Model Contracts and Privacy Shield: Why the AG Opinion in Schrems II Suggests that Belt and Braces Is a Good Strategy for Data Transfers from the EU

by: W. Scott Blackmer

The December 19 opinion of the CJEU Advocate General in Schrems II represents a qualified approval of the EU standard contractual clauses (SCCs or “model contracts”) for transferring personal data outside the European Economic Area. It is not the final word: the Court itself will rule in 2020. And the AG raises concerns about the companion case challenging the EU-US Privacy Shield. US Privacy Shield companies would be well advised to continue to use SCCs in appropriate cases and be prepared to shift to SCCs (and possibly Article 49 derogations), mindful of any new conditions suggested by the Court, if the US and EU do not meet the Court’s standards for Privacy Shield.

On December 19, the Advocate General of the Court of Justice of the European Union (CJEU) published his opinion in Schrems II, the case initiated by Austrian privacy advocate Max Schrems and the organization None of Your Business to challenge the use of EU-approved Standard Contractual Clauses under the EU General Data Protection Regulation (“GDPR”) Art. 46(2)(c) to protect personal data transferred outside the EU and other European Economic Area countries. Thousands of companies rely on SCCs to transfer data to countries with dissimilar legal privacy regimes, for example to affiliates or vendors in the US that are not enrolled in the Privacy Shield program, or to branch offices or partners in Eastern Europe and the Middle East, business process outsourcing firms in India, customer support centers in the Philippines, or technical support operations in China. These amount to massive daily flows of information that depend on contractual confidentiality and agreed security measures.

Schrems and his associates complained to the Irish Data Protection Commissioner (which then brought proceedings in the Irish courts, leading to a referral to the CJEU), not that the companies using SCCs are careless or abusive but that their governments might be spying on them. The argument stems from Edward Snowden’s disclosures in 2013 that the US National Security Agency (and allied intelligence services in other countries) routinely intercept trans-Atlantic voice and data communications. Thus, Schrems argues, data exporters and importers cannot ensure the promised confidentiality of transmitted personal data. This is the same argument that prevailed in Schrems I, challenging the former EU-US Safe Harbor privacy framework, which the CJEU declared invalid in 2015. The Safe Harbor was then replaced with the Privacy Shield framework, which added US commitments including an undertaking to establish a US Privacy Shield Ombudsperson and provisions for transparency and remediation. The sufficiency of that arrangement is under scrutiny in a companion case to Schrems II brought by another privacy advocacy group, La Quadrature du Net, which will also be decided in 2020.

The AG accepted that unfettered government surveillance could compromise the privacy of data transmitted from Europe to another country, but he put the responsibility on the contracting parties in the first instance to determine whether the data is at risk. The AG based this obligation on privacy rights in the Charter of Fundamental Rights of the European Union, as well as mandates stemming from the GDPR and its predecessor, the Data Protection Directive, under which the SCC decisions were adopted.

Those decisions place an obligation on the data importer to inform the data exporter if the former cannot meet its responsibilities, for example because of national laws and government practices, and the data exporter also has a due diligence obligation in dealing with data importers. The AG cautioned that the parties should each assess “all of the circumstances characterising each transfer, which may include the nature of the data and whether they are sensitive, the mechanism employed by the exporter and/or the importer to ensure its security, the nature and the purpose of the processing by the public authorities of the third country which the data will undergo, the details of such processing and the limitations and safeguards ensured by that third country …” (para. 135)

The AG’s concept is that the parties first assess the risks and have a duty to act responsibly, and then a data protection supervisory authority, on its own initiative or because of complaints, may reexamine that assessment and determine whether they have infringed the rights of European residents by transferring their personal data to a country where the public authorities engage in surveillance that does not meet the standards of the Charter. The AG expressed this view:

“The factors characterising the processing activities carried out by the public authorities and the safeguards applicable in the legal order of that third country may, in my view, overlap with those set out in Article 45(2) of the GDPR.” (para. 135)

Article 45(2) lists factors to consider in making an “adequacy” determination concerning a third country’s level of data protection, including such matters as “the rule of law, respect for human rights and fundamental freedoms, relevant legislation … the access of public authorities to personal data, as well as the implementation of such legislation … case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred; … the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject …”

That is a serious “due diligence” responsibility to place on a data exporter in Europe or a data importer in, say, China, Russia, Malaysia, India, or the United States. How far are they expected to go in trying to ascertain the procedural adequacy of the local legal regime and the practical extent of “access of public authorities” to the personal data they handle?

