Korff on Kuner: Schrems II Re-Examined

Comments on: Chris Kuner, Verfassungsblog, Schrems II Re-Examined, 25 August 2020:

Below are some comments by me on the above blog. In each case, I first quote Kuner and then provide my comments. The quotes are in the order in which they appear in the blog.

Kuner:

“[T]he Court’s reasoning here seems tautological, i.e., it held that while contractual clauses cannot bind third country authorities this can be remedied though safeguards including additional clauses (para. 132).”

Korff comment:

I do not think this is quite correct. The Court does not say inadequacies in third countries’ laws can be remedied by contract – of course they cannot (as the Court makes clear in para. 125 and repeats in para. 131). Rather, the Court suggests that (as you yourself note) private parties can adopt legal, technical and organisational measures to guard against violations of data protection rights by third country agencies (in particular against undue, untargeted access to the data concerned by those countries’ law enforcement and national security agencies).

To me, the most important implication of the judgment is that it is indeed now a legal requirement under EU (Treaty and Charter) law that personal data that are transferred to a third country must be protected against such abuses – and that if they cannot be effectively protected against such abuses, the data should not be transferred. Or to be more precise: if the personal data on EU individuals that are to be transferred to a third country cannot be protected against undue access by the third country’ agencies, the transfer would be in violation of the GDPR, and the data exporter would be liable to administrative fines of up to 4% of the organisation’s gross annual turnover. (There may be doubts about the extent to which the EU supervisory authorities will actually enforce this, or at least about how quick they may start to do this – see below – but the principle seems to me to be clear.)

Kuner:

“[S]ettling disputes under Article 65 GDPR between the DPAs on the types of safeguards to be used could require the EDPB to opine on issues that could be politically explosive, such as whether particular third countries abide by the rule of law or respect fundamental rights.

Korff comment:

Yes, but so what? That is something courts and regulatory bodies do all the time. They should not be scared of “opining on issues that could be politically explosive”, especially not when it comes to protecting EU citizens (and others in the EU) against abuses by third countries that do not “abide by the rule of law or respect fundamental rights”. If they are too weak-spined to do that, they should not be in their official roles as guardians of a fundamental right enshrined in the Treaties and the Charter!

Kuner:

“It is important to note that the Court does not require that additional safeguards provide a 100% guarantee that access to data by third parties can never occur, but rather that they constitute “effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law…” (para. 137). Thus, they should be evaluated under a standard of proportionality, not of perfection.”

Korff comment:

I cannot see any explicit reference in the quote from the judgment to proportionality, unless you read “effective” as “reasonably effective in the circumstances”. But surely that is a stretch. The judgment says, in the very same paragraph, that the “mechanisms” (i.e., the clauses without or with “supplementary measures”) must:

make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to the clauses of such a decision are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them. (para. 137, emphasis added)

I can accept that it may not always be possible for any measures to always, 100%, ensure that the risk in question will never materialise. But surely, given the “high risk to the rights and freedoms of natural persons” that can arise from undue access to personal data by agencies of a state that does not “abide by the rule of law or respect fundamental rights”, the bar should be set high.

In my opinion, if in the third country concerned (the one to which personal data are to exported from the EU) the law allows for access to the imported data (either while in transit, through access to Internet nodes in the third country, or after transit, e.g., through secret back doors to databases or under secret orders) in ways and subject to processes that seriously fail to meet European rule of law (and data protection) standards, then that should be regarded ipso facto as a “high risk to the rights and freedoms” of the data subjects.

That in turn means that the proposed transfer – being a form of processing – must be subjected to a data protection impact assessment (Article 35 GDPR). Moreover, if this shows that any measures that may be adopted (such as SCCs by themselves, or SCCs with “supplementary measures”) cannot remove the “high risk”, then the relevant supervisory authority or authorities must be consulted (Article 36). And if those authorities find that a “high risk” does indeed remain and cannot be removed, they should use their powers under Article 58 to suspend or prohibit the transfer (see in particular Article 58(2)(f) and (j)).

Kuner:

“A few examples of clauses and safeguards [that could provide ‘supplementary measures’ to guard against abuse] could include the following:

  • Legal measures: The parties to the transfer could agree on enhanced legal guarantees that build on those in the SCCs but provide stricter conditions for suspending data flows and deleting data in cases of unauthorized government access, as well as stricter penalties for breaches of their obligations.
  • Technical measures: Strong encryption could be used to make it nearly impossible for unauthorized actors to read the data.
  • Organisational measures: Groups of data exporters and importers (such as in a trade association) could commit to suspend data transfers to countries that do not respect the rule of law, based on internationally-recognized standards (for example, those published by the World Justice Project). This approach is already used in other areas, such as fair labour standards.”

