16 July 2020 will go down in data protection history. On that day, the EU Courts decision in Schrems II dealt international data transfer a mighty blow.
The EU-US Privacy Shield has fallen with immediate effect.
The EUs adopted standard contract clauses survive, but can only be used where the destination countrys laws contain safeguards of a GDPR standard.
If supervisory bodies and businesses follow this decision strictly, every day activities will require burdensome due diligence and may have to be suspended.
This has the potential to disrupt business in many sectors.
Legal BackgroundAs everyone now knows, the EUs GDPR sets a gold standard for protecting personal data that applies in all EEA1 countries and to many organisations in other parts of the world.
The GDPR prevents an organization transferring personal data outside the EEA unless the destination country is on an adequacy white list or the organization adopts an adequate safeguard, except in very limited circumstances. Given the powers of EU supervisory authorities to ban unlawful data transfer and to levy large fines, up to 4% of global group turnover or 20 million, it is important to respect these rules.
Only seven major countries2 with due respect to Andorra and various small islands are on the white list. However, that list is not limited to entire countries. The EU can also white list specified sectors within countries. Using this power, in July 2016 it made the important decision that U.S. organisations certified under the EU-US Privacy Shield were also white-listed3.This replaced its 2000 Safe Harbor decision to similar effect, which the EU Court had struck down as invalid in 2015, in Schrems I.
As mentioned above, organisations transferring personal data to a non-EEA destination which is not white-listed generally have to establish an adequate safeguard. By far the most common of these safeguards, the easiest to establish and often the only one available, is the EU adopted standard contract clauses (SCC). The SCC are probably used by thousands of organisations around the world.
Schrems II challenged both the Privacy Shield and the SCC, striking at the heart of cross-border data transfer.
Background FactsIn 2013 Austrian law student, Max Schrems, asked the Irish Data Commissioner to prevent Facebook Ireland transferring his data to Facebook USA. He argued U.S. law didnt adequately protect his personal data, given the FBI and NSAs surveillance powers and activities.
Although this ultimately resulted in the 2015 Schrems I ruling that U.S. Safe Harbor was invalid, it did not end the argument because Facebook said most of its data transfer to the U.S. was under the SCC, not Safe Harbor. Accepting the Commissioners invitation to reformulate his complaint, Schrems argued that once in the U.S. his data was available to the FBI and NSA under laws incompatible with the EU Charter and was not adequately protected despite the SCC.
The Commissioner agreed and brought court action in Ireland, questioning the validity of the 2010 EU decision which adopted the SCC.
The Irish Court heard evidence on the effect of U.S. national security laws. Finding these of concern, it referred the SCC question to the EU Court of Justice. For the same reasons, it also asked the EU Court to scrutinize the validity of the EU-U.S. Privacy Shield, which had been adopted in the intervening period.
EU Courts Decision on the Privacy ShieldThe Court observed that the Privacy Shield was expressly stated to be subject to U.S. national security requirements, which enabled interference with the fundamental rights of data subjects. The Court went on to examine the EU Commissions justification for nevertheless approving the Shield. These are set out in a recital declaring:
on the basis of available information about the U.S. legal order any interference by U.S. public authorities with the fundamental rights of the persons whose data are transferred under the Privacy Shield for national security [or] law enforcement purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question, and there exists effective legal protection against such interference
The Court examined FISA, the U.S. Foreign Intelligence Surveillance Act, and Executive Order 12333 on Intelligence Activities and fundamentally disagreed with the Commissions justification. The Court found U.S. surveillance programs under these laws enabled agencies such as the FBI and NSA to access personal data transferred from the EU to the U.S. without limitation and without guarantees for non-U.S. individuals. Ultimately, it concluded that U.S. laws:
Consequently, it had no hesitation in finding the Privacy Shield invalid, with immediate effect.
EU Courts Decision on the SCCThe Courts decision on the SCC was more nuanced. Its key finding, which will be a relief to business, is that the EU Commission decision approving the SCC was valid. However, the Court applied a significant qualification, ruling that the SCC can only be used where data subjects are given a level of protection equivalent to GDPR in the destination country.
Applying this qualification, the judgment directs EU data protection authorities to suspend or prohibit data transfer using the SCC where the law of the destination country does not provide appropriate safeguards, rights and remedies against access by national authorities.
Organizations concluding from this that they can carry on using the SCC until an authority stops them will be disappointed. The judgment goes on to declare every entity transferring personal data out of the EEA under the SCC responsible for assessing whether the destination countrys law ensures adequate protection. They must do so on a case by case basis, before they make any further transfer.
