On 25 March, the European Commission and the United States of America announced that they had reached a new framework agreement on the cross-border transfer of personal data (the “Trans-Atlantic Data Privacy Framework”) that will be the basis for an adequacy decision by the European Commission. The new agreement was announced less than two years after the European Court of Justice ruled that the Privacy Shield was invalid. It is intended to ensure that the levels of data protection guaranteed by the GDPR are not undermined when European citizens’ data is transferred to and processed in the US. The agreement’s crucial points will be binding rules and safeguards limiting access to data by the US authorities, an issue that assumed considerable importance in the cited Court of Justice decision. The authorities will be allowed to access and process personal data only to the extent that this is necessary and proportionate to protect and pursue the defined objectives of national security. The communiqué stated that this will be achieved by establishing an independent two-level review mechanism to provide corrective measures and to strengthen the strict and layered oversight of intelligence activities by ensuring compliance with the limitations on surveillance. The Trans-Atlantic Data Privacy Framework will provide a basis for transatlantic data flows that is fundamental to protecting data subject rights. The communiqué confirmed that teams from the US government and the European Commission will continue their cooperation to turn this agreement into legal documents to be adopted by both sides. Once this process is completed, European and US data controllers and processors must comply with the framework agreement provisions.

Based on the principles in the Court of Justice Schrems II judgement of 16 July 2020, with Decision no. 2021/914 of 4 June 2021 the European Commission approved two new sets of Standard Contractual Clauses (“SCCs”) which, from 27 September, must be included in contracts that regulate a transfer of personal data to non-EU countries or international organisations. For contracts signed before this date, there will be a transition period ending on 27 December 2022, provided that the processing operations covered by the contracts remain unchanged and the “old” clauses ensure that the transfer of personal data is subject to adequate safeguards. After this deadline, these contracts will need to be updated based on the new SCCs. The new SCCs cover cases where personal data is transferred to non-EU countries or international organisations that do not offer a system of protection equivalent to that provided by the Data Protection Regulation (EU) 2016/679 (the “GDPR”). The new SCCs must be adopted for personal data transfers: (i) between data controllers; (ii) between a controller and its processor; (iii) between a processor and its (sub-)processor; and (iv) between a processor and its controller where the latter is not subject to the GDPR.

On 16 July 2020, the Court of Justice of the European Union (“CJEU” or “Court”) in its ruling “Data Protection Commissioner v Facebook Ireland Limited, Maximilian Schrems C-311/18”, invalidated Decision no. 2016/1250 and the Agreement between the European Union and the United States of America on the protection and regulation of the European citizens’ personal data transfer to recipients located in the United States (“Privacy Shield”).

The European Data Protection Board (“EDPB”) has prepared “Frequently Asked Questions” (“FAQ”) which the Italian Data Protection Authority (“Garante”) translated into Italian.

These FAQs underlined that the other tools provided for by EU Regulation 2016/679 on the protection of personal data (“Regulation”), such as the Standard Contractual Clauses or SCC and “Binding Corporate Rules” or “BCR”, can still be considered adequate to legally transfer personal data to recipients outside the European Union. It is highlighted that it is the parties’ responsibility to assess transfers on a case-by-case basis, with the clarification that: “The European Data Protection Board is analysing the Court’s judgement to determine additional measures whether legal, technical or organisational, could be provided with SCC or BCR, to transfer data to third-party countries where SCC or BCR cannot provide sufficient guarantees.”

The FAQs refer to an additional tool as the legal basis for such transfers: data subject consent. It is reiterated that the consent language must be simple and clear and must transparently inform data subjects about the possible risks that a transfer to the US or other foreign jurisdictions could entail.

Further tools provided by the Regulation as legal bases to legitimise transfers abroad are: (i) an adequacy decision confirming that the European requirements on personal data protection are met, and (ii) compliance with Codes of Conduct or certification mechanisms, which must be applied by the party to whom the data are transferred.

◊◊◊◊

In the light of the Court’s ruling and the EDPB’s FAQs, it will be the task of any organisation that transfers data to recipients outside the EU to carry out processing assessments and identify related risks, and the appropriate tool to legitimise the transfer.

Privacy Shield: the Court of Justice of the European Union invalidates the EU – USA Agreement

With judgment dated 16 July 2020, “Data Protection Commissioner v Facebook Ireland Limited, Maximilian Schrems C-311/18”, the Court of Justice of the European Union (hereinafter, the “CJEU” or the “Court”) declared Decision No. 2016/1250 invalid and, along with it, the agreement signed between the European Union and the United States of America aimed at protecting and governing the transfer of the personal data of European citizens to recipients located within US territory (the so-called “Privacy Shield”).

The decision of the Court of Justice

The Court found that the potential processing by US public authorities of any personal data transferred to US territory prevails over the limitations required by the fundamental rights of the European citizens concerned (“data subjects”), which the EU regulations aim to protect.

At present, the EU rules of reference on the protection of personal data are set out in Regulation (EU) 2016/679 (hereinafter, the “Regulation”), under which the personal data of data subjects, if transferred to countries outside the European Union, must be protected by guarantees equal to those provided for under EU law.

In invalidating the Privacy Shield, the CJEU reaffirms the lawfulness of the tool consisting of the so-called Standard Contractual Clauses (“SCC”) adopted by the European Commission, but instructs the supervisory authorities of each EU Member State to check and, if necessary, to suspend and ban the transfer of personal data to third countries whose legal system does not comply with the requirements included in those Clauses.

The tools foreseen by the Regulation

The decision at issue does not impose a total ban on the transfer of personal data to the US, but requires the parties and organisations making any such transfer to identify alternative tools justifying the exchange, thus ensuring appropriate levels of protection for the data subjects.

In this respect, please note that the Regulation provides for different tools and procedures to be used in order to carry out a lawful transfer of data outside the European Union. In particular:

  • the existence of an adequacy decision confirming that the EU requirements on the protection of personal data are met;
  • the adoption of Standard Contractual Clauses;
  • the adoption of Binding Corporate Rules (“BCR”) by large international groups following negotiation with the supervisory authorities of the countries involved;
  • adherence to specific Codes of Conduct or, in any event, to certification procedures, which must also be applied by the party to which the data are transferred;
  • the data subject’s consent, which must be duly informed as foreseen by the Regulation itself.

◊◊◊◊

In light of the Court of Justice’s findings in the judgment under examination, organisations engaged in transferring the personal data of data subjects to the USA are under an obligation to revise the procedures on which they have based any such transfers, identifying alternative tools in the cases in which, up to now, the Privacy Shield has been used.

As clarified by the Court, should the Standard Contractual Clauses tool be used, it will be necessary to identify the risks, including potential ones, by analysing both the organisation of the party receiving the data and factors such as the context, the sector and the legal system of the third country in which that party does business.