IT & IP Litigation in Europe : Cross-border flow of personal data (until May, 25th, 2018)
Publié le 18/04/2017 par Etienne Wery
1. What are personal data ?
Article 2 of the Directive 95/46 gives some key definitions about the main terms used to regulate the personal data legal framework.
- Personal data : “means any information relating to an identified or identifiable natural person (“data object”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
- Processing of personal data : “means any operation or set or operations which is performed upon personal data, whether or not by automatic means.”
- Controller : “means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.”
A person is identifiable as soon as he/she can be “identified, directly or indirectly, in particular by reference to an identification number or by one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity ». Applying this criteria is far from easy; as an example, an IP address is considered by many courts (including the EU Court of justice and most Belgian case law) as a personal data, while other judges and legal systems are reluctant to go this way and try to infer from the facts of the case that in a given situation, it should not be protected as a personal data. In the Lindqvist case, the Court has ruled that the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes « the processing of personal data wholly or partly by automatic means ».
In the Tietosuojavaltuutettu case, it has ruled that an activity in which data on the earned and unearned income and the assets of natural persons are: (a) collected from documents in the public domain held by the tax authorities and processed for publication, (b) published alphabetically in printed form by income bracket and municipality in the form of comprehensive lists, (c) transferred onward on CD-ROM to be used for commercial purposes, and (d) processed for the purposes of a text-messaging service whereby mobile telephone users can, by sending a text message containing details of an individual’s name and municipality of residence to a given number, receive in reply information concerning the earned and unearned income and assets of that person, must be considered as the « processing of personal data ».
In the Worten case, it has ruled that a record of working time, such as that at issue in the main proceedings, which indicates, in relation to each worker, the times when working hours begin and end, as well as the corresponding breaks and intervals, is included within the concept of ‘personal data’.
It refers to “any information relating to an identified or identifiable natural person” (the so-called data subject). It is important to underline that such definition makes no difference between the professional or private life: a list of employees in a company is considered as a personal data because it relates to identified or identifiable natural persons. (Note: some EU countries – but not Belgium – have been one step further and do also protect legal entities).
2. The reason for a specific protection
The fear of European countries is that the data processor could circumvent the legal protection by, (i) either locating its activities outside the EU, or (ii) collecting data in the EU and sending it outside EU afterwards in order to process it in a more friendly location. The rules related to the applicable law are the answer to the first problem, while the protection of international data flow addresses the second issue.
The law provides that it applies in a situation where the controller is not established on the territory of the Community and, for purposes of processing personal data, makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community. In such circumstances, the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.
There is no detailed definition of the “equipment” that the data controller must “use” on the “territory” in order to fall within the scope of the national law. The most delicate question is related to the collection of data related to a European data subject, on a website operated by a US company. Because the “collection” of such data is a “process” (see here above), it could mean that the national law of the data subject applies.
The so-called Group 29 (a Working-Party of all national European privacy Commissioners) has provided for additional details and made clear that examples of such equipment are personal computers, terminals and servers. When such equipment is used (for anything else than for the transit of information through the territory of the Community), the national law of the country where such equipment is used, shall apply. The same can occur when such equipment is in fact the computer of the European customer. Indeed, although the equipment should be “used by” the controller, “it is not necessary that the controller exercise full control over [it]”; neither is it needed that the controller has the ownership of the equipment. The Working-Party took the view that the necessary degree of disposal is given if “the controller, (…) determines which data are collected, stored, transferred, altered etc., in which way and for which purpose”.
However the European Court of Justice has stated that “there is no ‘transfer of personal data to a third country’ where an individual in a Member State loads personal data onto an internet page which is stored with his hosting provider which is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country ». (Case C-101-01, BodilLindqvist, ECR, 2003-Page I-12971)
3. Cross-boarder flows are prohibited
It is important to understand that in the situation described in the previous paragraph, the consequence is the fact the data subject may claim the protection of its national law and may, in most cases, claim such protection before its national judge. The situation is different with cross-border flows where the purpose is not to apply national law, but to make sure that no data is transferred outside the EU relevant country, to a recipient located in a less protective country.
