Position
EDPB recommendations 01/2020 “on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”
Federation of German Industries
(EU-transparency register number: 1771817758-48)
Version: 16.12.2020
Executive Summary

BDI is grateful for the opportunity to take a position on the EDPB recommendations 01/2020 on measures that supplement transfer tools for international data transfers. With the CJEU judgment of 16 July 2020 (case C-311/18, Schrems II), responsibility for ensuring an appropriate level of data protection for the processing of personal data in third countries was shifted one-sidedly onto data controllers in the EU, without these controllers being provided with the instruments they would need to manage this mammoth task.

Although BDI regards it as first and foremost a task of the EU legislator to enable data transfers to third countries on the basis of GDPR in an abstract and general manner, German industry was urgently expecting workable and balanced pointers and guidelines from the EDPB and the European Commission in light of the CJEU judgment, so that it would be in a position also in future to continue organising the practical and compliant data transfers to countries outside the EU which are indispensable for globalised and digitised businesses.

However, in BDI’s view, the recommendations 01/2020 as currently drafted fail to meet these expectations. The step-by-step procedure which data exporters must follow to meet their duty of care under data protection law bears witness to a dogmatic approach which pays inadequate attention to the risk-based philosophy enshrined in GDPR and will overstretch the capacities of many businesses in their day-to-day practice. At the same time, the weight that the EDPB assigns to possible additional measures, with a clear emphasis on technical measures which are moreover subject to unreasonably high requirements, ignores the limits of what is possible on the ground and is also disproportionate.
The use cases presented do not do justice to the complexity of practical situations and, with the generalised terms in which they are couched, would lead to completely unacceptable results.
The recommendations in their current form would additionally restrict disproportionately the narrow corridor left by the CJEU for data transfers to third countries on the basis of standard data protection clauses. As a result, this would de facto render large swathes of data transfers impossible, not only to the United States but also to many other third countries without an adequacy decision, with serious negative implications for international data and business traffic.
BDI therefore calls for the recommendations to be reworked in such a way that, while giving balanced consideration to constitutional principles and data protection law, they provide data exporters with pointers for the use of transfer instruments which are workable in practice and, where necessary, set out additional necessary measures with the express objective of supporting practitioners in their efforts to organise and maintain with legal certainty the data transfers to third countries necessary in a globalised economy.
1. Respect risk-based approach and proportionality

The considerations and pointers that the EDPB sets out in its recommendations concentrate one-sidedly on the rights of those affected by data processing, and the verification steps and use cases presented take inadequate account of the principles of proportionality and a risk-based approach enshrined in the General Data Protection Regulation, on which the CJEU judgment of 16 July 2020 (case C-311/18, Schrems II) is also based. For example, recital 4 of GDPR underlines that “the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality”.[1] Given the absence of balanced consideration underlying the EDPB recommendations, limitations would also be placed on data transfers to third countries which entail no material risk to the protection of the data subject’s data once all circumstances of the individual case are properly balanced. This would have massive negative consequences for all areas of industry, from everyday communication with employees outside the EU or necessary trade transactions with companies and institutions in third countries, through to safeguarding the security of IT networks and international cooperation on health research to combat the corona pandemic.

a) Pay adequate attention to circumstances when identifying relevant data transfers and verifying the legal situation

The process set out by the EDPB for establishing the relevant facts is not oriented on practical considerations and possibilities and therefore entails disproportionate burdens for companies, in particular SMEs. For instance, the understanding of data transfer is extended to any onward transfers by processors in the third country to their sub-processors in another third country (cf. paragraphs 10, 31).
Furthermore, additional measures would be needed even where data are transferred to a third country covered by an adequacy decision but are routed onwards through a third country without an adequate level of protection (cf. use case 3). It will be almost impossible in practice, for smaller businesses especially, to establish the entire chain of sub-processors and the precise “routing” of the data; depending on the complexity of the supply chain in question, this is a requirement whose blanket applicability goes beyond the limit of proportionality. It should therefore be clarified that the relevance test is restricted to the data transfer to the data importer and to any sub-processor contracted to process the data in the third country. In any event, the requirement to establish the relevant facts taking all circumstances into account should explicitly always be restricted to what is reasonable in the individual case. In addition, there should be a clarification that data transfers to importers established outside the EU are excluded from the scope of the recommendations insofar as the provisions of articles 3(2) and 3(3) GDPR are directly applicable to them. Moreover, the proposed detailed examination of the level of data protection in the third country in question, with reference to the also recently published and restrictive recommendations 2/2020 on essential guarantees,[2] will in practice be scarcely workable for SMEs and will pose major challenges even for international groups. Here too, it should at least be clarified that the extent of the analysis is always restricted to what is reasonable in the individual case. Furthermore, to support data exporters in their evaluation and to offer a homogeneous basis for the assessment, uniform relevant information on the surveillance laws of, and the related legal situation in, particular third countries should be gathered and published. The general pointers in annex 3 to possible information sources which can provide the data exporter with support are insufficient for this purpose. However, insofar as an exact risk assessment is required of data exporters, the latter should also be able to take into account all circumstances of the data transfer in the individual case in order to arrive at proportionate results.

