Transfer of personal data to the US in the light of EU rulings
The General Data Protection Regulation (GDPR), formally Regulation (EU) 2016/679, has served as the model for the Serbian Personal Data Protection Law. As such, rulings of EU bodies in this area are highly relevant to the application of the national regulations, and have to date proven to be a reliable basis for personal data controllers and processors to make decisions and act in accordance with European privacy rules.
In that context, Judgment C-311/18 of the European Court of Justice (ECJ) of 16 July 2020 that invalidated the European Commission (EC) Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield is particularly significant for multinational companies that control and process personal data.
The significance of this decision lies in the fact that many companies operating in either Serbia or the EU need to transfer personal data to the US. Our experience reveals that these transfers are chiefly necessary when a multinational group of companies sets up a centralised database administered and controlled by its parent company located in the US. Moreover, many firms that offer cloud computing services, social media, web-based applications and business productivity apps also house their servers in the US.
As such, the invalidation of the decision under which US companies that had self-certified their adherence to the EU-U.S. Privacy Shield Framework Principles were deemed to ensure an adequate level of protection means that transfer of personal data to the US is no longer possible under the least restrictive requirements, that is to say without the need to comply with the additional specific conditions and limitations applicable to the other legal grounds for data transfer. In addition, the ECJ ruling goes a step further and calls into question the very permissibility of transferring data to the US in principle.
This is not the first time that the issue of personal data transfers to the US, and the broader topic of personal data protection there, has proven controversial. The case that led the ECJ to invalidate the EU-U.S. Privacy Shield was brought by the same person who had previously raised the issue before the Court, Maximilian Schrems, an Austrian national and a user of Facebook, one of the multinational companies referred to above. The EC's decision recognising as adequate the protection afforded by the EU-U.S. Privacy Shield was made after a breakthrough in EU-US negotiations to create a personal data protection mechanism in the US that would guarantee effective protection of data transferred to that country. These negotiations proved necessary after Mr Schrems successfully petitioned the ECJ to overturn (in its Judgment C-362/14 of 6 October 2015) the EC's Decision 2000/520/EC on the adequacy of the protection provided by the Safe Harbour Privacy Principles, on which Facebook had previously based its data transfers to the US.
Since the reasons set out in the ECJ judgment on the Privacy Shield are largely the same as those in its previous ruling on the Safe Harbour Principles, it seems that the ECJ views EU-US efforts to strengthen protection arrangements for personal data transfers to the US as unsatisfactory. The ECJ found that the integrity of personal data processed in the US was threatened by the broad and vague powers of US authorities to process such data by means of surveillance programmes ('PRISM' and 'UPSTREAM') and by the lack of effective legal remedies available to individuals outside the US. The ECJ ruled that the regulations adopted by US authorities to limit the powers of the intelligence services had not brought the US surveillance systems into compliance with the principles of proportionality and purpose limitation, which are key European individual privacy safeguards. Lastly, the ECJ found that the absence of effective legal remedies before US courts for non-US nationals could not be remedied by the newly introduced Privacy Shield Ombudsman mechanism, given that, in the absence of any effective guarantees of security of tenure, the Ombudsman's independence remained only theoretical.
In accordance with the Serbian Personal Data Protection Law, the Serbian Government ruled (Official Gazette of the Republic of Serbia, No. 55/19 of 2 August 2019) that US organisations that are part of the EU-U.S. Privacy Shield ensure an adequate level of protection for the purposes of data transfer. This decision was based on the EC's recognition that adherence to the EU-U.S. Privacy Shield Framework Principles constituted an adequate level of protection. As the EC's decision has now been declared invalid, the EU-U.S. Privacy Shield can no longer be deemed to provide an adequate level of protection for the purposes of the Serbian Data Protection Law. As such, data controllers and processors who have been relying on this approach to transfer data to the US will now have to seek alternative arrangements that comply with Serbian law. This interpretation has been confirmed by the Serbian Commissioner for Information of Public Importance and Personal Data Protection, who has written to the Serbian Government to seek alignment of its decision of 2 August 2019 with the ECJ judgment. To the best of our knowledge, the Government has yet to respond.
As noted above, the invalidation of the Privacy Shield has far-reaching effects that go beyond merely precluding data transfers based on this arrangement. It is eminently clear that the Privacy Shield can no longer be used, but which legal grounds can now be relied on to justify data transfers to the US in compliance with the applicable rules?
