Through our work as legal advisors to Link Development, we have dealt with a number of new legal issues. We have found it exciting and challenging to explore new areas of law. Some questions, however, have been more challenging than others. Perhaps the most difficult issue was whether the company could use Google Firebase as a server and database for an app they were developing. Google Firebase is a platform created by Google for the development of mobile and web applications. Since Google is, as is well known, an American company, this raised questions about the transfer of personal data to a third country. We learned that the answer to this question is far from clear. In the following I will explain how we went about resolving the issue, and what challenges exist in the current law.
The question of whether personal data can be transferred to a third country must be resolved under the provisions of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR). The GDPR is implemented in Norwegian law through the Act on the Processing of Personal Data of 15 June 2018. The purpose of the GDPR is to create a consistent and high level of protection for natural persons and to remove obstacles to the free flow of personal data within the EU, cf. recital 10.
If personal data is to be transferred to countries outside the EEA, the GDPR requires a separate legal basis for the transfer in order for it to be lawful. The reason for this is that countries outside the EEA may have different rules on how personal data is processed. The transfer basis shall ensure that the personal data nevertheless enjoy the same protection as within the EEA.
The GDPR specifies three options for transferring personal data to third countries. Firstly, the data may be transferred if the European Commission has decided that the country or area has rules that protect privacy in a similar way to the EEA, as referred to in Article 45. This is known as an adequacy decision. If there is no adequacy decision for the country, the next option is the one provided for in Article 46. That provision allows the transfer to take place if the controller or processor has provided "appropriate safeguards", and on condition that the data subjects have enforceable rights and effective legal remedies, as referred to in Article 46 (2). If this option cannot be used either, the last resort is the exceptions provided for in Article 49. That provision will not be discussed further.
Until recently, the Privacy Shield was the adequacy decision for the transfer of personal data to the United States, cf. Article 45. The Privacy Shield was an agreement between the United States and the European Union that allowed American companies to self-certify. The companies had to demonstrate that the personal data transferred to them enjoyed a similar level of protection as under the GDPR. However, this changed on 16 July 2020 with the Schrems II ruling.
Through Schrems II (C-311/18), the European Court of Justice ruled that the Privacy Shield agreement was invalid as a basis for transfer. The Court held that the agreement did not provide an adequate level of protection under the GDPR, read in light of the fundamental rights in the Charter. Central to this assessment were the far-reaching legal powers of US intelligence agencies and the lack of opportunities for European citizens to challenge decisions on surveillance before an independent body.
At the same time, the Court expressed the view that the standard data protection clauses (often called standard contractual clauses) are still a valid basis for transfer. The standard data protection clauses have been developed by the European Commission. When a data importer signs the standard clauses, the data importer undertakes to process personal data in accordance with the requirements that apply within the EEA.
However, the European Court of Justice also stated that the standard data protection clauses are not always sufficient as a transfer basis. Sometimes they need to be supplemented with additional measures to achieve a sufficient level of protection. This must be seen in the context of the fact that the standard clauses are not binding on third-country authorities, and the country may have laws that take precedence over the standard clauses. The problem arises when these laws interfere with the protection that European citizens have under the GDPR. For example, the third country may have laws that allow the authorities to access the personal data to a greater extent than what the GDPR considers proportionate and necessary. If additional measures are required and these either do not exist or the company is unable to implement them, the transfer is unlawful and must cease.
In the following, I will describe how to assess whether the transfer is lawful. This description will remain at a general level.
Following Schrems II, it is now up to the individual business to assess whether the transfer of personal data is lawful. This, we found, was far from simple. A particular challenge is that one needs to find out what laws and practices apply in the third country, in order to be able to decide whether the level of protection is adequate under the GDPR. This is no easy task. The applicable laws or practices may depend on a number of factors, such as the purpose of the processing and transfer, the type of actors involved, the sector involved, the type of personal data concerned, whether the personal data is stored in the third country or whether there will be remote access to data stored within the EEA, the data format and the possibility of onward transfer to other third countries (footnote 1: https://www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/overforing-av-personopplysninger-ut-av-eos/tilleggskrav-til-overforingsgrunnlag-schrems-ii/).
After determining the relevant legislation and practice, a new challenge arises: one must then assess whether the level of protection is adequate under the GDPR. Here, the business must consider whether the third-country regulations would constitute an infringement of privacy. This is a proportionality assessment. According to the Norwegian Data Protection Authority's guidance, this assessment can draw on sources such as the European Court of Human Rights' case law on mass surveillance under Article 8 ECHR, the points raised by the European Court of Justice in Schrems II, the elements listed in Article 45 (2) and the European Data Protection Board's (EDPB) recommendations on the European Essential Guarantees for surveillance measures. (footnote 2) This is a fairly comprehensive body of legal sources, which means that the threshold for what constitutes an adequate level of protection becomes unclear.
If it is concluded that the relevant regulation in the third country constitutes a violation of privacy, the company must consider whether additional measures can compensate for this so that the level of protection is equivalent to that under the GDPR. The EDPB has drawn up a recommendation on what measures can be implemented. (footnote 3)
Central to this assessment is whether the additional measures actually counteract the violation of privacy. This, too, must be described as a rather complex legal assessment.
Overall, the Schrems II decision creates a number of challenges for businesses that want to transfer personal data to US companies. They are required to make complex legal assessments in light of both US legislation and EU/EEA law, and it is unclear what is lawful. Considering how many companies transfer personal data to US companies, it appears questionable that it is so difficult to assess legality. This issue will be discussed in more detail in a second blog post.
Posted by:
Håvard Sveier Ottemo and Marthe Hella
We look forward to hearing from you, get in touch.