SCHREMS II – The CJEU invalidates the Privacy Shield but upholds Standard Contractual Clauses (SCCs)
In 2016, the European Commission recognized the Privacy Shield as a mechanism providing adequate protection for the transfer of personal data from the European Union (EU) to US companies participating in that framework.
On 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated this decision, rendering illegal any data transfer based on the Privacy Shield.
For the CJEU, US law, and in particular the regulations allowing American authorities to access personal data transferred from the EU to the US for national security purposes, does not guarantee a level of protection of data subjects equivalent to that required by EU law.
Regarding the European Commission’s Decision 2010/87/EC on Standard Contractual Clauses (SCCs), the CJEU confirms SCCs are valid transfer mechanisms, provided that, in practice, they are effective and ensure a level of data protection essentially equivalent to that guaranteed in the EU.
In this respect, the CJEU emphasizes that SCCs in their present form require the data exporter and importer to verify, prior to any transfer, whether the level of protection is respected in the third country concerned.
They also require the data importer to inform the exporter of any failure to comply with the SCCs or with any additional measures added to the SCCs by the parties. In such a case, the data exporter is obliged to suspend the data transfer and/or terminate the contract with the data importer.
What does this mean in practice for organizations transferring personal data outside the EU?
Following the CJEU’s ruling, any organization transferring personal data outside the EU, in particular to the US, must re-evaluate these transfers, the legal mechanisms put in place to regulate them and, if necessary, implement additional measures.
Regarding data transfers to the US:
- For transfers initially based on the Privacy Shield: The Privacy Shield can no longer be used as a basis for data transfer to the US. In this case, the organization must immediately determine an alternative transfer mechanism or stop transferring data to the US.
- For transfers based on the conclusion of SCCs: In accordance with the recommendations of the European Data Protection Board (EDPB) and the CJEU judgement, transfers based on SCCs must be assessed to determine whether US law compromises the level of data protection guaranteed by EU law and the SCCs. This assessment must be made on a case-by-case basis, taking into account the circumstances of the transfer and any additional measures that may be put in place, and it should be documented. If the assessment does not lead to the conclusion that a sufficient level of protection is guaranteed, the transfer must be suspended. If an organization decides to continue transferring data to the US despite this conclusion, it must notify its supervisory authority. Since it follows from the CJEU’s findings that US law does not provide a level of protection essentially equivalent to that guaranteed in the EU, entities wishing to keep transferring data to the US must determine whether they can implement supplementary measures to guarantee this level of protection (e.g. by sending strictly minimized and non-sensitive data).
- For transfers based on the Binding Corporate Rules (BCRs): Transfers based on BCRs must be assessed under the same conditions as transfers based on SCCs. Likewise, if the conclusion of the assessment is that an equivalent level of protection is not guaranteed, organizations must cease the transfer or notify the supervisory authority if the transfer is continued.
- For transfers based on Article 49 GDPR derogations: Transfers based on derogations can be carried out, provided that they fall within the strict conditions of these exceptions as interpreted, notably, in the EDPB guidelines. For example, any transfer to the US based on the consent of the data subject presupposes informed consent, including information on the possible risks of such a transfer for the data subject due to the absence of appropriate safeguards.
Regarding data transfers to other third countries:
While Schrems II was about data transfers to the US, the CJEU’s conclusions have implications for all data transfers to third countries with no adequacy decision. For such transfers, as for transfers to the US, organizations can keep relying on SCCs and BCRs, but need to be able to demonstrate, for each transfer, the effectiveness of the tools they are relying on, including by implementing supplementary measures where necessary. If supplementary measures are not able to guarantee an appropriate level of protection for the transferred data, the transfer must be suspended or notified to the competent supervisory authority.
In the face of the many uncertainties resulting from the CJEU’s judgement, in particular for data transfers to the US, the EDPB adopted recommendations on 11 November 2020 on the supplementary measures that may be put in place. These recommendations will be subject to public consultation and will be applicable immediately after their publication. At the same time, the SCCs are being entirely redesigned to take into account the findings of the Schrems II case.
EU SUPERVISORY AUTHORITIES – An increase in fines: a general trend?
After the €50 million fine issued by the CNIL against Google in January 2019 (see our Newsletter n°1), the UK data protection authority (ICO) and the Hamburg Commissioner recently issued record fines, confirming that national authorities no longer hesitate to heavily sanction companies in breach of the GDPR.
On 16 and 30 October, the ICO fined British Airways £20 million (about €22 million) and Marriott £18.4 million (about €20 million) for data breaches which made a large amount of personal customer data accessible to third parties. These are the highest fines imposed by the ICO for breaches of the security obligations under the GDPR.
On 1 October 2020, the Hamburg Commissioner fined H&M €35 million for the illegal recording of its employees and the excessive collection of sensitive data. This fine is higher than the total of all fines previously imposed by the German authorities since the entry into force of the GDPR.
COOKIES – The CNIL publishes amending guidelines and its practical recommendation
On 1 October 2020, the CNIL published new guidelines on cookies and other tracers, as well as a practical recommendation on how to obtain consent.
By 31 March 2021, companies using cookies and other tracers will have to ensure that they comply with these new regulations.
The companies concerned must update their information notice and review their consent collection mechanism, or justify that the tracer benefits from the limited exemption from consent.
Failing this, they expose themselves to the sanctions provided for by the GDPR, both for the placing of cookies and tracers in itself and for the processing of personal data resulting from it.
End of the public consultation on two new draft EDPB guidelines
The EDPB adopted two new draft guidelines:
- Guidelines on the concepts of controller and processor, which will replace the previous Article 29 Working Party (WP29) opinion and will describe, under GDPR, the concepts of controller, joint controller, processor, third parties and data recipients and the obligations resulting from these qualifications.
