Thursday, July 16, 2020

Europe’s top court strikes down flagship EU-US data transfer mechanism

A highly anticipated ruling by Europe’s top court has just landed — striking down a flagship EU-US data flows arrangement called Privacy Shield.

“The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield,” it writes in a press release.

The CJEU’s finding is that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”, and that mechanisms in the EU-US Privacy Shield ostensibly intended to mitigate this interference (such as an ombudsperson role to handle EU citizens’ complaints) are not up to the required legal standard of ‘essential equivalence’ with EU law.

In short, boom.

The case — known colloquially as Schrems II (in reference to privacy activist and lawyer, Max Schrems, whose original complaints underpin the saga) — has a long and convoluted history. In a nutshell it concerns the clash of two very different legal regimes related to people’s digital data: On the one hand US surveillance law and on the other European data protection and privacy.

Putting a little more meat on the bones, the US’ prioritizing of digital surveillance — as revealed by the 2013 revelations of NSA whistleblower, Edward Snowden; and writ large in the breadth of data capture powers allowed by Section 702 of FISA (Foreign Intelligence Surveillance Act) and executive order 12,333 (which sanctions bulk collection) — collides directly with European fundamental rights which give citizens rights to privacy and data protection, as set out in the EU Charter of Fundamental Rights, the European Convention on Human Rights and specific pieces of pan-EU legislation (such as the General Data Protection Regulation).

The Schrems II case also directly concerns Facebook, while having much broader implications for how large-scale data processing of EU citizens’ data can be done. It does not concern so-called ‘necessary’ data transfers — such as being able to send an email to book a hotel room; but rather relates to the bulk outsourcing of data processing from the EU to the US (typically undertaken for cost/ease reasons). So one knock-on effect of today’s ruling might be for companies to switch to regional data processing for European users.

The original case raised specific questions of legality around a European data transfer mechanism used by Facebook (and many other companies) for processing regional users’ data in the US — called Standard Contractual Clauses (SCCs).

Schrems challenged Facebook’s use of SCCs at the end of 2015, when he updated an earlier complaint on the same data transfer issue related to US government mass surveillance practices with Ireland’s data watchdog.

He asked the Irish Data Protection Commission (DPC) to suspend Facebook’s use of SCCs. Instead the regulator decided to take him and Facebook to court, saying it had concerns about the legality of the whole mechanism. Irish judges then referred a large number of nuanced legal questions to Europe’s top court, which brings us to today. It’s worth noting Facebook repeatedly tried and failed to block the reference to the Court of Justice. And you can now see exactly why they really wanted to derail this train.

The referral by the Irish High Court also looped in questions over a flagship European Commission data transfer agreement, called the EU-US Privacy Shield. This replaced a long standing EU-US data transfer agreement called Safe Harbor which was struck down by the CJEU in 2015 after an earlier challenge also lodged by Schrems. (Hence Schrems II — and now strike two for Schrems.)

So part of the anticipation associated with this case has been related to whether Europe’s top judges would choose to weigh in on the legality of Privacy Shield — a data transfer framework that’s being used by more than 5,300 companies at this point. And which the European Commission only put in place a handful of years ago.

Critics of the arrangement have maintained from the start that it does not resolve the fundamental clash between US surveillance and EU data protection — and in recent years, with the advent of the Trump administration, the Privacy Shield has looked increasingly precarious, as we’ve reported.

In the event, the CJEU has sided with critics who have always said Privacy Shield is the equivalent of lipstick on a pig. Today is certainly not a good day for the European Commission (which also had a very bad day in court yesterday on a separate matter).

We reached out to the EU executive for comment on Schrems II and a spokesman told us it will be holding a press briefing at noon. (We’ll dial in so stay tuned for more.)

Privacy Shield had also been under separate legal challenge — with the complainant in that case (La Quadrature du Net) arguing the mechanism breaches fundamental EU rights and does not provide adequate protection for EU citizens’ data. That case now looks moot.

On SCCs, the CJEU has not taken issue with the mechanism itself — which, unlike Privacy Shield, does not contain an assessment on the quality of the protections offered by any third country; it’s merely a tool which may be available to use if the right legal conditions exist to guarantee EU citizens’ data rights — but judges impress the obligation on data controllers to carry out an assessment of the data protection afforded by the country where the data is to be taken. If the level is not equivalent to that offered by EU law then the controller has a legal obligation to suspend the data transfers.

This also means that EU regulators — such as Ireland’s DPC — have a clear obligation to suspend data transfers which are taking place via SCCs to third countries where data protections are not adequate. Like the US. Which was exactly what Schrems had asked the Irish regulator to do in the first place.

It’s not immediately clear what alternative exists for companies such as Facebook which are using SCCs to take EU citizens’ data to the US, given judges have invalidated Privacy Shield on the grounds of the lack of protections afforded to EU citizens’ data in the country. US surveillance law is standing in the way of their EU data flows.

“In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard data protection clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies,” the court writes in today’s press release — pointing to Article 49 of the GDPR, which sets out conditions “under which such a transfer may take place in the absence of an adequacy decision or appropriate safeguards”. (These conditions are narrow — and include the explicit consent of the data subject; or for necessary transfers or transfers in the public interest or the interest of the data subject.)

Here’s more on the court’s reasoning from the press release:

The Court considers, first of all, that EU law, and in particular the GDPR, applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, even if, at the time of that transfer or thereafter, that data may be processed by the authorities of the third country in question for the purposes of public security, defence and State security. The Court adds that this type of data processing by the authorities of a third country cannot preclude such a transfer from the scope of the GDPR.

Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter. In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.

Regarding the supervisory authorities’ obligations in connection with such a transfer, the Court holds that, unless there is a valid Commission adequacy decision, those competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer.

Commenting on the ruling in a statement, a jubilant Schrems said: “I am very happy about the judgment. At first sight it seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role on the EU market.”

We’ve also reached out to Facebook and the Irish DPC for comment.

This is a developing story… 



from TechCrunch https://ift.tt/2CBIWgX
