Schrems II - the CJEU leaves us with more questions than answers

I am now adding some further thoughts on the many questions raised by the case, which remain largely unanswered despite the EDPB’s FAQs. These thoughts relate particularly to the position of businesses relying on the European Commission’s standard contractual clauses (SCCs) to transfer personal data outside the EEA but also examine the position of the data protection authorities (DPAs) and question the direction in which the CJEU is taking data protection in the EU.

The Data Exporter’s Assessment

The CJEU said that data exporters must ensure that data subjects whose personal data are transferred to a third country are afforded a level of protection essentially equivalent to that guaranteed in the EU. To that end, exporters must undertake an assessment of the adequacy of the level of protection provided in the destination country. The CJEU also said that this assessment must, in particular, take into consideration both the SCCs and the aspects of the legal system of the third country relating to access to the transferred data by that country’s public authorities. However, that is pretty much the extent of the guidance given by the CJEU on the nature of the assessment that is required. The Court did indicate that the assessment of the third country’s legal system should cover both whether any access by public authorities is limited to what is strictly necessary and proportionate and whether data subjects have the right to a judicial remedy in relation to such access. However, they did not pick up the suggestion, that came in the Advocate General’s preliminary opinion, that the assessment should take into account the circumstances characterising each transfer such as the nature of the data transferred and whether they are sensitive.

There are thus several unanswered questions which we can but hope either the European Commission (EC) or the European Data Protection Board will eventually provide answers to:

• How are data exporters expected to understand the legal system governing access by public authorities in the destination country. They can enlist the help of the data importer in that country but, as is illustrated by the CJEU’s discussion of the legal system in the US, this can be complex and not easy to understand. Will the EC, the EDPB or individual DPAs be researching the relevant legal systems and providing information to assist data exporters in their assessments?
• Even if they can understand the relevant legal systems how are exporters supposed to determine whether the access that they might provide to transferred data is limited to what is necessary and proportionate in a democratic society? Against what standards do they measure this? And how can they assess whether the rights of data subject are sufficient to meet the required standard?
• To what extent are exporters entitled to take into account all the circumstances of the transfer, including the nature of the transferred data? For example if the data are relatively anodyne, perhaps because they are business contact details, does it matter if access to them goes beyond what might be considered necessary and proportionate?
• Even if this doesn’t matter does the lack of a right to a judicial remedy, nevertheless mean that the SCCs cannot be relied on, regardless of the nature of the transferred data and other circumstances surrounding the transfer? In particular in the case of the US is the lack of a judicial remedy in fact not only fatal to the Privacy Shield but also fatal to reliance on the SCCs and even Binding Corporate Rules (BCR) for any transfers of personal data to the US?

Application Of The Decision To All Data Exporters And All Jurisdictions

The CJEU decision, although of general application, was based on the specific circumstances of Facebook Ireland transferring personal data to Facebook Inc in the US. These circumstances are not though typical of the circumstances of the majority of data exporters that are likely to rely on the SCCs for international transfers. There are a number of significant differences:

• The nature of Facebook’s business means that under US law they are an electronic communication service provider pursuant to the FISA Amendments Act of 2008 and so can be required, pursuant to Section 702 thereof (commonly referred to as FAA 702), to supply US public authorities with certain communications to and from specified non-U.S. persons who are reasonably believed to be located outside the United States, as authorized by the US Attorney General and the US Director of National Intelligence and overseen by the FISA Court. The identifiers that are associated with such a non-US person and that are contained in a directive given to the electronic communications service provider were referred to by the CJEU as a “selector”. The presumption is that in practice Facebook are subject to one or more such directives. Thus, Facebook will be aware, at least broadly, of the extent to which the personal data of Facebook users are accessed by US authorities. Very many exporters of personal data to the US will not though be sending their data to electronic communication service providers.

