Categories
Surveillance

The Lives of Europeans

The US Commerce Secretary finally understands how many non-Americans feel about #SurveillanceCapitalism. @WilburRoss has ‘portrayed the threat from Chinese #apps in stark terms, likening it to a window that allows Beijing to peer into the everyday lives of Americans.’

They collect “data on locality, data on what you are streaming toward, what your preferences are, what you are referencing, every bit of behavior that the US 🇺🇸 side is indulging in becomes available to whoever is watching on the other side. That’s what we’re trying to squelch”.

I think these US moves to block #TikTok/#WeChat could be as significant for the #DigitalServicesAct as the Snowden disclosures were for saving the #GDPR — the European Union 🇪🇺 cannot accept a US that hypocritically trashes its #DigitalSovereignty without a moment’s thought.

In the timeless words of US Supreme Court Justice Ruth Bader Ginsburg #RBG: “All I ask of our brethren is that they take their feet off our necks.”

This may also force Google and Apple to corporately decentralise, if they wish to retain the ability to do this >> “Both have said in the past that they comply with the local laws in each country they serve” << as I suggested for Facebook #SchremsII.

Trump may break the great US power of #weaponisedinterdependence, as @henryfarrell and @ANewman_forward put it, by driving it too fast.

Categories
Interoperability Legislation Panel

DSA: does greater power require additional regulation?

On 15 September, the Digital Clearinghouse organised this interesting webinar, featuring speakers from the German and UK competition authorities: Digital Services Act: does greater power require additional regulation?

Andreas Mundt @Kartellamt: German competition law should be amended by start of 2021, so should be able to make use of new provisions (including on #interoperability) soon. EU will take much longer with the #DigitalServicesAct.

We must avoid regulating the competitors of the big incumbents. We should not take an approach where one size fits all 10,000 platforms active in Europe. We should take an approach that is customised to a specific company and its strategies to secure dominance.

@alexagiussaliba MEP, DSA rapporteur for the Single Market committee of the European Parliament: we must avoid a patchwork of national implementations. Traditional competition law does not have the right tools to create a competitive environment in the face of these systemic platforms we face today, where we must focus our attention.

Simeon Thornton @CMAgovUK: these new remedies (foreseen for the DSA and New Competition Tool) are to cause behavioural change, not impose large fines, so may not need such a high level of evidence to impose.

Mundt: we know who we are talking about here (quotes @TomValletti: “it’s Google and Facebook; all the rest can be dealt with by standard competition law.” “But that is not my own position” 😉). Paramount importance for cross-market competition, systemic market status, structuring or systemic companies, gatekeepers… all are pretty similar concepts.

Thornton: @CMAgovUK is completing work on platforms not supported by advertising by the end of this year, then expect primary legislation to implement their recommendations on a Digital Market Unit, codes of conduct, etc. “to put the regime in place on a timely basis”.

Next #DigitalClearingHouse event on 29 October will feature a keynote by @vestager! Register soon at digitalclearinghouse.org

Categories
Interoperability Legislation

Germany publishes draft digital competition law

Germany’s government has just published its draft new legislation on digital competition. Here’s a quick Google translation.

Under the law, “the Federal Cartel Office (Bundeskartellamt) may prohibit companies [with paramount cross-market importance] from… making the interoperability of products or services or the portability of data difficult and thus hindering competition” (new Section 19a in the Law against Restraints of Competition).

Categories
Judgment

Baden-Württemberg DPA Issues Guidance on Data Transfers Following Schrems II

The Baden-Württemberg Data Protection Authority issued advice to data controllers in this German state following the Schrems II judgment on 28 August (in German).

This passage correctly sums up the EU Court of Justice (CJEU) approach to Standard Contractual Clauses (SCCs) as the basis for transfer of personal data outside the European Economic Area:

“SCCs cannot bind the authorities of a third country. In cases in which the authorities [of a third country] can, under the law of [that] third country, [unduly] interfere with the rights of the data subjects, [SCCs] can therefore not provide appropriate protection unless the contract parties adopt supplementary measures [to protect any data that are transferred to that third country under the relevant SCC from such undue interference].”
(Die Standardvertragsklauseln können allerdings die Behörden des Drittlandes nicht binden und stellen daher in den Fällen, in denen die Behörden nach dem Recht des Drittlandes befugt sind, in die Rechte der betroffenen Personen einzugreifen ohne zusätzliche Maßnahmen der Vertragspartner keinen angemessenen Schutz dar.)

Baden-Württemberg Data Protection Authority

Below is my rough translation/paraphrase of the main bits:

[Whether the data can be protected against access by the US (or other third countries: see below) secret services] must be assessed by those responsible (Verantwortliche) on a case by case basis. If they find that they cannot protect the data against undue access, they must not transfer the data/cease any transfer. If a DPA notes this, the DPA must order the ending of the transfer.

Immediately affected entities: all public bodies or companies that transfer data to the USA, especially when they did this until now under the Privacy Shield – but also when they used SCCs.

Non-exhaustive examples:

  • you have a commercial relationship with companies that have their seat in the USA and exchange personal data on customers with them in that context (suppliers’ addresses, complaints, orders, etc.) or on employees (contracts, networks, etc.)
  • you store data in a cloud that is hosted by a US company [on a server] outside the EU.
  • you use a video conference system of a US provider who collects data on the participants and transfers those [data] to the USA.

This also applies if you use a processor who transfers data to the USA. This actually also applies to any other third country, “for example the UK” (!) (Repeated with further detail at the end of section III, under number 2)

Transfers that continue to be based on the Privacy Shield are unlawful and can be punished with fines and compensation payments.

Transfers on the basis of SCCs are (just about) feasible (“denkbar”), but the conditions set by the Court will only be able to be met in “rare cases” (“in seltenen Faellen”).

The supplementary measures must ensure that the US secret services are “effectively prevented” from gaining access to the data, this may be (just about) feasible (again: “denkbar”) in these cases:

  • encryption with the key held by the [EU-based] data exporter – but the encryption has to be strong enough not to be breakable by the US authorities
  • anonymisation or pseudonymisation that allows only the [EU-based] data exporter to re-identify the data.*

*DK comment: if such data are matched against other data in the USA, they will often become re-identifiable, but the BW DPA does not address that.
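As an added illustration (example code written for this post, not part of the BW DPA guidance), the Python below shows the second of these measures in practice: keyed pseudonymisation where the key and the re-identification table stay with the EU-based exporter, so the importer only ever holds tokens it cannot reverse. It also demonstrates the linkage risk raised in the DK comment: if the same key is used for every export, one person gets the same token in each dataset and a party holding two exports can join them, whereas deriving a separate key per recipient breaks that linkage. The class and function names, and the customer records, are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample customer records (hypothetical data, not from the page).
CUSTOMERS = [
    {"email": "anna@example.eu", "order_total": 120.50},
    {"email": "ben@example.eu", "order_total": 35.00},
    {"email": "carla@example.eu", "order_total": 810.25},
]


class ExporterPseudonymiser:
    """Keyed pseudonymisation run by the EU-based data exporter (hypothetical helper).

    The master key and the re-identification table never leave the exporter,
    so an importer, or anyone reading the transferred records, holds tokens it
    cannot reverse on its own.
    """

    def __init__(self, master_key: bytes):
        if len(master_key) < 32:
            raise ValueError("master key must be at least 256 bits")
        self._master_key = master_key
        # (dataset_id, token) -> original identifier; exporter-only state
        self._lookup = {}

    def _dataset_key(self, dataset_id: str) -> bytes:
        # Derive a distinct key per recipient/dataset. Tokens for the same
        # person then differ between exports, so two transferred datasets
        # cannot be joined on the pseudonym without the exporter's key.
        return hmac.new(self._master_key, dataset_id.encode(), hashlib.sha256).digest()

    def pseudonymise(self, dataset_id: str, identifier: str) -> str:
        token = hmac.new(
            self._dataset_key(dataset_id), identifier.encode(), hashlib.sha256
        ).hexdigest()
        self._lookup[(dataset_id, token)] = identifier
        return token

    def reidentify(self, dataset_id: str, token: str):
        """Only the exporter, holding the table, can map a token back; others get None."""
        return self._lookup.get((dataset_id, token))


def export_records(pseud: ExporterPseudonymiser, dataset_id: str, records):
    """Replace the direct identifier with a token and keep only the fields the recipient needs."""
    return [
        {"id": pseud.pseudonymise(dataset_id, r["email"]), "order_total": r["order_total"]}
        for r in records
    ]


def linkable(export_a, export_b) -> bool:
    """True if a third party holding both exports can join records on the token."""
    tokens_a = {r["id"] for r in export_a}
    return any(r["id"] in tokens_a for r in export_b)


if __name__ == "__main__":
    exporter = ExporterPseudonymiser(bytes(range(32)))  # constructed demo key, not for real use
    to_supplier = export_records(exporter, "supplier-A", CUSTOMERS)
    to_cloud = export_records(exporter, "cloud-B", CUSTOMERS)
    print("same people, unlinkable across datasets:", not linkable(to_supplier, to_cloud))
    print("exporter can re-identify:", exporter.reidentify("supplier-A", to_supplier[0]["id"]))
```

The per-dataset key derivation is the point that the DK comment turns on: pseudonymisation only keeps re-identification with the exporter if the tokens are not themselves a stable join key that a recipient, or an agency with access to several recipients' data, can match across datasets. It does nothing about the remaining attribute columns, which can still be identifying in combination, so the measure has to be assessed against the whole exported record, not just the replaced identifier.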

Transfers of personal data under Art. 49 are (just about) feasible (again: “denkbar”), but note should be taken of the generally restrictive application of this article, as clarified in the EDPB Guidelines 2/2018. Art. 49(1) can only be relied on in relation to incidental transfers, not in relation to regular, repeated transfers. Art. 49(2) is even more restrictive. Art. 49(3) applies only to public authorities.

What to do next/check list
Take stock of the transfers to [any] third country. Check also if private or public entities in third countries may be able to access (some) of your data remotely, “a physical export is not required”.
Inform any supplier/contract partner in all third countries of the judgment and its consequences.

Find out about the legal situation in all the third countries to which you transfer data. “Public authorities such as the DPAs, the EDPB, the EU Commission or the Foreign Office should provide guidance on these matters.” (DK: really?)

Find out if there is an adequacy decision in relation to the third countries. In certain cases, you may be able to rely on BCRs.

See if you can use any of the SCCs that have been issued by the Commission:

“You will have to conclude that they cannot be used if authorities or other bodies of the relevant third country can interfere in a disproportionate way in the rights of data subjects, e.g., if they can collect data in bulk without informing the data subjects and without constitutional protection such as a [requirement for a] judicial order [granting access].”

“That was what the Court concluded in relation to the USA. Therefore, transfers to the USA on the basis of SCCs will only be possible in extremely limited cases (“eng begrenzte Faelle”), with the use of supplementary measures such as encryption (see above and next).”

Check to see if you can use SCCs with supplementary measures:

“This means in particular that you should consider if you can make access by others [read: third country agencies] relatively avoidable, e.g., by using encryption, or stipulating that the data must remain in the area of application of the GDPR [I think this should be read as: within the EU/EEA] and that no data will be transferred to the USA.”

Parties that rely on the (Commission-approved) SCCs should immediately amend some of the clauses, i.e.:*

  • Clause 4f should be amended to require all data subjects to be informed of all transfers of any of their data to a non-adequate third country (rather than only if the data are sensitive, as currently specified);
  • Clause 5d(i) re the duty of the importer to inform the data exporter (in the EU) about any “legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation”. “If such a prohibition is in force, you must contact the DPA and discuss what to do” (“das weitere Vorgehen abklaeren”);
  • Add to Clause 5d a duty on the part of the data importer to challenge any demand for access [to the transferred data] in court and to not provide the data to the authority in question [i.e., that is demanding access] until a final judgment ordering disclosure has been issued.
  • (DK: This rather assumes that the third country obeys the rule of law, or implies that exports to any not rule of law-compliant country can never be permitted)
  • Delete from Clause 7(1) the possibility of data subjects choosing to take their cases in which they invoke the third-party effect of the clauses to arbitration, leaving only the option of taking the case to court.
  • Always use the indemnity/liability clause set out in Annex 2 to the SCCs

(NB: The SCCs to which the BW DPA refers are the controller-to-controller ones, adopted by the Commission on 5 February 2010).

If after going through the check list it has to be concluded that the transfer is not allowed (under Article 46), the last remaining option is the exception clause in Art. 49. It may be possible to use this clause in relation to [incidental] data transfers within a company, or in relation to one-off contracts. But care must be taken to check that the restrictive application of this provision does not stand in the way of such a transfer.

As to the enforcement policy of the BW DPA in this respect, the note says that companies must check if they cannot use alternative [read: non-US] providers or alternative transfer arrangements.

“If you cannot convince us that the [US] provider or contract partner that you use cannot be replaced in the short to medium term by a reliable provider or contract partner without transfer problems, the transfers [to the US provider or partner] will be prohibited by the BW DPA.” (original emphasis)

But the BW DPA is aware that the judgment may pose extreme problems for some companies and will act proportionally. It will keep the issue under review and will continue to develop its position.

Categories
Judgment Surveillance

European Parliament hearing on Schrems II

The European Parliament’s Justice committee today held a hearing on the impact of the Schrems II judgment, featuring the Justice Commissioner, chair of the EDPB, and… Max Schrems 🍿

Justice Commissioner @dreynders: I have three priorities. 1/ we must ensure compliance with the ruling of Europe’s highest court. That is my personal responsibility. 2/ Companies must be able to rely on solid and predictable mechanisms, to transfer data to many destinations in the world. 3/ We will work closely with DPAs.

The Commission is focusing on 1/ DPA guidance on compliance — as highlighted by the Court. We worked closely with EDPB on its first set of guidance addressing most urgent questions. This was particularly important to build a common understanding. Must be practical, with examples.

2/ Modernisation of #SCCs, as mentioned in June report on two years of #GDPR. We will include the Court’s additional clarifications. They are v useful for SMEs which do not have the resources and expertise to negotiate individual contracts with each commercial partner abroad. We intend to launch adoption process in coming months, and finalise by the end of this year, following Opinion from EDPB and MS approval.

3/ Discussions with US will intensify in coming weeks. But we must recognise the judgment raises complex sensitive issues, so no quick fix.

Important also for review of existing adequacy decisions, and negotiations with S Korea and the UK. We are of course fully taking into account the requirements set by the #SchremsII judgment. This work is all part of a broader approach.

The Commission sees data protection law global convergence as more important than ever, based on binding rules and effective enforcement. This would allow the EU to have an open but assertive international approach, based on its values and strategic interest. Two recent examples: Brazil’s GDPR-like law, and S Korea creating a fully independent DPA with strong enforcement powers. This is a central component of the EU DP model, and one of the main reasons for its success in inspiring other systems around the world – a high level of DP with openness to data flow and cooperation.

@EU_EDPB chair Andrea Jelinek: the #SchremsII judgment echoed some of our concerns with #PrivacyShield, such as a lack of oversight and substance. We are currently preparing additional support for controllers and processors on identifying and implementing appropriate measures.

The CJEU #EssentialEquivalence test applies to *all* mechanisms for personal data transfers. The judgment did not invalidate the Commission decision on SCCs but emphasised they must be assessed in the specific context they are used. If in practice the recipient of data cannot comply…

Article 49 transfer derogations can only be applied on a case by case basis. The responsibility is primarily the data controller’s to assess, and must consider the legal regime applicable in the third country including govt scope to access personal data.

EDPB will ensure consistency across the EEA. First, we will update existing EDPB documents on data transfers and second, prepare recommendations to support controllers and processors in implementing appropriate measures for transfer. But there cannot be a one size fits all solution.

The EDPB stands ready to support the Commission to work with the US to develop a new agreement fully in line with the judgment of the Court. I thank the LIBE committee for the support you grant the DPAs, which need adequate resources and institutional support to fulfil their role.

LIBE Chair: Not for the first time before LIBE… @maxschrems 🎺

We need a long-lasting, stable solution, not a privacy umbrella or “Safe Harbour 3.” We have a fundamental clash of laws between EU and US FISA 702 (and EO 12333). There is no room for another treaty to overcome the problem, unless we change CFR, or US changes surveillance laws.

After @Snowden new protections were introduced for US citizens. So after November, there is some scope for further US reform. European law should win here, after all. #SCCs only saved as you’re not allowed to use them in situations where there is a US surveillance law.

We are talking about US electronic communications surveillance providers, under FISA s.702, eg big cloud providers. Doesn’t apply to ALL US companies. There are so-called supplementary measures. Good encryption could possibly overcome EO 12333/international cable spying, but not US company access.

Supplementary contractual measures could perhaps help with EO 12333, saying there’s a huge penalty if you voluntarily hand over data to the US govt. But not with companies under FISA s.702, which is the bulk of data sent to the US.

Many US companies plan to simply ignore the Court of Justice ruling, as they do not believe DPAs will go after them anyway. For smaller companies, they mainly don’t know what to do. Facebook has sent a letter saying they will continue transferring data.

It would be helpful for European Parliament to provide guidance in a resolution. We need clarification under #GDPR s.49. FB is claiming its processing is “necessary for contract” and the judgment is irrelevant. EC must push US to clarify if FISA s.702 covers server farms of US companies in Europe.

In the long term we must come to the conclusion within the democracies that we must respect each other’s fundamental rights as citizenship. This clearly won’t work with Trump. But if the US wants to be the cloud provider to the world, we must have privacy and security guarantees.

IB: Committee chair is despairing that the CFR is not being fully enforced by the EU institutions. I think he means you, Data Protection Authorities (esp. @DPCIreland), and @EU_Commission 🤦🏻‍♂️

For EPP, @AxelVossMdEP: we need legal certainty for businesses, especially SMEs. We must avoid fragmentation within the EU, and seek a workable basis. #SCCs not always appropriate. It’s not possible to question basic principles every four years. LIBE conclusions will depend on the way national security is managed in third countries. How will we deal with China in this context? (IB: that’s easy!) Is there any potential scope for getting movement from the US limiting the data accessed? Is there some possibility of setting up an authority on their side? These are questions I ask.

I cannot see a solution in the form of a new adequacy ruling. Which additional measures exactly would be needed beyond #SCCs?

For S&D, @paultang: the credibility of the COM is at stake. How will it ensure we don’t run into this problem again? We hear the enforcement is a problem. I would like to hear how the EDPB will ensure the law is enforced? And with a hard Brexit, what does this imply? (IB: #adequacyLoL)

For Renew, @SophieintVeld: Mr Schrems is fortunately a very stubborn and conscientious citizen, who has defended citizens’ rights more than all the DPAs and the Commission put together. They have failed twice. They cannot fail a third time. There should not be a Schrems III.

Whenever there is a big political problem for the EU, we get scared, and throw rules at it. But if the problem is political, the solution cannot be technocratic. This is not a legal, technical or DP problem. It is a geopolitical problem. Our relationship with the US.

We cannot expect @dreynders to solve this. It is for the whole EU. We have watched with growing concern the extreme weakness and reluctance of the DPAs to enforce the #GDPR, or the Commission to tackle this issue. We knew Safe Harbour and Privacy Shield were unsound.

I expect not just @EU_Commission to come up with a watertight solution, but the DPAs to finally do their duty. My rights as a citizen should not depend on companies’ ability to assess American secret services.

For GUE/Left, C Daley MEP: blanket data retention is unlawful. Over and over again. What is the @EU_Commission going to do? DPAs are under resource pressure. I do have confidence in @DPCIreland, which took the High Court proceedings in Ireland, and were the ones that referred this case.

Justice Commissioner, @dreynders: of course this is a political discussion we have with the US. The judgment provides some indications of how it could be addressed, for example a strengthened framework for redress, built on existing elements, but may be also a necessity for legislative change.

US state and federal discussions, and limitations of intelligence services, have advanced — there is more common ground than at the time Privacy Shield was negotiated. The question is also how it’s possible to give a certain level of certainty to companies.

It’s still possible to use #SCCs across the Atlantic (IB: rubbish!) but we are continuing to modernise the clauses, working with the EDPB and national authorities. And it’s true with UK an #adequacyLoL decision must take account of #SchremsII. (IB: no chance!)

The Commission said in its two-year GDPR review it’s v important Member States give appropriate financial and human resources to DPAs, which depends on the size of the companies in the MSes (Ireland!). The US authorities are in the best place to analyse their own legislation and see what’s needed.

EDPB chair Andrea Jelinek: yesterday the EDPB created a task force to look at NOYB’s 101 complaints (two are now withdrawn). We will work closer together than ever to solve this issue. You can be sure we are investigating all together. But enforcement is a matter of the national DPAs. We have the one-stop shop mechanism to coordinate.

I reassure you again we are working closely together and very hard to succeed in protecting EU citizens’ rights. And this is not only a problem of DP. It is a geopolitical problem. We should come together to see if the Western world has a common understanding about DP and rights.

Schrems: Legal certainty is essential. SMEs are unable to do this. This is a problem of the GDPR itself as it focuses so much on the controllers. Small German SMEs cannot control Google. It should be enforced against processors directly.

Two possible US law changes. 1/ Delayed notice of surveillance, giving standing, which is a big problem. 2/ Need equal protections as US citizens have. Not too much to ask in the negotiations. US multinationals have options, eg to split processing operations, in EU without access from US parent.

This will happen if these industry players get the feeling this is essential to continue doing business in Europe. The processors hold the power here.

It’s obviously impossible for even large EU companies to properly assess US law.

They need help from the DPAs, even if it is not formally their responsibility. Also: could EU companies self-certify in a binding way? Makes it much easier and could be used with any third country. Finally, we’ll have same problem with UK surveillance law.

@DPCIreland has salami-sliced to delay every issue, it’s insanely expensive, also to appeal against them if NOYB loses (so far we always won.) This is why it’s impossible for the average citizen to take action. First decision will take 10 years!

DPC now has 140 people, it’s not a question of lack of resources. NOYB has 6 people and we seem to get more done. You need the right people at the head.

@BirgitSippelMEP: what effective powers does the US Ombudsperson have? If anything goes wrong, EU citizens don’t have the same rights as US citizens. We have transatlantic uncertainty. We do not need a technical “solution” to make it seem there’s no uncertainty.

Even when using #SCCs – how can companies assess adequacy if the Commission cannot? @ThierryBreton says we need European #DataSovereignty. Will the Commission check if this will help? We have to look into overburdening of DPAs, esp. @DPCIreland.

Many European companies use Google Analytics and Facebook Connect. Can the EDPB provide guidance on this to help them?

M Körner MEP: the Commission should say: let’s make privacy great again! Trump is concerned about TikTok. I am more concerned about China as well. Let the US and EU together, as Western countries, protect our values of privacy and data protection. We need an EU-US no spy agreement!

The European Parliament will not change the Charter of Fundamental Rights! Please. Facebook. Google. Go and lobby your government and Congress! If you want to operate in the European market, you have to comply with European rules!

Körner: This is the third time we are sitting here. If we can’t change things this is useless!

Pirate MEP @echo_pbreyer: We should be proud of the CJEU! We don’t need unsafe flows of data to third countries. The mass surveillance programmes exposed by @Snowden have been found as excessive, not strictly necessary. So yes @dreynders, which laws are you asking US to change?

CJEU says we need new legislation addressing all executive programmes, and EU citizens need enforceable rights in US courts, and that could be done by a no-spy agreement that gives European citizens the same rights as US citizens. That is needed.

The US has threatened a trade war with Europe if it enforces #SchremsII. If this is what it takes, so be it. –@echo_pbreyer

@dreynders: on #DataSovereignty we are open to all those who apply the rules, esp. if we can apply an adequacy decision. (IB: Is he talking to his fellow commissioner @ThierryBreton?)

It’s true there are possible changes with the surveillance process in the US. Certainly there are requests for enforceable rights for EU citizens in the US, we are discussing this. It will take some time in relation to issues due to national security and the elections situation.

Jelinek: every DPA has to face three cases from NOYB regarding Google Analytics and Facebook Connect. We have created an EDPB task force to look into these complaints thoroughly and together << IB: @NOYBeu wouldn’t be forced to file all these if the DPAs were more effective

@maxschrems: #DataSovereignty should be our rules applying, not data geographically in the EU. Data transfers are one of the best ways for the EU to promote its rules, so we should engage with more and more companies to build this globally.

US has more to lose than EU from a trade war. Its IT industry dominates the globe. The EU has an upper hand on these issues. US companies right now aren’t moving much, but we could get them to lobby the US. That requires enforcement on the EU side. China/#TikTok plays into this… with little due process, US can hardly argue EU is violating WTO rules.

It’s not all or nothing enforcement. There could be letters to companies asking about their transfers. You can have a prohibition notice, with 6 months to implement. Then fine.

IB: Well, that was fun! Looking forward to a strong @EP_Justice resolution on these issues, action from the @EU_EDPB and @EU_Commission, and protection at long last for EU citizens’ rights against overbearing US surveillance! 

Categories
Judgment Surveillance

Korff on Kuner: Schrems II Re-Examined

Comments on: Chris Kuner, Verfassungsblog, Schrems II Re-Examined, 25 August 2020:

Below are some comments by me on the above blog. In each case, I first quote Kuner and then provide my comments. The quotes are in the order in which they appear in the blog.

Kuner:

“[T]he Court’s reasoning here seems tautological, i.e., it held that while contractual clauses cannot bind third country authorities this can be remedied through safeguards including additional clauses (para. 132).”

Korff comment:

I do not think this is quite correct. The Court does not say inadequacies in third countries’ laws can be remedied by contract – of course they cannot (as the Court makes clear in para. 125 and repeats in para. 131). Rather, the Court suggests that (as you yourself note) private parties can adopt legal, technical and organisational measures to guard against violations of data protection rights by third country agencies (in particular against undue, untargeted access to the data concerned by those countries’ law enforcement and national security agencies).

To me, the most important implication of the judgment is that it is indeed now a legal requirement under EU (Treaty and Charter) law that personal data that are transferred to a third country must be protected against such abuses – and that if they cannot be effectively protected against such abuses, the data should not be transferred. Or to be more precise: if the personal data on EU individuals that are to be transferred to a third country cannot be protected against undue access by the third country’s agencies, the transfer would be in violation of the GDPR, and the data exporter would be liable to administrative fines of up to 4% of the organisation’s gross annual turnover. (There may be doubts about the extent to which the EU supervisory authorities will actually enforce this, or at least about how quickly they may start to do this – see below – but the principle seems to me to be clear.)

Kuner:

“[S]ettling disputes under Article 65 GDPR between the DPAs on the types of safeguards to be used could require the EDPB to opine on issues that could be politically explosive, such as whether particular third countries abide by the rule of law or respect fundamental rights.”

Korff comment:

Yes, but so what? That is something courts and regulatory bodies do all the time. They should not be scared of “opining on issues that could be politically explosive”, especially not when it comes to protecting EU citizens (and others in the EU) against abuses by third countries that do not “abide by the rule of law or respect fundamental rights”. If they are too weak-spined to do that, they should not be in their official roles as guardians of a fundamental right enshrined in the Treaties and the Charter!

Kuner:

“It is important to note that the Court does not require that additional safeguards provide a 100% guarantee that access to data by third parties can never occur, but rather that they constitute “effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law…” (para. 137). Thus, they should be evaluated under a standard of proportionality, not of perfection.”

Korff comment:

I cannot see any explicit reference in the quote from the judgment to proportionality, unless you read “effective” as “reasonably effective in the circumstances”. But surely that is a stretch. The judgment says, in the very same paragraph, that the “mechanisms” (i.e., the clauses without or with “supplementary measures”) must:

make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to the clauses of such a decision are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them. (para. 137, emphasis added)

I can accept that it may not always be possible for any measures to always, 100%, ensure that the risk in question will never materialise. But surely, given the “high risk to the rights and freedoms of natural persons” that can arise from undue access to personal data by agencies of a state that does not “abide by the rule of law or respect fundamental rights”, the bar should be set high.

In my opinion, if in the third country concerned (the one to which personal data are to be exported from the EU) the law allows for access to the imported data (either while in transit, through access to Internet nodes in the third country, or after transit, e.g., through secret back doors to databases or under secret orders) in ways and subject to processes that seriously fail to meet European rule of law (and data protection) standards, then that should be regarded ipso facto as a “high risk to the rights and freedoms” of the data subjects.

That in turn means that the proposed transfer – being a form of processing – must be subjected to a data protection impact assessment (Article 35 GDPR). Moreover, if this shows that any measures that may be adopted (such as SCCs by themselves, or SCCs with “supplementary measures”) cannot remove the “high risk”, then the relevant supervisory authority or authorities must be consulted (Article 36). And if those authorities find that a “high risk” does indeed remain and cannot be removed, they should use their powers under Article 58 to suspend or prohibit the transfer (see in particular Article 58(2)(f) and (j)).

Kuner:

“A few examples of clauses and safeguards [that could provide ‘supplementary measures’ to guard against abuse] could include the following:

  • Legal measures: The parties to the transfer could agree on enhanced legal guarantees that build on those in the SCCs but provide stricter conditions for suspending data flows and deleting data in cases of unauthorized government access, as well as stricter penalties for breaches of their obligations.
  • Technical measures: Strong encryption could be used to make it nearly impossible for unauthorized actors to read the data.
  • Organisational measures: Groups of data exporters and importers (such as in a trade association) could commit to suspend data transfers to countries that do not respect the rule of law, based on internationally-recognized standards (for example, those published by the World Justice Project). This approach is already used in other areas, such as fair labour standards.”

Korff comment:

These are useful, even if for now still limited, suggestions – but they still raise issues. Just a few brief comments on each, if I may:

  • Legal measures: The Commission SCCs already contain clauses on the following lines:[1]

Obligations of the data importer

The data importer warrants and undertakes that:

It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws.

A footnote to the clause in the controller-to-processor SCCs (but which presumably can also be read into the other clauses) adds the following clarification:

Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC,[2] that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.

But of course, in the context of Schrems II, we are talking about “mandatory requirements [in third countries to which data are to be transferred]” which do go “beyond what is necessary in a democratic society”. 

In many third countries, there are domestic laws that require a controller or processor in that country to do or not do certain things when the GDPR requires that a controller or processor who is subject to the GDPR does the opposite, e.g., when the law of the third country requires the controller or processor (in the context of data transfers: the data importer) to disclose personal data to a national agency of that country in circumstances that go “beyond what is necessary in a democratic society”, and that prohibit the controller or processor/importer in question from informing the EU-based data exporter – when the GDPR in fact prohibits the disclosure and demands the informing of the EU-based exporter (and through it, the EU Member State’s data protection authority).

In such circumstances, clauses requiring the suspension of data flows and the deletion of data in cases of unauthorized government access are ineffective: the data importer is legally barred from informing the EU data exporter and may also be prohibited from deleting the data (and the data may in any case already – wrongly – be in the hands of the not-rule-of-law-compliant state agencies).

In relation to countries with such rule-of-law-incompatible laws (and there are many),[3] clauses about ex post facto informing the EU data exporter of abuses are useless: the data importer is legally barred from complying with them – or the authorities can gain access to data through back doors without the importer even being able to note this (let alone challenge it). The only solution in such cases is to not transfer the data in the first place.

  • Technical measures: “Strong encryption” that would “make it nearly impossible for unauthorized actors to read the data” is indeed a possibly useful “supplementary measure” in relation to data transfers.

However, strong encryption is only of limited use, i.e., only in cases in which the data are not decrypted in the third country (or they would again be accessible to the not-rule-of-law-compliant agencies there: see above). So it could work in relation to servers in those countries hosting data that remain under the control of the EU data exporter (e.g., fully, highly encrypted back-up data). But as Max Schrems has pointed out, the encryption would have to go further than is currently usual, to include e-communications metadata such as IP addresses, etc. Moreover, there would always remain a risk, in particular in countries with highly developed surveillance/decryption technologies. In that case, surely the simpler, lesser-risk option would be to move the data to an EU-based server/host?

  • Organisational measures: You suggest that “Groups of data exporters and importers (such as in a trade association) could commit to suspend data transfers to countries that do not respect the rule of law, based on internationally-recognized standards (for example, those published by the World Justice Project). This approach is already used in other areas, such as fair labour standards.” Well, yes – in principle that sounds good.

But in practice, the vast majority of countries in the WJP’s “Rule of Law Around the World Index 2020” score abysmally. In the charts, only Australia and New Zealand, Western Europe and North America (USA and Canada) are marked in green, meaning a score over 0.7/1.[4] The Index is also based on much broader issues of good governance and rule of law than those specifically important for data protection and state surveillance/access to personal data. In that respect, the Privacy International State of Surveillance Briefing Guidelines and questions are more directly relevant.[5] 

PI has produced a series of reports specifically on this issue, based on these guidelines, covering Argentina, Brazil, Chile, Colombia, Egypt, India, Indonesia, Jordan, Kenya, Lebanon, Mexico, Morocco, Pakistan, Paraguay, the Philippines, South Africa, Thailand, and Uganda.[6] We can certainly add the People’s Republic of China and Russia (and quite a few further countries, including also the USA) to the list.

The main point to make in this respect is that few countries outside the EU meet the standards set by the Court when it comes to their national security agencies’ powers of access to data (especially data on non-nationals) and lack of effective remedies – and indeed many EU Member States[7] do not either.

In sum: The suggested measures really have only very limited value.

Kuner:

“Apocalyptic predictions about how [Schrems II] may mean the end of data transfers to the US” are unlikely to come true in practice – because “the [EU] wheels of data protection enforcement turn slowly” and “[t]he DPAs also tend to be careful not to issue high-profile penalties before being completely sure that they have a strong legal case.”

Korff comment:

Well, the authorities may be slow and scandalously weak in their enforcement, but (a) they cannot duck their responsibilities under the law (as clarified by the Court) forever – and some may have a firmer spine (and more resources) than others, and (b) as the indomitable Max Schrems has shown, if it comes to it they can be forced (kicking and screaming) to do their job (even if it takes an excessively long time and unacceptably hard work on the part of individuals and NGOs).

Kuner:

“If, as can probably be expected, the judgments in [joined cases C-623/17, C-511/18, C-512/18 and C-520/18] result in the Court restricting data processing for these purposes, it may help identify measures that could put EU-US data flows on a firmer legal footing.”

“With the Court taking such a strict position in Schrems II, any hope of a stable and viable accommodation for data transfers between the EU and the US can only be based on changes to US law.”

Korff comment:

I agree that, in the light of Schrems II and earlier judgments, it is likely that the Court will continue to interpret EU law in such a way as to protect the (data protection) rights of individuals in the EU as much as possible against undue, indiscriminate, insufficiently regulated access to their data by national security agencies (be that in the EU – although there the Court is hampered by the indefensible exclusion from EU law including the Treaties and – outrageously – the Charter of Member States’ activities relating to their national security, or outside the Union). And I agree that this situation can only be properly addressed by the transgressors (again, in the EU and beyond) changing their laws and practices to meet globally-recognised rule of law and privacy/data protection standards. But as noted below, that will not be easy to achieve.

Kuner:

“Numerous countries have sought EU adequacy decisions or adopted data protection legislation based on the EU model, and the GDPR has been a success story in this regard.”

“[T]he judgment may cause some third countries to question whether it is worthwhile to strive to reach the EU’s data protection standards and to engage in protracted negotiations only to have the agreement, or the adequacy decision based on it, invalidated later on. Having now ensured that data transfers must meet a high standard, the EU should also take care not to set the bar too high, or it may make the GDPR a less attractive model for third countries.”

Korff comment:

There has always been a tension between the EU’s (and in particular the EU Commission’s) desire for “opening up trade” with third countries and to that end facilitating data flows including flows of personal data to third country trading partners, on the one hand, and ensuring full protection of personal data on individuals in the EU in accordance with the Charter on the other hand. The Commission has in the past too often been too ready to declare that third countries provide “adequate” protection, while glossing over manifest inadequacies in the laws and practices of such countries, not least in relation to access to EU data by the law enforcement and national security agencies of the third countries in question.

But if that is what made the EU data protection rules “attractive”, it was a scam: the EU sets high standards on paper, also on paper allows free transfers only to countries that ensure similarly high (“adequate”, now “essentially equivalent”) levels of protection – but then in practice a political body (or at least a not exactly non-political body), the European Commission, can undermine this principled approach by, essentially, pretending that certain third countries provide such levels of protection when in reality they do not – especially when it comes to national security agencies’ access.

If the Court has exposed the inappropriateness of this Commission policy, it should be welcomed!


[1] The clause reproduced here is from the controller-to-controller transfer clauses (Commission Decision 2004/915/EC of 27 December 2004), clause II(c), which slightly modified the similar clause, clause 5(a), in the previous version of those clauses (Commission Decision 2001/497/EC of 15 June 2001). The corresponding clause in the controller-to-processor clauses (Commission Decision 2010/87/EU) is clause 5(b).

[2] Now Article 23 GDPR.

[3] See Douwe Korff, Ben Wagner, Julia Powles, Renata Avila and Ulf Buermeyer, Boundaries of Law: Exploring Transparency, Accountability, and Oversight of Government Surveillance Regimes, comparative report covering Colombia, DR Congo, Egypt, France, Germany, India, Kenya, Myanmar, Pakistan, Russia, South Africa, Turkey, UK, USA, January 2017, available at: https://ssrn.com/abstract=2894490

[4] World Justice Project Rule of Law Index 2020, pp. 16 (Americas) and 17 (rest of the world), available at: https://worldjusticeproject.org/sites/default/files/documents/WJP-ROLI-2020-Online_0.pdf

[5] Privacy International, State of Surveillance Briefing Guidelines, 2017, available at: https://privacyinternational.org/sites/default/files/2017-12/Survey_Questions.pdf

[6] Follow the links at: https://privacyinternational.org/long-read/1037/tracking-global-state-surveillance

See also Douwe Korff et al. (footnote 3, above) that covers some of the same and some further countries.

[7] I will not deal with the EU Member States’ deficiencies here. They deserve serious attention in their own right. As you note, more clarity may be given by that in upcoming CJEU cases.

Categories
Convention Human rights Surveillance

Schrems II, from Snowden to China

Marc Rotenberg is quite right, in his new article Schrems II, from Snowden to China: Toward a new alignment on transatlantic data protection (European Law Journal), to say:

“The United States should not update its privacy law because of a judgment of the European Court. The United States should update its privacy law because it is long overdue, because it is widely supported, and because the ongoing failure to modernise our privacy law is imposing an enormous cost on American consumers.” (p. 12)

Marc Rotenberg

And he makes an important point about the US authorities finally noticing that protecting personal data is also a national security concern — “The alignment of national security and data protection is accelerating.” (id.)

But I am not sure that Trump’s Secretary of State Mike Pompeo really accepted that this means taking up this good advice and bringing in serious data protection law and remedies in the USA (and signing up to the Council of Europe’s Convention 108+).

When Pompeo cited the “long-term threat to data privacy, security, human rights and principled collaboration posed to the free world”, he emphasised the need to safeguard “the nation’s assets including citizens’ privacy and companies’ most sensitive information from aggressive intrusions by malign actors, such as the Chinese Communist Party.”

I do not think he included the USA, or the NSA (or GCHQ etc.) in the group of “malign actors, such as the Chinese Communist Party.” I believe that the USA (and the UK! and the other 5EYES?) want to continue their excessive (untargeted, bulk) spying on everyone, except their own citizens; they just want to make sure that their strategic enemies (PR China, Iran) cannot do the same. Sorry if I sound pessimistic. (I even think that one element of support for Brexit came from this reluctance to be curtailed by EU law in this respect, or even the ECHR, although they find that more difficult to get away from).

So I hope the USA will move on adopting real data protection rules and remedies, and will sign up to 108+ — but I am not holding my breath, not even for Biden 😞

What is more, real data protection à l’européenne would have to apply to anyone whose data are or can be brought under the power (jurisdiction) of the spying state. In Europe, we do apply fundamental rights in this way (see section 3.3 in the Issue Paper on The Rule of Law on the Internet and in the wider Digital Environment I wrote for the Council of Europe Commissioner for Human Rights some years ago.)

But the USA continues to refuse to adopt this view and insists on not extending many constitutional protections (including privacy protections) to “non-US persons”. (They even succeeded in persuading the lawyer for the German secret service to adopt the same view – which was rightly slammed down by the Constitutional Court in a recent judgment). Does anyone really think that will change?

Categories
Article Human rights

The elasticity of “ethical AI”

This is a nice review by @carlykind_ of the evolution of the term “ethical AI”:

I wonder if the term is now becoming too broad to be useful — for example, the Court of Appeal’s decision on police facial recognition systems was on straightforward human rights law grounds, not ethics. The #ALevelFiasco outcome was simple politics 🤔  (And, did the mark moderation algorithm have anything to do with AI/ML? I thought it was a relatively straightforward statistical fitting? As @RDBinns commented, isn’t most “AI”/“Machine Learning”?!)

“Framing the problem” in the sense used was something privacy campaigners have been doing for decades — I remember well this was Barry Steinhardt’s position on the “Snooper Bowl” 20 years ago.

Useless as the NHSX #TracingApp 1.0 was, I think its ethics board did a better job than most in exposing its issues – even if it was told it was not there to make assessments of the overall approach, and was then shut down when it became too much of an obstacle to politicians.

I also wonder how far these three phases happened in parallel, rather than more sequentially. For example, Oscar Gandy has been asking at least some of the “3rd phase” questions since the late 1980s… And the “second phase” started at the latest with Cynthia Dwork’s turn to fairness in 2011, much earlier than many of the endless “AI ethics” codes.

Finally, this excellent @adwooldridge column makes clear some of these issues have been raised over several centuries!

‘Scientific management retreated in the face of popular fury: Charles Dickens satirised it in the person of Mr Gradgrind, who wanted to “weigh and measure every parcel of human nature”. F.R. Leavis, a literary critic, dubbed it “technologico-Benthamism”.’

As Adrian Wooldridge added, ‘The universities to which A-level students are struggling to get admitted provide an example… Tenure and promotion are awarded on the basis of the production of articles (which can be measured) rather than teaching (which can’t), so students suffer.’ See also Goodhart’s Law, and this excellent letter from the director of the UK’s national institute for AI and data science:

while we’d be happy to support third parties to develop and deploy artificial intelligence and data science ethically and efficiently, it didn’t take an algorithm — or in this case a statistical model — to spot that the main issue was human. Its formula may have done exactly as it was meant to — but the Department for Education and Ofqual lacked the open, interdisciplinary, accountable, equitable and democratically-governed processes to ensure a fairer result for our students.

Adrian Smith, Director, Alan Turing Institute

Categories
Current affairs Regulation

Too many GDPR-watchers are twiddling their thumbs

I hate to say this, because some European data protection authorities are excellent (e.g. several of the German states, the German federal regulator… seeing a pattern here. Plus of course @EU_EDPS). But there is such a long-running pattern of Data Protection Directive/General Data Protection Regulation-breaking…

…I’m beginning to wonder if most of them are simply DPA-washing rampant law-breaking across Europe, and anyone who wants to see #GDPR enforced should waste no further time and proceed directly to court. Has anything changed since this 2014 EU Fundamental Rights Agency report finding data protection remedies to be lacking? (The GDPR was agreed, and came into force… but little has seemingly changed so far on the enforcement side.)

One thing that has improved, since I contributed to that report on the UK situation, is the experience and effectiveness of the judiciary. The most senior member state courts are becoming much better enforcers than the DPAs (e.g. England and Wales’ Court of Appeal). And of course, @EUCourtPress is leading the way on GDPR/Charter of Fundamental Rights enforcement.

I think @EURightsAgency should update that report post-#GDPR 🙂 In the meantime, DPAs need to start acting against the world’s largest data breach, aka #adtech, as @johnnyryan and @cybermatron say.

Categories
Current affairs

The UK’s ethics-hole

Maybe if the “AI ethics” crowd (including @CDEIUK, based in… yes, @DCMS, the UK govt dept responsible for data protection law; and its chair Roger Taylor) had paid more attention to those pesky legal “ethics” already in the #GDPR, @Ofqual (chair: Roger Taylor) would be in less deep 💩 over the #ALevelFiasco.

Neither @CDEIUK nor @ofqual have easy-to-find web pages about their board members (unlike @hfea). Perhaps if they did, these people would feel a little more personal responsibility for their organisations’ actions? (To be honest, the main fault in all this lies with the former DCMS secretary of state, now Health Secretary, Matt Hancock, who appointed Taylor and several more board members like him.)

Taylor told the Times Educational Supplement he had ‘messed up his A levels.’ How ironic! Now, he’s messed up thousands of other people’s, too! His naivety about “measuring” people and public services really shines through. And, pricelessly, he says: “The performance regime itself is something that should be subject to a performance assessment.” Someone should ask him what grade he’d give @Ofqual. (I’m imagining this interviewer hasn’t spent much time with actual philosophy professors >> “Like a philosophy professor, he builds his argument from first principles.”)

Mr. Measurement doesn’t seem too interested in psychological evidence about the stress of high-stakes exams:

One of the most serious accusations that has been levelled against our current assessment system is that higher-stakes exams have damaged pupils’ mental health. Taylor thinks that the causality is the other way round, with “rising levels” of underlying anxiety causing students to find it “more difficult” to deal with stressful episodes like exams.

Is he really basing all this (highly damaging to the country’s young people) spouting on his own and his children’s personal experiences? 🙄

Not that you can tell from the @ofqual board web page or his gov.uk profile, but it seems Taylor was reappointed as Ofqual chair until 2023.

I’m guessing Education Secretary Gavin Williamson, Taylor, and the Information Commissioner will be the principal govt scapegoats for the #ALevelFiasco (once the #GCSEfiasco is out of the way.) @UKLabour, and Parliament’s select committees, must already be scenario-planning… especially since Taylor has attacked Labour’s plans for standardised testing reform, and said exam stress was down to mentally fragile young people 😳

Shadow Education Secretary @KateGreenSU said Williamson has “a few days to demonstrate that he’s now going to do it right”. Lib Dem leader @EdwardJDavey added: resign! Education Select Committee chairman @halfon4harlowMP said: “We’ve got to make sure that this is an exam system for the many, not the few”. 👏🏻