Alessandra Silveira (Editor) and João Marques (Lawyer, former member of Portuguese Data Protection Supervisory Authority)

▪

1. The feud between Maximillian Schrems and the Irish Data Protection Supervisory Authority (Data Protection Commission – DPC), with Facebook always lingering in, has been detrimental to frame the legality of data flows from the European Union (EU) to the United States of America (USA), but also to any third country that replicates the shortcomings relating to the inexistence of a “level of protection essentially equivalent to that guaranteed within the European Union (…), read in the light of the Charter of Fundamental Rights of the European Union” [in the words of the Court of Justice of the European Union (CJEU)].^[1]

2. The sole action of one man has brought down two different and sequential “transfer tools”, created in tandem by both the European Commission (EC) and the United States’ Government. In case C-362/14 the CJEU declared the Safe Harbour decision (Commission Decision 2000/520/EC of 26 July 2000) invalid, as the Court found that the USA’s legislation did not offer an essentially equivalent level of protection to that of the EU, also reminding all Data Protection Supervisory Authorities that their work is never done and that it is, in fact, upon their shoulders the task and the responsibility to constantly monitor if any given third country complies and remains compliant with the need to offer such an equivalency.

3. Subsequently, in case C-311/18, the CJEU ruled that the refurbished adequacy decision named “Privacy Shield” [Commission Implementing Decision (EU) 2016/1250 of 12 July 2016] was also invalid for roughly the same reasons put forward in case C-362/14, for there had not been sufficient evolution on the equivalence criteria by the laws of the USA. It also added that the GDPR “applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, irrespective of whether, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of the third country in question for the purposes of public security, defence and State security.”^[2]

4. The European Data Protection Board (EDPB) has issued several interpretative opinions, whether in the form of recommendations,^[3] statements,^[4] frequently asked questions,^[5] or the more recent Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR,^[6] which are still open to public consultation. Today the question remains on whether data flows to the USA and other third countries that presently do not offer foreign citizens an essentially equivalent level of protection to the EU’s standard are possible.

5. The intuitive response, in light of the already mentioned CJEU case law, tends to be negative – but not unreservedly. In fact, the central focus point of the Court’s understanding revolves around the possibility (or impossibility) of effectively assuring the guarantees seen as fundamental for EU law in the destined country for which the personal data is transferred to – which in the Schrems rulings was the USA, but the same conclusion is applicable to any other third country. The point that the judges of the CJEU tend to make is not centred around the legal tools that might be used to enable the transfers from the EU, although these bear a relevant formal role in creating the conditions for an “equivalent level of protection” – and thus for the independent control of the supervisory authorities and courts of the EU.

6. As it stands, the formal requirements under EU law are summed up in a relatively circumspect set of solutions, as provided by Articles 45 to 49 of the GDPR, namely: Adequacy Decisions from the European Commission (such as the two already declared invalid by the CJEU); transfers dependent on the controller’s or processor’s ability to provide for appropriate safeguards (and on condition that enforceable data subject rights and effective legal remedies for data subjects are available through legally binding and enforceable instrument between public authorities or bodies); binding corporate rules in accordance with Article 47 GDPR; standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2) GDPR; standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2) GDPR; approved codes of conduct or certification mechanisms, as long as these come together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or through an authorisation from the competent supervisory authority regarding, among others, contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights; derogations for specific situations that can only be admissible as last resort mechanisms and for most of them, as it stems from Article 49(1) GDPR in fine, only when the transfer is “not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data”.

7. Just as it transpires from the listed catalogue of legal tools on display, if we eliminate what we would call “institutionalized assessment mechanisms” (adequacy decisions and supervisory authorities’ authorizations), an obvious focus is left to the voluntary adhesion of third countries entities to binding bilateral (or multilateral) and sporadic commitments regarding the transfer of personal data from the EU. Such volunteerism is, at the same time, synonymous with the strength of the inter partes effect and with the weakness of the erga omnes (in)efficacy of the (private) commitments made. Dependence on the existence of a similar legal framework that provides for the essentially equivalent level of protection in a third country where the controllers or processors to which data flows are located, mandates a coincidence between the individual will (of the parties) and national sovereignty (of the States). And even when such coincidence does occur, it has to be replicated by the parties and instated in their agreed mutual commitments, so as to maintain the factual and legal framework unchanged or, at the least, always aligned with the essentially equivalent level of protection criteria.

8. It is therefore pointless to contractually agree to commitments that, as soon as they enter into force, are contradicted by the imperative rules of the States which, in practice, prevent them from ever producing effects. The constant case law of the CJEU to which we have made reference mentions this particular point and underlines how USA’s legislation is incompatible with the requirements of protection provided by the EU to every person whose personal data is at some point processed in the 27 Member States (and also the EEA countries where the GDPR applies). As a result, we should emphatically shout “It’s the laws, stupid!”, paraphrasing a well-known political slogan from the USA.

9. It should be noted that, in line with paragraph 1 of Article 3 GDPR, and as is dully noted by the EDPB – both in the Guidelines on the territorial scope of the GDPR (Guidelines 3/2018) and in Recommendation 2/2020 on the European Essential Guarantees for surveillance measures –, the territory or place where the processing activity occurs is not the determining factor to understand whether or not to apply the rules of the GDPR. And that such application is, moreover, indifferent to the nationality of the data subjects that are targeted by the processing activities, disregarding the fact that they may or may not be EU citizens, subsequently increasing the chances that foreign legislations are incapable of guaranteeing an essentially equivalent level of protection to that on offer in the EU. It is not enough for the laws of those third countries to recognize a similar degree of protection to EU citizens as they do to their own nationals and that the protection on hand is levelled with the one that the CJEU has stated to be mandatory within the EU. It is also necessary to broaden that level of protection to everyone who is subject to the processing of their data in the EU (namely through its collection) which is afterwards transferred to a given third country (for instance on the account of an existing processing agreement with a company located in that country).

10. The specific case of transfers of personal data to the USA allows us to reflect on how the legal framework of a given country can be a determining factor when evaluating the admissibility of data flows from the EU.

11. The palliative recommendations by the EDPB that we have mentioned, although certainly valid and useful, do not respond nor allow us to overcome the basic assumption put forward by the CJEU as to the indispensability of significant changes to the laws of a (non essentially equivalent protecting) country – as those laws must enable the access by foreigners to administrative and (especially) judicial redress mechanisms that by themselves tend to ensure an essentially equivalent exercise of their rights to that existing in the EU. This view is recognized by the EDPB which has, very recently, opened the public consultation procedure of its Guidelines 4/2021, on codes of conduct as tools for transfers, where the need for a thorough check for conflicts of norms between the third countries legislations and those of the EU is duly highlighted.

12. So, we must admit that, as long as the obligation on “data importers” in the USA to allow competent authorities access to or disclosure of personal data remains instated in section 1881a of Foreign Intelligence Surveillance Act (FISA) as broadly as it is, any sort of acknowledgement of the existence of an essentially equivalent level of protection on the other side of the “pond” will continue to be difficult, if not impossible.

13. We do not ignore how technological developments and the existence of certain technical tools may open the possibility for “data importers” to increase the complexity and even render impossible for national authorities to access the content of personal data that is or comes to be in their custody after being transferred to the USA or any other third country for that matter. Nevertheless, such tools are not only suitable to increase the security, confidentiality and resilience of systems used to process personal data, but they also serve less noble purposes, threatening and compromising that same security, confidentiality and resilience, sometimes to an even greater extent. On the other hand, we should not feel satisfied by the capabilities a new technology may bring to the table, especially having regard of a legal imperative linked to the very idea behind democratic States under the rule of law, according to which there is a great deal of importance in preventing hypothetical breaches of unsurpassable presuppositions. On this note, we remind that CJEU has already concluded that “(…) the communication of personal data to a third party, such as a public authority, constitutes an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, whatever the subsequent use of the information communicated. The same is true of the retention of personal data and access to that data with a view to its use by public authorities, irrespective of whether the information in question relating to private life is sensitive or whether the persons concerned have been inconvenienced in any way on account of that interference” (recital 171, judgment C-311/18).

14. One clear example of a palpable stance in line with this assumption that the guarantees provided by EU’s data protection regime must be upheld regardless of the degree of concreteness of the threat or danger posed by the transfer of data to the USA is that of the Portuguese Data Protection Supervisory Authority [Comissão Nacional de Proteção de Dados (CNPD)]. In the recent case of the population census in Portugal (“Censos 2021”, a statistical operation designed to account for the population living in Portugal, the families residing in the country and its housing stock) Deliberation 2021/533 was made public. In it CNPD demanded Portugal’s National Statistic Institute (INE) to cease any data flows to the USA and any other third countries that did not ensure an essentially equivalent level of protection as that set in the EU. Such potential data flows were the possible outcome of the use of a Content Delivery Network service (CDN), which, to summarize it, is used to counter the latency that sometimes is experienced when multiple and simultaneous accesses are happening to online content. CDN uses a geographically distributed network of servers to redirect web traffic resulting in faster user experience.

