Following the landmark CJEU ‘Schrems II’ ruling in July, which struck down the four-year-old EU-US Privacy Shield, European data protection regulators have today published 38 pages of guidance for businesses trying to navigate the uncertainty around how to (legally) send personal data out of the European Union.
The European Data Protection Board’s (EDPB) recommendations focus on measures data controllers might be able to put in place to supplement the use of another transfer mechanism, so-called Standard Contractual Clauses (SCCs), to ensure they are complying with the bloc’s General Data Protection Regulation (GDPR).
The Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data are available now: https://t.co/agY2BHZVku For a quick overview of the different steps data exporters need to take, check out the infographic: pic.twitter.com/sYTMdNgBkn
— EDPB (@EU_EDPB) November 11, 2020
Unlike Privacy Shield, SCCs were not struck down by the court, but their use remains shadowed by legal uncertainty. The court made it clear SCCs can only be relied on for international transfers if the safety of EU citizens’ data can be guaranteed. It also said EU regulators have a duty to intervene when they suspect data is flowing to a location where it will not be safe, meaning options for data transfers out of the EU have both reduced in number and increased in complexity.
One company that’s said it’s waiting for the EDPB guidance is Facebook. It has already faced a preliminary order to stop transferring EU users’ data to the US. It petitioned the Irish courts to obtain a stay as it seeks a judicial review of its data protection regulator’s process. It has also brought out its lobbying big guns, in the form of former UK deputy PM and ex-MEP Nick Clegg, to try to pressure EU lawmakers over the issue.
Most likely the tech giant is hoping for a ‘Privacy Shield 2.0’ to be cobbled together and slapped into place to paper over the gap between EU fundamental rights and US surveillance law.
But the Commission has warned there won’t be a quick fix this time.
Changes to US surveillance law are slated as needed, which means zero chance of anything happening before the Biden administration takes the controls next year. So the legal uncertainty around EU-US transfers is set to stretch well into next year at a minimum. (Politico suggests a new data deal isn’t likely during the first half of 2021.)
In the meantime, legal challenges to ongoing EU-US transfers are stacking up, at the same time as EU regulators know they have a legal duty to intervene when data is at risk.
“Standard contractual clauses and other transfer tools mentioned under Article 46 GDPR do not operate in a vacuum,” the EDPB reminds in an executive summary. “The Court states that controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools.
“In those cases, the Court still leaves open the possibility for exporters to implement supplementary measures that fill these gaps in the protection and bring it up to the level required by EU law. The Court does not specify which measures these could be. However, the Court underlines that exporters will need to identify them on a case-by-case basis. This is in line with the principle of accountability of Article 5.2 GDPR, which requires controllers to be responsible for, and be able to demonstrate compliance with the GDPR principles relating to processing of personal data.”
The EDPB’s recommendations set out a series of steps for data exporters to take as they go through the complex exercise of determining whether their particular transfer can be squared with EU data protection law.
Six steps but no one-size-fits-all fix
The basic outline of the process it’s advising is: Step 1) map all intended international transfers; step 2) verify the transfer tools you want to use; step 3) assess whether there’s anything in the law or practice of the destination third country which “may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer”, as it puts it; step 4) identify and adopt supplementary measure(s) to bring the level of protection up to ‘essential equivalence’ with EU law; step 5) take any formal procedural steps required to adopt the supplementary measure(s); step 6) periodically re-evaluate the level of data protection and monitor any relevant developments.
In short, this is going to involve both a great deal of work up front and ongoing work after that. tl;dr: Your duty to watch over the safety of European users’ data is never done.
Moreover, the EDPB makes it clear that there very well may not be any supplementary measures that could make a particular transfer legal.
“You may ultimately find that no supplementary measure can ensure an essentially equivalent level of protection for your specific transfer,” it warns. “In those cases where no supplementary measure is suitable, you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data. You should also conduct this assessment of supplementary measures with due diligence and document it.”
In instances where supplementary measures could suffice, the EDPB says they may have “a contractual, technical or organisational nature”, or, indeed, a combination of some or all of those.
“Combining diverse measures in a way that they support and build on each other may enhance the level of protection and may therefore contribute to reaching EU standards,” it suggests.
However it also goes on to state fairly clearly that technical measures are likely to be the most robust tool against the threat posed by foreign surveillance. That in turn means there are limits on the business models that can tap in: anyone wanting to decrypt and process data for themselves in the US, for example (hi Facebook!), isn’t going to find much comfort here.
The guidance goes on to include some example scenarios where it suggests supplementary measures might suffice to render an international transfer legal.
Such as data storage in a third country where there’s no access to decrypted data at the destination and the keys are held by the data exporter (or by a trusted entity in the EEA or in a third country that’s considered to have an adequate level of protection for data); or the transfer of pseudonymised data, so individuals can no longer be identified (which implies ensuring the data cannot be re-identified); or end-to-end encrypted data transiting third countries via an encrypted transfer (again, the data must not be decryptable in a jurisdiction that lacks adequate protection; the EDPB also specifies that the existence of any ‘backdoors’ in hardware or software must have been ruled out, although it’s not clear how that could be done).
Another section of the document discusses scenarios in which no effective supplementary measures could be found, such as transfers to cloud service providers (or similar) which require access to the data in the clear and where “the power granted to public authorities of the recipient country to access the transferred data goes beyond what is necessary and proportionate in a democratic society”.
Again, this is a bit of the document that looks very bad for Facebook.
“The EDPB is, considering the current state of the art, incapable of envisioning an effective technical measure to prevent that access from infringing on data subject rights,” it writes on that, adding that it “does not rule out that further technological development may offer measures that achieve the intended business purposes, without requiring access in the clear”.
“In the given scenarios, where unencrypted personal data is technically necessary for the provision of the service by the processor, transport encryption and data-at-rest encryption even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys,” the EDPB further notes.
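The two technical scenarios the article touches on, pseudonymised transfer and keys that stay with the exporter, share one design rule: whatever lets the importer get back to a person must never leave the EEA. The following is an added example (not from the EDPB document or the article) of a hypothetical exporter applying that rule with a keyed pseudonym, an EEA-only lookup table and a pre-transfer check; the field names and sample records are constructed.

```python
import hashlib
import hmac
import secrets

# Fields the exporter treats as direct identifiers; they never leave the EEA.
# Remaining attributes (e.g. country, plan) are quasi-identifiers and still
# need a re-identification risk assessment before export.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# Constructed sample records standing in for the exporter's own database.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.eu", "plan": "pro", "country": "DE"},
    {"name": "Bob Example", "email": "bob@example.eu", "plan": "free", "country": "FR"},
]


class EeaExporter:
    """Hypothetical exporter: the key and the re-identification table stay in the EEA."""

    def __init__(self, key=None):
        # Random 256-bit key generated and held by the exporter; the importer never sees it.
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup = {}  # pseudonym -> direct identifiers, kept only by the exporter

    def pseudonym(self, record):
        # Keyed HMAC rather than a plain hash: without the key a pseudonym can neither
        # be reversed nor recomputed from a guessed e-mail address.
        return hmac.new(self.key, record["email"].encode("utf-8"), hashlib.sha256).hexdigest()

    def export_batch(self, records):
        """Return the records in the form that would be sent to the third-country importer."""
        outbound = []
        for rec in records:
            pid = self.pseudonym(rec)
            self.lookup[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
            attrs = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            outbound.append({"pid": pid, **attrs})
        return outbound

    def reidentify(self, pid):
        """Only the holder of the table inside the EEA can map a pseudonym back to a person."""
        return self.lookup[pid]


def leaks_direct_identifier(outbound):
    """Pre-transfer check: no direct identifier field may appear in the outbound batch."""
    return any(k in rec for rec in outbound for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    exporter = EeaExporter()
    batch = exporter.export_batch(SAMPLE_RECORDS)
    assert not leaks_direct_identifier(batch)
    print(batch)
```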
It also makes it clear that supplementary contractual clauses aren’t any kind of get-out on this front (so, no, Facebook can’t stick a clause in its SCCs that disarms FISA 702), with the EDPB writing: “Contractual measures will not be able to rule out the application of the legislation of a third country which does not meet the EDPB European Essential Guarantees standard in those cases in which the legislation obliges importers to comply with the orders to disclose data they receive from public authorities.”
The EDPB does discuss examples of potential clauses data exporters could use to supplement SCCs, depending on the specifics of their data flow situation, alongside specifying “conditions for effectiveness” (or ineffectiveness in many cases, really). And, again, there’s cold comfort here for those wanting to process personal data in the US (or any other third country) while it remains at risk from state surveillance.
“The exporter could add annexes to the contract with information that the importer would provide, based on its best efforts, on the access to data by public authorities, including in the field of intelligence provided the legislation complies with the EDPB European Essential Guarantees, in the country of destination. This might help the data exporter to meet its obligation to document its assessment of the level of protection in the third country,” the EDPB suggests in one example from a section of the guidance discussing transparency obligations.
However the point of such a clause would be for the data exporter to put up-front preconditions on an importer to make it easier for them to avoid getting into a risky contract in the first place, or to help them with suspending/terminating a contract if a risk is identified, rather than providing any kind of legal sticking plaster for mass surveillance. Aka: “This obligation may nevertheless neither justify the importer’s disclosure of personal data nor give rise to the expectation that there will be no further access requests,” as the EDPB warns.
Another example discussed in the document is the viability of adding clauses to try to get the importer to certify there are no backdoors in their systems which could put the data at risk.
However the EDPB warns this may well be hopeless, writing: “The existence of legislation or government policies preventing importers from disclosing this information may render this clause ineffective.” So the example may be being included to try to kneecap dodgy legal advice that suggests contract clauses are a panacea for US surveillance overreach.
The EDPB’s full advice can be found here.
We’ve also reached out to Facebook to ask what next steps it’ll be taking over its EU-US data transfers in light of the EDPB guidance and will update this report with any response. Update: Facebook has now sent this statement: “The CJEU ruled that Standard Contractual Clauses are a valid legal mechanism for the transfer of data from the EU, including to the US. We note that new guidelines on supplementary measures have been submitted for consultation and, like many other companies, will be reviewing them carefully.”