In order to provide some clarity to the EU Court of Justice ruling of 16th July 2020 on the rejection of the US Privacy Shield, the EDPB has come up with answers to a list of questions that is being raised by the business community.
A copy of the document is available here
In a bid to soften the business impact of the decision, EDPB has tried to highlight that the judgement has upheld the validity of the Standard Contract Clauses (SCCs) which are available for use by the business entities for personal data transfer. It has specifically highlighted that the validity of SCCs is not questioned
“by the mere fact that the standard data protection clauses in that decision do not, given that they are contractual in nature, bind the authorities of the third country to which data may be transferred.”
This observation has to be taken with a pinch of salt since the principle established under the judgement can still be used to invalidate any SCC if it can be established that the destination country’s intelligence system has access to the information under a process not acceptable to the EU Court.
This is also reiterated by EDPB itself stating
In general, for third countries, the threshold set by the Court also applies to all appropriate safeguards under Article 46 GDPR used to transfer data from the EEA to any third country.
In other words, the EU Court will stand in judgement of any powers to be exercised by other sovereign Governments in respect of the powers to be given to their intelligence agencies.
While Article 23 does give such powers to the countries of the EU, it appears that the EUCJ wants to deny such powers to other sovereign countries.
EDPB reiterates that
The Court considered that the requirements of U.S. domestic law, and in particular certain programmes enabling access by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes, result in limitations on the protection of personal data which are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, and that this legislation does not grant data subjects actionable rights before the courts against the U.S. authorities.
This view clearly is an interference in the affairs of another country in its sovereign duties and indicates a myopic view of the Court lacking the humbleness required in tackling international issues. This would be unacceptable to any self respecting foreign Government.
The EDPB cleverly points out that despite a valid contract,
the data importer is required to inform the data exporter of any inability to comply with the standard data protection clauses, and where necessary with any supplementary measures to those offered by those clause, the data exporter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the data importer.
It is to be noted that instead of making the data exporter responsible to validate if the contract is enforceable, it makes the data importer liable for the disclosure.
This will result in the data exporters bringing economic pressure on the data importer to sign on the dotted line to either declare that their respective intelligence agencies donot have the power to demand the information, which will be a false claim or force them into a confrontation with their own intelligence agencies when such a demand is made.
In political terminology this would amount to instigating an entity in a sovereign country to raise against the powers of law enforcement of its own sovereign Government.
It would be interesting to see if the Trump Government would accept this ruling and agree to subordinate it’s legitimate national security duties to the protection of the Privacy rights of the EU Citizens as directed by the EUCJ.
This could be an opening of a major international legal conflict where the US courts may be pitched against the EU Courts.
The US courts may however come into reckoning only when the EU data protection authorities or any EU Data controller tries to impose penalties on a US entity under any SCC clause. Until such time there will be a Damocles Sword hanging over the US joint data controllers taking up US business.
Alternatively, it is for the US business to reject against this EUCJ decision and reiterate their own SCC clauses and ensure that the contracts entered into with the EU Data controllers donot expressly agree to reject the authority of the country’s law enforcement requirements.
They should also reject the “Data Importer’s Responsibility” of due diligence by an express provision in the contract stating some thing similar to the effect
“Not withstanding anything contained above, the Data Exporter recognizes that the Data Importer is subject to the jurisdiction of the laws of the Data Importer’s country and is required to abide by the provisions of such law, in particular to the context referred to under Article 23 of GDPR in the context”
(To Be Continued)
Articles in this series