Privacy Law

WHAT FUTURE FOR CROSS-BORDER TRANSFERS OF PERSONAL DATA?

Please share:

VOLUME 1, 2024, PRIVACY LAW SECTION JOURNAL

Written by Paul Lanois

In today’s globalized world, cross-border data transfers have become a routine aspect of virtually every business operation. However, organizations that do business internationally are likely to be subject to the General Data Protection Regulation (GDPR). As a result, the organizations must comply with certain requirements, which are laid out in Chapter V of the GDPR. Since the Court of Justice of the European Union (CJEU) issued what is now known as the ‘Schrems II’ decision in July 2020[1] invalidating the EU-US Privacy Shield Framework (which was used by thousands of organizations to transfer data from the EU to the US), many organizations are struggling to figure out how they can continue to transfer personal data outside the EU while still complying with the GDPR’s requirements.

Following the ‘Schrems II’ decision, many organizations have relied on the EU Standard Contractual Clauses (SCCs)[2] to perform their data transfers–but the SCCs are not “magic bullets” and do not automatically make a data transfer legal.

Notably, in May 22, 2023, the Irish Data Protection Commission (DPC) held that Meta Platforms Ireland Limited infringed GDPR Article 46(1) (the rules requiring appropriate safeguards for international data transfers in absence of an adequacy decision) by continuing to transfer personal data to the US following the ‘Schrems II’ decision. This is even though Meta used the latest 2021 EU SCCs for the transfers and had put in place additional supplementary measures. Specifically, the DPC “found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.”[3]

This article will provide an overview of GDPR’s regulations for cross-border data transfers and discuss best practices for managing these transfers while ensuring compliance with the GDPR’s requirements.

WAIT . . . WHAT EXACTLY IS A ‘DATA TRANSFER’?

The GDPR applies to any “transfer of personal data to a third country or to an international organization.” However, such term is not defined in the GDPR. Regulatory guidance from the European Data Protection Board (EDPB)[4] indicates that there is a ‘transfer’ within the scope of Chapter V of the GDPR if each of the following three criteria are met:

  1. The data exporter (whether a controller or a processor) is subject to the GDPR for the given processing;
  2. The data exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller, or processor; and
  3. The data importer is in a country outside the European Economic Area, irrespective of whether such data importer is itself subject to the GDPR for the given processing.

The EDPB’s above second criteria specifies that a transfer must involve the transmission of data from one controller or processor to another controller or processor. Importantly, the EDPB’s guidelines specifically indicate that this “second criterion cannot be considered as fulfilled where the data are disclosed directly and on his/her own initiative by the data subject to the recipient.”[5] The term “on their own initiative” seems to cover situations where individuals, of their own accord, complete online forms or make a purchase from an online store established outside the EU. There was previously a lot of confusion on this point, as some commentators had assumed that the collection of personal data directly from individuals located in the EU required the organization to have in place a valid transfer mechanism. Since SCCs could not be signed with individuals, those organizations turned to their EU offices to transfer the data, relying on the SCCs to do so.

DOES CHAPTER V OF THE GDPR COVER INTRA-GROUP TRANSFERS?

In case there was still any doubt, intra-group transfers of data must also be considered: the EDPB confirmed that “data disclosures between entities belonging to the same corporate group (intra-group data disclosures) may constitute transfers of personal data.”[6]

What constitutes a ‘transfer’ is particularly broad, since according to the European Data Protection Board, “examples of how personal data could be “made available” are by creating an account, granting access rights to an existing account, “confirming”/”accepting” an effective request for remote access, embedding a hard drive or submitting a password to a file. It should be kept in mind that remote access from a third country (even if it takes place only by means of displaying personal data on a screen, for example in support situations, troubleshooting or for administration purposes) and/or storage in a cloud situated outside the EEA offered by a service provider, is also considered to be a transfer,”[7] provided of course that the three criteria outlined above are met.

However, not all transfers are necessarily in scope: employees who travel on business to a country outside the EU and who bring with them their laptops to work remotely would not be deemed transferring data, since employees are not separate controllers, but rather integral parts of their organization.

WHEN PERSONAL DATA CAN BE TRANSFERRED UNDER THE GDPR?

Article 44 GDPR prohibits transfers of personal data outside the European Economic Area (EEA) unless the transfer fits within one of the narrow exceptions laid out under Chapter V of the GDPR. On this basis, the first question to ask before personal data subject to the GDPR can be transferred outside the EEA is whether the European Commission has reached an “adequacy decision” about the country where the data recipient is based (Article 45 GDPR). If there are any onward transfers of personal data from one country to another country, any such subsequent transfer of data also needs to be reviewed.

As stated by the EDPB, “in the absence of such adequate level of protection” provided by an adequacy decision, the second step is to review the “implementation by the exporter (controller or processor) of appropriate safeguards as provided for in Article 46.”[8]

The main types of transfer instruments listed in Article 46 are:

  • Standard Contractual Clauses (SCCs);
  • Binding Corporate Rules (BCRs) in accordance with Article 47 GDPR;
  • Codes of conduct;[9]
  • Certification mechanisms;[10]
  • Ad hoc contractual clauses;
  • International agreements/ Administrative arrangements.[11]

ARE WE SAFE TO JUST RELY ON THE NEW SCCS?