Korff comment:

These are useful, even if for now still limited suggestions – but they still raise issues. Just a few brief comments on each, if I may:

  • Legal measures: The Commission SCCs already contain clauses on the following lines:[1]

Obligations of the data importer

The data importer warrants and undertakes that:

It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws.

A footnote to the clause in the controller-to-processor SCCs (but which presumably can also be read into the other clauses) adds the following clarification:

Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC,[2] that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.

But of course, in the context of Schrems II, we are talking about “mandatory requirements [in third countries to which data are to be transferred]” which do go “beyond what is necessary in a democratic society”. 

In many third countries, there are domestic laws that require a controller or processor in that country to do or not do certain things when the GDPR requires that a controller or processor who is subject to the GDPR does the opposite, e.g., when the law of the third country requires the controller or processor (in the context of data transfers: the data importer) to disclose personal data to a national agency of that country in circumstances that go “beyond what is necessary in a democratic society”, and that prohibit the controller or processor/importer in question from informing the EU-based data exporter – when the GDPR in fact prohibits the disclosure and demands the informing of the EU-based exporter (and through it, the EU Member State’s data protection authority).

In such circumstances, clauses requiring the suspension of data flows and the deletion of data in cases of unauthorized government access are ineffective: the data importer is legally barred from informing the EU data exporter and may also be prohibited from deleting the data (and the data may in any case already – wrongly – be in the hands of the not-rule-of-law-compliant state agencies).

In relation to countries with such rules-of-law-incompatible laws (and there are many),[3] clauses about ex post facto informing the EU data exporter of abuses are useless: the data importer is legally barred from complying with them – or the authorities can gain access to data through back doors without the importer even being able to note this (let alone challenge it). The only solution in such cases is to not transfer the data in the first place.

  • Technical measures: “Strong encryption” that would “make it nearly impossible for unauthorized actors to read the data” are indeed a possibly useful “supplementary measure” in relation to data transfers.

However, strong encryption only has limited use, i.e., only in cases in which the data are not decrypted in the third country (or they would again be accessible to the not-rule-of-law-compliant agencies there: see above). So they could work in relation to servers in those countries hosting data that remain under the control of the EU data exporter (e.g., fully highly-encrypted back-up data). But as Max Schrems has pointed out, the encryption would have to go further than is currently usual, to include e-communications metadata such as IP addresses, etc. Moreover, there would always remain a risk, in particular in countries with highly developed surveillance/decryption technologies. In that case, surely the simpler, lesser-risk option would be to move the data to an EU-based server/host?

  • Organisational measures: You suggest that “Groups of data exporters and importers (such as in a trade association) could commit to suspend data transfers to countries that do not respect the rule of law, based on internationally-recognized standards (for example, those published by the World Justice Project). This approach is already used in other areas, such as fair labour standards.” Well, yes – in principle that sounds good.

But in practice, the vast majority of countries in the WJP’s “Rule of Law Around the World Index 2020” score abysmally. In the charts, only Australia and New Zealand, Western Europe and North America (USA and Canada) are marked in green, meaning a score over 0.7/1.[4] The Index is also based on much broader issues of good governance and rule of law than those specifically important for data protection and state surveillance/access to personal data. In that respect, the Privacy International State of Surveillance Briefing Guidelines and questions are more directly relevant.[5] 

PI has produced a series of reports specifically on this issue, based on these guidelines, covering Argentina, Brazil, Chile, Colombia, Egypt, India, Indonesia, Jordan, Kenya, Lebanon, Mexico, Morocco, Pakistan, Paraguay, the Philippines, South Africa, Thailand, and Uganda.[6] We can certainly add the Peoples Republic of China and Russia (and quite a few further countries including also the USA) to the list.

The main point to make in this respect is that few countries outside the EU – and indeed many EU Member States[7] – meet the standards set by the Court when it comes to their national security agencies’ powers of access to data (especially data on non-nationals) and lack of effective remedies.

In sum: The suggested measures really have only very limited value.

Kuner:

“Apocalyptic predictions about how [Schrems II] may mean the end of data transfers to the US” are unlikely to come true in practice – because “the [EU] wheels of data protection enforcement turn slowly” and “[t]he DPAs also tend to be careful not to issue high-profile penalties before being completely sure that they have a strong legal case.”