For many exporters the risk is not so much that the recipient will be ordered to make the transferred personal data in its stored communications accessible to US public authorities. Rather it is that it is that the communications will be accessed while they are in transit on their way to or from the importer. This “upstream” collection can happen under FAA 702 as well, whereby telecommunications companies can be compelled to provide US public authorities with access to certain communications as they pass through the “backbone” of the internet. It can also happen under Executive Order 12333 (E.O.12333), which allows US public authorities to conduct foreign intelligence surveillance outside of the United States against non-US persons, such as might take place by accessing underwater cables in the Atlantic. Although the parties might have some general awareness of the existence of the upstream component of FAA 702 and, perhaps to a lesser extent, E.O.12333, they will not know whether the data that they are transferring in their communications are actually being accessed whilst in transit. Furthermore, it is unclear how they might be prevented from fulfilling their obligations to process personal data in accordance with the terms of the SCCs when they are not themselves making the transferred data accessible to public authorities unless it could be by failing to keep the data sufficiently secure.

There is thus a question as to how far the CJEU decision relates to the circumstances of what are likely to be the majority of data exporters to the US that are vulnerable to having their communications accessed whilst in transit but are not, unlike Facebook, potentially required to provide US public authorities with direct access to the communications that they hold. Then, if the decision is relevant to the circumstances of such exporters, how can they reasonably be expected to make the assessment referred to above when it concerns aspects of the US legal system that target telecommunications undertakings operating the backbone of the internet, or even foreign intelligence surveillance that does not require the compelling of US companies and is conducted outside the United States under E.O.12333 rather than undertakings like their own?

• Facebook’s transfers that were under consideration by the CJEU were transfers to the US but businesses transfer personal data all over the world. Although the US provides for wide ranging access by its public authorities to transferred personal data there is a degree of transparency about these arrangements, they are subject to the rule of law and their impact has been analysed in some depth, not least by the CJEU and the Irish High Court in their recent judgments, such that the resulting analysis is readily available to data exporters. Even though the CJEU may have taken a different view presumably the US, as a democratic society, believes that the arrangements that it has in place satisfy the test of being necessary measures in a democratic society to protect important national interests.

However many countries in the world would not even get off the starting block of being a democratic society. Even if they do their arrangements for access by their public authorities may be obscure or may not be subject to the rule of law in practice even if in they are on paper. How are data exporters meant to understand let alone assess the relevant aspects of the destination country’s legal system in such cases? Does this mean that the SCCs can never be relied on for transfers to countries like these?

• Facebook is a very large, well-resourced undertaking. Nevertheless, it might well find the prospect of assessing the relevant legal systems in all the countries to which it exports personal data from the EU to be a daunting one. It will be though much less onerous for Facebook than it is likely to be for many other exporters. How much effort can they reasonably be expected to expend themselves on such an assessment even if the necessary information were to be available to them? Alternatively, how much can they reasonably be expected to have to pay if they outsource the work? Of course they can enlist the help of the importer, which might be expected to know something of the relevant legal system of the country in which it is located, but how far will they be able rely on information and advice from the importer which is likely to have an economic interest in the data exporter coming up with a favourable assessment.

Safeguards And Other Alternatives

The CJEU refers to the possibility of the data exporter, where appropriate in collaboration with the importer, providing additional safeguards that supplement the SCCs where the exporter’s assessment indicates that the SCCs alone do not afford a level of protection to the transferred data essentially equivalent to that guaranteed in the EU. However, the Court is silent on what those safeguards might be. What might be the options? The EDPB has said that it is looking into possibilities but little has been suggested so far apart from the use of encryption. Might this be encryption of the data in transit, encryption of the data at rest in the destination country or both? Encryption of the data in transit might provide some protection against public authorities accessing the data whilst it is travelling through the “backbone” of the internet, as is the case with the upstream component of FAA 702, or through underwater cables or other telecommunications infrastructure, as is the case with E.O.12333, but how much protection will it provide? Public authorities clearly have some capacity to get around encryption but how much capacity do they have and how is the exporter expected to know about this and then take it into account in making the necessary judgement?

