Following the first analysis of the Schrems-II verdict from the Court of Justice of the European Union, delivered on 16 July 2020, it is time to take a closer look at some of the core issues discussed by the Court.
The EU law carve-out for national security legislation
The Schrems cases both have their origin in the revelations Edward Snowden made in 2013 on the existence of large-scale government surveillance programs in the United States, including PRISM and UPSTREAM. Under these programs, the U.S. intelligence and security services can collect personal data from outside the United States, and use it at their own discretion in order to protect the interests of the state. And although most countries around the world have intelligence and security services that collect and analyse large volumes of data, the scale on which this seems to happen in the United States came as a surprise for many.
In the European Union (EU) however, national security, and thus any activity by intelligence and security services, falls outside the competence of the Union. According to Article 4 of the Treaty on the European Union, “national security remains the sole responsibility of each Member State”. Thanks to this provision, we have the somewhat cynical situation that it doesn’t matter what the intelligence and security services of the EU Member States do, but that it could be relevant what those in foreign countries do, at least from a data protection perspective. That is also the first question that was raised before the CJEU: why, if the EU is not competent to discuss national security, would foreign national security activity have an impact on data transfers under the GDPR?
According to the Court, the answer is relatively straightforward: the transfer from the EU to a third country is taking place between two commercial entities, in the Schrems-II case between Facebook Ireland and Facebook Inc. in the U.S., and that is a regular transfer that is covered by the provisions of the GDPR. The fact that in theory the data at some point may be intercepted by, or need to be handed over to, intelligence and security services in the U.S., does not make a difference. Since national security is not the purpose of the processing, it also cannot be taken into account when deciding on the legality of the processing.
The ‘essentially equivalent’ requirement
The national security issues do become relevant when assessing if the third country to which the personal data flow (again, the U.S. was just used as an example in the case, but the judgment has an effect vis-a-vis all countries outside the European Economic Area) offers sufficient protection to personal data originating from Europe. In the judgment, the Court makes an explicit link between the various data transfer mechanisms and Article 44 GDPR, which requires that in case of cross-border data transfers “the level of protection of natural persons guaranteed by [the GDPR] is not undermined”. This means that any safeguards that are agreed for the international transfer of personal data need to meet the same high standards.
Although Article 46 of the GDPR does not specify the nature of the requirements which flow from that reference to ‘appropriate safeguards’, ‘enforceable rights’ and ‘effective legal remedies’, it should be noted that that article appears in Chapter V of that regulation and, accordingly, must be read in the light of Article 44 of that regulation, entitled ‘General principle for transfers’, which lays down that ‘all provisions [in that chapter] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [that regulation] is not undermined’. That level of protection must therefore be guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out. [Schrems-II, §92]
For adequacy decisions, it was not a big surprise that the Court requires high standards of data protection in third countries. Already in the Schrems-I decision, it introduced the standard of “essential equivalence” to assess if the legal regime of the third country would sufficiently protect European data.
The word ‘adequate’ in Article 25(6) of Directive 95/46 admittedly signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order. However, as the Advocate General has observed in point 141 of his Opinion, the term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter. [Schrems-I, §73]
The Court confirms in the Schrems-II decision that the “essential equivalence” is also required under the GDPR. What is new however, is that the Court has extended this standard to other transfer mechanisms, in situations where no adequacy decision exists. So far, it had been widely assumed that adequacy decisions would indeed require the highest level of equivalence between EU data protection law and that in a third country, but that with the use of contractual clauses – whether the standard contractual clauses or tailor-made, DPA-approved ones – a slightly lower level of data protection was acceptable. The Court now makes clear this is not the case. Also when transferring personal data on the basis of Article 46 GDPR, using appropriate safeguards like Standard Contractual Clauses (SCCs),
(…) such appropriate guarantees must be capable of ensuring that data subjects whose personal data are transferred to a third country (…) are afforded, as in the context of a transfer based on an adequacy decision, a level of protection essentially equivalent to that which is guaranteed within the European Union.
Following this argument, a similar reasoning would need to be applied to transfers based on Binding Corporate Rules, although this is not explicitly mentioned by the Court.
Using Standard Contractual Clauses
What does this mean for the use of SCCs going forward? The good thing is that they still exist, and that means that it is possible to include SCCs in your contracts when exporting personal data from the EU. It is however less straightforward than before – just signing them is not enough. The Court agrees that the SCCs can be helpful for international data transfers, but also spells out that they
(…) are solely intended to provide contractual guarantees that apply uniformly in all third countries to controllers and processors established in the European Union and, consequently, independently of the level of protection guaranteed in each third country. [Schrems-II, §133]
The Court also explains that the existence of national surveillance laws in a third country in principle should not be problematic. National security is recognised as a possible necessary limitation to the fundamental right to data protection, including in the SCC decision itself (as per a footnote to the heading of Clause 5).
A data exporter and data importer therefore need to assess whether they consider they can meet the requirements of the SCCs in their specific situation. Do they assume they will be able to guarantee the protections enshrined in the clauses, and thus avoid undermining the level of data protection offered by the GDPR? If not, it might be possible to agree on additional safeguards – this is allowed, as long as the provisions of the SCCs themselves are not changed (they can only be included in a contract on an “as they are” basis). This additional step implies that the data exporter and data importer will need to undertake an assessment of the law of the country where the data are flowing to. Without such an assessment, agreeing on the adequate safeguards would not be possible.
The assessment of a third country’s level of data protection should take a broad look at the legal framework, but in the light of the Schrems-II decision it should in any case include an assessment of any national surveillance legislation: is the data importer subject to such legislation, are the data likely to be intercepted by intelligence and security services based on their nature, have there been requests from intelligence and security services to hand over personal data in the past, etc. If national security legislation applies, it is unlikely that contractual clauses in any form could result in the required “essentially equivalent” level of protection, meaning the data export from the EU cannot (or can no longer) take place.
If the data exporter and importer conclude that the transfers are not, or are unlikely to be, subject to surveillance laws, and they have agreed on other additional safeguards to be included in the contract, the data transfers can likely take place without problems. It is however important to document both the assessment of the third country’s legislation, as well as the reasons for which additional safeguards have been agreed. With the Court’s decision in hand, we expect that data protection authorities will more actively look at international data transfers using SCCs or other contracts, and thus it could be that they will ask you to show your assessments. Maintaining the relevant documentation is also part of your accountability requirements under Articles 5(2) and 24 GDPR and could for example be included in your Article 30 processing activities register, which should include all information related to international transfers.
The Privacy Shield deficits
The “essential equivalence” requirement also decided the fate of the Privacy Shield. Based on its assessment of the U.S. national security legislation and the additional safeguards that were agreed as part of the Privacy Shield arrangement, the Court found that the fundamental rights to privacy and data protection of Europeans could not be guaranteed when their data would flow to the U.S.
Where for SCCs the decision whether or not to suspend data transfers needs to be taken on a case-by-case basis, for the Privacy Shield a generic decision was required. That is the distinction between a binding adequacy decision, which binds all EU Member States as well as their organs, including data protection authorities, and contracts, which only bind the parties to the contracts. You could therefore still argue that an adequacy decision is assessed against a higher standard, since the protections need to be effective under all circumstances.
In the case of the U.S. national security legislation, in particular section 702 FISA, Executive Order 12333 and Presidential Policy Directive 28, the CJEU concluded the legislation is too wide and too vague. It is therefore not possible for an individual to fully understand what might happen with their data. In addition, the U.S. surveillance laws go beyond what should be regarded as proportional or strictly necessary, at least from the EU perspective. Here, the Court refers to standing case-law, which includes the Schrems-I decision, but also decisions on massive and continuous data collections in the EU itself (e.g. Digital Rights Ireland, on the mandatory retention of telecommunications data to help fight terrorism and prevent serious crime) or in relation with other third countries (e.g. the transfer of Passenger Name Records data by airlines to the Canadian authorities).
The Court has held that the communication of personal data to a third party, such as a public authority, constitutes an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, whatever the subsequent use of the information communicated. The same is true of the retention of personal data and access to that data with a view to its use by public authorities, irrespective of whether the information in question relating to private life is sensitive or whether the persons concerned have been inconvenienced in any way on account of that interference. [Schrems-II, §171]
The fact that the U.S. surveillance laws do not allow Europeans to file a complaint in court also meets an objection from the Court. This point was already recognised by the European Commission when drafting the Privacy Shield. The EU and the U.S. therefore agreed to create an alternative redress mechanism with the introduction of the Ombudsperson. This person would be able to review upon request the processing of personal data of a given individual, and confirm if the processing was taking place in accordance with the protections offered by the Privacy Shield, if it was taking place at all. The Court concludes the Ombudsperson is mainly a political role. Since it is not supported by a legal obligation, for example to correct or delete data from the files of an intelligence and security service, and also does not allow for a legal remedy (e.g. an appeal in court), it cannot replace judicial redress.
When looking at the conclusions of the CJEU on the Privacy Shield, the Court provides some important guidelines in order to assess the national security legislation in other third countries. First of all, the legislation in the third country needs to be sufficiently clear, detailed and foreseeable for an individual to understand what might happen to their data once it is used for national security purposes (even if that was not the intention of the data transfer). In addition, there need to be adequate means of judicial redress available to the individual. In other words: they need to be able to have their day in court, to fight any alleged misuse of their personal data by intelligence and security services.
Important Update: CJEU Ruling on EU-US Privacy Shield and ‘Schrems-II’
Schrems-II – The Day After
Following the first analysis of the Schrems-II verdict from the Court of Justice of the European Union, delivered on 16 July 2020, it is time to take a closer look at some of the statements given by the European and American authorities in response to the verdict.
The European Commission, the body responsible for the adequacy decision establishing the Privacy Shield, as well as for the creation of the Standard Contractual Clauses, held a press conference shortly after the verdict was published. Věra Jourová, Vice-President of the European Commission responsible for Values and Transparency, confirmed the Commission’s position: “When personal data travels abroad from Europe, it must remain safe.” She added that she and her team would continue to work to ensure the continuity of safe data flows, including by modernising the Standard Contractual Clauses (SCCs). The new SCCs, which will also take into account the requirements of the GDPR, will now be “swiftly finalised (…) in consultation with the European Data Protection Board or Data Protection Authorities.”
Commissioner Jourová continued that she is determined to work with her U.S. counterpart, Secretary of Commerce Wilbur Ross, in a constructive way in order to find “solutions that reflect the values we share as democratic societies”.
Her colleague, Commissioner Didier Reynders (Justice), added that he wants “a formal approval to modernise the Standard Contractual Clauses as soon as possible”. As to the future of the Privacy Shield, Reynders mentioned he expects the conversations with the United States to start on Friday (17 July). Once the analysis of the CJEU verdict is completed, the EU will work to develop “a strengthened and durable transfer mechanism”.
The modernisation of the SCCs was long overdue. The current clauses are still based on the old data protection legislation, Directive 95/46/EC, and do not take into account some of the additional protections created by the GDPR. The Commission has been working on the new draft model clauses for some time, but had been reluctant to release them pending the outcome of the Schrems-II case. With the case now decided upon, and the conditions for transfers using SCCs a lot clearer, the Commission will likely be able to finalise the new model clauses within a couple of weeks. We expect the new versions to become available in the early fall.
Data Protection Authorities
The European Data Protection Board discussed the Schrems-II decision during its weekly teleconference on Friday (17 July). A press statement was released after the meeting, but does not yet contain a lot of detail on the way forward. The Board did announce it will take a bit more time to fully understand the intricacies of the judgment, and provide further clarifications at a later date.
Following the Schrems-I decision in 2015, the Article 29 Working Party (the predecessor of the Board) announced a grace period during which no enforcement action would take place on international transfers to the United States, to allow both supervisory authorities and companies to take stock of the existing processing operations, to consider alternative options and to allow the European Commission to start the negotiations that in the end led to the Privacy Shield. A similar approach seems likely this second time around, but will of course have to be confirmed by the Board. In 2015, the announcement of the grace period did not come until 10 days after the verdict.
Individual data protection authorities have released statements about the judgment. The CNIL, among others, only provides a procedural response, stating that it “is currently conducting a precise analysis of the judgment, together with its European counterparts assembled within the European Data Protection Board. This joint work aims at drawing conclusions as soon as possible on the consequences of the ruling for data transfers from the European Union to the United States.”
The German DPAs are especially vocal on their views. The German Federal data protection authority BfDI adds: “The ECJ makes it clear that international data traffic is still possible. However, the fundamental rights of European citizens must be respected. Now, special safeguards have to be taken for the data exchange with the USA. Companies and authorities can no longer transfer data on the basis of the Privacy Shield, which has been declared null and void by the ECJ.” His colleague from Hamburg goes a bit further and declares “Ultimately, however, this will not only affect states which, like the USA, have at least made an effort to give the impression that they are creating adequate structures for data protection. For countries like China, such data protection standards are a long way off. With regard to Brexit, too, the question of permissible data transfer will arise. Hard times are dawning for international data traffic.” In addition, the Hamburg Commissioner considers that “if the invalidity of the Privacy Shield is primarily justified by the excessive intelligence activities in the USA, the same must also apply to the standard contractual clauses. (…) At least with regard to the conclusion of the SCC with the US company in dispute, the ECJ should have come to the same conclusion.” The Berlin DPA goes even a step further. In a press release, she announces that data controllers transferring personal data to the United States, especially those using cloud services, will need to stop doing so henceforth, and ensure the data are stored in the EU or in a country with an adequate level of protection.
Various pundits have also concluded from the verdict of the Court that it is henceforth almost impossible to rely upon SCCs in relation to data transfers to the U.S., at least where social media and cloud services are concerned.
The European Data Protection Supervisor in his statement welcomed the verdict of the Court, which reaffirms “the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries”. He expects the “United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements” of the Court. As to the SCCs, the Supervisor announces he has already started a review of the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies. And he may not be the only supervisory authority undertaking such a review.
As to the United Kingdom, which since 1 February 2020 no longer forms a part of the European Union, the ICO declared it stands “ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected”. The Swiss data protection authority stated that the Switzerland – U.S. Privacy Shield will remain valid for the time being, but that it will examine the judgment and provide comments in due course.
As was to be expected, the U.S. government expressed disappointment with the verdict of the Court. Secretary Ross stated he and his team were still studying the verdict, while announcing at the same time that “the Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and recertification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. [The Court’s] decision does not relieve participating organizations of their Privacy Shield obligations.” This means that even though the Privacy Shield can no longer be used as a mechanism to transfer personal data from the EU to the U.S., companies that have processed personal data under a Privacy Shield certification so far, will need to continue to do so. This way, the U.S. government likely intends to facilitate a new version of the Privacy Shield to be put in place at some point in the future, while in the meantime ensuring that companies show that their business practices remain privacy friendly, also without the added benefit of easy data transfers.
Schrems-II: Further Analysis of the Core Elements of the Verdict
On the Schrems-II decision
Earlier today, the Grand Chamber of the Court of Justice of the European Union delivered the verdict in the case Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems, more commonly known as the Schrems-II decision. In short, the Court ruled that the system of Standard Contractual Clauses, allowing for data transfers from the European Union to third countries, is valid. In turn, it decided that the Privacy Shield is to be invalidated. In this blog, we’ll take a look at the two main elements of the case and look ahead at what’s next.
What is the case about?
The court case is part of a long-running battle in various European courts between the Austrian privacy advocate, Maximilian Schrems, and U.S. tech giant Facebook. It goes back to 2015, when Mr. Schrems also stood before the CJEU in a case dealing with the validity of the EU-U.S. Safe Harbor Agreement (allowing for the transfer of personal data from the EU to the U.S. under specific conditions). The Court at the time decided to nullify Safe Harbor, since it was not deemed to offer an adequate level of protection, not being essentially equivalent to the European Data Protection Directive. In its ruling, the CJEU basically concluded that the U.S. legislation related to surveillance of electronic communications, as revealed by Edward Snowden and since confirmed by the U.S. administration, had too large an impact on personal data of people in the EU whose data were transferred to the U.S.
Given this conclusion, Mr. Schrems raised his concern that a data transfer using so-called Standard Contractual Clauses (SCCs, an alternative legal arrangement to export personal data from the EU) would have a similar effect to a transfer under the Safe Harbor Agreement: no adequate protection would be offered. He therefore filed an updated complaint against Facebook – as a use-case – with the Irish Data Protection Commissioner (DPC), requesting that the transfer of personal data from Facebook Ireland to Facebook Inc. in the U.S. using SCCs would be suspended. Suspension is one of the possibilities under data protection law for enforcement of the SCCs in case insufficient safeguards are available. Instead, the Irish DPC decided to file a separate case in court trying to suspend or invalidate the use of SCCs altogether. Today’s verdict, which offers a response of the CJEU to the High Court in Ireland on a series of preliminary questions on the interpretation of EU law, is part of this case.
Standard Contractual Clauses
One of the main questions of the Schrems-II case was if the use of Standard Contractual Clauses to guide international data flows should be possible at all. The Court confirms this should be possible, although it has tightened the rules for the use of SCCs quite a bit. In the Schrems-I case, the CJEU had explained that data transfers outside the EU based on an adequacy decision, would require a level of protection in the third country that could be seen as “essentially equivalent” to the level of protection in Europe. The Court now basically extends the “essential equivalence” requirement to all international transfers. According to Article 44 GDPR, the general principle for transfers, the level of protection of natural persons when their personal data is transferred abroad, cannot be undermined. This is irrespective of the method used to transfer personal data, from adequacy decisions to contractual safeguards and possibly, although not explicitly mentioned, Binding Corporate Rules. The guarantees that are included in a contract should therefore also be “essentially equivalent” to the level of protection that is guaranteed within the EU. In case the SCCs are deemed not to be sufficient to guarantee such an essentially equivalent level of data protection for the country the company is exporting data to, “it may prove necessary to supplement” those guarantees, which is allowed as long as the provisions of the SCCs themselves are not changed.
The Court furthermore recognises that there could be situations where a company would not be able to take adequate additional measures. If so, they are “required to suspend or end the transfer of personal data to the third country concerned”. They would need to take a similar decision, if they consider they would not or no longer be able to comply with the provisions of the SCCs, or if they would no longer be able to ensure the high level of protection awarded to personal data originating in Europe.
If the company does not suspend the data flows itself, it is up to the data protection authorities to do so in its stead, following an investigation. In order to ensure a consistent assessment of the laws in a third country, the Court also brings to mind that decisions to suspend a transfer because a third country doesn’t offer sufficient guarantees for data protection are likely subject to a decision by the European Data Protection Board (EDPB).
The Privacy Shield self-certification mechanism was more than a contractual safeguard. It was an official adequacy decision from the European Commission, meaning that as long as a company adheres to the Privacy Shield principles, the data transfer could take place without objection. The CJEU makes clear that a decision to suspend or repeal an adequacy decision, can only be made by the European Commission itself, or by the Court, but not by an individual data protection authority. Data protection authorities are however competent to investigate a complaint against data transfers based on an adequacy decision, and could, if they find fault with the level of protection offered by the third country, refer the case to a court to get a decision on the validity of the adequacy decision.
In this case, the Court has indeed assessed the validity of the Privacy Shield adequacy decision, and it finds fault with it. Starting from the question if the Privacy Shield indeed offers an essentially equivalent level of data protection, the CJEU explains that based on standing case-law, communication of personal data to a third party, including providing access, constitutes an interference with the fundamental rights to private life and data protection, irrespective of the question if the data are used. This in itself is not a problem, as long as the interference still respects the essence of the fundamental rights, is necessary and genuinely meets an objective of general interest recognised by the EU. These objectives include national security.
The problem the Court finds however, is that the U.S. government surveillance programs run under section 702 FISA, Executive Order 12333 and Presidential Policy Directive 28, are vague. They don’t lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards to effectively protect personal data against the risk of abuse. Based on EU case-law, this is a requirement, especially with regard to the circumstances and conditions under which surveillance can be used. Paragraphs 179-184 of the verdict discuss each of the U.S. surveillance programs in more detail and explain why they, in the eyes of the CJEU, are not limited to what is strictly necessary. In short: the risk of bulk collection and/or over-collection of personal data is too large.
A second objection of the Court lies with the redress possibilities. Again according to standing case-law, individuals should have the possibility to pursue legal remedies in order to get access to personal data related to them, or to ask for the rectification or erasure of such data. Especially in light of data transfers, the existence of such redress mechanisms in the countries where data flow to is important, since EU authorities cannot effectively protect personal data themselves once it has gone abroad. They have no powers outside their national borders. The European Commission recognised that redress would be difficult when data is flowing to the U.S. and therefore created, together with the U.S. administration, the Ombudsperson, a mechanism to oversee data originating from Europe processed by the U.S. intelligence and security services. The Court however considers the introduction of the Ombudsperson cannot remedy the deficiencies of effective redress, because it is a political commitment to correct any violation, without an underlying legal obligation. Also, there is no cause of action open to EU citizens following a decision from the Ombudsperson.
The combination of data collections by government bodies that go beyond what is regarded in Europe as strictly necessary, and a lack of effective redress, makes the Court conclude the Privacy Shield does not meet the standards of an essentially equivalent level of protection. Because of that, the adequacy decision is invalid, and therefore also the rest of the Privacy Shield is invalidated.
The verdict of the CJEU leaves data transfers from the EU to the U.S. in limbo for now. It is clear the Privacy Shield can no longer be used, but a lot of questions remain as to whether SCCs remain valid for data transfers between the EU and the U.S., or other countries with impactful national surveillance systems for that matter. Clarity on that issue is expected on Friday, when the EDPB will convene at Commissioner’s level. It is likely a grace period will be announced, as was the case in 2015, in order for a negotiated solution to be found between Europe and the United States.
Justice Commissioner Didier Reynders said immediately after the verdict he is “committed to having strong and protective data transfers systems. I will work closely with national data protection authorities and the European Data Protection Board. As of today, I will reach out to my US counterparts and look forward to working constructively with them to develop a strengthened and durable transfer mechanism.” European Commission Vice-President Věra Jourová added that the Commission will swiftly finalise the modernisation of the Standard Contractual Clauses, bringing them in line with the GDPR. U.S. Secretary of Commerce Wilbur Ross stated his disappointment with the CJEU decision. He added “the Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and recertification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.”
More generally, the CJEU verdict clarifies that the European Union expects a high level of data protection for data originating from its shores, wherever that data flows. The United States was simply the example in this case, because of the existing evidence on its surveillance programs. For all third countries, it is now up to data exporters, as well as the supervisory authorities, to assess the legal frameworks of the countries to which data is exported. If additional contractual safeguards turn out not to be possible, the only way forward may be to suspend the data processing operations until a better solution is found.
Rest assured: TrustArc has you covered.
As the pioneer and leader in enterprise certifications, TrustArc is committed to keeping you informed of the latest developments, sharing its perspective on the impact, and providing tangible actions to ensure ongoing compliance with evolving international standards.
Today, those enterprises in TrustArc’s Privacy Shield Program may remain in the program while the EU and U.S. governments are working to negotiate a new data transfer arrangement.
Alternatively, TrustArc is also providing you a new and current solution so that you can demonstrate to your customers and regulators that you are continuing to protect data in the same way.
TrustArc’s International Privacy Verification Program is a Privacy Shield-aligned verification that preserves the framework’s core principles and standards for the protection of personal data by commercial enterprises. Organizations interested in maintaining demonstrable compliance while EU and U.S. regulators work out the next steps can verify their privacy program practices via the TRUSTe International Privacy Verification Program.
To learn more about the CJEU decision and what it means for your business, register for the webinar on July 21st, “The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Consent”.
Schrems-II – The Day After
Schrems-II: Further Analysis of the Core Elements of the Verdict
What do you get when you put an Englishman in charge of information privacy? A lot of experience, ideas, and expertise when it is Ralph O’Brien. With all the news on the Coronavirus, one could almost forget there are still Brexit negotiations taking place. There is still a question whether the United Kingdom can obtain an adequacy decision from the European Union. Is the UK data protection legislation enough to offer an “essentially equivalent” level of data protection? What are the British views on using and protecting personal data? What about national surveillance? And how does this all tie in to the life and work of a privacy consultant? These topics and more will be addressed in this episode with Ralph – a highly respected privacy professional located in the United Kingdom.
The conversation takes us from how Ralph first entered privacy and the considerations and areas of focus at that time to how privacy has evolved. As we can imagine, the world of privacy, including Brexit issues, has dramatically changed and not all changes are necessarily good. Listen as Ralph shares his thoughts on data privacy, technology, the privacy profession, and Brexit – including what caused him to “go ballistic” on Twitter. Listen to this week’s episode on our website or stream the episode below.
It was a busy but fantastic week for TrustArc in the Belgian capital at the annual International Association of Privacy Professionals Europe Data Protection Congress.
TrustArc began the conference with the announcement of its acquisition of privacy industry heavyweight Nymity. The companies have joined forces to accelerate development of the next generation of technology-driven privacy solutions. The news was received with overwhelming excitement by conference goers and news media, and will usher in incredible new content and product synergies for current and future customers.
In addition to countless conversations with friends old and new from organizations of all sizes, industries and geographies, as well as with officials from the public sector and regulatory bodies, TrustArc and Nymity also participated in the conference’s educational and information sharing efforts.
TrustArc SVP, Privacy Intelligence and General Counsel, Hilary Wandall, shone on the “Little Big Stage” where she unveiled the results of an IAPP-TrustArc survey report entitled “Measuring Privacy Operations in 2019.” The survey gauged what global privacy professionals–from organizations ranging from less than 250 employees to more than 25,000 employees–have done to meet increasing data privacy compliance requirements to which their organizations are subject.
Alongside IAPP Research Director, Caitlin Fennessy, Hilary performed a deep dive for a standing room-only audience, going over the report’s revealing findings and trends with respect to whether companies are adopting a single global privacy strategy (versus more regional or local implementations); what types of privacy impact assessments they conduct; how many privacy laws they currently must comply with; whether the companies have made any privacy-related operational changes within the last 12 months, and much more.
Nymity EU Operations and Strategy Director Paul Breitbarth participated in three separate panels during the conference. Paul stepped onto the Little Big Stage on Wednesday morning and explained how Nymity turns compliance data into knowledge for any team in an organisation. On Wednesday evening, Paul joined his fellow panelists to discuss “Using your Register of Processing Activities to Demonstrate Compliance.” The panel examined real-world examples of the challenges faced by global organisations and what they do to overcome them. As the Data Protection Congress was coming to a close, Paul joined the panel on “Artificial Intelligence: From Principles to Practice” and spoke on how companies get from overarching ethical principles to a robust legal framework.
Darren Abernethy, TrustArc Senior Counsel, also led a session entitled “Winning with Privacy: Implementing Consent and DSARs to Comply AND Win Customers.” The panel first overviewed the basics of digital advertising; then addressed the various “cookie”- and ePrivacy Directive-related guidances released in the last year, including by EU privacy regulators from the U.K., France, Germany and Spain; then discussed the role of third-party cookies and consent under the California Consumer Privacy Act, as well as the importance of website cookie audits (including to help make determinations as to “service provider” vs. “third party” status for vendors); and offered practical tips on how to set up compliant and responsive DSAR/individual rights programs within organizations.
The panel spent time showing real-world examples of how cookie consent and individual rights implementations look on actual digital properties “in the wild,” providing the audience with collective insights from the panelists’ extensive experience with exactly these matters, including their use of scalable, automated technology solutions across privacy programs to account for local variations in legal requirements.
If you would like copies of slides from the above presentations, or would like to discuss how TrustArc’s Cookie Consent Manager or Individual Rights Manager may be leveraged to facilitate your company’s privacy compliance and data value maximization, we welcome you to contact TrustArc at any time for more information.
Darren Abernethy, Senior Counsel TrustArc
Ravi Pather, VP Sales CryptoNumerics
The GDPR is not intended to be a compliance overhead for controllers and processors. It is intended to bring higher and more consistent standards and processes for the secure treatment of personal data, and fundamentally to protect the privacy rights of individuals. Nowhere is this more true than in emerging data science, analytics, AI and ML environments, where the sheer number of data sources being combined raises the risk that an individual’s personal and sensitive information can be identified.
The GDPR requires that personal data be collected for “specified, explicit and legitimate purposes,” and also that a data controller must define a separate legal basis for each and every purpose for which, e.g., customer data is used. If a bank customer takes out a loan, the bank can only use the collected account and transactional data to manage that customer for the purpose of fulfilling its obligations under the loan. This is colloquially referred to as the “primary purpose” for which the data was collected. If the bank now wants to re-use this data for any other purpose that is incompatible with, or beyond the scope of, the primary purpose, that is referred to as a “secondary purpose,” and it requires a separate legal basis for each and every such secondary purpose.
For the avoidance of any doubt, if the bank wanted to use that customer’s data for profiling in a data science environment, then under GDPR the bank is required to document a legal basis for each and every separate purpose for which it stores and processes this customer’s data. So, for example, “cross-sell and up-sell” is one purpose, while “customer segmentation” is another and separate purpose. If relied upon as the lawful basis, consent must be freely given, specific, informed, and unambiguous, and an additional condition, such as explicit consent, is required when processing special categories of personal data, as described in GDPR Article 9. Additionally, in this example, the loan division of the bank cannot share data with its credit card or mortgage divisions without the informed consent of the customer. This should not be confused with a further and separate legal basis available to the bank: processing necessary for compliance with a legal obligation to which the controller is subject (AML, fraud, risk, KYC, etc.).
The challenge arises when selecting a legal basis for secondary purpose processing in a data science environment as this needs to be a separate and specific legal basis for each and every purpose.
It quickly becomes an impractical exercise for the bank, and an annoying one for its customers, to attempt to obtain consent for each and every purpose in a data science use case. In any case, evidence shows a very low rate of positive consent with this approach. Consent management under GDPR is also tightening up: so-called blackmail clauses (consent bundled with access to the service) and general or ambiguous consent clauses are no longer deemed acceptable.
GDPR offers controllers a more practical and flexible legal basis for exactly these scenarios and encourages controllers to raise their standards for protecting the privacy of their customers, especially in data science environments. Legitimate interests processing (LIP) is an often misunderstood legal basis under GDPR. This is in part because reliance on LIP may entail the use of additional technical and organizational controls to mitigate the possible impact or risk of a given data processing on an individual. Depending on the processing involved, the sensitivity of the data, and the intended purpose, traditional data security measures such as encryption and hashing may not go far enough to mitigate the risk to individuals for the LIP balancing test to come out in favour of the controller’s identified legitimate interest. Hashing an account number, for instance, removes the direct identifier but leaves indirect identifiers such as postcode, date of birth and gender in the clear, and a combination of those is often enough to single out one person in the dataset.
If approached correctly, GDPR LIP can provide a framework with defined technical and organisational controls to support controllers’ use of customer data in data science, analytics, AI and ML applications legally. Without it, controllers may be more exposed to possible non-compliance with GDPR and the risks of legal actions as we are seeing in many high profile privacy-related lawsuits.
Legitimate Interests Processing is the most flexible lawful basis for secondary purpose processing of customer data, especially in data science use cases. But you cannot assume it will always be the most appropriate. It is likely to be most appropriate where you use an individual’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
If you choose to rely on GDPR LIP, you are taking on extra responsibility not only for implementing, where needed, technical and organisational controls to support and defend LIP compliance, but also for demonstrating the ethical and proper use of your customers’ data while fully respecting and protecting their privacy rights and interests. This extra responsibility may include implementing enterprise-class, fit-for-purpose systems and processes (not just paper-based processes). Automation-based privacy solutions, such as CryptoNumerics CN-Protect, are available today as examples of such technical and organisational controls: they offer a systems-based (privacy by design) risk assessment and scoring capability that detects the risk of re-identification, together with integrated privacy protection that retains the analytical value of the data for data science while protecting the identity and privacy of the data subject.
Data controllers need to initially perform the GDPR three-part test to validate using LIP as a valid legal basis. You need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
The legitimate interests can be your own interests as controller or the interests of a third party. They can include commercial interests (marketing), individual interests (risk assessments) or broader societal benefits. The processing must be necessary: if you can reasonably achieve the same result in another, less intrusive way, legitimate interests will not apply. You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests. Conducting such assessments for accountability purposes is now easier than ever, for example with TrustArc’s Legitimate Interests Assessment (LIA) and Balancing Test, which identifies the benefits and risks of data processing, assigns numerical values to both sides of the scale, and uses conditional logic and back-end calculations to generate a full report on the use of legitimate interests at the business process level.
What are the benefits of choosing legitimate interest processing?
Because this basis is particularly flexible, it may be applicable in a wide range of different situations such as data science applications. It can also give you more on-going control over your long-term processing than consent, where an individual could withdraw their consent at any time. Although remember that you still have to consider managing marketing opt outs independently of whatever legal basis you’re using to store and process customer data.
It also promotes a risk-based approach to data compliance, as you need to think about the impact of your processing on individuals, which can help you identify risks and take appropriate safeguards. This can also support your obligation to ensure “data protection by design,” by performing risk assessments for re-identification and demonstrating the privacy controls applied to balance privacy against the need to retain the analytical value of the data in data science environments. This in turn contributes towards your PIAs (Privacy Impact Assessments), which form part of your DPIA (Data Protection Impact Assessment) requirements and obligations.
LIP as a legal basis, if implemented correctly and supported by the correct organisational and technical controls, also provides the platform to support data collaboration and data sharing. However, you may need to demonstrate that the data has been sufficiently de-identified, including by showing that the re-identification risk assessments were performed not just on direct identifiers but on all indirect identifiers (quasi-identifiers) as well.
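The re-identification risk described above, and the earlier point that hashing direct identifiers may not go far enough, can be made concrete with a small check. The following is an added example, not code from the article, from TrustArc or from CN-Protect. It uses a constructed toy table of bank customers whose account numbers have been SHA-256 hashed, and scores risk with k-anonymity over the indirect identifiers (postcode, birth year, gender); the choice of k-anonymity as the metric, the column names and the generalisation rules are all assumptions made for the illustration.

```python
"""Re-identification risk over quasi-identifiers (added example).

Assumptions (not from the original article): a constructed customer table
where only the direct identifier (account number) was hashed, and
k-anonymity used as the risk score. k is the size of the smallest group of
rows sharing the same quasi-identifier values; k == 1 means a row can be
singled out no matter how well the account number was hashed.
"""
import hashlib
from collections import Counter

QUASI_IDS = ("postcode", "birth_year", "gender")  # indirect identifiers


def _pseudonymise(account: str) -> str:
    """Hash the direct identifier, as a naive de-identification step would."""
    return hashlib.sha256(account.encode()).hexdigest()[:12]


# Constructed sample data; loan amount is the sensitive attribute.
ROWS = [
    {"acct": _pseudonymise("GB001"), "postcode": "SW1A 1AA", "birth_year": 1984, "gender": "F", "loan": 12000},
    {"acct": _pseudonymise("GB002"), "postcode": "SW1A 1AA", "birth_year": 1984, "gender": "F", "loan": 5000},
    {"acct": _pseudonymise("GB003"), "postcode": "SW1A 2BB", "birth_year": 1971, "gender": "M", "loan": 30000},
    {"acct": _pseudonymise("GB004"), "postcode": "SW1A 2BB", "birth_year": 1971, "gender": "M", "loan": 7500},
    {"acct": _pseudonymise("GB005"), "postcode": "SW1A 3CC", "birth_year": 1975, "gender": "M", "loan": 2000},
]


def _key(row, quasi_ids=QUASI_IDS):
    return tuple(row[q] for q in quasi_ids)


def equivalence_classes(rows, quasi_ids=QUASI_IDS):
    """Count rows per distinct combination of quasi-identifier values."""
    return Counter(_key(r, quasi_ids) for r in rows)


def k_anonymity(rows, quasi_ids=QUASI_IDS) -> int:
    """Smallest equivalence class; lower means higher re-identification risk."""
    classes = equivalence_classes(rows, quasi_ids)
    return min(classes.values()) if classes else 0


def singled_out(rows, quasi_ids=QUASI_IDS):
    """Rows that are unique on the quasi-identifiers (k == 1)."""
    classes = equivalence_classes(rows, quasi_ids)
    return [r for r in rows if classes[_key(r, quasi_ids)] == 1]


def link(external_record, rows, quasi_ids=QUASI_IDS):
    """Linkage attack: join an outside record (e.g. electoral roll entry)
    on the quasi-identifiers. The hashed account number plays no part."""
    target = tuple(external_record[q] for q in quasi_ids)
    return [r for r in rows if _key(r, quasi_ids) == target]


def generalise(rows, postcode_chars=4, year_band=10):
    """Coarsen quasi-identifiers: keep the postcode outward code and bucket
    birth year into bands, so more rows share each combination."""
    out = []
    for r in rows:
        g = dict(r)
        g["postcode"] = r["postcode"][:postcode_chars]
        g["birth_year"] = (r["birth_year"] // year_band) * year_band
        out.append(g)
    return out


def meets_threshold(rows, k_min=2, quasi_ids=QUASI_IDS) -> bool:
    """Release gate: every row must share its quasi-identifiers with at
    least k_min - 1 others."""
    return k_anonymity(rows, quasi_ids) >= k_min


if __name__ == "__main__":
    print("k on hashed table:", k_anonymity(ROWS))
    print("singled out:", [r["acct"] for r in singled_out(ROWS)])
    # Constructed outside record for the unique customer.
    outsider = {"postcode": "SW1A 3CC", "birth_year": 1975, "gender": "M"}
    print("linked loan amount:", [r["loan"] for r in link(outsider, ROWS)])
    coarse = generalise(ROWS)
    print("k after generalisation:", k_anonymity(coarse),
          "release ok:", meets_threshold(coarse))
```

On the raw table the fifth customer is unique on postcode, birth year and gender, so an outside record with those three values recovers that customer’s loan amount even though the account number is hashed. After generalising the postcode to its outward code and the birth year to a decade band, every combination is shared by at least two rows and the release gate passes. Note the caveat that k-anonymity alone does not prevent attribute disclosure: if every row in an equivalence class carries the same sensitive value, that value still leaks, which is what measures such as l-diversity address.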
Using LIP as a legal basis for processing may help you avoid bombarding people with unnecessary and unwelcome consent requests and can help avoid “consent fatigue.” It can also, if done properly, be an effective way of protecting the individual’s interests, especially when combined with clear privacy information and an upfront and continuing right to object to such processing. Lastly, using LIP not only gives you a legal framework to perform data science it also provides a platform that demonstrates the proper and ethical use of customer data, a topic and business objective of most boards of directors.
About the Authors
Darren Abernethy is Senior Counsel at TrustArc in San Francisco. Darren provides product and legal advice for the company’s portfolio of consent, advertising, marketing and consumer-facing technology solutions, and concentrates on CCPA, GDPR, cross-border data transfers, digital ad tech and EMEA data protection matters.
Ravi Pather of CryptoNumerics has spent the last 15 years helping large enterprises address data compliance requirements such as GDPR, PIPEDA, HIPAA, PCI DSS, data residency, data privacy and, more recently, CCPA. He has extensive experience assisting large and global companies with implementing privacy compliance controls, particularly as they relate to the more complex secondary purpose processing of customer data in data lake and data warehouse environments.