The burden does not stop at the data exporter: the Court also pointed out that the SCC themselves require the data importer to notify the exporter if it cannot comply, including where public authorities in its country can access the data disproportionately or without redress. The Court ruled that transfer must stop if the exporter receives such notification.
Finally, the Court suggested a data exporter could take adequate additional measures to guarantee protection if the destination countrys laws did not pass the assessment. However, short of persuading that country to change its laws it is difficult to see what such measures could be: while the exporter could insist on additional contractual safeguards with the importer, these will have no effect on public authorities in the destination country, which are not party to the SCC.
Effects of the Decision
Data Transfer to the U.S.Data transfers under the Privacy Shield are now unlawful. Although authorities are unlikely to take immediate enforcement action, such as banning transfers and levying fines, businesses should find an alternative basis for transferring personal data to the U.S. as soon as possible, since any informal grace period will not last long.
Ideally, the alternative basis for transfer will involve using an adequate safeguard. The obvious solution would have been to use the SCC commonly used to transfer data to U.S. organisations not certified under the Privacy Shield. But given the EU Courts combined findings on the use of the SCC and on U.S. laws, it seems inevitable that this will not withstand further scrutiny.
Apart from the SCC, the only other adequate safeguard readily available to private organisations is to use binding corporate rules, but these apply only within a corporate group and so are of no use for transfers between independent entities. They also require bespoke drafting and regulatory approval.
In the absence of the Privacy Shield and without an adequate safeguard, organisations can generally only transfer personal data to the U.S. on a repeated basis with the explicit consent of the data subject or where necessary for a contract4. Even one-off transfers will require justification and regulatory notification.
The use of consent is therefore likely to increase. This will often be onerous and will need careful management, since the GDPR also has strict rules on consent. If data subjects refuse consent, and every data subject is entitled to refuse, one can foresee major problems.
Data Transfer to other Non EEA CountriesMost data transfers to non-white-list countries take place under the SCC. Applying Schrems II strictly, every EU data exporter using the SCC must now assess the laws of the destination country, if necessary with the help of the importer, before carrying out further transfer.
This assessment should include a focus on law regarding access by public authorities in the destination country, in particular whether their access is proportionate and whether data subjects have actionable legal rights against them.
Having assessed the relevant foreign law, unless the exporter finds it as protective as GDPR and consistent with the EU Charter, it must end the transfer. There must be a significant concern that many, if not most, countries will fail this assessment. Where that is so, the position will be the same as for the U.S.
EU data protection authorities are required to enforce the GDPR with all due diligence. Strictly applying Schrems II, they must suspend or ban personal data transfer to third countries under the SCC where it cannot be protected to EU standards, unless the data controller has already put an end to the transfer. In the coming months, we may see decisions from the authorities that the SCC cannot be used for certain named countries.
ConclusionsStrict observance of the EU Courts decision in Schrems II will disrupt current practice in international data transfer from the EU.
How many nations, other than the handful currently on the white list, have data protection laws equivalent to GDPR? How many nations circumscribe the activities of their intelligence and national security authorities and give foreign nationals individual legal rights against them? Indeed, there are doubts about the UK receiving a white listing following Brexit for that very reason. Even existing white list decisions are subject to periodic review and could be challenged at any time.
Until now, use of the SCC was the oil on the wheels of the EU data export system. If Schrems II is rigorously applied this will no longer be the case. This is problematic since swathes of businesses rely on transferring personal data from the EU to the U.S. and other major trading nations without specific authorization or individual consents. If Schrems IIeffectively prohibits this, then other countries may take a tit for tat approach, particularly since national security laws in EU Member States may not meet the standard the EU court is expecting of other countries.
The solution may have to be political, but as both Schrems cases show, political solutions may not withstand the scrutiny of a court. Ideally, Schrems II will lead to a world-wide standard of data protection equivalent to GDPR, but that seems a long way off and is probably unachievable given the primacy countries give their national security.
Until a solution is found, businesses that export or import data are likely to have to make changes to their practices and legal arrangements. The only consolation, although a poor one, is that everyone is swimming in the same choppy waters.
RecommendationWe recommend that organisations which export or import EU personal data take urgent legal advice on the best way forward.
___1 The EU countries plus Norway, Iceland and Lichtenstein. 2 Argentina, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay.3 A similar decision has been made for in Canada for commercial private-sector organizations. 4 The other exceptions are extremely narrow, e.g. for legal claims or matters of life or death.