- Guidelines on the targeting of social network users, which aim at clarifying the roles and responsibilities of social networks and providing practical guidance to stakeholders.
These drafts were subject to public consultation from 7 September to 19 October 2020. The final guidelines are expected to be issued soon.
The CNIL publishes a charter relating to controls
The CNIL has supervisory powers over any organization processing personal data. These controls are governed by the French Data Protection Act dated 6 January 1978.
In order to ensure greater transparency of controls and to encourage the proper conduct of investigations, the CNIL issued a charter of controls on 1 September 2020.
The purpose of this charter is to set out the rights and obligations of the organizations being investigated. It also specifies the conduct and consequences of a control, regardless of its form, as well as the principles of good conduct to be followed in this situation.
The CNIL publishes a guide on authorized third parties
“Authorized third parties” are authorities with the power to request organizations to disclose documents or information that may include personal data (e.g. Social Security Contribution Collection Office, Revenue & Customs, police authorities, officers of justice…). When receiving such a request, the organizations concerned may encounter difficulties in reconciling the obligation to comply with the request and the protection of personal data.
In order to help organizations concerned by this type of request, the CNIL recently published:
- A practical guide containing a checklist for processing a request for disclosure of personal data by an authority (for example, obtaining a written request specifying its legal basis, verifying the status of the authorized third party in question, applying confidentiality measures to secure the exchange, etc.).
- A compendium describing the main proceedings that may be launched by authorized third parties.
AVIA LAW - The French Constitutional Council rejects several provisions of the Avia Law
In a decision dated 18 June 2020, the Constitutional Council rejected two sets of provisions relating to the liability regime for operators of online communication services of the law aimed at combating hate content on the Internet (the “Avia Law”). The Avia Law provided for two types of obligations for website operators:
- The obligation for website hosts and publishers to remove, within one hour, any terrorist or child pornography content notified by the administrative authority (Paragraph I of Article 1 of the Avia Law).
- The obligation for certain online platform operators to remove or render inaccessible, within 24 hours, any content reported by an Internet user if such content can obviously fall under certain criminal qualifications (such as incitement to discrimination, hatred or violence against a person or group of persons, sexual harassment, glorification of terrorism, etc.)(Paragraph II of Article 1 of the Avia Law).
While the Constitutional Council recognizes the merit of the Avia Law’s aim, namely to combat the proliferation of hateful content on the Internet, it stresses that free access to online communication services and the possibility of expressing ideas and opinions are the corollary of the freedom of expression and communication. Any infringement of this freedom must be necessary, appropriate and proportionate to the aim pursued.
Yet, with regard to the obligation to withdraw, within one hour, content notified by the administrative authority, the Constitutional Council notes that:
- whether content is unlawful is not determined by whether it is manifestly unlawful, but is left to the sole discretion of the administration;
- appeals against a withdrawal request are not suspensive;
- the one-hour period given to the website publisher or host to remove or make the content inaccessible does not allow them to obtain a decision from a judge before being forced to comply; and
- the penalty for failure to withdraw is one year’s imprisonment and a fine of 250,000 euros.
With regard to the obligation to withdraw, within 24 hours, manifestly illegal content reported by Internet users, the Constitutional Council notes that:
- the obligation applies as soon as a user reports illegal content, without the prior intervention of a judge, so that it is up to the operator to assess all the content reported, however numerous it may be;
- the task of assessing the unlawfulness of the content within 24 hours is particularly complex in view of the scope of the offences concerned and the legal technicality of some of them; and
- no grounds for exemption from liability are provided for (considering, for example, a multiplicity of reports at the same time), even though each failure to withdraw content may result in a penalty of 250,000 euros.
For all these reasons, the Constitutional Council rules the provisions at stake unconstitutional and rejects them, insofar as the legislator has undermined the freedom of expression and communication in a way that is not appropriate, necessary and proportionate to the aim pursued.
DIGITAL SERVICES - End of the consultation on the Digital Services Package
With a few exceptions, the European legislative framework for digital services has remained broadly unchanged since the adoption of the E-Commerce Directive on 8 June 2000.
The European Commission therefore decided to launch a public consultation, which ended on 8 September 2020, to define the future set of rules applicable to digital services, launch the overhaul of the liability regime for intermediary service providers, and improve and clarify their obligations in terms of content moderation.
The consultation was divided into two work strands:
- The first strand focused on the main principles laid down by the e-commerce directive, in particular the freedom to provide digital services across the EU single market and a broad limitation of liability for content created by users. Building on these principles, the European Commission intends to establish clearer and more modern rules concerning the role and obligations of online intermediaries, as well as a more effective governance regime to ensure the application of these rules.
- The second strand addressed the level playing field in European digital markets where a few platforms act as “gatekeepers”. In this respect, the European Commission wishes to reflect on the adoption of provisions to remedy the imbalances on these markets, so that consumers have the widest possible choice and the market for digital services remains competitive and open to innovation.
The contributions obtained will guide the European Commission’s proposals for the Digital Services Package, which should be issued by the end of 2020. It will complement Regulation (EU) 2019/1150 on the relationship between platforms and companies (see our Newsletter n°1).
CYBERSECURITY - Bill for the implementation of a cybersecurity certification for B2C digital platforms
In order to ensure that consumers are better informed about the security of their data when using a digital solution, the French Senate recently passed a bill to require digital platforms whose connections exceed a certain threshold – which will be specified by decree – to display a cybersecurity diagnosis accompanied by a color code easily understandable by consumers (e.g. a “cyber-score”).
The bill provides that the criteria considered for the diagnosis, as well as the practical details of its presentation and its period of validity, will have to be specified by decree after consultation of the CNIL. The bill is due to be reviewed by the National Assembly in the near future.