On May 22, 2023, the Irish DPC issued[12] an administrative fine in the amount of 1.2 billion euros against Meta Platforms Ireland Limited after examining the basis on which the company transfers personal data from the EU/EEA to the US in connection with the delivery of its Facebook service.

Like many businesses, the company relied upon the standard contractual clauses (SCCs) issued by the European Commission on June 4, 2021[13] following the ‘Schrems II’ decision. The DPC nevertheless held that the company was in breach of Article 46 (1) GDPR as it is subject to U.S. surveillance laws, including the U.S. Foreign Intelligence Surveillance Act (FISA) Section 702. According to the DPC, such surveillance laws allow the U.S. government to access personal data of EU citizens even where additional safeguards are in place and, as a result, “the 2021 SCCs cannot compensate for the inadequacies in the level of protection afforded by US law.”

While the DPC’s ruling (and the fine imposed) is significant, the DPC decision does not necessarily spell doom and gloom for all organizations. The ‘Schrems II’ decision requires each exporter to assess the laws of the destination country to ensure that the use of SCCs properly protects the data transferred in that context. The DPC’s decision does not change this. Importantly, the DPC decision does not appear to exclude a “risk-based approach” that would consider the likelihood of government access pursuant to FISA Section 702. The issue in the case of Meta Ireland was that the company had received a number of government requests. An argument could be made that companies which do not receive a significant number of government requests may continue to apply a risk-based approach.

Finally, the decision notes that encryption measures implemented in respect to data in transit may provide appropriate safeguards in the context of Section 702. However, the DPC found that Meta Ireland had not implemented technical measures which would provide appropriate safeguards to data subjects from government requests for data through compelled assistance.

WHAT IS THE CURRENT US FRAMEWORK?

On October 7, 2022, President Biden signed Executive Order 14086 “Enhancing Safeguards for United States Signals Intelligence Activities” (EO 14086).[14] EO 14086 introduces new safeguards in relation to U.S. signals intelligence activities. According to the European Commission, the framework created by EO 14086 “address the concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020″[15] limiting access to EU data by US intelligence services and establishing a Data Protection Review Court.

Importantly, not only do they form the basis of the adequacy decision by the European Commission[16] for transfers made under EU-U.S. Data Privacy Framework (DPF), but they also provide greater legal certainty for companies transferring personal data from the EU to the U.S. using other transfer mechanisms, such as the Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). As stated by the European Commission, “all the safeguards that the Commission has agreed with the US Government in the area of national security (including the redress mechanism) will be available for all transfers to the US under the GDPR, regardless of the transfer tool used.”[17]

EO 14086 introduces new safeguards with respect to the collection of personal data by U.S. intelligence agencies:

  • First, it places new requirements on the collection and handling of personal data by U.S. intelligence agencies. According to EO 14086, these protections apply to “all persons, regardless of their nationality or wherever they might reside.” It further requires that signals intelligence activities must be “necessary” and “proportionate” to advance a validated intelligence priority and that such activities must be undertaken in pursuit of one of the twelve enumerated national security and intelligence objectives listed in EO 14086. By way of example, such objectives include ‘protecting against transnational criminal threats’, ‘protecting against espionage, sabotage, assassination, or other intelligence activities’, ‘protecting against terrorism’, ‘understanding or assessing transnational threats that impact global security, including climate and other ecological change, public health risks, humanitarian threats, political instability, and geographic rivalry’, as well as ‘understanding or assessing the capabilities, intentions, or activities of a foreign government, a foreign military, a faction of a foreign nation’.
  • Second, it expands the oversight of signals intelligence programs by U.S. government agencies. The Civil Liberties Protection Officer (CLPO), appointed by the Director of National Intelligence (DNI), must conduct an assessment prior to any new intelligence-gathering operations. According to EO 14086, the assessment should consider “all relevant factors” and “the privacy and civil liberties of all persons” and determine if the collection activity “is necessary to advance a validated intelligence priority”. Bulk collection may only be authorized where the intelligence cannot be reasonably obtained through targeted collection. Additionally, intelligence agencies must maintain documentation regarding their collection of personal data through signals intelligence and update their policies and procedures to ensure effective oversight of the new safeguards.
  • Third, it creates a redress mechanism for individuals from “qualifying states” who claim their personal data has been collected unlawfully through signals intelligence programs. On June 30, 2023, Attorney General Merrick B. Garland designated the European Union along with the three additional countries making up the European Economic Area (EEA) as “qualifying states” for purposes of implementing the redress mechanism established in EO 14086. The United Kingdom was subsequently designated as a “qualifying state” on September 18, 2023. Accordingly, individuals can now lodge a complaint with the CLPO, which has the power to investigate complaints and render binding decisions against intelligence agencies. Individuals can also appeal decisions by the CLPO before the Data Protection Review Court (DPRC), which has been established through regulations issued by the U.S. Attorney General. On November 14, 2023, the Office of Privacy and Civil Liberties announced the first panel of judges appointed to the Data Protection Review Court (DPRC). The DPRC will independently review determinations made by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (ODNI) in response to qualifying complaints sent by individuals through appropriate public authorities that allege certain violations of U.S. law in the conduct of U.S. signals intelligence activities. The Attorney General may not interfere with a review by a DPRC panel of a determination the CLPO made regarding a qualifying complaint, and the judges may not be removed or otherwise subjected to adverse action arising from their service. Individuals will be represented before the DPRC by special advocates and the decisions of the DPRC will be final and binding.

According to the European Commission, these new safeguards “are significant improvements compared to the Privacy Shield” and “address the concerns raised by the Court of Justice of the EU in the Schrems II judgment and provide a durable and reliable legal basis for transatlantic data flows.”[18]

The sharp-eyed reader may notice that EO 14086 predates the DPC’s decision mentioned above and may therefore wonder what this means for the scope of EO 14086. The DPC noted that the “DPC is under an obligation to give effect to the law as it currently stands” and that EO 14086 is “not, in fact, operational. More particularly, and as explained above, in the absence of designation of the EU as a “qualifying state”, the new scheme is not operational at all for EU citizens.” Given the fact that the various components of EO 14086 were not fully in place at the time of the decision, EO 14086 could not be relied upon yet. Those missing components are now operational, so a data protection authority may take a different approach if it were to examine similar facts today. Having said that, and as noted by the DPC, “the privacy and civil liberties safeguards introduced by EO 14086 do not appear to be intended to apply retrospectively,” meaning that transfers which took place prior to EO 14086 being fully effective would likely not be able to enjoy from its safeguards.

ENDNOTES

Paul Lanois is a Director at the European law firm Fieldfisher based in the Silicon Valley, California, where he advises clients on information technology as well as compliance with data protection, privacy, and cybersecurity law. Paul also teaches Privacy Compliance at UC Law San Francisco (Formerly UC Hastings). He regularly publishes and speaks on privacy and tech topics, and is CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT and FIP certified.

[1] Judgment of the Court (Grand Chamber) of 16 July 2020, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Request for a preliminary ruling from the High Court (Ireland): https://eur-lex.europa.eu/legalcontent/ EN/TXT/?uri=CELEX:62018CJ0311

[2] EU Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, 4 June 2021: https://commission.europa.eu/publications/ standard-contractual-clauses-international-transfers_en

[3] Data Protection Commission announces conclusion of inquiry into Meta Ireland, Press Release, https://www. dataprotection.ie/en/news-media/press-releases/Data- Protection-Commission-announces-conclusion-of-inquiryinto- Meta-Ireland

[4] European Data Protection Board, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, Version 2.0, Adopted on 14 February 2023, available at: https://edpb.europa.eu/system/files/2023-02/edpb_ guidelines_05-2021_interplay_between_the_application_ of_art3-chapter_v_of_the_gdpr_v2_en_0.pdf

[5] Paragraph 18, Guidelines 05/2021

[6] Paragraph 21, Guidelines 05/2021

[7] Paragraph 16, Guidelines 05/2021

[8] Paragraph 27, Guidelines 05/2021

[9] See the EDPB’s Guidelines 04/2021 on Codes of Conduct as tools for transfers

[10] See the EDPB’s Guidelines 07/2022 on Certification as a tool for transfers

[11] See the EDPB’s Guidelines 2/2020 on articles 46(2)(a) and 46(3)(b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

[12] Irish Data Protection Commission, In the matter of Meta Platforms Ireland Limited (previously known as Facebook Ireland Limited), Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act, 2018 and Articles 60 and 65 of the General Data Protection Regulation, DPC Inquiry Reference IN-20-8-1: https:// edpb.europa.eu/system/files/2023-05/final_for_issue_ov_ transfers_decision_12-05-23.pdf

[13] EU Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, 4 June 2021: https://commission.europa.eu/publications/ standard-contractual-clauses-international-transfers_en

[14] Executive Order 14086 of October 7, 2022, Enhancing Safeguards for United States Signals Intelligence Activities: https://www.federalregister.gov/ documents/2022/10/14/2022-22531/enhancingsafeguards- for-united-states-signals-intelligence-activities

[15] European Commission, Press Corner, Questions & Answers: EU-U.S. Data Privacy Framework, 7 October 2022, https://ec.europa.eu/commission/presscorner/detail/en/ QANDA_22_6045

[16] EU Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, 10 July 2023: https://commission.europa. eu/system/files/2023-07/Adequacy%20decision%20 EU-US%20Data%20Privacy%20Framework_en.pdf

[17] European Commission, Press Corner, Questions & Answers: EU-U.S. Data Privacy Framework, 7 October 2022, https://ec.europa.eu/commission/presscorner/detail/en/ QANDA_22_6045

[18] European Commission, Press Corner, Questions & Answers: EU-U.S. Data Privacy Framework, 7 October 2022, https://ec.europa.eu/commission/presscorner/detail/en/ QANDA_22_6045


Forgot Password

Enter the email associated with you account. You will then receive a link in your inbox to reset your password.

Personal Information

Select Section(s)

CLA Membership is $99 and includes one section. Additional sections are $99 each.

Payment