On 16th July, the European Court of Justice (EUCJ) gave its ruling on whether the US Privacy Shield arrangement with EU is acceptable for “Adequacy” under Article 45. The reference for the ruling had been made by the Ireland High Court following a proceedings in Data Protection Commissioner Vs Facebook Ireland and Maxmillian Schrems.

The ruling has a far reaching impact on the Indian data market since India is a prominent data processor on the global scenario and a large part of the Indian business flows through US. In most of the cases, the Indian companies are sub contracting “Processors” and not “Data Controllers”and are therefore bound by contractual obligations of the upstream data controllers, many of whom are US firms.

These Data Controllers in US may be operating in different countries including EU and are obligated to meet the GDPR requirements. Being US companies some of them were depending on the US privacy shield to get the data transferred to US and further use the Standard Contractual Clauses to sub contract processing to India.

Such Companies will have to suspend their operations until they conclude a fresh contract with the EU Joint Data Controllers and thereafter also make suitable amendments to their Indian Contracts. This legal formality will take at least a few weeks in which the data processing may lack appropriate legal sanction. Conservative companies will therefore stop the processing activities until their legal departments and DPOs clear the continuation of the processing activity.

In view of these developments, it is necessary for Indian Data Processors to study the implications of the EU ruling and take steps to protect their interests.

The EDPB (European Data Protection Board) which is the apex regulator of GDPR has now provided its clarifications on the week old ruling which answers many of the doubts that the industry practitioners had.

The EDPB clarification is discussed here for the information of the industry.

Background

The EUCJ ruling of 16th July 2020, covers interpretations of the EU Directive dated 24th October 1995 on the protection of privacy of European citizens, the Validity of Standard Contract Clauses as per commission’s decision of 5th February 2010 and the Adequacy provided to US Privacy Shield arrangement through decision dated 12th July 2016.

It may be noted that GDPR was adopted on 14th April 2016 to be effective for implementation from 25th May 2018. The Privacy Shield arrangement was finalized immediately after the adoption of GDPR.

Prior to October 6, 2015, EU and US data transfer was governed by the International Safe harbor principles which was replaced with the Privacy shield arrangement after GDPR became effective.

“Safe harbor” was a self certification scheme in which the US data importers gave an assurance to the data protection principles. The “Safe harbor” system was accepted as “Adequate” for personal data transfer from EUs based on the European Commission’s decision in 2000 that the principles met the compliance requirements with the then existing EU directive of 1995.

Though this adhered to the 7 basic Privacy principles self certified by the US organization, it had also been over turned earlier by the EUCJ in October 2015 after which the Privacy Shield was negotiated.

The reason for rejection of the safeharbor principles was because the Court ruled that

“legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life“

The “Privacy Shield” arrangement therefore brought “Stronger Obligations” on US Companies including higher cooperation between EU data protection authorities and the US.

It was envisaged that

“The new arrangement included commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalized access.

Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson”.

The current EUCJ order related to the acceptability of this Privacy Shield arrangement with the EU regulations on Privacy which had been negotiated between the EU and US authorities.

The ruling refers to the several recitals and Articles to flag the objective of GDPR in terms of the scope of the regulation. It also highlighted that under the Privacy Shield arrangement, the US Government had committed to create a new oversight mechanism for national security interference, the “Privacy Ombudsperson who should be independent of the intelligence community”.

The Court observed that

“Privacy Shield Ombudsperson, although described as ‘independent from the Intelligence Community’, was presented as ‘[reporting] directly to the Secretary of State who will ensure that the Ombudsperson carries out its function objectively and free from improper influence that is liable to have an effect on the response to be provided’”

..the Ombudsperson is appointed by the Secretary of State and is an integral part of the US State Department,..”

“…there is nothing ..to indicate that that ombudsperson has the power to adopt decisions that are binding on those intelligence services and does not mention any legal safeguards that would accompany that political commitment on which data subjects could rely”

…”Therefore, the ombudsperson mechanism to which the Privacy Shield Decision
refers does not provide any cause of action before a body which offers the persons
whose data is transferred to the United States guarantees essentially equivalent to
those required by Article 47 of the Charter.”

In the light of all of the foregoing considerations, it is to be concluded that the Privacy Shield Decision is invalid.

The Court proceeded to also comment on whether this decision will create a vacuum disturbing the business by stating..

“..in view of Article 49 of the GDPR, the annulment of an adequacy decision such as the Privacy Shield Decision is not liable to create such a legal vacuum. That article details the conditions under which transfers of personal data to third countries may take place in the absence of an adequacy decision under Article 45(3) of the GDPR or appropriate safeguards under Article 46 of the GDPR.”

As a result of the above ruling all transfers to US presently based on Privacy Shield are to be considered invalid ab-initio and replaced with other alternative measures to continue the transfer.

The Court has not ruled any punitive action to be initiated for the transfers which could have occurred so far.

However, from the date of this ruling and until alternatives are in place, there has to be a stoppage of all data transfers leading to a freezing of operations of many companies.

To the extent many of the US companies would have sub contracted the processing to Indian companies, the processing in India will also have to stop forthwith.

Effect of Article 23

It may be noted that Article 23 of GDPR states as follows:

Article 23:Restrictions

1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a) national security;
(b) defence;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;
(f) the protection of judicial independence and judicial proceedings;
(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims

In otherwords GDPR considers that “National Security” etc could be reasons for which GDPR provisions may be over ruled by the member states by their own laws.

This principle appears to have been ignored when the Court ruled that the US Secretary of State cannot supervise the “Ombudsperson” in a manner that could prevent its intelligence agencies access the personal data of EU Citizens transferred to US under the Privacy Shield arrangement.

Alternatives

Companies need to now explore alternative measures to continue their activities.

One such alternative would be Article 49 which refers to derogation for specific situations.

Additionally, Articles 46 which refer to transfers subject to appropriate safeguards and Article 47 regarding Binding Corporate rules or Article 48 regarding mutual legal assistance treaties between countries may also provide an alternative.

However both Article 46 and Article 47 need to conform to the principles under which the US Privacy Shield was rejected and ensure that there exists an effective judicial remedy to the Data Subjects with “independence” which was not available in the Ombdsperson scheme of the US privacy shield.

If therefore, SCC/BCR provide for judicial relief through Arbitration, the enforcement mechanism has to be still administered within the US system. Hence the effectiveness of any adverse arbitration decisions will continue to be a point of dispute.

At the same time, it is to be recognised that it is not feasible for any US based organization to ignore any demand for information from their National Security agencies. While surveillance is amenable for judicial review, to the extent that the US national interests are involved and “Intelligence” is always speculative, it is difficult to deny completely the authority of the investigative agencies for data.

The “Derogations” unde Section 49 therefore remain the only option for the companies and this includes “Explicit Consent from the data subject for transfer of data”.

It can therefore be expected that all EU data exporters need to revise their Privacy Policy to include an explicit consent for transfer of personal data from EU to US and other countries based on a reasonable assurance of safeguards from the down stream processor.

The European Data Protection Board (EDPB) has on 23rd July 2020 come up with a clarification on a series of questions that were raised in the light of the judgement which is further discussed in the continuing article.

(To Be continued…)

Naavi

Reference Articles: