Published On: Tue, Jun 22nd, 2021

EU puts out final guidance on data transfers to third countries

The European Data Protection Board (EDPB) published its final recommendations yesterday setting out guidance for making transfers of personal data to third countries to comply with EU data protection rules in light of last summer’s landmark CJEU ruling (aka Schrems II).

The long and short of these recommendations — which are fairly long; running to 48 pages — is that some data transfers to third countries will simply not be possible to (legally) carry out. Despite the continued existence of legal mechanisms that can, in theory, be used to make such transfers (like Standard Contractual Clauses; a transfer tool that was recently updated by the Commission).

However it’s up to the data controller to assess the viability of each transfer, on a case by case basis, to determine whether data can legally flow in that particular case. (Which may mean, for example, a business making complex assessments about foreign government surveillance regimes and how they impinge upon its specific operations.)

Companies that routinely take EU users’ data outside the bloc for processing in third countries (like the US), which do not have data adequacy arrangements with the EU, face substantial cost and challenge in attaining compliance — in a best case scenario.

Those that can’t apply viable ‘special measures’ to ensure transferred data is safe are duty bound to suspend data flows — with the risk, should they fail to do that, of being ordered to by a data protection authority (which could also apply additional sanctions).

One alternative option could be for such a firm to store and process EU users’ data locally — within the EU. But clearly that won’t be viable for every company.

Law firms are likely to be very happy with this outcome since there will be increased demand for legal advice as companies grapple with how to structure their data flows and adapt to a post-Schrems II world.

In some EU jurisdictions (such as Germany) data protection agencies are now actively carrying out compliance checks — so orders to suspend transfers are bound to follow.

While the European Data Protection Supervisor is busy scrutinizing EU institutions’ own use of US cloud services giants to see whether high level arrangements with tech giants like AWS and Microsoft pass muster or not.


Last summer the CJEU struck down the EU-US Privacy Shield — only a few years after the flagship adequacy arrangement was inked. The same core legal issues did for its predecessor, ‘Safe Harbor’, though that had stood for some fifteen years. And since the demise of Privacy Shield the Commission has repeatedly warned there will be no quick fix replacement this time; nothing short of major reform of US surveillance law is likely to be required.

US and EU lawmakers remain in negotiations over a replacement EU-US data flows deal but a viable outcome that can stand up to legal challenge, as the prior two agreements could not, may well require years of work, not months.

And that means EU-US data flows are facing legal uncertainty for the foreseeable future.

The UK, meanwhile, has just squeezed a data adequacy agreement out of the Commission — despite some loudly enunciated post-Brexit plans for regulatory divergence in the area of data protection.

If the UK follows through in ripping up key tenets of its inherited EU legal framework there’s a high chance it will also lose adequacy status in the coming years — meaning it too could face crippling barriers to EU data flows. (But for now it seems to have dodged that bullet.)

Data flows to other third countries that also lack an EU adequacy agreement — such as China and India — face the same ongoing legal uncertainty.


The backstory to the EU international data flows issues originates with a complaint — in the wake of NSA whistleblower Edward Snowden’s revelations about government mass surveillance programs, so more than 7 years ago — made by the eponymous Max Schrems over what he argued were unsafe EU-US data flows.

Although his complaint was specifically targeted at Facebook’s business and called on the Irish Data Protection Commission (DPC) to use its enforcement powers and suspend Facebook’s EU-US data flows.

A regulatory dance of indecision followed which finally saw legal questions referred to Europe’s top court and — ultimately — the demise of the EU-US Privacy Shield. The CJEU ruling also put it beyond legal doubt that Member States’ DPAs must step in and act when they suspect data is flowing to a location where the information is at risk.

Following the Schrems II ruling, the DPC (finally) sent Facebook a preliminary order to suspend its EU-US data flows last fall. Facebook immediately challenged the order in the Irish courts — seeking to block the move. But that challenge failed. And Facebook’s EU-US data flows are now very much operating on borrowed time.

As one of the platforms subject to Section 702 of the US’ FISA law, its options for applying ‘special measures’ to supplement its EU data transfers look, well, limited to say the least.

It can’t — for example — encrypt the data in a way that ensures it has no access to it (zero access encryption) since that’s not how Facebook’s advertising empire functions. And Schrems has previously suggested Facebook will have to federate its service — and store EU users’ data inside the EU — to fix its data transfer problem.

Safe to say, the costs and complexity of compliance for certain businesses like Facebook look massive.

But there will be compliance costs and complexity for thousands of businesses in the wake of the CJEU ruling.


Commenting on the EDPB’s adoption of final recommendations, chair Andrea Jelinek said: “The impact of Schrems II cannot be underestimated: Already international data flows are subject to much closer scrutiny from the supervisory authorities who are conducting investigations at their respective levels. The goal of the EDPB Recommendations is to guide exporters in lawfully transferring personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the European Economic Area.

“By clarifying some doubts expressed by stakeholders, and in particular the importance of examining the practices of public authorities in third countries, we want to make it easier for data exporters to know how to assess their transfers to third countries and to identify and implement effective supplementary measures where they are needed. The EDPB will continue considering the effects of the Schrems II ruling and the comments received from stakeholders in its future guidance.”

The EDPB put out earlier guidance on Schrems II compliance last year.

It said the main modifications between that earlier advice and its final recommendations include: “The emphasis on the importance of examining the practices of third country public authorities in the exporters’ legal assessment to determine whether the legislation and/or practices of the third country impinge — in practice — on the effectiveness of the Art. 46 GDPR transfer tool; the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats; and the clarification that the legislation of the third country of destination allowing its authorities to access the data transferred, even without the importer’s intervention, may also impinge on the effectiveness of the transfer tool”.

Commenting on the EDPB’s recommendations in a statement, law firm Linklaters dubbed the guidance “strict” — warning over the looming impact on businesses.

“There is little evidence of a pragmatic approach to these transfers and the EDPB seems entirely content if the conclusion is that the data must remain in the EU,” said Peter Church, a Counsel at the global law firm. “For example, before transferring personal data to third country (without adequate data protection laws) businesses must consider not only the law but how its law enforcement and national security agencies operate in practice. Given these activities are typically secretive and opaque, this type of analysis is likely to cost tens of thousands of euros and take time. It appears this analysis is needed even for relatively innocuous transfers.”

“It is not clear how SMEs can be expected to comply with these requirements,” he added. “Given we now operate in a globalised society the EDPB, like King Canute, should consider the practical limitations on its power. The guidance will not turn back the tides of data washing back and forth across the world, but many businesses will really struggle to comply with these new requirements.”




 
