In the wake of yesterday’s landmark ruling by Europe’s top court — striking down a flagship transatlantic data transfer framework called Privacy Shield, and cranking up the legal uncertainty around processing EU citizens’ data in the U.S. in the process — Europe’s lead data protection regulator has fired its own warning shot at the region’s data protection authorities (DPAs), essentially telling them to get on and do the job of intervening to stop people’s data flowing to third countries where it’s at risk.
Countries like the U.S.
The original complaint that led to the Court of Justice of the EU (CJEU) ruling focused on Facebook’s use of a data transfer mechanism called Standard Contractual Clauses (SCCs) to authorize transferring EU users’ data to the U.S. for processing.
Complainant Max Schrems asked the Irish Data Protection Commission (DPC) to suspend Facebook’s SCC data transfers in light of U.S. government mass surveillance programs. Instead, the regulator went to court to raise wider concerns about the legality of the transfer mechanism.
That in turn led Europe’s top judges to nuke the Commission’s adequacy decision, which underpinned the EU-U.S. Privacy Shield — meaning the U.S. no longer has a special arrangement greasing the flow of personal data from the EU. Yet, at the time of writing, Facebook is still using SCCs to process EU users’ data in the U.S. Much has changed, but the data hasn’t stopped flowing — yet.
Yesterday the tech giant said it would “carefully consider” the findings and implications of the CJEU decision on Privacy Shield, adding that it looked forward to “regulatory guidance.” It certainly didn’t offer to proactively flip a kill switch and stop the processing itself.
Ireland’s DPA, meanwhile, which is Facebook’s lead data regulator in the region, sidestepped questions over what action it would be taking in the wake of yesterday’s ruling — saying it (also) needed (more) time to study the legal nuances.
The DPC’s statement also only went so far as to say that use of SCCs for taking data to the U.S. for processing is “questionable” — adding that case by case analysis would be key.
The regulator remains the focus of sustained criticism in Europe over its enforcement record for major cross-border data protection complaints — with still zero decisions issued more than two years after the EU’s General Data Protection Regulation (GDPR) came into force, and an ever-growing backlog of open investigations into the data processing activities of platform giants.
In May, the DPC finally submitted to other DPAs for review its first draft decision on a cross-border case (an investigation into a Twitter security breach), saying it hoped the decision would be finalized in July. At the time of writing we’re still waiting for the bloc’s regulators to reach consensus on that.
The painstaking pace of enforcement around Europe’s flagship data protection framework remains a problem for EU lawmakers — whose two-year review last month called for uniformly “vigorous” enforcement by regulators.
The European Data Protection Supervisor (EDPS) made a similar call today, in the wake of the Schrems II ruling — which only looks set to further complicate the process of regulating data flows by piling yet more work on the desks of underfunded DPAs.
“European supervisory authorities have the duty to diligently enforce the applicable data protection legislation and, where appropriate, to suspend or prohibit transfers of data to a third country,” writes EDPS Wojciech Wiewiórowski, in a statement, which warns against further dithering or can-kicking on the intervention front.
“The EDPS will continue to strive, as a member of the European Data Protection Board (EDPB), to achieve the necessary coherent approach among the European supervisory authorities in the implementation of the EU framework for international transfers of personal data,” he goes on, calling for more joint working by the bloc’s DPAs.
Wiewiórowski’s statement also highlights what he dubs “welcome clarifications” regarding the responsibilities of data controllers and European DPAs — to “take into account the risks linked to the access to personal data by the public authorities of third countries.”
“As the supervisory authority of the EU institutions, bodies, offices and agencies, the EDPS is carefully analysing the implications of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies. The example of the recent EDPS’ own-initiative investigation into European institutions’ use of Microsoft products and services confirms the importance of this challenge,” he adds.
Part of the complexity of enforcing Europe’s data protection rules is the lack of a single authority; instead, a varied patchwork of supervisory authorities is responsible for investigating complaints and issuing decisions.