[1] Cf. also CJEU judgment C-311/18 (“Schrems II”) of 16 July 2020, point 172.
Yet this includes not only the objective legal situation in the third country in question as set out by the EDPB in the recommendations (cf. in particular paragraph 42), but also the likelihood of data disclosure in the specific individual case. The likelihood of data disclosure, or of a corresponding request from an authority in the third country, in a specific individual case, established on the basis of objective criteria (in particular the extent of past disclosure requests by authorities), is a key component of a risk assessment in day-to-day business practice. This is because the real risk of being exposed to such a data disclosure request varies considerably depending on the business model of the data exporter and data importer and on the data category (business data/private information). Making allowance for the probability of intervention in risk assessments is inherent in GDPR (cf. inter alia articles 24 and 25 GDPR). Accordingly, the CJEU also underlines at various points in its decision that the test and assessment should always be carried out in the light of all circumstances of the specific data transfer.[3] The European Commission also appears to interpret the CJEU judgment in this way, since it makes clear in its recently published draft for modernised standard contractual clauses that the test should take into account in particular the specific circumstances of the transfer as well as the relevant experience of the data importer as to whether or not authorities have issued data disclosure requests for the particular type of data in the past (“To that end, they should in particular take into account the specific circumstances of the transfer ( […] and any relevant practical experience indicating the existence or absence of prior instances of requests for disclosure from public authorities received by the data importer for the type of data transferred) […]”).[4] Restricting data transfers to third countries also in cases where the assessment reveals no relevant risk for the personal data of the person in question in the specific context would be disproportionate and out of line with the stipulations of the CJEU judgment and of GDPR. It should therefore be clarified in paragraph 33 of the recommendations that the likelihood of disclosure to the authorities in a specific case should be taken into account alongside the further criteria.

[2] Whereas the European Commission refers to article 23 GDPR as the verification benchmark in the recently published SCC for data transfers (cf. section 19 of the implementing decision on standard contractual clauses for the transfer of personal data to third countries).
At the same time, the categorical exclusion of supposedly subjective criteria from the risk assessment in paragraph 42 should be deleted.

[3] Cf. e.g. CJEU “Schrems II”, paragraphs 112, 121, 146.
[4] Cf. section 20 of the implementing decision on standard contractual clauses for the transfer of personal data to third countries.
b) Appropriate balance and selection of supplementary measures

