Privacy and Schrems II
Updated: Nov 20, 2020
On July 16, 2020, the Court of Justice of the European Union (CJEU) handed down its decision on Case C-311/18 Data Protection Commission vs. Facebook Ireland, Max Schrems (known as Schrems II). This ruling invalidated the EU-U.S. Privacy Shield framework due to the over-reach of the US's security laws and set conditions on the use of either Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) that organisations can normally use when exporting EU citizens’ data to a third country. US laws, particularly FISA 702 and EO 12.333, permit the US government to order the surrender under warrant of personal data from any US-owned ‘electronic communication service provider’, whether that data is held in the US or not.
The court found that EU organisations relying on SCCs and BCRs must take a proactive approach in evaluating, prior to any transfer, whether there is an adequate level of protection for personal data in the data importer’s jurisdiction. The court also said that organisations can implement additional safeguards to ensure an “adequate level of protection” for personal data transfers, although it did not specify what form those additional safeguards might take. In addition, non-EU organisations importing data from the EU based on SCCs or BCRs must inform data exporters in the EU if they are unable to comply with the SCCs. When non-EU data importers are unable to comply with the SCCs and there are no additional safeguards in place to provide an adequate level of protection, the EU data exporter must suspend the transfer of data or terminate the contract.
In a nutshell: there is no LEGAL way to transfer a European citizen's data to a US-owned service provider, even if the data is hosted in the EU, without explicit consent. According to Article 7 and recital 32 of the GDPR this specific consent must be freely given, specific, informed, unambiguous and voluntary. Any pressure or influence renders the consent invalid. Explicit consent is a huge area which would take up this blog by itself.
The implications of this judgement are far-reaching and negatively impact not just the USA and the EU, but also the UK. The impact on EU-based organisations, and particularly users in the criminal justice system, is that they are unable to legally use what in many cases are the most efficient or even the only cloud-based service providers available.
Richard Dutton, co-founder of specialist data advisory business ELIAS Partnership, said “There are a number of circumstances under Article 49 GDPR which are unaffected by the Schrems II ruling, including where the informed consent of the data subject has been obtained. These are likely to be very case specific and can't be relied on for transferring data at scale. Nonetheless, organisations have been dealing with necessary exports of personal data to genuinely problematic countries using consent (e.g. where there is no independent judiciary to allow enforcement of contractual obligations, for example) for some time now.”
On LinkedIn, Owen S., a senior partner at Secon Solutions LLP who advises on “UK Data Protection Act 2018 obligations (& implications) to Law Enforcement Competent Authorities”, has stated that Criminal Justice organisations cannot lawfully use ANY service operated by a US-based cloud provider or on their platform for the discussion or sharing of any personal data that is not processed for a specific law enforcement purpose. Owen S. uses the specific example of Microsoft Teams, a widely-used application.
Organisations such as AWS, Google and Microsoft have issued statements saying that customers could continue to rely on SCCs, but this is not the case. The only companies that can continue to use SCCs are ones that can provide assurances that private data is protected from third party surveillance either at rest (protected from FISA 702) or in transit (protected from FISA 702 and/or EO 12.333).
The European Data Protection Board has considered the implications of this judgement and issued a statement (https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_en). It came to the conclusion that "While the SCCs remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR.
If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of."
On August 24th the German Data Protection Authority issued its guidance on international data transfers (https://www.linkedin.com/pulse/german-data-protection-authority-publishes-guidelines-dr-carlo-piltz/). It states:
"The further procedure of the LfDI Baden-Württemberg will focus on the question whether there are reasonable alternative offers without transfer problems in addition to the service provider/contract partner you have chosen. If you cannot convince us that the service provider/contract partner with transfer problems you are using is irreplaceable in the short and medium term by a reasonable service provider/contract partner without transfer problems, the LfDI Baden-Württemberg will prohibit the data transfer". And also: "The LfDI will base its further actions on the principle of proportionality."
In the short term we can expect the Data Protection Authorities to act with proportionality on use of existing service providers. However, there will be a push both to strengthen existing legal provisions and to move EU citizens' data to 'reasonable alternative' solution providers.
However, this will not be left solely to the Data Protection Authorities to resolve. Further litigation is already underway. The Privacy Collective, a not-for-profit consumer privacy group, has brought a class action claim for at least €10bn in damages against Oracle and Salesforce, funded by the litigation financier Innsworth, claiming that these companies are using Dutch customer data without their explicit consent. A similar case, also fully funded by Innsworth, is set to be filed in England and Wales (https://www.dutchnews.nl/news/2020/08/consumer-privacy-group-files-privacy-breach-court-case-against-oracle-and-salesforce/).
Schrems has also filed 101 cases in 30 EU states against companies that use Facebook and Google Analytics (https://noyb.eu/en/101-complaints-eu-us-transfers-filed). This helps point the litigation funders at the cases with the highest value that are the easiest to win. If Facebook and Google continue to insist that they are compliant with GDPR for advertising, you should ask if they will agree to cover your legal costs and fines.
The Schrems II judgement has serious implications for the UK from January 1st, when the UK becomes a 3rd country. All countries that are not EU or EFTA states are called 3rd countries. At that point the UK will require an Adequacy Judgement from the European Commission in order for UK businesses to continue to process EU citizens’ data (https://www.instituteforgovernment.org.uk/explainers/data-adequacy).
"The ECJ, which can strike down any adequacy decision approved by the Commission, has already ruled twice that the UK’s handling of personal data is not in line with EU law. One of these judgments was in response to a legal challenge originally brought by David Davis, before he was appointed Secretary of State for Exiting the EU."
This means, on the same basis on which the Privacy Shield was struck down in Schrems II, that it is almost certain that the UK will not get the necessary Adequacy Judgement, which will have a big impact on the UK's data processing and application services industry.
There are three ways to solve the problems this judgement identifies: a political solution, a commercial solution and a technological solution.
A political solution, while possible, looks unlikely, particularly under the current US administration. Either the EU would have to give way on personal data protection or the USA would have to reduce the reach of FISA warrants.
The commercial solution is for US service providers to set up legally-separated entities in the EU, not subject to US jurisdiction, from which to run EU services. A few already exist in both the storage-as-a-service and infrastructure-as-a-service areas, although these need to be augmented (https://www.pinsentmasons.com/out-law/news/boosting-presence-of-eu-based-cloud-providers-would-improve-business-take-up-of-cloud-services-says-eesc).
A technological solution may be possible. While encryption of data at rest and in motion is insufficient, a 3rd-party service based in the EU that authenticated users to the service providers and held all PII could be possible. This would take some time to develop and bring to market, however. Even with encryption of data in transit and at rest, an HSM (hardware security module) owned by the 3rd-party service would probably be necessary to allow private data to be processed by a US-owned business.
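The arrangement described above, as an added example that is not part of the original post: a hypothetical EU-resident vault keeps the PII and the token key, and the service provider receives only keyed tokens in place of identifying fields. The class, function and field names and the sample record are constructed for illustration, and the key sits in process memory here where the post envisages an HSM owned by the 3rd-party service.

```python
import hashlib
import hmac
import secrets

PII_FIELDS = {"name", "email"}  # assumption: which fields count as PII

# Constructed sample record, not real data.
SAMPLE = {"name": "Erika Mustermann", "email": "erika@example.eu", "plan": "pro"}


class EUPseudonymVault:
    """Hypothetical EU-resident service that holds the PII and the token key."""

    def __init__(self, key=None):
        # Assumption: a real deployment would keep this key inside an HSM.
        self._key = key or secrets.token_bytes(32)
        self._pii = {}  # token -> original value; never sent to the provider

    def tokenize(self, field, value):
        # The field name is mixed in so equal values in different fields
        # do not produce the same token.
        msg = f"{field}\x00{value}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        token = "tok_" + digest[:32]
        self._pii[token] = value
        return token

    def reveal(self, token):
        # Re-identification is only possible on the EU side.
        return self._pii[token]


def export_record(vault, record):
    """Copy of the record as the provider sees it: PII replaced by tokens."""
    return {k: vault.tokenize(k, v) if k in PII_FIELDS else v
            for k, v in record.items()}


def reidentify(vault, exported):
    """EU-side reversal of export_record."""
    return {k: vault.reveal(v) if k in PII_FIELDS else v
            for k, v in exported.items()}


if __name__ == "__main__":
    vault = EUPseudonymVault()
    sent = export_record(vault, SAMPLE)
    print("provider receives:", sent)
    print("EU side recovers: ", reidentify(vault, sent))
```

Because the tokens are deterministic under one key, the provider can still match records belonging to the same person without learning who that person is; free-text fields that may contain names are outside what this example handles.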
For most businesses GDPR compliance only becomes a problem if data is lost, at which time it becomes a very expensive problem. However, the largest businesses will become targets for eye-wateringly large class action lawsuits - and the litigation funders don't take on difficult cases. In the meantime data owners in the EU must double their efforts to ensure that any services they use are as compliant as possible and, where possible, confirm those choices with their regulator.