In its July 2020 Schrems II judgment, the Court of Justice of the European Union invalidated the Privacy Shield for EU-US personal data transfers for commercial purposes. In a case concerning data transfers by Facebook Ireland to the US, the court concluded that because of its mass surveillance programs, the US does not provide the adequate – that is, a sufficient – level of personal data protection that is guaranteed by EU law. What conclusions may be drawn from Schrems II for personal data transfers to Russia almost one year later?
EU Personal Data Export Rules
Under EU law, personal data transfers to third countries lacking adequacy decisions, including the US and Russia, require that appropriate safeguards be put in place, unless specific exceptions apply. In practice, the most widely used safeguard (also used for transfers to Russia) is Standard Contractual Clauses (SCCs) – a set of pre-approved legal provisions to be included in the contract with a data importer outside the EU.
Unfortunately, from Schrems II it follows that the mere conclusion of SCCs may not be sufficient to legitimize the transfer where local laws and practices in the country of the data recipient hinder or make standard clauses ineffective. In Schrems II, the court held that US surveillance legislation allows authorities access to personal data beyond what is necessary and proportionate, and that EU individuals are not afforded redress. As a result, the court concluded that US law does not require minimum safeguards equivalent to those required under EU law. Taken together with the inherently contractual nature of SCCs, which makes them non-binding on public authorities, this means that in the post-Schrems II era having SCCs in place is not enough for EU-US personal data transfers.
Another, more general conclusion is that prior to transfer, an EU data exporter should always ensure that the domestic law of the importer does not undermine the effectiveness of SCCs. Specific attention should be focused on the rules governing public authorities' access to personal data for national security purposes.
Russian Surveillance Legislation
So then, is Russian surveillance legislation compliant with EU data protection and privacy standards? Compliance would mean meeting, among others, the following requirements: (1) that the data processing be limited to what is necessary and proportionate for the objective pursued; (2) the existence of independent, preferably judicial, oversight mechanisms; and (3) the existence of effective rights of redress for individuals.
Meanwhile, Russia’s Yarovaya Law requires Russian telecoms and Internet companies to retain copies of all contents of communications – including text messages, voice, data, and images – for six months, and related metadata for up to three years. All information must be disclosed to the Russian police and intelligence services upon request, even without a court order. This approach is unlikely to meet the proportionality and oversight requirements.
Moreover, in the landmark case Roman Zakharov v. Russia, the European Court of Human Rights concluded that Russian legislation on data interception for law enforcement purposes does not provide adequate and effective guarantees against arbitrariness and the risk of abuse. One of the reasons was the lack of effective remedies.
Consequently, if the Schrems cases had involved transfers to Russia instead of the US, the conclusions of the CJEU would almost certainly be the same, and for the very same reason – intrusive surveillance legislation. As a result, SCCs alone are also no longer sufficient for EU-Russia personal data transfers.
What Can be Done?
The rules are simple: where SCCs cannot guarantee EU data protection standards, additional measures must be adopted. If a level of protection essentially equivalent to the EU still cannot be secured, transfers must not take place.
The problem is that with respect to countries like Russia, in most instances there may be no effective and reasonable safeguard. After all, what could two private companies effectively do to prevent Russian authorities from intercepting data? Accordingly, one year after Schrems II, almost all personal data transfers to Russia remain in the risk zone. What then may be recommended to EU data processors for whom termination of all transfers to Russia is not an option?
First, EU data processors should evaluate the actual need for personal data transfers to Russia, and avoid unnecessary transfers. Second, data exported to Russia should be minimized. Third, in addition to SCCs, adopting relevant contractual, organizational, and technical measures on a case-by-case basis is a must. With respect to Russia, parties should particularly consider data pseudonymization, encryption, and split or multiparty processing.
Though taking these steps may be costly, and they do not guarantee compliance, they may help mitigate potential liability.
By Eldar Mansurov, Head of Data Protection, and Marcin Kryszko, Senior Associate, Peterka & Partners Moscow