The findings on the selection and balance of categories of supplementary measures also lack sufficient consideration of the risk-based approach and the principle of proportionality. Thus, the recommendations state that contractual and organisational measures will broadly not suffice, on their own or in combination, to produce an adequate level of data protection in the individual case, but can regularly be applied only as a supplement to technical measures (cf. e.g. paragraph 48). This blanket statement contradicts the principle that the selection of any supplementary measures which may be necessary should also consider all circumstances of the individual case. Articles 24 and 25 GDPR explicitly provide that technical and organisational measures should be deployed “taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons”. A similar provision is included in the Commission draft for new standard contractual clauses, with the further qualification that technical measures should be taken into account if they do not prevent the purpose of processing from being fulfilled.[5] However, the individual circumstances of a data transfer are regularly determined by such a wide variety of factors that a blanket assessment of individual categories of measures as adequate or insufficient is not possible in isolation from the specific case. Even though the authorities of a third country are naturally not bound by the contractual agreements between data exporter and data importer, an obligation on the data importer to reject an official request, together with corresponding information obligations vis-à-vis the data exporter, is nevertheless of great importance for establishing whether there is in fact an attempted data breach.
In suitable cases, an adequate level of data protection can in this way also be ensured jointly with organisational measures. It should therefore be clarified in paragraph 48 that contractual and organisational measures, alone or in combination, can also suffice if an appropriate risk assessment does not identify any relevant risk for the protection of the data of natural persons in the individual case. Beyond this, in light of GDPR and the principle of proportionality it enshrines, the criteria for the selection of one or more supplementary measures (cf. paragraph 49) should be supplemented by further factors, e.g. the purpose of data processing or the likelihood of a data breach by a public authority in the third country in the individual case. Otherwise, there is a danger that companies would, as a result of the balancing process, have to take disproportionate precautions which would often make the intended transfer and processing impossible in practice. The skewed situation for measures to be taken in the individual case as a result of an inadequate balance is already clear from the examples of supplementary measures set out in annex 2, which fail to pay adequate account even to the factors itemised in paragraph 49 such as the nature of the data to be processed. Moreover, the blanket requirement for comprehensive encryption at all stages of data processing disregards the fact that in practice the envisaged and necessary data processing operations often specifically call for the processing of unencrypted data by the recipient (e.g. for the in-house exchange of personnel and worker data or customer files). These would be impeded by the recommended data encryption, which means that this measure does not constitute a suitable solution in these cases. Furthermore, many businesses, in particular SMEs, do not have the tools or resources to apply strong encryption. In addition, the strict ban on data decryption at all stages of processing would have serious implications for IT security: certain technologies, such as the inspection of data packets in order to combat malware and DDoS attacks, require the packets to be decrypted. With a ban on this measure, many businesses would in future have problems maintaining a high level of IT security. In order to offer businesses a real and practical benefit as they implement data protection requirements for third-country transfers, and in order to serve as an orientation for a comprehensive risk assessment in the individual case, the examples should be designed flexibly and in a differentiated fashion.

[5] Cf. draft implementing decision on standard contractual clauses for the transfer of personal data to third countries, annex, section II, clause 1, modules 1 to 4 under the subpoint “Security of processing”.
2. Structure use cases in a practical and flexible fashion

As already explained above, the use cases set out by way of example in annex 2 of the recommendations prove to be unbalanced and not workable in practice, or workable only with great effort. In use cases 6 and 7, the EDPB merely states in general terms that it sees no technical solutions for cases involving the transfer of unencrypted data to data importers which carry out computing operations on these data, or for cases of remote access to unencrypted data for business purposes. These use cases lack other proposed solutions, for instance in the form of contractual and/or organisational measures incorporating a specific risk assessment on the basis of all relevant circumstances in the individual case. In practice, however, both broadly delineated groups of cases relate to a wide range of extremely relevant data processing operations, e.g. the use of cloud/SaaS providers or the in-house exchange of personnel and worker data in day-to-day processes, which can harbour completely different risk potential. Use cases 6 and 7, in conjunction with the other versions of the possible protective measures, imply that there would be no suitable supplementary measures for any of the substantive situations which fall under these widely framed categories, so that companies are deprived of any discretion in maintaining the data processing operations which fall under these use cases, with serious negative consequences for international data and business flows. Against this background and bearing in mind the points set out above, the listed use cases should be critically examined and flexibly structured so that they can do justice to the complexity of the different scenarios in practice and the associated risk potential. As currently presented, the use cases prove to be disproportionate and unhelpful for companies.
About BDI

The Federation of German Industries (BDI) communicates German industry’s interests to the political authorities concerned. It offers strong support for companies in global competition. The BDI has access to a widespread network both within Germany and Europe, to all the important markets and to international organisations. The BDI provides political support for companies opening up international markets. It also offers information and politico-economic guidance on all issues relevant to industry. The BDI is the leading organisation of German industries and related service providers. It represents 40 inter-trade organisations and more than 100,000 companies with their approximately 8 million employees. Membership is voluntary. 15 federal state representations advocate industry’s interests at the regional level.

Imprint

Federation of German Industries (BDI)
Breite Straße 29, 10178 Berlin, Germany
www.bdi.eu
T: +49 30 2028-0

Contact
Ines Nitsche
Legal Advisor
Law, Competition and Consumer Policy
T: +49 30 2028-0
i.nitsche@bdi.eu

BDI document number: D 1295