Go here to read the rest:
- NSA: We 'don't know when or even if' a quantum computer will ever be able to break today's public-key encryption - The Register - September 5th, 2021
- Opportune moment for indigenous development of 5G NSA & SA by C-DOT: Prakash - United News of India - September 5th, 2021
- A Softening Economy Will Be Buffeted By Stimulus Withdrawal And Delta-Variant Surge - Forbes - September 5th, 2021
- Actions of IT giants pave the way for states to monopolize data Snowden - TASS - September 5th, 2021
- Microsoft's Azure Government Top Secret Cloud: All you need to know - TechHQ - September 5th, 2021
- The Scandalous History of the Last Rotor Cipher Machine - IEEE Spectrum - September 5th, 2021
- The NSA Does Not Deny Reading Tucker Carlsons Emails - July 12th, 2021
- Home, but Not Free: NSA Whistleblower Reality Winner Adjusts to Her Release From Prison - The Intercept - July 12th, 2021
- Congress newest subcommittee is focusing on cyber troops and JEDI - Federal News Network - February 11th, 2021
- End the war on whistleblowers - The Week - February 11th, 2021
- NSA Warned Russia to Stay Out Of 2020 Election And Got SolarWinds Hack Instead - NPR - February 1st, 2021
- Biden administration will build on the Quad: NSA Jake Sullivan - The Hindu - February 1st, 2021
- William P. Crowell, Former Deputy Director of the National Security Agency, Joins LookingGlass Advisory Board - HSToday - February 1st, 2021
- SolarWinds Is Not the 'Hack of the Century.' Its Blowback for the NSA's Longtime Dominance of Cyberspace - Common Dreams - February 1st, 2021
- NSA fumes over the violation of coronavirus safety protocols - GhanaWeb - February 1st, 2021
- A Top Biden Cybersecurity Aide Donated Over $500000 to AIPAC as an NSA Official Mother Jones - Mother Jones - February 1st, 2021
- What to expect from NASS and NASED conferences - Politico - February 1st, 2021
- Companies Pay Criminal Penalties And Compensation For Undermining Competition - JD Supra - February 1st, 2021
- Split Up NSA and CYBERCOM - Defense One - December 28th, 2020
- Edward Snowden Pardon and the SolarWinds Hack | - City Journal - December 28th, 2020
- Edward Snowden and wife share photos of newborn son amid push for Trump to pardon NSA leaker - Washington Times - December 28th, 2020
- NSA Year in Review: Election Security, Cybersecurity, and More - HSToday - December 28th, 2020
- No, the United States Does Not Spend Too Much on Cyber Offense - Council on Foreign Relations - December 28th, 2020
- The US has suffered a massive cyberbreach. It's hard to overstate how bad it is - The Guardian - December 28th, 2020
- Satoshi Nakamoto from NSA, AntiChrist and Other Bitcoin Conspiracy Theories - Cryptonews - December 28th, 2020
- How A Cybersecurity Firm Uncovered The Massive Computer Hack - NPR - December 28th, 2020
- Snowden and Assange Deserve Pardons. So Do the Whistleblowers Trump Imprisoned. - The Intercept - December 28th, 2020
- National Security Agency - Wikipedia - October 10th, 2020
- Talks with China will not help says USA NSA on situation on Ladakh - Oneindia - October 10th, 2020
- How to choose the right multifactor authentication program - Federal News Network - October 10th, 2020
- UofL to launch health care cybersecurity curriculum with $6.3 million from National Security Agency, pilot focused on veterans and first responders -... - October 10th, 2020
- National Storage Affiliates Trust Announces Date of its Third Quarter 2020 Earnings Release and Conference Call - Business Wire - October 10th, 2020
- NSA announces new Autumn webinar series 'Feeding the flock and getting it right' - The Scottish Farmer - October 10th, 2020
- How the NSA is disrupting foreign hackers targeting COVID-19 vaccine research - TechCrunch - September 18th, 2020
- Crime Prevention and Community Outreach, Common Goals for NSA and NYPD Commissioner - Abasto, Food and Beverage Industry News - September 18th, 2020
- Deputy NSA gets one year extension - The Hindu - September 18th, 2020
- Exceeding All Expectations: A Journey of Adversity, Triumph and Eternal Optimism - Worth - September 18th, 2020
- Huge threat to national security as hackers attack NIC computers, steal sensitive information - DNA India - September 18th, 2020
- Police: 2 more held in Agra boys kidnap-murder, NSA to be invoked - The Indian Express - September 18th, 2020
- NSA to be invoked against miscreants involved in killing Malihabad farmer: Lucknow DM - Outlook India - September 18th, 2020
