Technology lawyer, GDPR expert, and European Commission’s Cloud Computing Expert, Maciej Gawroński from Gawroński & Partners talks to PrivSec to offer up his first reactions to the ruling and to provide clarity on the technicalities of the CJEU’s validation of Standard Contractual Clauses.

On July 16, 2020 the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, a set of legal instruments allowing for legal transfer of personal data from the EU to the US (case No Case C‑311/18, so called Schrems II judgment). 

The CJEU invalidated the Privacy Shield referring basically to the same argumentation as in the so called Schrems I judgment, i.e. lack of procedural guarantees for non-US citizens subject to mass electronic surveillance on basis of the US law.

Three main US legal acts being referred to in this context

  1. Foreign Intelligence Surveillance Act Executive (“FISA”)
  2. Executive Order 12333 (“E.O. 12333”)
  3. Presidential Policy Directive 28 (“PPD28”)

In a way the Court has, euphemistically saying, disapproved effects the European Commission’s negotiation with the US concerning replacing earlier invalidated “Safe Harbour” arrangements with the currently invalidated Privacy Shield.

In the CJEU’s opinion powers of the US governmental agencies concerning data of non-US citizens are so broad and arbitrary that it is not possible to consider the Privacy Shield as affording to EU residents a level of protection of their data adequate to that in the EU.

The Court pointed out that the US law differently (much more) protects US citizens, not giving corresponding guarantees (no legal guarantees in reality) against electronic surveillance to foreign (non-US) persons. In plain language, the CJEU pointed out that the Privacy Shield is a fake.

At the same time, the Court though formally upholding validity of Standard Contractual Clauses, explained that it does not necessarily mean that a data transfer (out of the EU) based on SCC is legal.

The Court explained that the legality of a data transfer based on the SCCs has to be validated in the context of the legislation of the country of destination. If the law of the country of destination does not provide appropriate legal guarantees for data subjects from the EU and allows for arbitrary access to personal data of EU residents of the governmental agencies in the country of destination, then the level of protection afforded by specific SCC executed might not be considered as adequate. In result such data transfer, based on valid SCCs, might remain illegal or may be considered as such by a supervisory authority and then forbidden.

Combining the Courts conclusions regarding the SCCs with the Courts findings regarding the US self-granted rights to electronic surveillance of foreign persons, as well as lack of procedural guarantees for foreigners (non-US citizens) we come to the conclusion that the SCC as such no longer validate transferring data from the EU to the US. Or at least that SCC based transfer is now “suspicious” and the real level of data protection of such transfer needs to be evaluated. 

Opinions are now formulated, including an important voice of NOYB – European Centre for Digital Rights – a foundation established by Mr Max Schrems, the activist whose efforts resulted in invalidating first the Safe Harbour and now the Privacy Shield, that all “big” data transfers to the US, based on which global cloud computing services are being provided, should be regarded as illegal. 

For sure it will be difficult to defend the legality of the transfer between Facebook Ireland and Facebook Inc, leading to the commented judgment. All that Helen Dixon, the Irish Data Protection Commissioner, can do for Facebook at the moment is delaying her decision to delegalise sending Facebook’s EU users’ data to Menlo Park (Facebook Inc).

Still, in my opinion, it is possible to defend legality of certain types of cloud computing services where some data being transferred to the US is based on SCCs. Services where the user generated content is not being sent to the US, so only telemetric data (or even basic user data – i.e. address book of users), are being sent to the US. 

Also, services protected by end-to-end encryption seem to remain compliant. Additionally, services where data is not stored (they are deleted after completion of specific processing) might remain legal. Though in the latter case, a particular attention should be given to technical data storage, cleaning buffers and dumps etc.

Of course, as the National Security Agency has access to data transferred through the Atlantic via underwater cables, all data in transfer should be properly encrypted at appropriate TSL standard. 

In each case a real ability to spy on users of a service should be reviewed and based on such findings, decide on the adequacy of data protection in that service.  

Written by Maciej Gawroński from Gawroński & Partners