It is not clear that a European company would know how to answer those questions about its own public authorities. According to Snowden, the UK and Dutch intelligence agencies share surveillance results with the US NSA for counterterrorism and national security purposes and in criminal investigations, and it appears from public announcements and media stories that French, German, Italian, and other national agencies conduct communications surveillance for such purposes as well, under procedures that are not always transparent. That is the subject of sometimes contentious debate in Europe, heightened by the recurring fear of terrorist attacks.

The GDPR itself, in Article 23, recognizes national security, defense, public security, law enforcement, and “general public interest” exceptions to data protection requirements within the EU. What Article 23 demands is that such exceptions under Member State laws include a risk assessment, limitations as to the purposes of processing, specification of the controllers or categories of controllers, the categories of personal data, data storage periods, safeguards to prevent abuse or unlawful access or transfer, the scope of the restrictions on privacy rights, and procedures to inform the data subjects unless that would defeat the purpose.

If such elements appear in the pertinent legal instruments in the data importer’s country (such as the US federal Privacy Act and amended PATRIOT Act), that could suggest a comparable “rule of law, respect for human rights and fundamental freedoms” and “relevant legislation.” The standard cannot be the same as a full Article 45 adequacy determination, because the point of Article 46(2)(c) is that it is an alternative contractual safeguard employed when transfers are made to a country that is sufficiently dissimilar that it does not obtain an EU adequacy determination. This may suffice for companies using SCCs to transfer data to the US, but the AG’s proposed standard may be very difficult to apply for transfers to some countries with even less transparency and recourse regarding government surveillance of communications.

In discussing the companion case challenging Privacy Shield, the AG opinion goes on to suggest that the Privacy Shield program in its current form is lacking because the US Privacy Shield Ombudsperson is not sufficiently independent and there is no “effective remedy” for abuses by the national security bodies. The Court cancelled a scheduled hearing on that case, preferring to consider Schrems II first.

The Court will issue decisions in 2020 in both cases, deciding the future course of SCCs and Privacy Shield. In some 80% of cases, the CJEU follows the AG’s opinion, and the Court might quickly adopt a decision aligned with the AG opinion in Schrems II and move on to address the Privacy Shield challenge, but this is not assured.

If Privacy Shield is invalidated, as the Court invalidated its predecessor, Safe Harbor, US companies must be prepared to shift to SCCs. Companies should already be using SCCs for transfers directly from the EEA to countries other than the US, and on other occasions where Privacy Shield is not preferred (some European customers or vendors, for example, insist on using SCCs). A data protection officer or person with equivalent responsibilities should review the organization’s Privacy Shield certification and GDPR Article 30 record of processing activities, identify the affiliates, vendors, and business partners currently receiving data from the EEA under Privacy Shield or SCCs, and be prepared to make adjustments. The company may have to examine alternatives to SCCs in some countries, if the local legal regime is indefensible or the practices of local authorities entirely lack transparency. These alternatives might include derogations under GDPR Article 49, such as transfers based on the data subject’s explicit consent or on the necessity of performing a contract, although the derogations are intended for occasional transfers rather than routine data flows and must be handled with care. It is possible that the Court will decide that Privacy Shield is deficient for reasons that also cast doubt on the use of SCCs for transfers to the US, if it finds that US government surveillance is not ultimately subject to effective challenge and remedy. In that case, US companies would be scrambling to use Article 49 derogations while petitioning Congress for a legislative fix in an election year.

“Belt and braces” is the fashion tip for cross-border data protection in 2020.

W. Scott Blackmer