Now, with a CJEU ruling that requires regulators to assess third countries themselves — to determine whether use of SCCs is valid in a particular use-case and country — there’s a risk of further fragmentation should different DPAs jump to different conclusions.
Yesterday, in its response to the CJEU decision, Hamburg’s DPA criticized the judges for not also striking down SCCs, saying it was “inconsistent” for them to invalidate Privacy Shield yet allow this other mechanism for international transfers. Supervisory authorities in Germany and Europe must now quickly agree how to deal with companies that continue to rely illegally on the Privacy Shield, the DPA warned.
In the statement, Hamburg’s data commissioner, Johannes Caspar, added: “Difficult times are looming for international data traffic.”
He also shot off a blunt warning that: “Data transmission to countries without an adequate level of data protection will… no longer be permitted in the future.”
Compare and contrast that with the Irish DPC talking about use of SCCs being “questionable,” case by case. (Or the U.K.’s ICO offering this bare minimum.)
Caspar also emphasised the challenge facing the bloc’s patchwork of DPAs to develop and implement a “common strategy” toward dealing with SCCs in the wake of the CJEU ruling.
In a press note today, Berlin’s DPA also took a tough line, warning that data transfers to third countries would only be permitted if they have a level of data protection essentially equivalent to that offered within the EU.
In the case of the U.S. — home to the biggest and most used cloud services — Europe’s top judges yesterday reiterated very clearly that that isn’t in fact the case.
“The CJEU has made it clear that the export of data is not just about the economy but people’s fundamental rights must be paramount,” Berlin data commissioner Maja Smoltczyk said in a statement [which we’ve translated using Google Translate].
“The times when personal data could be transferred to the U.S. for convenience or cost savings are over after this judgment,” she added.
Both DPAs warned the ruling has implications for use of cloud services where data is processed in other third countries where the protection of EU citizens’ data also can’t be guaranteed, i.e. not just the U.S.
On this front, Smoltczyk name-checked China, Russia and India as countries EU DPAs must assess for similar concerns.
“Now is the time for Europe’s digital independence,” she added.
Some commentators (including Schrems himself) have also suggested the ruling could see companies switching to local processing of EU users’ data. Though it’s also interesting to note the judges chose not to invalidate SCCs — thereby offering a path to legal international data transfers, but only provided the necessary protections are in place in that given third country.
Also issuing a response to the CJEU ruling today was the European Data Protection Board (EDPB), AKA the body made up of representatives from DPAs across the bloc. Chair Andrea Jelinek put out an emollient statement, writing that: “The EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.”
Short of radical changes to U.S. surveillance law, it’s tough to see how any new framework could be made to legally stick, though. Privacy Shield’s predecessor arrangement, Safe Harbour, stood for around 15 years. Its shiny “new and improved” replacement didn’t even last five.
In the wake of the CJEU ruling, data exporters and importers are required to carry out an assessment of a country’s data regime to assess adequacy with EU legal standards before using SCCs to transfer data there.
“When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR,” Jelinek writes.
“If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.”
Again, it’s not clear what “additional measures” a platform could plausibly deploy to “fix” the gaping lack of redress afforded to foreigners by U.S. surveillance law. Major legal surgery does seem to be required to square this circle.
Jelinek said the EDPB would be studying the judgement with the aim of putting out more granular guidance in the future. But her statement warns data exporters they have an obligation to suspend data transfers or terminate SCCs if contractual obligations are not or cannot be complied with, or else to notify a relevant supervisory authority if they intend to continue transferring data.
In her roundabout way, she also warns that DPAs now have a clear obligation to terminate SCCs where the safety of data can’t be guaranteed in a third country.
“The EDPB takes note of the duties for the competent supervisory authorities (SAs) to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the competent SA and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or a processor has not already itself suspended or put an end to the transfer,” Jelinek writes.
One thing is crystal clear: Any sense of legal certainty U.S. cloud services were deriving from the existence of the EU-U.S. Privacy Shield — with its flawed claim of data protection adequacy — has vanished like summer rain.
In its place, a sense of déjà vu and much more work for lawyers.