If access to communications containing personal data takes place once the transferred data are in the hands of the importer, as is the case with FAA 702, the data importer would be required to provide public authorities with access to the stored data in unencrypted form if the data importer has access to the encryption keys. If the importer does not have access to the keys it can probably be doing little more anyway than providing storage for the encrypted communications and the data they contain. Even then, the public authorities might still have the capacity to decrypt the data once they have gained access. Again, how are the exporter and importer expected to know about these capabilities and make the necessary judgements?

In any case, it is hard to see how encrypting the transferred data can make up for any lack of a judicial remedy for EU data subjects against the public authorities of the destination country. How could any legal, technical or other arrangement that is in the exporter or importer’s hands compensate for such a lack? Some mention has been made of the new SCCs that the European Commission has said that it is developing but these will still only be contractual arrangements and so cannot be binding on the third country’s public authorities or provide judicial remedies for matters going well beyond the scope of the contract. Perhaps the idea is that if the data are encrypted before they leave the EU and the key continues to be held only by the EU exporter there actually isn’t any international transfer of personal data taking place on the basis that the data won’t be identifiable in the destination country. Would the DPAs be likely to buy such an argument? It seems improbable given the broad definition of personal data in the GDPR and their previous pronouncements on the subject.

The CJEU went on to say that the annulment of an adequacy decision such as the Privacy Shield Decision, and presumably also any restriction in the availability of the SCCs, is not liable to create a legal vacuum around international transfers because of the existence of the derogations in Article 49 of the GDPR. However, as the GDPR itself makes clear and the EDPB has emphasised, these derogations, covering matters such as contractual necessity, are for the most part only available for use on an occasional basis and so do not solve the problem. The exception is transfers that take place with the data subject’s explicit consent. Might the CJEU see individual consent as the solution here? If so they are not only paying little heed to the stringent conditions that have to be met to ensure that any consent is valid. They are also failing to recognise that a situation in which data subjects consent to the transfer of their personal data without appropriate safeguards being in place actually provides them with substantially less real protection than if their data were transferred under the SCCs, even if the protection provided by those SCCs might be less than 100% perfect.

The Data Protection Authorities

The CJEU has drawn attention to the responsibility of the DPAs to monitor the application of the GDPR and to ensure its enforcement. The Court has then gone on to say that the exercise of this responsibility is of particular importance where personal data are transferred to third countries. Why should this be the case? The Court justifies its observation by referring to the GDPR recitals which indicate that, when personal data move across borders, the ability of individuals to exercise their data protection rights, in particular to protect themselves from the unlawful use or disclosure of their information, may be put at increased risk. Whilst this may be true individuals face increased risks in a wide variety of situations, and not necessarily foremost in relation to international transfers. For example in the UK the ICO’s complaint caseload does not suggest that international transfers and their consequences rate particularly highly amongst the risks that individuals see themselves facing. Indeed the low numbers of complaints on the subject do not even warrant reporting as a distinct category in the ICO’s latest annual report. Is there be any reason to suppose that the position is significantly different in the EU member states?

The GDPR places a general responsibility on the DPAs to monitor its application. Although the CJEU draws attention to this responsibility and says that it is of particular importance in relation to international transfers, it does not seek to place any particular obligations on the DPAs to proactively monitor international transfers. What will be worrying for the DPAs though will be what the Court says about enforcement. Here it does not say that a DPA enjoys the discretion to use its enforcement powers where it considers it appropriate and proportionate to do so. Rather it says that the DPA must use its enforcement powers to suspend or prohibit a transfer under the SCCs where, in the DPA’s view, the protection that is required by EU law cannot be ensured and the exporter has not itself suspended or put an end to the transfer. This not only places the DPAs in the same difficult position as exporters and importers in having to understand and assess the legal systems of third countries in so far as they apply to access to transferred data by public authorities. It also obliges the DPAs to use their enforcement powers when they otherwise might choose not to do so.

