Through our work as legal advisers to Link Development, we were introduced, for the first time as legal practitioners, to the question that plagues any business that processes data electronically as part of its work: "Is this legal?"
The answer turned out to be far more difficult than we had imagined. It forced us to dig into issues that could not be settled with a simple yes or no, and that also had an overarching legal, global and international dimension. At first this was daunting for those of us who had never encountered the problem during our studies, but it also turned out to have legally interesting and unresolved aspects that invited deep dives and learning.
While the substantive issues are dealt with in the second post, the work has also left us with some experiences and reflections, in particular about what we think the law in this field ought to look like. In the following we set out some problems and some potential for improvement which we believe can make it easier for anyone who has to find their way through the EU legal jungle that is the General Data Protection Regulation.
The first problem was accessibility. The General Data Protection Regulation was difficult to navigate, and it was often unclear what one should do and what one must do. Even where the regulation clearly imposes duties on you, it remains uncertain what concretely has to be done to be in line with it. An example of the latter is Article 28 GDPR, which requires a controller that uses a data processor to ensure that the processor provides "sufficient guarantees" of compliance with the requirements of the Regulation.
What constitutes "sufficient guarantees", on the other hand, is not defined. The Norwegian Data Protection Authority (Datatilsynet) provides general guidance on what may be relevant in such an assessment, but it also stresses that the responsibility "ultimately" rests with the controller.
The greatest anguish, however, arose from the question of whether one may lawfully use a data processor subject to foreign law, in our case American law. Following the judgment in Schrems II (C-311/18), the Standard Contractual Clauses now require the user of a foreign data processor to ensure that the legislation of the state to which the processor is subject provides protection essentially equivalent to that under the GDPR. It is therefore up to each individual company to assess the legislation of the state in question before it can even consider using such a processor.
Two issues arise immediately. First, few start-up companies have the expertise, insight or resources to judge foreign national legislation and whether it provides a level of protection comparable to the GDPR. Second, US data processors make up the lion's share of the data processors that are available and relevant to Norwegian companies, so switching to a Norwegian or European processor would often be disadvantageous and resource-intensive if one concluded that the level of protection is insufficient.
The situation as it stands today makes it difficult for companies to deal with the GDPR and to operate in compliance with it. In practice, this unresolved grey area forces companies either to use US data processors without making an individual assessment, or to fall back on European data processors out of fear of making one. Both outcomes are equally hopeless in a modern digitised society, where the use of foreign, and specifically American, data processors is a prerequisite for digitised businesses, not a privilege.
While the issue is of course complex, with international, supranational, legal and political dimensions, we nevertheless envisage some solutions to the problems described above.
One of these is that the individual assessments, and the responsibility for them, should be lifted to an institutional level. An EU body that reviews foreign national legislation on an ongoing basis would place legal responsibility where it belongs, namely with the EU. While this may appear to overlap with the Commission's power to adopt adequacy decisions under Article 45 GDPR, the point is that these reviews would be revisable, provisional and continuous, so that in the absence of a Commission adequacy decision, or after one has been set aside by the Court of Justice (cf. Schrems), controllers would still be able to use foreign data processors with greater certainty and without fear of legal liability. One would thus eliminate the grey-zone doubt and end up with a legal position that is more absolute, but also more consequential.
However, in the light of recent agreements between the EU and the US, it may appear that the need for such a solution will be smaller in the future.
While working with the GDPR has been an educational and interesting experience, and one that has undoubtedly given us a taste for more, the legal situation following the Schrems judgments leaves both legal professionals and anyone else dealing with the regulation wishing for pan-European legislation that provides more clarity and predictability than the current state of the law.
Posted by:
Håvard Sveier Ottemo and Marthe Hella
We look forward to hearing from you; get in touch.