On 11 November, the EDPB adopted two sets of recommendations giving us a total of 10 steps to ensure safe data transfers (whether these steps are easy or not remains to be seen):
- Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (version for public consultations)
- Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (hereinafter “Recommendations 02/2020”), on which I would like to focus my (and hopefully your) attention. They offer fewer steps, but I would argue they may be longer ones, sometimes requiring one to stand pretty much astride.
Both sets of recommendations are an attempt to deal with the situation of data transfers outside the EEA after the Schrems II ruling. One of the issues raised in this judgement (and in the Schrems I ruling before it) was the question of personal data transfers to a third country which is under a legal obligation to share them with its authorities.
The European Essential Guarantees (hereinafter “EEGs”) developed in the EDPB's Recommendations 02/2020 should be considered a (four-step) guide for assessing the interference with the fundamental rights to privacy and data protection, based largely on rulings of the CJEU and the European Court of Human Rights. The EEGs are as follows:
A. Processing should be based on clear, precise and accessible rules meaning:
1) the legal basis should determine clear and precise rules regarding the scope and application of the measure in question and imposing minimum safeguards;
2) individuals (data subjects) should be able to enforce (“invoke and rely on”) the applicable third country law before a court;
3) the applicable law needs to determine in what circumstances and under which conditions a measure providing for the processing of such data may be adopted;
4) the legal basis of processing should determine (as a minimum):
- a definition of the categories of people that might be subject to surveillance,
- a limit on the duration of the measure,
- the procedure to be followed for examining, using and storing the data obtained, and
- the precautions to be taken when communicating the data to other parties;
5) the interference must be foreseeable as to its effect for the individual in order to give him/her adequate and effective protection against arbitrary interference and the risk of abuse.
B. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated which comes down to:
1) measuring the seriousness of the interference entailed by a limitation of the rights to privacy and to data protection and verifying that the importance of the public interest objective pursued by that limitation is proportionate to that seriousness (principle of proportionality);
2) surveillance measures should determine objective criteria of differentiation and/or limitation of processing personal data in light of the purpose of such processing (principle of necessity). Laws authorizing storage of the personal data transferred from the EU without any criteria limiting such storage based on the objective pursued (such as laws permitting public authorities to have access on a generalized basis to the content of electronic communications) are regarded by the CJEU as contrary to the principle of necessity.
C. An independent oversight mechanism should exist, meaning that prior judicial authorization of surveillance measures, important as it is, is not the only possible measure compliant with EU law. The actual operation must also be regarded through the lens of checks and balances on the exercise of power, and the existence or absence of actual abuse. If the measure is taken in a case of “duly justified urgency”, it does not require prior review. However, it should still be subject to subsequent review within a “short time”. The EDPB does not define these two terms, although they seem rather pertinent to the use of surveillance measures by third country authorities.
D. Effective remedies need to be available to the individual, meaning that data subjects must have the possibility of bringing legal action before an independent and impartial court (or other body, if it offers the guarantees required by Article 47 of the Charter of Fundamental Rights of the EU and has the power to adopt decisions binding on the intelligence services) in order to have access to their personal data or to obtain the rectification or erasure of such data.
The EDPB itself points out that “these guarantees require a certain degree of interpretation, especially since the third country legislation does not have to be identical to the EU legal framework”, which begs the question: who would be responsible for that interpretation? The outcomes of Schrems I and Schrems II, undermining first Safe Harbour and then Privacy Shield, do not exactly make us very optimistic. On the bright side: the EEGs are addressed both to data exporters and to the Commission when issuing adequacy decisions. On the dark side: practices developed by data exporters may be verified by DPAs and courts. However, we are 4 (or even 10) steps closer to developing a practice at the EU level that will help us if it ever comes to Schrems III (which is probably not unlikely).
All in all, we have some more tools to work with on our international data transfers. The EEGs, along with the measures presented in Recommendations 01/2020, may help us elaborate a little on the already famous ja und nein response given by one of the DPAs to the question of whether transfers outside the EEA are possible after Schrems II. We can say “ja” – if you have fulfilled 6 steps and implemented 4 guarantees – and “nein” – if you have not.
By Ewa Bugajska, Junior Associate, Penteris