Privacy Shield Does Not Shield the Privacy: EU-US Mechanism for Data Transfer Declared Invalid

Privacy Shield is a legal mechanism that has been used since 2016 as a basis for transferring personal data from the EU to the US. Controllers subject to the Serbian Law on Personal Data Protection (“LPDP”) could also rely on this arrangement, given the relevant provisions of the LPDP and the specific decisions of the Government of the Republic of Serbia described below.

On 16 July 2020, the Court of Justice of the European Union declared Commission Implementing Decision (EU) 2016/1250 on the adequacy of the EU-US Privacy Shield invalid. The ruling has significant consequences, primarily for entities subject to the GDPR, including entities with their seat or residence in the Republic of Serbia that fall under the GDPR's extraterritorial application. However, as explained below, the ruling also matters for Serbian controllers outside the GDPR's reach.

What is Privacy Shield?

In 2016, the Privacy Shield arrangement replaced the Safe Harbour Privacy Principles, a legal instrument adopted by the EU and the US which, like the Privacy Shield, allowed US-based controllers to self-certify, under certain conditions, as providing adequate protection for data originating from the EU. The proceedings that reached the Court of Justice began with a complaint filed by Austrian activist Maximilian Schrems with the Irish Data Protection Commission (DPC) against Facebook Ireland Limited, objecting to the transfer of his data to the US and its storage on servers owned by Facebook Inc. In 2015, that dispute resulted in the invalidation of the European Commission decision adopting the Safe Harbour principles (Schrems I).

Schrems then continued his legal challenge in order to stop Facebook from processing his data in the US, arguing that Facebook, like many other companies, is subject to US legislation that offers very little privacy protection, such as the Foreign Intelligence Surveillance Act (FISA).

Schrems was again successful: the proceedings resulted in the invalidation of the European Commission decision adopting the Privacy Shield (Schrems II).

Position of the Court of Justice in Schrems II

In essence, the court found that the extensive powers granted to US authorities under US surveillance legislation are in direct conflict with the fundamental rights guaranteed in the EU.

The court also found that the redress mechanism established by Decision 2016/1250, the Privacy Shield Ombudsperson, does not give data subjects a remedy before a body offering guarantees equivalent to those required by EU law, in particular independence and the power to adopt decisions that are binding on the US intelligence services.

The court also examined the Standard Contractual Clauses (“SCCs”), on which Facebook also relied during the proceedings, and did not deny their validity or continued use. The mere fact that SCCs do not bind the authorities of the country to which the data are transferred does not call their validity into question, since they are contractual in nature and therefore have effect only between the parties (inter partes).

However, the court stressed that the data exporter and the data importer must nevertheless verify, before any transfer, the level of data protection in the destination country, and that the importer must notify the exporter of any inability to comply with the SCCs, in which case the exporter is obliged to suspend the transfer and terminate the contract with the importer.

The court therefore made clear that signing the SCCs is not enough: companies must also check whether the clauses can actually be complied with in practice. This applies to every use of SCCs, not only to transfers to the US.

The same applies to Binding Corporate Rules (“BCRs”). The court stressed that where SCCs or BCRs alone cannot ensure the level of protection required under EU law, it must be examined whether supplementary measures can be applied to reach a level of protection equivalent to that in the EU, and the law of the third country must not undermine the effectiveness of those supplementary measures.

According to its announcements, the European Data Protection Board (EDPB) is already analysing the Court of Justice's ruling in order to identify supplementary measures (legal, technical and organisational) for cases where SCCs and BCRs do not provide sufficient guarantees.

It should be noted that Schrems II provides no grace period for complying with the new transfer requirements, so all controllers that exported data to the US under the Privacy Shield need to adjust as soon as possible. Although some degree of understanding from data protection authorities could reasonably be expected, the Berlin Commissioner for Data Protection has already advised controllers to bring data stored in the US back to the EU and not to transfer any further data there until a legislative reform has taken place.

What does this mean for controllers in the Republic of Serbia that transfer data to the US and fall outside the extraterritorial scope of the GDPR?

As regards transfers abroad on the basis of an adequate level of personal data protection, the LPDP contains a legal presumption that an adequate level of protection is ensured in states and international organisations that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”), as well as in states, parts of their territories, one or more sectors of activity in such states, or international organisations that the European Union has found to ensure an adequate level of protection.

The LPDP further provides that the list of states, parts of their territories, one or more sectors of activity in such states, or international organisations deemed to ensure an adequate level of protection shall be published in the “Official Gazette of the Republic of Serbia”.

This list was established by the Government of the Republic of Serbia by the Decision on the List of countries, parts of their territories, one or several sectors of certain activities in such countries and international organisations that are deemed to ensure an appropriate level of personal data protection (Official Gazette of RS no. 55/2019, “the Decision”).

Interestingly, the Government has no clear legal power to “establish” such a (positive) list, since the statutory provision itself already defines the scope of the countries and territories concerned. Under the following paragraph of the same article, the Government may only adopt a (negative) list of countries or parts of their territories that do not ensure an adequate level of data protection, and that list may not include parties to Convention 108.

Setting this legal-technical flaw aside, the Decision lists the United States among the countries that the European Union considers to ensure an adequate level of protection, with the note: limited to the Privacy Shield framework.

Therefore, until 16 July 2020, data could be transferred from Serbia to the US under the Privacy Shield arrangement without the Commissioner's authorisation, provided that the US importer was certified under that framework.

Now that the Privacy Shield has been declared invalid, does this mean that all controllers established in Serbia that have transferred data to the US since 17 July 2020 are in breach of the LPDP and liable to fines?

It remains to be seen how the Commissioner for Information of Public Importance and Personal Data Protection will officially interpret this issue. What is certain is that the Decision will have to be amended in the near future to remove the reference to the Privacy Shield. Until then, an official position from the authorities is needed on whether controllers that do not stop transferring data to the US on their own initiative before the Decision is amended face sanctions.

In this respect, neither the Privacy Shield arrangement nor the decisions of the European Commission or the Court of Justice form part of the legal system of the Republic of Serbia, and they are not binding on controllers in Serbia, since Serbia is not an EU member state. By contrast, the Serbian Government's Decision, which expressly refers to the Privacy Shield and remains in force, is still binding on those controllers.

Finally, it should not be forgotten that Schrems II does not affect the derogations in Article 49 of the GDPR or Article 69 of the LPDP, so transfers remain permitted, under the conditions set out there, where the data subject has given explicit consent or where the transfer is necessary for the performance of a contract between the data subject and the controller.

This article is to be considered as exclusively informative, with no intention to provide legal advice.
If you should need additional information, please contact us directly.

By Ivana Ruzicic, Managing Partner, PR Legal