SCHREMS II, an anticipated and dreaded finale
On July 16, 2020, the Court of Justice of the European Union invalidated the Privacy Shield, a key agreement that formed the legal basis for transfers of personal data between Europe and the United States.
More than 5,300 US companies relied on the Shield for their data processing and must now find another legal basis for their transfers.
The decision was prompted by a complaint from Max Schrems, an Austrian citizen who had already obtained the annulment of the agreement that preceded the Shield, the "Safe Harbour Principles".
The complainant contested the conditions under which his data processed by Facebook was transmitted to the United States.
On the basis of this dispute, the Court, in the judgment commonly referred to as "Schrems II", analysed the validity of two legal instruments permitting transfers outside the European Union:
- Standard contractual clauses, which can in principle be used with any third country, and
- European Commission Decision 2016/1250 regarding the Privacy Shield, an agreement tailored to transfers to the United States.
The Court did not invalidate the standard contractual clauses, a scenario that gave many companies and lawyers cold sweats.
However, their use remains subject to a concrete assessment, by the data exporter, of whether the clauses can actually be honoured in the third country, taking into account in particular the ability of public authorities such as intelligence services to access the data.
Where access to the data is incompatible with the principles of the clauses, it is the responsibility of the exporter to suspend the transfer, and, if the exporter fails to do so, of the supervisory authority (the equivalent of the CNIL) to suspend it.
In the case of the Privacy Shield, the Court held that, even though the principles of the agreement provided in theory a level of protection essentially equivalent to that of the European Union, the concrete requirements relating to national security, the public interest and compliance with American legislation rendered these principles ineffective.
It found that the scope of the US authorities' surveillance powers was excessive by European standards, and that non-US citizens were not guaranteed a right of redress before an independent court.
These findings led it to declare the decision invalid.
And now?
Transfers to the United States can no longer be based on the Shield.
While some are turning to standard contractual clauses, this solution raises doubts: the clauses remain valid in principle, but when used for a transfer to the United States they face the same problem as the Shield, namely the scale of surveillance measures on American soil and the insufficient means of redress for the persons concerned.
Some suggest encrypting the data before transfer to prevent its use by US authorities, but this overlooks the possibility for the authorities to legally demand its decryption.
The European Data Protection Board (EDPB) published a press release on July 17 in which it summarizes its initial findings and announces additional guidelines.
The following observations can be noted:
– The Court's decision directly concerns transfers to the United States, but its reasoning applies to international transfers to any third country;
– The use of standard contractual clauses for a transfer to any third country remains possible, but the exporter must carry out specific verifications concerning the content of the clauses, the context of the transfer, and the legal regime applicable in the third country (in particular concerning national security);
– If the situation presents particular risks, additional measures will have to be taken: the EDPB is currently working to specify these measures;
– The EDPB recalls that the importer has a duty to inform the exporter of any change in legislation that would affect the application of the clauses and could thus lead to the suspension of the transfer.
The European Commission has announced that it has entered into dialogue with its American counterparts with a view to reaching an agreement providing for a higher level of data protection.
Meanwhile, Max Schrems' association, NOYB ("None Of Your Business"), has filed 101 complaints with supervisory authorities against companies operating across the European Union, including Google, Facebook, and Microsoft, or using Google Analytics and Facebook Connect, that have taken no action in response to the Court's ruling.
There are other mechanisms for transferring data besides standard contractual clauses.
They were explained in the March editorial of this newsletter.
The alternative is to process the data on European soil rather than transferring it.
We hope that this decision will encourage the development of such local services.
And also
France:
- The CNIL (French Data Protection Authority) is launching an investigation into TikTok: in addition to the standoff between the Chinese company and the United States, investigations are underway in Europe into the app's compliance with the GDPR. The CNIL is coordinating its work with the other supervisory authorities within the framework of the EDPB.
- Still in cooperation with its European counterparts, the CNIL imposed a fine of 250,000 euros on the online sales company Spartoo on August 5 for failure to comply with the principles of data minimization, retention, information and security provided for by the GDPR.
Europe:
- The British supervisory authority, the ICO, has been criticised by parliamentarians for its insufficient action against GDPR violations, particularly in the context of the COVID-19 pandemic.
- Also in the UK, the Court of Appeal ruled on August 11 that the use of live facial recognition technology by South Wales Police violated fundamental rights, including the right to data protection.
- The European Commission is currently working on a regulation for digital services to strengthen these services within the internal market and clarify the legal framework for small businesses. The European Parliament is preparing a recommendation in this context, which is expected to address a range of data protection concerns, including encryption of information, auditability of algorithms, and the protection of biometric data.
- The European Commission announced on August 4 that it is opening an investigation into Google's proposed acquisition of Fitbit. Its concerns primarily relate to the concentration of data in the hands of a dominant player, particularly health data.
International:
- United States: In a privacy impact assessment dated July 30, the Department of Homeland Security details practices observed for years at the country's external borders, under which agents may copy the contents of the phones and computers of people entering the United States and retain them for a period of up to 75 years.
- Twitter confirmed in early August that it was the subject of an investigation by the US Federal Trade Commission regarding its use of customer data for advertising purposes.
- Brazil: The personal data protection law (LGPD) is due to come into effect on August 27. A supervisory authority has also just been established.
- Also in Latin America, Chile is modernizing its data protection law, and regulatory projects are underway in Paraguay and Ecuador.
- Egypt adopted a law on the protection of personal data on June 17.