The legal regime in all EU countries is harmonized in such a way that “the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if (…), the third country in question ensures an adequate level of protection”. (we underline) In other words, it is a “no, but” regime per default.
The Council and the European Parliament have given the Commission the power to determine, on the basis of Article 25(6) of Directive 95/46/EC whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. As of 2015, the list is limited to Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, State of Israel, Isle of Man, Jersey, New Zealand, USA(Safe Harbor – see below), and Eastern Republic of Uruguay).
Beside this list, businesses have three options to waive the prohibition: they may (i) adopt the Safe Harbor Principles system (USA), (ii) sign ad hoc contracts with the recipient (model clauses), or (iii) enforce binding corporate rules at a global level (BCR).
First and third solutions ensure more freedom for the processor because the latter is deemed to comply with European standards as far as privacy is concerned and is, therefore, largely in the same situation as a European business, including for the reutilization of the data. On the contrary, the second solution is easy to put in place but the processor is bound by the contract and may not do anything else than what is provided in the contract.
(Note: The Safe Harbor Principles system is specific to American businesses, while second and third solutions are opened to any data controller located outside the EU).
4. General exceptions to the prohibition
a) Ad hoc contract and model clauses
The prohibition to transfer data outside the EU is waived if the sender and the recipient of the data sign an ad hoc contractual scheme ensuring that the fundamental principles arising from the European regulation are applied. Such principles include:
- Personal data should be collected only for specified, explicit and legitimate purposes;
- The persons concerned should be informed about such purposes and the identity of the data controller;
- Any person concerned should have a right of access to his/her data and the opportunity to change or delete data which is incorrect; and
- If something goes wrong, appropriate remedies must be available to put things right, including compensation or damages through the competent courts.
In order to facilitate the free circulation of data, the EU Commission has adopted pan-European standard model clauses. Companies may always rely on any different contract they’d draft themselves, provided that it is approved by the national privacy Commissioner of the country of the sender. But, if companies choose for the EU model clauses, all national Member States are under the obligation to recognize the standard contractual clauses as fulfilling the requirements laid down by the Data Protection Directive for the export of data to a third country, and consequently may not refuse the transfer. There are model clauses for a transfer from a controller to a controller, as well as for the transfer from a controller to a processor.
b) Binding corporate rules (“BCR”)
Binding Corporate Rules are internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection. It ensures that all transfers that are made within a group benefit from an adequate level of protection. This is an alternative to the company having to sign standard contractual clauses each time it needs to transfer data to a member of its group, and may be preferable where it becomes too burdensome to sign contractual clauses for each transfer made within a group. Once approved under the EU cooperation procedure, BCR provide a sufficient level of protection to companies to get authorization of transfers by national data protection authorities. It should be noted that the BCR do not provide a basis for transfers made outside the group. BCR must contain in particular: privacy principles (transparency, data quality, security, etc.); tools of effectiveness (audit, training, complaint handling system, etc.); and an element proving that BCR are binding.
5. Specific exception to the prohibition (only for USA)
a) The Safe Harbour Principles
In consultation with the European Commission, the American Department of Commerce elaborated the Safe Harbour Principles, intended to facilitate the transfer of personal data from the European Union to the United States. The protection is organized around seven pillars (the principles):
- Notice: Individuals must be informed that their data is being collected and about how it will be used.
- Choice: Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
- Onward Transfer: Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
- Security: Reasonable efforts must be made to prevent loss of collected information.
- Data Integrity: Data must be relevant and reliable for the purpose it was collected for.
- Access: Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
- Enforcement: There must be effective means of enforcing these rules.
The way those requirements are met is largely in the hand of each company. It usually requires some organizational changes, technical means such as segregation of the data, and ad hoc documentation for internal and external use. A company who wants to qualify under those principles should make a statement to the American Department of Commerce in order to agree with the Principles and publicly declare that it is prepared to respect all of them (meaning, among other things, that the American Federal Trade Commission may check whether or not said company is respecting these principles). Each company must re-certify every 12 months. This can be done by a self-assessment or by a third-party assessment. There are also specific requirements in order to ensure appropriate employee training and an effective dispute mechanism.
b) Invalidation of the Safe Harbour principles
The Schrems case (also called Facebook case although Facebook was not in the trial) is the most noticeable decision of the Court of Justice issued in 2015.