15. In INE’s case, 2021’s census operation was mainly conducted online and so, given the expected overflow of accesses to the Census form’s website, a CDN service provider was chosen (Cloudflare) to speed up the delivery of the content. Consequently, all content relating to the filling of the form, including all the personal data about the persons and the families living in Portugal were redirected through the company’s servers. On top of that, this well-known provider had servers located in several countries, including the USA, raising the danger of international data flows to a level of almost certainty – even if such flows had a transitory and therefore precarious nature. This danger was considered enough to determine the suspension of all data flows to third countries affected by the lack of an adequacy decision or an essentially equivalent level of protection as that of the EU. Presently it is not yet known whether INE will face any sanctions following CNPD’s further investigations.

16. This example seems to be fully in line with the recently published EDPB’s guidelines on the interplay between Article 3(2) and Chapter V of the GDPR. There a three-tier threshold is proposed by the EDPB to assess whether a processing activity qualifies as a transfer of personal data. The three cumulative criteria are as follows:

1) A controller or a processor is subject to the GDPR for the given processing.

2) This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).

3) The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.

17. If we apply these items to CNPD’s deliberation, there’s no doubt (1) INE is a controller subject to the GDPR (2) disclosing the personal data to a processor (Cloudflare) and (3) the importer is in a third country, as the company clearly acknowledges the use of servers worldwide and is legally present in different countries. Notwithstanding the outcome of the public consultation process, these criteria are sufficiently developed to immediately offer some light on how supervisory authorities in the EU address the difficult issue of the definition of international transfers. This is a significant step towards the clarification on the post-Schrems era of when and how controllers and processors subject to the GDPR should deal with data transfers.

18. From all that was said, do we consider there’s a definitive and clear-cut answer to the problem of the legality of data flows to countries where an essentially equivalent level of protection is not guaranteed? Not quite, as the GDPR^[7] itself leaves room for doubt. On the one hand, it allows for the possibility of such transfers to happen in specific situations and [i.e., Article 49(1) GDPR] to destinies where the level of protection of any data subject is considerably lower than that of the EU. But, at the same time, recital 114 emphatically claims that “In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that that they will continue to benefit from fundamental rights and safeguards”. How can those solutions be accepted if the third country’s legislation simply abrogates any meaningful effect they may entail?

19. This is not the place to discuss the legal value of EU law’s recitals, but we can safely say that they cannot reflect or allow for meanings that do not bare a minimal correspondence with the legal text which they aim to help to interpret. CJEU’s stance on how to match such (apparent) contradiction in unknown and is yet to be raised with the court. However, we feel that in its case law – and also in EDPB’s recommendations – the point we are trying to make transpires in a rather straightforward way. And that point is simple: the lawfulness of a given tool or mechanism used to justify or support data flows to third countries – as is the case with standard contractual clauses – does not directly or indirectly imply or assure that the country to which data is to be transferred provides for a set of rules (laws and international commitments) that translate into an essentially equivalent level of protection as that available in the EU. And this is the true decisive factor in evaluating whether or not a certain data flow or set of data flows to those third countries are allowed by EU law.

---

[1] See recital 97, judgment C-311/18.

[2] On cases C-362/14 and C-311/18 see Alessandra Silveira and João Marques, Sobre a compatibilidade da transferência de dados pessoais para os EUA à luz do direito da UE, in “Revista EthikAI – Ethics as a service”, Instituto EthikAI, No. 1, November 2021 (ethikai.com.br)

[3] See Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en).

[4] See Statement on the Court of Justice of the European Union Judgment in Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (https://edpb.europa.eu/our-work-tools/our-documents/other-guidance/statement-court-justice-european-union-judgment-case-c_en).

[5] See Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (https://edpb.europa.eu/our-work-tools/our-documents/other/frequently-asked-questions-judgment-court-justice-european-union_en)

[6] Available online at https://edpb.europa.eu/our-work-tools/documents/public-consultations/2021/guidelines-052021-interplay-between-application_en

[7] It is also very interesting to note that the CJEU itself has made use of “precarious” transfer tools, as provided by Regulation (EU) 2018/1725 (mirroring the GDPR), such as contractual clauses with Cisco for transfers of personal data in the Court’s use of Cisco Webex and related services (duly authorised, albeit only “temporarily“ and despite the shortcomings identified,  by the European Data Protection Supervisor, in https://edps.europa.eu/system/files/2021-11/17-11-2021-edps_decision_authorising_temorarily_use_of_cjeu-cisco_ad_hoc_clauses_for_transfers_cisco_webex_1.pdf).

Picture credits: Tumisu.