The CJEU was addressing international transfers in its decision but there is nothing in its reasoning that clearly confines, to the field of international transfers, its conclusion, that, when a DPA is made aware of a breach of GDPR requirements that has not been corrected the DPA is obliged to use its enforcement powers to prevent the breach continuing, Does the CJEU really mean that a DPA is obliged to take enforcement action whenever it comes across a breach that hasn’t been corrected regardless of the circumstances and the nature of that breach or any harm caused? If so, the implications for the DPAs and the allocation of their resources could be huge. For example, the ICO’s annual report shows that of the almost 40,000 data protection complaints that it received in the last year around 10,000 revealed an infringement. However, the ICO used its enforcement powers in less than one in 200 of these cases. Enforcement action is resource intensive for DPAs. Does the CJEU really want the DPAs to shift their limited resources so much more further in the direction of enforcement action even if they do not consider that this is necessarily the most effective way of driving a high standard of data protection? Or, is the CJEU saying, by implication, that the DPAs need more resources.

Perhaps most worrying for DPAs is that everyone now seems to be expecting then to fill the vacuum that the CJEU’s decision has created. It is they who are expected to come up with the safeguards that data exporters and data importers are being required to put in place in addition to the SCCs. The difficulty of identifying these, apart from perhaps encryption which anyway has limitations, has already been discussed and is particularly acute in so far as safeguards might compensate for any lack of a judicial remedy rather than simply compensate for any disproportionate rights of access by public authorities. Will the DPA’s be able to come up with solutions that are both practical and consistent with the Court’s decision? They have said that they will take on the task and we can but hope that they will surprise us. Should they be so willing to do so though?

The problems are essentially with the GDPR and with the CJEU’s interpretation of it. They are not of the DPAs making and cannot necessarily be solved by them. The concept of adequacy, as the level of protection appropriate for international transfers, has been with us for a long time and is basically a sound one. International transfers, which are an inevitable and increasing feature of globalisation, can be perfectly manageable when the term “adequate level of protection” is given its natural meaning. That is a satisfactory or sufficient level of protection. The problem has come with the CJEU, in its first Schrems decision determining that an “adequate level of protection” must instead be interpreted as meaning an “essentially equivalent level of protection” to that pertaining in the EU and not just in relation basic data protection standards but also in relation to national security and law enforcement arrangements. The GDPR is far from being a perfect legal instrument. Perhaps this needs to be more clearly recognised without the DPAs necessarily being expected cover up its shortcomings simply through the provision of more guidance. Maybe the DPA’s should be more willing to pass the problems back to the EU’s lawmakers to resolve rather than, as the expression goes, trying themselves to make a silk purse out of a sow’s ear. Immediately following the CJEU’s decision the EDPB issued a statement saying that “The EDPB welcomes the CJEU’s judgment”. Oh really!

Brexit Implications

Some commentators have suggested that the CJEU’s decision will make it harder to transfer personal data from the EU to the UK after the end of the year when the Brexit transitional period comes to its conclusion. Is this necessarily the case? Certainly, it will be harder to transfer data to the UK if there is no EU adequacy finding for the UK or some comparable, further temporary arrangement put in place. The EC has made clear that in considering UK adequacy it will be looking at the powers of the UK’s public authorities to access transferred data. The UK’s surveillance regime is certainly open to criticism, and this could yet prove to be a barrier to an adequacy finding. Nevertheless, the UK’s system does not suffer from the same failings that the CJEU majored on in the US arrangements. The UK does not treat the personal data of non-UK persons and their rights any differently from the way it treats the personal data and rights of UK persons. There is an Investigatory Powers Commissioner in place whose job is to ensure independently that access by public authorities is both lawful and proportionate. Furthermore individuals, whether UK persons or otherwise, have the right to a judicial remedy before the Investigatory Powers Tribunal and ultimately before the European Court of Human Rights. If there is no adequacy finding for the UK and EEA exporters have to fall back on the SCCs for transfers to the UK there may still be some additional safeguards that they will need to put in place in line with the CJEU’s decision but these won’t necessarily need to make up for the same deficiencies that the Court identified in the relevant US legal system.

