Last week, at the time of writing this article, the Court of Justice of the European Union (“CJEU”) reached a decision for the Schrems II case. Much has been said about the decision already, but to our knowledge, its impacts on European (“EU”) funded projects have not been discussed.
European funded projects typically involves a number of organisations from EU member states as well as from a long list of further countries outside the European Economic Area (“EEA”), working all together for the aim of the project.
In this context, it is not infrequent for personal data to be collected from EU citizens in the EU and then transferred outside the EEA for research and innovation actions.
This kind of activity, while not illegal or problematic per se, requires the compliance with additional rules and provisions, in primis with Chapter V (Transfer of personal data to third countries or international organisations) of the EU General Data Protection Regulation 2016/679 (“GDPR”).
Among the requirements provided therein, the EU legislator, besides having recalled the unavoidable compliance with the principles set forth in other chapters of the GDPR, identifies a series of legal grounds pursuant to which the transfer of personal data might operate.
For the purposes of this article, it is worth to recall that there are essentially three levels of protection when it comes to personal data transfer, from the strongest to the weakest, in terms of ensuring that the fundamental rights (in particular those provided in article 7 and 8 of the Charter of Fundamental Rights of the European Union) of EU citizens are in any case respected and not undermined:
- the first is represented by so-called adequacy decisions. Pursuant to article 45 of GDPR, the EU Commission might issue an adequacy decision after a long and in-depth analysis on the ability of a given third country to ensure “an adequate level of protection”, followed by the negotiation on the content of the adequacy decision with the third country in question;
- the second one is represented by the derogations provided in GDPR article 46 , which will be applicable whenever an adequacy decision has not yet been issued, and among which there are the standard contractual clauses (“SCC”) adopted by the EU Commission (article 46, par. 2 lett. c); and then
- specific and well detailed exceptions (article 49 of GDPR) to be used as last recourse.
Of course, it appears clear that not all third countries successfully negotiated with the EU Commission an adequacy decision, and for this reason, SCC comes to hand.
Indeed, SCC are essentially a template agreement drafted by the EU Commission providing certain requirements and safeguards that cannot be derogated by private parties and that can be filled by EU data exporters willing to transfer personal data outside the EEA to organisations that will then process those personal data.
As a matter of fact, with the decision 2004/915/EC and 2010/87 EU, the EU Commission published two different set of SCC: one regulating the relationship between an EU data controller and an extra EU data controller, and the other regulating an EU data controller and an extra EU data processor. This distinction should be kept in mind.
In fact, last week, on Thursday 16th 2020, with the decision concerning the case C-311/18, or as publicly known as Schrems II, CJEU ruled over:
- the invalidity of the Privacy Shield, i.e. the adequacy of decisions that so far represented the legal ground allowing the transfer of EU personal data to the United States of America (“USA”); and
- while confirming the validity of decision 2010/87 EU providing for the EU data controller – extra EU data processor SCC, the CJEU stated that the EU data controller, before entering into data transfer agreement with third countries data processor, must assess: “whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses” (par 134 of the sentence). An example, which is directly inferred in the case at hand, is whether the third country has in place programmes of mass surveillance performed through personal data processing.
The legal consequences and implications of this ground breaking decisions are several, and we suggest reading at least one or two analyses of prominent legal scholars published over the last few these days (among the other the one published on the European Law Blog by Professor Christopher Kuner). Moreover, applying the finding of the CJEU to EU funded project, it is possible to make the following considerations:
- if among the partners working in the project there are partners incorporated under US law that are currently receiving data of EU citizens, the transfer of such personal data is now illegal and should cease (also considering that the CJEU did not indicate a grace period, but rather seems to go in the opposite direction, see paragraph 202 of the judgement);
- if the project contracted service providers having their data base in US, the situation is the same as above;
- a different, but at the same time tricky situation, might occur if the service provider engaged for the project made available EU-based servers through a subsidiary, or in any case an entity with corporate relationships with US-based companies, according to which the subsidiary might be allowed to transfer personal data of its users to the parent company;
- If, for the purposes of the project, it is necessary to transfer personal data to a third country not covered by an adequacy decision and the recipient of the personal data is a data processor, the project should use the SCC; however, the obligations identified by the CJEU might cause several practical difficulties. The European Data Protection Board indeed stated: “While the SCCs remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter […] shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country”.
Last but not least, in light of the finding of the CJEU, further considerations can also be formulated considering the presence in many EU funded projects of partners incorporated under Israel and/or UK laws. Indeed, the transfer of personal data to Israel is now covered by an adequacy decision; however it is also known that in Israel mass surveillance programmes are currently in place. On the other hand, the UK will exit definitely from the EU by the end of December 2020, and the possibility to transfer personal data from the EU to the UK might hinge on the issuance of an adequacy decision. However, the UK itself has been also recently (in 2018) condemned for the implementation of surveillance laws which violate fundamental rights of privacy and data protection (see the case of Big Brother Watch and Other vs The United Kingdom, held before the European Court of Fundamental Rights)
In any case, without the presumption to summarize in few words a very complex legal dilemma, here are additional sources for further information:
- the European Data Protection Board has made available an FAQ document that adequately analyse the sentence’s implications for data supervisory authorities;
- for equal representation, here is the reaction of the US Secretary of Commerce;
- here, instead, you can find the text of the full sentence;
- here the International Association of Privacy Professionals collected the press releases so far published by EU Institutions as well as data protections authorities.