Outside the European Economic Area, the transfer of personal data and governed by chapter V of Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (RGPD). Article 44 of this regulation provides that the transfer of personal data outside the EEA can only take place if sufficient guarantees have been put in place to ensure a level of data protection at least equivalent to that guaranteed by the GDPR in the territory of the EEA. What guarantees are given to data transferred outside the EEA? On February 5, 2010, the European Commission adopted the decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries . These clauses are intended to compensate for the inadequacy of the guarantees offered by third States. It imposes obligations that the data importer is required to comply with. In addition, was concluded on July 12, 2016, on P rivacy shield , a contract between the United States and the European Union to protect data. But can these agreements be considered to allow European citizens to benefit from a sufficient level of protection when their data is processed outside the EEA?
By a judgment of July 16, 2020 , the Court of Justice of the European Union has validated the decision of the European Commission of February 5, 2010 relating to standard contractual clauses. Indeed, it considered that the standard contractual clauses dating from 2010 were not in themselves contrary to Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union which respectively guarantee respect for private life. and family, the protection of personal data and the right to an effective remedy and access to an impartial tribunal. However, compliance with these provisions must be assessed by carrying out an assessment of the effectiveness of the guarantees as applied by the importer of the data which is the subject of the dispute, with regard to the obligations incumbent on him in the third country. concerning. Conversely, finding that the legislation in force in the United States did not ensure a sufficient level of protection for European citizens, the Court declared the invalidation of the Privacy Shield, which was normally intended to remedy these shortcomings.
In this case, an Austrian national lodged a complaint requesting that the competent authorities prohibit Facebook Ireland from transferring personal data concerning him to the United States, arguing that American law did not allow him to benefit from a sufficient protection of their personal data. However, Article 44 of the GDPR specifies that in the event of transfer of the data of European citizens to a third country, the level of protection of individuals guaranteed by the GDPR must not be compromised.
The applicant was denied his request on the grounds that the European Commission recognized the existence of a sufficient level of protection.
Faced with this refusal, the applicant appealed to the Supreme Court of Ireland, which decided to refer to the CJEU a request for a preliminary ruling on the interpretation and validity of decision 2000/520. By judgment of 6 October 2015 , Schrems, the Court declared this decision invalid and considered that the legislation in force did not make it possible to ensure an adequate level of protection.
Following this decision, an investigation was carried out by the Irish authorities, Facebook Ireland indicated that a large part of the personal data collected from users was transferred to Facebook Inc. on the basis of the clausesits types of data protection. The Irish Supreme Court was thus seized to know if the standard contractual clauses should be invalidated considering that they do not remedy the lack of adequacy of the American legislation because these clauses do not bind the American public authorities. The Irish Supreme Court, in turn, seized the CJEU in order to ask it various preliminary questions relating to contractual clauses and the Privacy Shield.
First of all, the European judges recall that a transfer of personal data made for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country falls within the scope of the GDPR. . This taking into account that these data may be processed by the authorities of the third country concerned for the purposes of public security, defense and State security.
Then the following question arises:
Can European residents be considered to benefit from a sufficient level of protection of their personal data when processed by the United States?
The European judges affirm that “ the law of this third country does not provide the necessary limitations and guarantees with regard to interference authorized by its national regulations and does not ensure effective judicial protection against such interference. . “The judges consider that the level of protection granted in the United States to the data of European citizens is not sufficient with regard to the requirements of the GDPR. European judges found that several US surveillance programs allow intelligence agencies to collect and process data on a massive scale, including data relating to European residents. Current US law does not provide European residents with sufficient protection or an effective remedy against interference with their rights.
Second, the question arises: do the commitments resulting from the Privacy Shield ensure sufficient protection with regard to the GDPR? The purpose of this agreement between the United States and the European Union was to remedy the problem of the inadequacy of the American protection system with that established by the GDPR within the European Union. Its objective is to allow the free transfer of data between the two territories while respecting the requirements of European regulations. The Court considers that this objective has not been achieved. According to her, the data protection shield ombudsman, described as being “ independent of the intelligence services ” is unable to take binding decisions with regard to the American surveillance services, depriving the persons concerned with any legal guarantee or right of effective remedy.
Not ensuring a sufficient level of protection with regard to the GDPR, decision 2016/1250 adopting the Privacy Shield was annulled by European judges. This means that it is no longer possible to transfer personal data freely to organizations located in the United States.
