On June 18, 2021, the European Committee released the updated version (v.2.0) of Recommendations 1/2020 on additional measures to be adopted in the event that those provided by Article 46 of the GDPR to legitimize data transfers to third countries, are not sufficient following the impact assessment carried out for the specific case. These recommendations are a direct application of what the CJEU decided in Case C-311/18 concerning the Schrems II case.
The Schrems II decision
The CJEU’s decision in Case c-311/18 concluded that the Commission’s Privacy Shield Decision was invalidated (because it was incompatible with Article 45(1) GDPR, in light of Articles 7, 8 and 47 of the Charter), whereby the registration of the US importing company, to the relevant voluntary certification scheme, was deemed to legitimize personal data flows between an exporter established in the EU and the same company registered to the Privacy Shield. The invalidation made it necessary to find a different legitimation tool for those who in the meantime made use of the Privacy Shield and caused the reopening of negotiations between the EU Commission and the US Department of Commerce for the joint identification of a replacement tool. Negotiations are complex with narrow margins of negotiation – especially on the part of the Commission – in order to avoid the risk that the third new tool of legitimacy may follow the invalidating fate of the previous two: Safe Harbor and Privacy Shield.
Protection level in the third country
Generally speaking, the condition required for the legitimacy of foreign data transfers beyond the EU/EEA borders is the verification of an essentially equivalent level of protection of personal data in force in the importing country.
An essentially equivalent level of protection as the one conferred by the GDPR – read in the light of the fundamental rights of the Charter of Nice – is the prerequisite on which one of the tools of legitimacy provided by Chapter V of the Regulation (i.e. adequacy decision, adequate safeguards, derogations) is then grafted, regardless of which tool is chosen in the specific case.
Essentially equivalent level of protection
It is not necessary that the data protection law of the importing country is identical to that introduced by the GDPR, it is only necessary that it respects the fundamental rights determined on the basis of the provisions of the regulation, read in the light of the fundamental rights enshrined in the Charter. The assessment of an essentially equivalent level of protection is therefore a prerequisite and, in the light of the above-mentioned Schrems II decision, an attempt has been made to establish whether it is appreciable in the case of surveillance measures carried out by the public authorities of the third country for purposes of national security and law enforcement; the question is, in particular, to specify when such activities can be considered justifiable in a democratic society and, consequently, do not affect the assessment of an essentially equivalent level of protection.
European essential guarantees
In the document Recommendations 2/2020 on European Essential Guarantees for surveillance measures of November 10, 2020, the EDPB highlighted which essential safeguards – as inferred from the case law of the CJEU (relating to Articles 7, 8, 47 and 53 of the Charter) and the ECHR (Article 8 of the ECHR) – if complied with, may lead to the conclusion that the aforementioned surveillance constitutes justifiable interference.
There are four essential European guarantees outlined in the document that must still be ensured:
- Processing must be based on clear, precise and accessible rules
- Necessity and proportionality in relation to the legitimate objectives pursued must be demonstrated
- Independent control mechanism
- The individual must have access to effective remedies.
Consequences of identifying essential guarantees
Two consequences follow from the identification of essential guarantees:
- Any surveillance measures carried out by public authorities of the third country – such as national security agencies or law enforcement authorities – which nevertheless respect the above-mentioned essential guarantees, do not affect the judgement of essantially equivalence, since they may constitute an interference justifiable in a democratic society
- Any shortcomings identified in the legal regime of the third country with regard to essential guarantees, on the contrary, affect the assessment of an essantially equivalence, unless the exporter is able to identify and adopt additional measures to ensure these safeguards.
While reiterating the above, it should be borne in mind that the indication of essential guarantees – as stressed by the EDPB – does not exhaust the scope of the verification of an essentially equivalent level of protection which is the responsibility of the exporter: the evidence of essential guarantees has the sole purpose of supporting the assessment of the level of interference – in the rights to privacy and data protection – resulting from the surveillance activity of the public authorities of the third country.