A few quick comments on today´s CJEU ruling on Schrems II.
First of all, I stand corrected: This is a ground-breaking decision, and probably the most important data protection decision of this year.
First of all, I stand corrected: This is a ground-breaking decision, and probably the most important data protection decision of this year.
The court decision deals with two major topics:
1) The validity, interpretation and enforcement of Standard Contractual Clauses (SCC)
2) The validity of the EU/US Privacy Shield
1) The validity, interpretation and enforcement of Standard Contractual Clauses (SCC)
2) The validity of the EU/US Privacy Shield
1) The first topic is the validity and interpretation of the SCCs.
With respect to the validity, the CJEU holds that the SCCs are valid. SCCs *can* be invalid if they do not provide "effective mechanisms" against inadequate data transfers. However, this is not the case here.
With respect to the validity, the CJEU holds that the SCCs are valid. SCCs *can* be invalid if they do not provide "effective mechanisms" against inadequate data transfers. However, this is not the case here.
The Court bases this conclusion on clauses in the relevant SCC that oblige the (non-EU) data importer to inform the EU data exporter about domestic laws that lead to infringements of the SCC. The exporter then is obliged to suspend or terminate the data transfer.
In such an event, data that has already been transferred to the third country must even be erased or returned, and affected data subjects might have a claim to damages.
Interestingly, this line of argumentation is quite similar to a paper published 2015 by the German Schleswig-Holstein DPA (ULD) in the wake of the "Schrems I" decision. datenschutzzentrum.de/uploads/intern…
With respect to the interpretation and enforcement of the SCC, the CJEU clarifies that the EU DPAs are authorised to investigate whether the SCC are complied with. If case of non-compliance, they have the power and authority to take corrective measures.
The Court also explains that there may be cases where SCC alone are not sufficient to ensure that the level of protection in the country of the importer is 'adequate'.
In such a case, the data exporter can be required to add own (custom) clauses or other "supplementary measures" to increase the level of protection.
It seems as if the CJEU thinks that such measures would be required in case of EU/US transfers, but the decision is a bit vague.
It seems as if the CJEU thinks that such measures would be required in case of EU/US transfers, but the decision is a bit vague.
The duty to ensure that the SCC do not only in theory, but also in practice ensure adequate protection in the third country rests primarily on the data exporter (i.e. the party in the EU that transfers the data). Secondarily, it rests on the competent DPA.
Interestingly, with regard to corrective measures of the DPAs, the CJEU uses (thrice) the word 'required'. This indicates that the Court thinks that the DPAs might not have discretion on whether they act against inadequate SCC implementation or not.
In this respect, however, I think that this single word should not be overstretched. Articles 57 and 58 GDPR clearly leave the DPAs some leeway on whether and how to act against GDPR infringements. This is also acknowledged by the CJEU in para. 112.
In summary, though, it is likely that the DPAs will interpret the decision as meaning that most (if not all) EU/US transfers based on SCC will need to be complemented with additional safeguards to ensure adequate protection in the USA. Which safeguards exactly remains to be seen:
Except of an almost incomprehensible sentence in para. 154 of the judgment, the CJEU is mostly silent on the topic.
(I gladly accept any ideas on what the Court means here: What exactly is "relevant" or "binding" for what "purpose" or "obligation" here?)
(I gladly accept any ideas on what the Court means here: What exactly is "relevant" or "binding" for what "purpose" or "obligation" here?)
3) The third topic is the EU/US Privacy Shield.
Confirming its 'Schrems I' decision, the CJEU states that DPAs cannot declare Commission adequacy decisions invalid. They can take the matter to court and eventually to the CJEU. The CJEU then can invalidate the adequacy decision.
Confirming its 'Schrems I' decision, the CJEU states that DPAs cannot declare Commission adequacy decisions invalid. They can take the matter to court and eventually to the CJEU. The CJEU then can invalidate the adequacy decision.
The CJEU consequently then declares the Privacy Shield as invalid, because (i) it has too many loopholes for US surveillance programmes and (ii) there are not enough legal safeguards to prevent abuse - especially no judicial remedies. The Ombudsperson cannot compensate for this.
--
All in all, today´s judgment is a significant blow to EU/US data transfers. The CJEU has invalidated one of the important transfer mechanisms (the Privacy Shield), and dealt a significant blow to the other (the SCC).
All in all, today´s judgment is a significant blow to EU/US data transfers. The CJEU has invalidated one of the important transfer mechanisms (the Privacy Shield), and dealt a significant blow to the other (the SCC).
With regard to the SCC, I find the judgment a bit unclear on how exactly SCC still can be used from now on, especially for data transfers to the US or to other countries with strong surveillance programmes. I am looking forward to comments from other practitioners and the DPAs.
Statement by the Irish DPA: dataprotection.ie/en/news-media/…
Statement by the Hamburg DPA (German): datenschutz-hamburg.de/pressemitteilu…
Statement by the German Federal Data Protection Commissioner (BfDI) (English): bfdi.bund.de/EN/Home/Press_…
Statements by EU Commissioners Jourová and Reynders: EU Commission is "advanced" in project of creating new SCC, and companies should rely on "other mechanisms" for EU/US transfers in the meantime.
ec.europa.eu/commission/pre…
ec.europa.eu/commission/pre…
Now, FAQ by the DPA of Rhineland-Palatine (German). These FAQ explicitly state that SCC can still be used for EU/US transfers, but that companies now have to analyse, case-by-case, whether level of protection is adequate in practice. datenschutz.rlp.de/de/themenfelde…
@gvoisin
@omertene
@gvoisin
@omertene
US Department of Commerce: commerce.gov/news/press-rel…
Microsoft: blogs.microsoft.com/eupolicy/2020/…
Very brief statement by the ICO: ico.org.uk/about-the-ico/…
Statement of German DPA of Thuringia: Doubts that SCC will be usable for US transfers.
tlfdi.de/mam/tlfdi/pres…
tlfdi.de/mam/tlfdi/pres…
Now the EDPB:
"the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of."
edpb.europa.eu/news/news/2020…
"the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of."
edpb.europa.eu/news/news/2020…
And the CNIL:
Berlin DPA fighting hard to become the most hard-line DPA of the EU - advises all Berlin-based data controllers to pull "their" data out of the USA.
datenschutz-berlin.de/fileadmin/user… (German)
(Via @Lawchenmann)
datenschutz-berlin.de/fileadmin/user… (German)
(Via @Lawchenmann)
Rather vague statement of the EDPS. But: EDPS mentions it's investigation of Microsoft products.
edps.europa.eu/press-publicat…
(Again, thanks @Lawchenmann)
edps.europa.eu/press-publicat…
(Again, thanks @Lawchenmann)