“ so that the level of protection of natural persons guaranteed by [the same] regulation is not compromised “
The last question that arises concerns the standard contractual clauses for the transfer of data provided for in decision 2010/87 mentioned above. The following problem arises: is the conclusion of standard contractual clauses sufficient to ensure an adequate level of protection of personal data under the GDPR in the event of transfer of said clauses? To respond to this problem, the judges looked at the criteria to be taken into account to determine whether the level of protection provided by the clauses is sufficient. As stated above, before making transfers of personal data, data controllers must ensure that they have provided for “appropriate guarantees” “that the data subjects have enforceable rights and effective legal remedies”. According to the Court, the conclusion of standard contractual data protection clauses adopted by the Commission may constitute such appropriate guarantees.
This level of protection must be applied “ so that the level of protection of natural persons guaranteedby [the same] regulation is not compromised ”, regardless of the GDPR provision on which the data transfer is based. This means, regardless of whether the transfer of personal data is carried out between two countries subject to the GDPR, to a country which benefits from an adequacy decision or whether it results from the conclusion of standard contractual clauses, the final protection granted under the transfer must be similar.
To control the level of protection, judges will therefore have to take into account the contractual provisions concluded between the data controller established in the Union and the recipient of the transfer established in the third country, but also the possible access of the public authorities of this country. third party to the transferred data and the relevant elements of the latter’s legal system which may allow data subjects to exercise legal remedies. Thus, the sole study of standard contractual clauses is insufficient to ensure the lawfulness of the transfer of data, it is necessary to take into account the whole of the context surrounding these clauses to ensure that the level is equivalent to that guaranteed by the GDPR within the European Union. However, as detailed previously, the American legislation does not allow European citizens to benefit from sufficient protection with regard to the GDPR and the use of standard contractual clauses does not make it possible to alleviate the problems linked to the American system because the standard contractual clauses do not undertaking that the parties which entered into them, consequently the American authorities, will not be subject to them and European nationals will not be able to benefit from effective protection of their personal data. The CJEU emphasizes that “ This is the case, in particular, when the law of this third country allows its public authorities to interfere with the rights of data subjects relating to these data “.
The only solution would be to put in place measures to regulate the disputed laws in accordance with European requirements
If these clauses do not ensure a sufficient level of protection with regard to the requirements of European law, can they be considered valid with regard to European Union regulations? Shouldn’t they be canceled? European judges consider that other measures can supplement the clauses without affecting their validity. However, they consider that an adequacy decision finding that a country provides “ an adequate level of protection ” and therefore has “ all the required guarantees ” allows the personal data of European nationals to be transferred freely without the need for additional guarantees because it has been proven by the Commission that the level of protection granted by the third country meets the requirements of the GDPR.
The Court maintains that the establishment of standard contractual clauses aimed at providing a framework for a transfer therefore implies responsibility for the data controller who exports the data. This involves checking “ on a case-by-case basis and, on a case-by-case basis […] whether the law of the third country of destination provides appropriate protection, […], by providing, if necessary, additional guarantees to those offered by these clauses. ”. Failing this, for the controller to be able to put in place sufficient measures to guarantee such protection, the exporter, or failing this, the competent control authority must “ suspend or end the transfer of data to personal character to the third country concerned ‘. Therefore, the data controller who exports them is obliged to check the legislation of the importing country to transfer this data even before entering into contractual clauses.
Finally, European judges highlight the fact that contractual clauses provide for guarantees which aim to ensure compliance with European legislation. Consequently, these model clauses remain valid. But despite this, it will become complex for a European data controller to have recourse to it, for example, to export data to the United States because the conclusion of this type of clause implies to find out beforehand about the legislation around data protection in the importing country, yet the CJEU has characterized that mass surveillance is omnipresent in American law, it is therefore rare that the co-contractor does not fall within the scope of the disputed surveillance laws. The only solution would be to put in place measures to regulate the disputed laws in accordance with European requirements, a solution impossible to put in place as a private actor.
This judgment has profoundly changed practices. First of all, it implies that transfers of data to the United States formerly, carried out under the basis of the Privacy Shield must modify their framework or be suspended. In addition, it means that if the contract is subject to the scope of the disputed surveillance laws, the standard contractual clauses cannot be used. The only possible solution would be to respond to one of the hypotheses of article 49 of the GDPR which provides for “ exemptions for special situations “: these are in particular cases where the data subject has given its consent, if the transfer is necessary for the performance of the contract or if it is justified by reasons of public interest.
Despite these derogations from article 49, it cannot be denied that this decision leads to legal uncertainty, faced with this, European companies will have to rethink the transfers of personal data they have to countries that do not benefit from protection. adequate with regard to European requirements.
Eternoscorp remains at your disposal to ensure the transfer of the data you have to third countries in a manner that complies with European legislation and the control and monitoring requirements that it implies.
| 
Besoin de conseils en lien avec ce sujet ?
Faites appel à nos experts !
Que pensez-vous de cette analyse ?
Réagissez !