Facebook loses challenge

Facebook loses challenge as court rules in favor of DPC

Facebook loses challenge as the High Court rules in favor of the DPC’s draft decision proposing an inquiry into, and suspension of, Facebook’s data transfers to the US.

Following the Schrems II judgment of last July, the Irish Data Protection Commission (DPC) opened an inquiry into Facebook Ireland Ltd and issued a preliminary draft decision proposing to suspend the company’s EU-US data flows. Facebook disagreed with the decision and challenged it, asserting that the DPC’s decision and the procedures it subsequently adopted were amenable to judicial review. That challenge has now failed. The High Court’s ruling, which leaves Ireland’s lead regulator free to pursue the suspension of Facebook’s EU-US data flows, is likely to have major effects on Facebook’s operations.

This decision is the culmination of an eight-year battle, initiated by a complaint filed by Mr Max Schrems in 2013.

Facebook Ireland, a subsidiary of the US company Facebook Inc, provides the Facebook and Instagram social networks to the European region and houses the group’s European headquarters and central administration in Dublin. In June 2013, Mr Maximilian Schrems filed a complaint with the DPC regarding the transfer of his personal data to the US by Facebook Ireland, claiming that it was unlawful under national and EU law; in October 2013, the DPC stated that the matter would be “investigated promptly with all due diligence and speed”. In May 2016, the DPC wrote to Facebook Ireland and Mr Schrems with a draft decision that Standard Contractual Clauses (SCCs) could not lawfully be relied upon for transfers of EU citizens’ personal data to the US. The proceedings that followed led to a reference to the CJEU, which gave judgment in July 2020. The court ruled that, under the GDPR, EU residents whose personal data is transferred to a third country on the basis of SCCs must be afforded a level of protection essentially equivalent to that guaranteed within the European Union. Since public authorities in the United States are not bound by SCCs, data transferred there may not be effectively protected. As a result of last year’s judgment, the Irish DPC launched an inquiry and came to a preliminary decision to halt Facebook’s data transfers to the US, a decision that Facebook subsequently challenged.

Facebook challenged the DPC’s draft decision, claiming that the DPC should have awaited guidance from the EDPB.

Facebook challenged both the draft decision and the inquiry, claiming that the Data Protection Commission should have waited for guidance from the European Data Protection Board (EDPB) before opening an inquiry and proposing the suspension of its data transfers. The company asserted that, as a member of the EDPB, the DPC was due to receive that guidance imminently and should not have acted before receiving it. The guidance was eventually published in November 2020, and on 14 May 2021 the High Court ruled that Facebook Ireland “has not established any basis for impugning the DPC decision or the PDD or the procedures for the inquiry adopted by the DPC” (the PDD being the DPC’s preliminary draft decision). The judge rejected Facebook’s claims that the DPC had breached its duties in how it handled the case. Mr Justice David Barniville did note, however, that the DPC should have responded to certain questions that Facebook raised in its October 2020 correspondence.

Facebook loses challenge as the High Court ruling allows the Irish DPC to proceed with a second, “own volition” investigation against Facebook.

With this ruling the long-running judicial review battle has come to an end, and the DPC’s proposed suspension of Facebook’s data transfers to the US can now proceed. A second, “own volition” inquiry is also running in parallel with the original complaint dating back to 2013, the one that led to the CJEU’s “Schrems II” decision. In its 127-page judgment on Facebook’s application for judicial review, the High Court rejected Facebook’s claims against the DPC. Eight years after the initial complaint, the DPC is now free to act on its draft decision to stop Facebook’s EU-US data transfers, a step likely to have a heavy impact on Facebook’s operations. For its part, the company said it looked forward to defending its compliance before the Data Protection Commission.

Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing.  Contact us today.

SCCs and Privacy Shield

SCCs and Privacy Shield replacement updates, what can we expect?

SCCs and a Privacy Shield replacement are both of paramount importance to trans-Atlantic data flows; right now, however, the focus is on the new SCCs.

Almost one year after the CJEU’s “Schrems II” decision, a new EU-US Privacy Shield may still be far off. Standard Contractual Clauses, however, were upheld by the court and are used frequently to facilitate cross-border data flows, and new SCCs can be expected soon. According to an IAPP article, the new SCCs may arrive within a matter of weeks. Bruno Gencarelli, Head of International Data Flows and Protection at the European Commission, said: “We are about to, because it’s a question of weeks, adopt modernized SCCs that do things that are aligned with the (EU General Data Protection Regulation) that are much better adapted to the reality of today’s digital economy”.


The new Standard Contractual Clauses are expected in short order, now that the Commission has considered the feedback received on the draft SCCs.

Since the Schrems II decision, SCCs have been upheld, but with caveats. They have been used to facilitate data flows between the EU and the US, though not without incident. While privacy professionals wait for conclusive information on trans-Atlantic data flows, there have been some recent developments. Speaking at IAPP’s Global Privacy Summit Online, Bruno Gencarelli said that the new Standard Contractual Clauses will soon be adopted. Judging by the feedback the European Commission received, he called the draft SCCs an “enormous success”, and the Commission is taking that feedback very seriously. The process is intended to modernize the SCCs to match the scale and complexity of today’s digital economy.


“This is a much awaited step forward which, once in place, will help to unify the dissimilar criteria that EU Supervisory Authorities have been applying since Schrems II when it comes to international data transfers, as we have recently seen with the Bavarian and French DPAs’ decisions,” comments Cristina Contero Almagro, Aphaia’s Partner.


Negotiations on a Privacy Shield replacement are intensifying, but an agreement may still be far off.

While there is a willingness on both sides to reach a deal on a replacement for Privacy Shield, it requires balancing privacy against national security, which makes this a delicate and complex negotiation. As we have seen since Schrems II, SCCs, while very useful, may not always be enough. Both sides are seeking a durable replacement for Privacy Shield, one that can withstand legal challenges and political scrutiny, and talks are underway for a solution that meets the needs of both parties with regard to both privacy and national security.


Standard Contractual Clauses

Standard Contractual Clauses may not be enough, as a recent decision by BayLDA suggests

BayLDA, the Bavarian DPA, has ordered a German company to stop using Mailchimp, despite the use of Standard Contractual Clauses.

In the aftermath of the Schrems II ruling, we have seen some examples of the judgment’s practical implications. In the most recent case, the Bavarian DPA ordered a German publishing company to stop using Mailchimp, the popular US email marketing platform. Although the transfer of data to Mailchimp, and thus to the US, a third country, was based on Standard Contractual Clauses, it was still unlawful: the company had not done the due diligence needed to ensure that the data was adequately protected from access requests by US surveillance authorities.


Although the German company’s data transfers were based on Standard Contractual Clauses, BayLDA found that additional due diligence was needed.

A complaint was filed with the Bavarian DPA, BayLDA, regarding the German publishing company’s occasional use of Mailchimp for its newsletter. The company’s data transfers to Mailchimp were based on Standard Contractual Clauses. However, under Section 702 of the US Foreign Intelligence Surveillance Act (FISA), Mailchimp may qualify as an “electronic communication service provider”, putting the transferred email addresses at risk of access by US intelligence services. BayLDA found that the publishing company should have taken additional due diligence steps to assess whether supplementary measures were needed to protect the data transferred to Mailchimp from US surveillance.


Following BayLDA’s decision, the company stopped using Mailchimp with immediate effect, avoiding a possible fine.

The respondent in this case had argued that its use of Mailchimp was lawful under Article 44 GDPR. Recital 102 states, in part, that “Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects.” In this case, it was ultimately found that the German company had not adequately protected the fundamental rights of the data subjects affected, as it had not ensured that the data was sufficiently protected from access by US surveillance. The publishing company immediately stopped using Mailchimp for its newsletters, avoiding a possible fine from BayLDA.


This decision by BayLDA provides further clarity on the practical application of Schrems II.

The Bavarian DPA’s decision makes clear to companies transferring data on the basis of Standard Contractual Clauses that SCCs alone may sometimes not be enough. Due diligence is still required for transfers of data outside the EU or UK: where a third country’s surveillance laws are not compatible with EU or UK law, supplementary measures may be needed to adequately protect the data transferred to service providers in that country.


French court ruling provides greater context to the application of “Schrems II” under the GDPR

French court ruling provides further guidance on the application of “Schrems II”, as data hosted by the subsidiary of a US company is found to be adequately protected.

France’s highest administrative court ruled earlier this month that hosting a booking platform for COVID-19 vaccinations on Amazon Web Services (AWS) was sufficiently protected under the EU GDPR. There had initially been some question as to whether using AWS as a hosting platform was compatible with the GDPR after the Schrems II ruling, since the processor is a company bound by US law. The ruling rested on the court’s finding that sufficient legal and technical safeguards were in place should US authorities ever request access to the data. This has significant implications for many companies, underscoring the need for supplementary legal and technical safeguards when data is entrusted to the subsidiary of a non-EU company.


Health data hosted by a company bound by US law, a cause of concern for many, was found to be sufficiently protected under the GDPR.

The plaintiffs in this case were concerned that the hosting of health data by a company bound by US law presented various risks, not only the transfer of data to the US but also the possibility of US authorities obtaining access to that data from the processor. Given the perceived level of risk, the plaintiffs treated the matter as sensitive and urgent. However, what was thought to be a violation of the GDPR under “Schrems II” turned out, on closer examination, to be sufficiently protected, thanks to the several legal and technical safeguards put in place by the defendant, Doctolib. The judge therefore rejected the application to have the service suspended.


The French court’s ruling was the result of a careful assessment of the technical and legal safeguards provided for in the agreement.

The ruling came after careful consideration of the legal and technical safeguards and other guarantees agreed between Doctolib and Amazon Web Services. The court found that the contract between the two contained specific provisions for a procedure to be followed in the event of an access request by a foreign authority; the legal guarantee is that access requests from public authorities to the processor will be challenged. The judge also noted that the data is encrypted, with the key held by a trusted third party in France rather than by Amazon Web Services. Furthermore, the data transmitted to Doctolib through the vaccination campaign contained no sensitive health data, such as an indication that a user is a priority candidate for vaccination because of a pre-existing condition. As an additional measure, any data entered by users to identify themselves when scheduling a vaccination appointment is deleted within three months of the appointment at the latest.


“The ruling signals that there is room for the rule of reason in the application of Schrems II, and should generally be seen as good news for the online industry,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner.

“It is paramount that companies carry out an assessment covering their data flows, the countries involved and the safeguards that should be applied based on the risk identified, what is known as ‘Data Transfer Impact Assessment’”, states Cristina Contero Almagro, Aphaia’s Partner.

This ruling highlights the need for legal and technical safeguards, which are recommended even when data is not being transferred outside the EU.


A key part of complying with “Schrems II” rests on technical measures such as pseudonymization and encryption, and on ensuring that the processor has no way of accessing the re-identification key, particularly where that key could otherwise be obtained by a public authority. Legal safeguards, like those adopted by Doctolib, are also essential. While the new draft Standard Contractual Clauses recently published by the European Commission make similar provisions, it is recommended that, in anticipation of the new SCCs, companies provide for this type of guarantee in a specific addendum, even where no data is transferred outside the EU.
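The technical measure described above, pseudonymization with the re-identification key kept away from the hosting processor and deletion of identifying data after the appointment, can be illustrated in code. The following is an added example written for this article, not code from Doctolib, AWS or Aphaia: the class names ControllerVault and ProcessorStore, the sample bookings and the 90-day retention window are assumptions standing in for the arrangements described in the ruling. It uses a keyed HMAC so that the hosting side holds only pseudonyms it cannot reverse, and contrasts that with an unkeyed hash, which a processor (or an authority compelling it) could reverse by simply enumerating candidate email addresses. Encrypting the stored payload itself would need a cryptography library and is not shown.

```python
"""Keyed pseudonymization with the re-identification key held outside the processor.

Added illustration, not Doctolib's, AWS's or Aphaia's code. ControllerVault,
ProcessorStore, the sample bookings and the 90-day window are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed sample input: two data subjects booking an appointment.
SAMPLE_BOOKINGS = [
    ("alice@example.org", date(2021, 4, 1)),
    ("bob@example.org", date(2021, 4, 2)),
]

# Assumed retention period standing in for "within three months at the latest".
RETENTION = timedelta(days=90)


def normalise(identifier: str) -> str:
    """Canonical form so that "Bob@Example.org" and "bob@example.org" map to one pseudonym."""
    return identifier.strip().lower()


def pseudonym(key: bytes, identifier: str) -> str:
    """HMAC-SHA256 over the identifier. Without `key`, the tag cannot be mapped back."""
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """The weak alternative: a bare SHA-256, which enumeration reverses (see guess_from_unkeyed_hash)."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def guess_from_unkeyed_hash(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """What a processor or a compelled party can do with an unkeyed hash: try candidate addresses."""
    for candidate in candidates:
        if hmac.compare_digest(unkeyed_hash(candidate), digest):
            return normalise(candidate)
    return None


@dataclass
class ControllerVault:
    """Held by the controller or a trusted third party, never by the hosting processor."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: Dict[str, str] = field(default_factory=dict)  # pseudonym -> identifier

    def register(self, identifier: str) -> str:
        p = pseudonym(self.key, identifier)
        self.lookup[p] = normalise(identifier)
        return p

    def reidentify(self, p: str) -> Optional[str]:
        return self.lookup.get(p)

    def forget(self, p: str) -> None:
        self.lookup.pop(p, None)


@dataclass
class ProcessorStore:
    """What the hosting provider holds: pseudonym and appointment date, no identifiers, no key."""
    records: Dict[str, date] = field(default_factory=dict)  # pseudonym -> appointment date

    def store(self, p: str, appointment: date) -> None:
        self.records[p] = appointment

    def purge_expired(self, today: date) -> List[str]:
        """Delete records whose appointment is more than RETENTION in the past; return what was purged."""
        expired = [p for p, when in self.records.items() if today - when > RETENTION]
        for p in expired:
            del self.records[p]
        return expired


def run_demo(today: date = date(2021, 7, 1)):
    """Register the sample bookings, then run the retention purge as of `today`.

    Alice's appointment (2021-04-01) is 91 days old on 2021-07-01 and is purged; Bob's
    (2021-04-02) is exactly 90 days old and is kept. A purge on the host side is mirrored
    in the vault so that no re-identification mapping outlives the record it refers to.
    """
    vault, host = ControllerVault(), ProcessorStore()
    for email, when in SAMPLE_BOOKINGS:
        host.store(vault.register(email), when)
    expired = host.purge_expired(today)
    for p in expired:
        vault.forget(p)
    return vault, host, expired


if __name__ == "__main__":
    vault, host, expired = run_demo()
    candidates = ["alice@example.org", "bob@example.org"]
    print("purged:", expired)
    print("host still holds:", list(host.records))
    print("unkeyed hash reversed to:", guess_from_unkeyed_hash(unkeyed_hash("bob@example.org"), candidates))
    print("keyed pseudonym reversed to:", guess_from_unkeyed_hash(pseudonym(vault.key, "bob@example.org"), candidates))
```

The point of the split is that a subpoena or FISA request served on the host yields pseudonyms and dates only; the lookup table and the HMAC key stay with the controller (or, as in the Doctolib arrangement, a trusted third party), and the purge removes both the hosted record and the mapping once the retention window has passed.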