Mr Schrems, an Austrian national residing in Austria, has been a user of the Facebook social network (‘Facebook’) since 2008.On 25 June 2013 Mr Schrems made a complaint to the Irish Commissioner by which he in essence asked the latter to exercise his statutory powers by prohibiting Facebook Ireland from transferring his personal data to the United States. He contended in his complaint that the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities that were engaged in there by the public authorities. Mr Schrems referred in this regard to the revelations made by Edward Snowden concerning the activities of the United States intelligence services, in particular those of the National Security Agency (‘the NSA’).
The Commissioner considered that :
- There was no evidence that Mr Schrems’ personal data had been accessed by the NSA.
- The allegations raised by Mr Schrems in his complaint could not be profitably put forward since any question of the adequacy of data protection in the United States had to be determined in accordance with Decision 2000/520 and the Commission had found in that decision that the United States ensured an adequate level of protection.
Regarding the second argument raised by the Commissioner, the Court of Justice ruled that a Commission decision adopted pursuant to Article 25(6) of Directive 95/46, such as Decision 2000/520, cannot prevent persons whose personal data has been or could be transferred to a third country from lodging with the national supervisory authorities a claim concerning the protection of their rights and freedoms in regard to the processing of that data. A decision of that nature cannot eliminate or reduce the powers expressly accorded to the national supervisory authorities.
As a result, the existence of the Safe Harbor Principles “does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection”.
Regarding the second argument, the Court has notably ruled that :
- Protection of the fundamental right to respect for private life at EU level requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary.
- Legislation is not limited to what is strictly necessary where it authorizes, on a generalized basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail.
- Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection
Consequently, the Court has decided that the Commission decision supporting the safe harbour principles is invalid.
c) The new EU-US privacy shield
Since February, 2016, a new framework has been adopted in order to protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.
The political declaration states that “the EU-US Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid. The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson”.
The same declaration underlines that the new arrangement will include the following elements:
- Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
- Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
- Effective protection of EU citizens’ rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
The Article 29 Working Party (WP29) has determined that the following four guarantees should be respected when personal data is transferred outside the EU:
- Data processing should be based on clear, precise and accessible rules.
- Data collection should be proportionate.
- An independent oversight mechanism should be in place.
- Effective remedies should be available to data subjects.
The WP29 has stated that it will examine the Privacy Shield on the basis of these four guarantees.
Around Spring 2016 – during the Summer at the latest – the US government and the EU Commission will finalize the draft of the new legal framework. In the meantime, businesses should double-secure their transfers with one of the general exceptions (see here above).
d) Listed and/or large companies
In practice, a large number of multinational and/or listed companies start by qualifying under the Safe Harbor Principles or the new EU-US privacy shield in order to secure exchanges between the EU and the USA. Later on, they deploy those Principles within the group to harmonize the protection of data regardless the country where they are processed/sent/received. At the end, they get approval of the global system under the BCR system. Despite the fact that the whole process can prove to be quite heavy, those companies usually find it satisfactory at the end, notably because it considerably facilitate compliance with other legal requirements, such as whistle blowing procedures, e-discoveries, SOX Act and other financial regulations for listed companies.
6. Other exceptions to the prohibition
Very exceptionally, the national data protection authority of the sender of the data in the EU, may authorize a transfer that would normally not be fully compliant; it will usually authorize it under other strict conditions and is usually reluctant to do so.
Also, the prohibition is waived in the following exceptional situations provided for in the European directive (please note it being exceptions, they should be interpreted restrictively and cannot constitute a normal framework for data transfers, especially when they are massive and repetitive):
- The data subject has unambiguously given his free and informed consent to the proposed transfer;
- The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject’s request;
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
- The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims;
- The transfer is necessary in order to protect the vital interests of the data subject;
- The transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.