Korff comment:

Well, the authorities may be slow and scandalously weak in their enforcement, but (a) they cannot duck their responsibilities under the law (as clarified by the Court) forever – and some may have a firmer spine (and more resources) than others, and (b) as the indominable Max Schrems has shown, if it comes to it they can be forced (kicking and screaming) to do their job (even if it takes an excessively long time and unacceptably hard work on the part of individuals and NGOs).

Kuner:

“If, as can probably be expected, the judgments in [joined cases C-623/17, C-511/18, C-512/18 and C-520/18] result in the Court restricting data processing for these purposes, it may help identify measures that could put EU-US data flows on a firmer legal footing.”

“With the Court taking such a strict position in Schrems II, any hope of a stable and viable accommodation for data transfers between the EU and the US can only be based on changes to US law.”

Korff comment:

I agree that, in the light of Schrems II and earlier judgments, it is likely that the Court will continue to interpret EU law in such a way as to protect the (data protection) rights of individuals in the EU as much as possible against undue, indiscriminate, insufficiently regulated access to their data by national security agencies (be that in the EU – although there the Court is hampered by the indefensible exclusion from EU law including the Treaties and – outrageously – the Charter of Member States’ activities relating to their national security, or outside the Union). And I agree that this situation can only be properly addressed by the transgressors (again, in the EU and beyond) changing their laws and practices to meet globally-recognised rule of law and privacy/data protection standards. But as noted below, that will not be easy to achieve.

Kuner:

“Numerous countries have sought EU adequacy decisions or adopted data protection legislation based on the EU model, and the GDPR has been a success story in this regard.”

“[T]he judgment may cause some third countries to question whether it is worthwhile to strive to reach the EU’s data protection standards and to engage in protracted negotiations only to have the agreement, or the adequacy decision based on it, invalidated later on. Having now ensured that data transfers must meet a high standard, the EU should also take care not to set the bar too high, or it may make the GDPR a less attractive model for third countries.”

Korff comment:

There has always been a tension between the EU’s (and in particular the EU Commission’s) desire for “opening up trade” with third countries and to that end facilitating data flows including flows of personal data to third country trading partners, on the one hand, and ensuring full protection of personal data on individuals in the EU in accordance with the Charter on the other hand. The Commission has in the past too often been too ready to declare that third countries provide “adequate” protection, while glossing over manifest inadequacies in the laws and practices of such countries, not least in relation to access to EU data by the law enforcement and national security agencies of the third countries in question.

But if that is what made the EU data protection rules “attractive”, it was a scam: the EU sets high standards on paper, also on paper allows free transfers only to countries that ensure similarly high (“adequate”, now “essentially equivalent”) levels of protection – but then in practice a political body (or at least a not exactly non-political body), the European Commission, can undermine this principled approach by, essentially, pretending that certain third countries provide such levels of protection when in reality they do not – especially when it comes to national security agencies’ access.

If the Court has exposed the inappropriateness of this Commission policy, it should be welcomed!


[1] The clause reproduced here is from the controller-to-controller transfer clauses (Commission Decision 2004/915/EC of 27 December 2004), clause II(c), which slightly modified the similar clause, clause 5(a), in the previous version of those clauses (Commission Decision 2001/497/EC of 15 June 2001), clause 5(a). The corresponding clause in the controller-to-processor clauses (Commission Decision 2010/87/EU) is clause 5(b).

[2] Now Article 23 GDPR.

[3] See Douwe Korff, Ben Wagner, Julia Powles, Renata Avila and Ulf Buermeyer, Boundaries of Law: Exploring Transparency, Accountability, and Oversight of Government Surveillance Regimes, comparative report covering Colombia, DR Congo, Egypt, France, Germany, India, Kenya, Myanmar, Pakistan, Russia, South Africa, Turkey, UK, USA, January 2017, available at: https://ssrn.com/abstract=2894490

[4] World Justice Project Rule of Law Index 2020, pp. 16 (Americas) and 17 (rest of the world), available at: https://worldjusticeproject.org/sites/default/files/documents/WJP-ROLI-2020-Online_0.pdf

[5] Privacy International, State of Surveillance Briefing Guidelines, 2017, available at: https://privacyinternational.org/sites/default/files/2017-12/Survey_Questions.pdf

[6] Follow the links at: https://privacyinternational.org/long-read/1037/tracking-global-state-surveillance

See also Douwe Korff et al. (footnote 3, above) that covers some of the same and some further countries.

[7] I will not deal with the EU Member States’ deficiencies here. They deserve serious attention in their own right. As you note, more clarity may be given by that in upcoming CJEU cases.