Judgment C-311/18 of the ECJ also reviewed the validity of the EC's Standard Contractual Clauses (SCCs), which can likewise be used to justify personal data transfers, in particular in the light of the fact that the SCCs are inherently contractual and as such not binding on the public authorities of the receiving country. The ECJ ruled that the non-binding nature of the SCCs did not affect their validity, particularly as the parties to any data transfer pursuant to them assume responsibility for the data processing carried out under them and guarantee both that it complies with EU rules and that they are able to fulfil the requirements imposed by the SCCs. What does this entail? Before transferring any data pursuant to SCCs, the parties must first assess whether they are themselves able to meet the requirements of the SCCs if the transfer is to be valid. Consequently, by entering into an SCC contract the parties guarantee that the recipient will be able to comply with the SCCs (including that 'it has no reason to believe that the legislation applicable to it prevents it from fulfilling its obligations under the contract entered into'). If, on the other hand, practical experience with transfers relying on SCCs makes it apparent that the guarantees are not workable, that the authorities of the recipient country are able to make significant interventions, or that there are limitations that preclude the fulfilment of the obligations under the SCCs (which the ECJ found to be a risk with transfers to the US), this will trigger the liability of the parties to the SCCs. In summary, entities that transfer data to the US pursuant to SCCs must carefully weigh their ability to comply with the requirements of the SCCs, as the use of formally valid SCCs does not by itself guarantee that the transfer will be lawful.
Ultimately, a supervisory authority may suspend or prohibit a transfer based on the SCCs where it finds that the transfer does not meet the requirements of the SCCs and that the safeguards required by EU law cannot be ensured. In view of the above, and in particular given the ECJ's assessment of the US data privacy system, it seems that SCCs are not suitable legal grounds for transfers to the US.
These risks make it worthwhile to explore whether a particular transfer may fall under what the GDPR terms 'derogations for specific situations', such as where the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such a transfer for the data subject due to the absence of an adequacy decision and appropriate safeguards. These situations greatly restrict the ability to transfer data, by requiring either the data subject's consent (which may be revoked at any time, rendering any continued processing unauthorised) or the existence of important reasons (in practice applicable to very few cases) that override the individual's right to privacy. In this context, apart from explicit consent, two attractive justifications for data transfer merit exploring: a transfer that is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the data subject's request; and a transfer that is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
The Serbian Data Protection Law is patterned after the GDPR in that it authorises the Commissioner for Information of Public Importance and Personal Data Protection to adopt standard contractual clauses that govern the relationship between the controller and the processor and that may constitute legal grounds for transferring data abroad, an authorisation the Commissioner has exercised. However, the current iteration of the Serbian SCCs differs somewhat from the EU SCCs in that it lacks the express guarantees given by the parties to the data transfer that are contained in the EU SCCs. At first glance it may therefore appear that the Serbian SCCs can be used to transfer personal data to the US in compliance with Serbian law with less risk of the parties becoming liable for non-compliance due to the actual state of the privacy system in the US. Yet it is worth noting that Article 10 of the Serbian SCCs stipulates that 'data may be transferred to another country, a territory or one or more specified sectors within that country, or an international organisation, provided such transfer fully complies with regulations and ensures an adequate level of protection of personal data, exercise of all rights, and effective legal remedies for data subjects.' An identical clause appears in the section of the Serbian Data Protection Law that regulates transfers pursuant to the national SCCs. Finally, in common with the GDPR, Serbian law authorises the Commissioner to suspend personal data transfers to another country or an international organisation. As such, even though the Serbian SCCs differ to some extent from the EU version, their actual effects seem to be virtually identical: the formal validity of these clauses does not automatically assure the controller that the transfer is lawful.
At any rate, since the investigations and findings of EU bodies are not formally binding on Serbian authorities, only an official opinion of the Serbian Commissioner for Information of Public Importance and Personal Data Protection will provide clarity in this regard.
It should also be noted that the Serbian law provides 'derogations for specific situations' that are identical to the GDPR exemptions cited above (consent, contractual requirements, etc.), which should certainly be examined given the uncertainty created by the ECJ judgment.
In conclusion, entities subject to either the GDPR or the Serbian law will no longer be able to rely on the Privacy Shield Framework to justify data transfers to the US. The state of the data protection system in the US means that the use of both the EU and the Serbian SCCs is also in doubt, so controllers should consider seeking other legal grounds for transferring personal data. In view of the frequency of data transfers to the US and the legitimate business interests of companies operating in or with the US, and, consequently, the importance of these transfers, EU authorities are expected to work with their US counterparts to overcome these obstacles, and we expect that Serbian bodies will follow the EU's example.