Of course, the UK has now left the EU and will no longer be bound by the EU’s GDPR after the end of the year. How far will the UK follow the CJEU’s decision in relation to transfers from the UK to non-EEA third countries? UK law will continue to have an adequacy requirement but might the UK courts and the ICO revert to the original concept of adequacy as being more about ensuring sufficient or good enough protection rather than ensuring an essentially equivalent level of protection? If so, could this limit the prospect for an adequacy finding for the UK? And if it does what might be implications for the EC’s review of its existing adequacy findings and any new ones that are in the pipeline?

Is Data Protection In Danger of Becoming A Largely Academic Exercise?

When I was at the ICO one of the incoming Information Commissioners referred to the ICO that he found as the University of Data Protection. This wasn’t meant as a compliment! What he meant, with considerable justification, was that we were spending too much time and effort debating fine points of data protection law and developing overly legalistic guidance at the expense of addressing the real data protection concerns of ordinary people and providing guidance that could be understood and put into practice by the average business. Arguably, the CJEU, and perhaps the GDPR itself, are taking us back in that same direction. This is where we want to or should be going?

Clearly international transfers are of concern to Max Schrems and other privacy activists but, as discussed above, this is not reflected in the complaints that the DPAs receive. The average person appears to be rather more concerned about inaccurate information held about them by credit agencies, disclosure of their police record, a failure to respond properly to their subject access request or the consequences for them of a security breach than with whether a foreign public authority might gain access to their data. This is not to suggest that the protection of international transfers is unimportant. It does though suggest that the issue needs to be kept in proportion. The problem with the CJEU’s decision, as with any narrowly focused inquiry, is that it does not look at data protection obligations in the round or at the duties of DPAs as a whole. It necessarily gives undue prominence to just one aspect of data protection and risks creating disproportionate obligation for both businesses and DPAs in relation to that aspect. It may be an intriguing academic and legal exercise but how far does it advance the cause of data protection given the many challenges that we are all facing whether from the deployment of facial recognition by the police or the use of data analytics to profile us for financial services or medical treatment. Maybe some rebalancing is required.

Perhaps not surprisingly, given that it was delivered by a court, the CJEU’s decision arguably risks pushing us too far along the road of looking on a high standard of data protection as more a matter of law than of practice. Is this the direction that we should be going in? The CJEU places a great deal of emphasis on the lack of a judicial remedy in the US for non-US persons whose personal data is accessed by US public authorities but is this a real remedy or more of a theoretical or an academic one? How, in practice, is the average EU person, who is not Max Schrems or some other experienced and well-resourced advocate, expected to bring a case before the US courts. The Privacy Shield Ombudsman undoubtedly has its shortcomings but it seems much more likely to provide, in practice, an accessible and meaningful remedy, even if not a perfect one, to a concerned EU person than access to the US courts is ever likely to do.

Furthermore, we are left by the CJEU with the situation where the SCCs apparently provide EU persons with better protection for transfers of their personal data to the US than does the Privacy Shield. Perhaps looked from an academic legal perspective this is true but is it true in reality? The SCCs may remain valid but can contractual commitments entered into by a data exporter and a data importer, under which the data subject has third party rights, ever be an entirely satisfactory way of delivering ongoing, high level data protection in practice rather than merely on paper? This is the reason why the DPAs have always championed binding corporate rules, which can much more effectively embed high quality data protection within a business than contractual commitments alone are ever likely to do. Similarly the Privacy Shield, with clear and public data protection commitments that participants enter into, an accessible complaints mechanism and oversight and enforcement by the Federal Trade Commission is, despite its shortcomings, almost certain to provide better protection and rights for individuals whose personal data is transferred to the US that any SCCs, with or without additional safeguards, are ever going to do. Simply because legal protection and rights exist on paper does not necessarily mean that they exist in practice. Arguably, the CJEU is pushing the DPAs and others to turn data protection into too much of an academic legal exercise striving to find the best possible data protection on paper rather than simply looking to deliver good, albeit sometimes less than perfect, data protection in practice. Should the DPAs be trying to stand their ground against this? Are they willing to do so? Can the rest of us encourage them in the right direction?