- Did the NSA spy on Congress? RT The World According to Jesse - RT - September 5th, 2020
- Nebraska native, 101, defied convention: She served in South Pacific, with MacArthur and at NSA - Omaha World-Herald - September 5th, 2020
- NSA Ajit Doval reviews situation at India-China border - The New Indian Express - September 5th, 2020
- NSA Webinar Part 3: Skills Development and the future of learning during and post the Covid-19 pandemic - Mail and Guardian - September 5th, 2020
- ICE Robotics Expands Offering With NSA Partnership - CleanLink - September 4th, 2020
- National Security Agency | History, Role, & Surveillance ... - August 16th, 2020
- The NSA and FBI Expose Fancy Bear's Sneaky Hacking Tool - WIRED - August 16th, 2020
- NSA and FBI Expose Russian Previously Undisclosed Malware Drovorub in Cybersecurity Advisory FBI - Federal Bureau of Investigation - August 16th, 2020
- Shah Faesal reached out to NSA before he quit party; open to IAS return - Hindustan Times - August 16th, 2020
- How has the pandemic impacted work at the NSA? - C4ISRNet - August 10th, 2020
- Election interference efforts have shifted, NSA and Cyber Command election threats leads say - CyberScoop - August 10th, 2020
- Did Hedge Funds Make The Right Call On National Storage Affiliates Trust (NSA)? - Yahoo Finance - August 10th, 2020
- National Speakers Association Inducts Mary Kelly, Ph. D. into the Speaker Hall of Fame - The Grand Junction Daily Sentinel - August 10th, 2020
- For 2020 Election, Threat is Bigger than Russia > US DEPARTMENT OF DEFENSE - Department of Defense - August 10th, 2020
- The White House reportedly quashed part of an intelligence report that showed Russia is helping the Trump campaign - MSN Money - August 10th, 2020
- GFA Express Appreciation To NSA | General Sports - Peace FM Online - August 10th, 2020
- NSA O'Brien Says US Has 'Sanctioned The Heck Out Of Russia' - Newsmax - August 10th, 2020
- DHS Warns of a Persistent Cyber Threat Targeting Critical Infrastructure in the U.S. - CPO Magazine - August 10th, 2020
- Money Explodes; Gold Glitters; The Recovery Slows - Forbes - August 10th, 2020
- NSA Reports on New Cyber Vulnerability in Computers - ExecutiveGov - August 10th, 2020
- The Trump administration reportedly quashed an intelligence report that showed Russia is helping him win the 2020 election - MSN Money - August 10th, 2020
- There Will Be Blowback - Forbes - August 10th, 2020
- What and how are you thinking? Anything is possible - Martins Ferry Times Leader - August 10th, 2020
- TikTok and National Security: The Need for a Comprehensive U.S. Privacy Law - Security Boulevard - August 10th, 2020
- Buhari to overhaul the nation's security apparatus, says NSA - TheCable - August 10th, 2020
- Trump quashed report section showing Russia is helping him win 2020 - Business Insider - Business Insider - August 9th, 2020
- NSA Sheep 2020 to be a virtual sheep show - South West Farmer - August 8th, 2020
- All you need to hijack a Mac is an old Office document and a .zip file - TechRadar - August 8th, 2020
- Silicon Valley's Vast Data Collection Should Worry You More Than TikTok - Jacobin magazine - August 8th, 2020
- T-Mobile Is The First Carrier Globally To Launch Nationwide Standalone (SA) 5G - Forbes - August 7th, 2020
- The Room Where It Happened: Former US NSA exposes the frailties of the Trump administration - The Financial Express - August 4th, 2020
- NSA Sheep 2020 to go virtual over two days - FarmingUK - July 31st, 2020
- Protect Our Power Urges Vigilance in Response to NSA and CISA Warning on Critical Infrastructure - PRNewswire - July 31st, 2020
- A "Time of Heightened Tensions": Homeland Security and National Security Agency Issue Joint Cybersecurity Alert - JD Supra - July 31st, 2020
- Amid 'heightened tensions,' US government issues warning to critical infrastructure providers - Utility Dive - July 31st, 2020
- Garmin Hack, Glitch in Flight Navigation and an NSA Warning: The Massive Threat of WastedLocker - News18 - July 31st, 2020
- Netflix is looking to Splinter Cell for its next big video game adaptation - The Verge - July 31st, 2020
- US real GDP to expand by 15% in Q3 TDS - FXStreet - July 31st, 2020
- Two Rebels Against the Establishment: Oliver Stone and Edward Snowden - CounterPunch - July 31st, 2020
- Orange announces it will launch 5G later this year - Explica - July 31st, 2020