisions of the appropriate safeguards, the SCCs, and (2) the enforceability in the third country of data subject rights set forth in the SCCs and the effectiveness in the third country of legal remedies set forth in the SCCs.  When SCCs are the appropriate safeguard, effectiveness of legal remedies is assessed by looking at the relevant aspects of the legal system of the third country to determine whether public authorities of the third country can access the personal data transferred.  What comprises the relevant aspects of the third country’s legal system is set out in a non-exhaustive manner in Article 45(2) of the GDPR.  Finally, whether there is anything in the law or practices of the third country that may impinge on the effectiveness of the appropriate safeguard, the SCCs, is assessed.

The Article 46 Assessment conducted by the data exporter (with the help of the data importer) is very different from the Article 45 Assessment conducted by the European Commission to determine whether a third country’s laws are essentially equivalent to those in the EU.  The Article 45 Assessment compares the laws in the third country to those in the EU to determine whether the third country in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the EU.  The Article 46 Assessment assesses whether there is anything in the laws or practices of the third country which will interfere with the data subject rights set forth in the SCCs being enforced and with the legal remedies set forth in the SCCs being effective and which will impinge on the appropriateness of the SCCs. 

The difference between the Article 46 and Article 45 Assessments is important for policymakers, regulators, and privacy professionals to understand.  The two assessments are conducted by different actors: the European Commission conducts the Article 45 Assessment, and the data exporter (with the help of the data importer) conducts the Article 46 Assessment.  As discussed above, the scope of the Article 45 Assessment (equivalency of third country law) and of the Article 46 Assessment (enforceability of contracts under third country law) is also different.  If the distinctions between these two assessments are not understood, data exporters may think that they must conduct the more complex Article 45 Assessment, which is more expensive and time consuming and which may lead them either not to transfer the data or to transfer the data without doing any assessment at all.  [Fieldfishers]  If the wrong assessment is conducted, unnecessary expense is incurred (especially by small and medium sized companies), which ultimately leads to a reduction in data flows.  [ITIF]  All this confusion adversely impacts global data flows.  [ITIF]

Although this paper sets forth the factors that should be taken into consideration when conducting an Article 46 Assessment for the purposes of transferring personal data to a third country when SCCs are the appropriate safeguard, the same factors should apply to the other appropriate safeguards in Article 46 of the GDPR (legally binding and enforceable instrument between public authorities or bodies, binding corporate rules, standard data protection clauses adopted by a supervisory authority and approved by the European Commission, approved code of conduct, and approved certification method).  All of the other appropriate safeguards in Article 46 are contractual in nature, and therefore, the same analysis should apply.
