BCRs and Tetra Pak has just got them approved in Sweden

An extremely interesting development considering the recent Schrems II decision and that Tetra Pak has US operations.

This is a first for the Swedish Data Protection Authority with BCRs. OneTrust has a good summary of the decision, etc., in English. Here is the decision in Swedish.

Now, there is much discussion on the legality of Binding Corporate Rules since Schrems II; after all, surveillance in the U.S. is omnipresent, over which we have no control here in the E.U., but in reality what this decision means is that we need to be realistic, business must go on.

My take on the transfer of data is to dive into the potential risks to the rights and freedoms of the natural person. If there are none, e.g. you are only transferring the email address and name of the individual, and maybe they are adding business activities into a log, e.g. financial records, I find it difficult to really force myself to change an established business practice, especially now in coronavirus times, when many businesses are in survival mode and many are close to bankruptcy. If HR data is being transferred then this clearly must change.

I am, even as a privacy professional, sceptical of all the fuss and hype there is on blocking all personal data transfers out of the EU to a country such as the U.S. (now lacking an adequacy decision with Privacy Shield gone), because of Schrems II.

I guess if I wasn’t a small startup myself, serving small-medium businesses, I would think differently. But if this is all too complex, the SMB will do nothing; they have too much to lose, and when it happens it can go quick, so money spent must be prioritised. For the SMB Schrems II is like double-dutch, all this legal speak, it’s outside the boundaries of their business operations, and the Data Protection Authorities get this, and are not normally targeting the small actors selling consulting, car repairs, chickens, or a pair of shoes; they are after the biggies.

An open letter to the CJEU from L

Read a view of the Schrems’ decisions from the other side of the great pond, in the U.S. I found this to be an informative, serious but fun read through the spectacles of Lydia F de la Torre, EU & US Counsel (Spain/California) and a lecturer of Privacy Law at Santa Clara University School of Law. Grab a coffee, it is long and its climax is an open letter to the CJEU which I’ve copied below 🙂

Everyone knows the story of the Privacy Shield. Or at least they think they do. But, I’ll let you in on a little secret. Nobody knows the real story, because nobody has ever heard my version of it. I am a lecturer at Santa Clara Law. You can call me L.

The blog post by Lydia covers the Schrems I and II saga. From reading it I gained some insight which I hadn’t really bothered to dig into earlier, but I am not alone in this. One example: Schrems I resulted in the fall of Safe Harbor, we all know this, but what is not common knowledge is that it seems even Max himself was unaware that Facebook were using SCCs; if he’d known earlier there would have been no Schrems II, because it would have been taken up at the beginning.

You really should read the complete post from Lydia, it is actually entertaining 😉

To: The Court of Justice of the European Union (Grand Chamber)

In regards: Overdue homework

Dear Grand Chamber:

I have been waiting for years for you to give us a hint as to what is the essence of the European right to data protection.

I know you know the right to a private life and the right to data protection are two different rights, but I am starting to suspect you can’t tell them apart as you keep citing to them as if they were twins.

And that is a scary proposition, since the ECtHR is not going to steal your thunder because the European Convention of Human Rights (that the ECtHR has the authority to adjudicate on) does not recognize a right to data protection.

Perhaps reading member state caselaw on the right to data protection could get your creative juices flowing? Jurisprudence under Article 35 of the Portuguese Constitution or Article 18(4) of the Spanish Constitution? How about the German classics on Recht auf informationelle Selbstbestimmung?

And yes, I know you are not bound to follow precedent from the Constitutional Courts of Member States.

But let’s be honest.

You can’t claim copyright over the EU Charter of Fundamental Rights either. We all know the Charter is just a compilation of the rights granted to Europeans, initially, by Member State law.

So please, do your homework next time you rule on a GDPR case and hand down something that tells us what the core of the European right to data protection exactly is. Is data localization absent essential equivalence for a cross-border transfer part of it? If Privacy Shield had passed muster from a privacy perspective, would a violation of Article 47 of the Charter (since the Ombudsperson did not equate to a tribunal within the meaning) trigger a violation of the fundamental right to data protection under Article 8.3 of the Charter?

Looking forward to hearing from you soon.

Sincerely,

L

In the Privacy Shield storm - practical advice

I am still attending a great session hosted by the IAPP on the Schrems II decision and the Privacy Shield consequence, i.e. it is no longer a legal mechanism for data transfer from the EU to the US.

Miriam Wegmeister was a great panelist and gave some great insights, very practical and cool lady!

Practical steps as follows:

  • There were some revised SCCs drafted even before this decision which can be used.
  • Look at other mechanisms, e.g. transfers subject to appropriate safeguards (Article 46). What jumps out at me are (e) Code of Conduct, and (f) Certification.
  • Art 49 is normally only to be used in exceptional circumstances; maybe the Commission can relax on this. Art 49 covers derogations for international transfers, my favourite (not) legal subject. It makes sense, as it is similar to Art 6, with some variations.

The decision is that Privacy Shield is not legal anymore, stop, no grace period. However, looking at the UK Information Commissioner’s website, voila, they are recommending to “continue using Privacy Shield until new guidance becomes available” but not to start using Privacy Shield.

Yes, I’m angry about the Schrems II decision!

Why the hell should a devoted privacy and GDPR advocate be angry about this decision? After all, it’s good for privacy, is it not?

Yes, the decision is correct, but also no.

Clearly Facebook is a scapegoat, twice now with Schrems I and II. But now we are in limbo again! The fact is that the large businesses have heaps of money to bring in an army of legal professionals to replace all Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs), which may or may not work. The Small Medium Business (SMB) does not have this luxury.

Apart from the large businesses, I work with quite a lot of SMBs, and I can tell you exactly how they feel in a single word… confused; in two words, confused and hopeless. Most have yet to do their work for GDPR compliance, and those which have may have made an initial effort in 2018, but have since done nothing.

What makes me angry is that now, in 2020, some of these are calling me in because I have created some low-cost tools which help them to help themselves. They are making the effort, but they are, in the main, using cloud providers from the U.S., and there was a simple remediation: to check that the business was Privacy Shield certified. I had a cheat list of all the most common cloud services; if the business wasn’t listed, my recommendation was to move to another which was. And so it was cheap and easy for them to fix themselves, without paying me my expensive hourly consulting rate.

So now all these SMBs have nothing, again. And yes, I’m angry, because I was starting to get some traction in the SMB market. My speciality is making this legal stuff doable for any business; it’s not rocket science. But now it’s quite ridiculous: there is no way I will instruct every SMB to stop using all U.S. cloud services, they will kick me out. In fact the low-cost GDPR tools I have created are based on U.S. services, and they can’t be moved. There is nothing equivalent in the EU. It feels unfair to the SMB; they are getting the GDPR thing, and how it is good for business. Together, my small business and my customers were starting to make great progress.

It is not only my opinion that the SMB is critical for a functioning society, although maybe it is just mine that it is the SMB which will suffer most from this judgement?

Okay, sorry for this rant. I’m feeling a bit like Ms Angry, but now I’m done 😉

Image taken from https://www.bbc.co.uk/programmes/p05g2zz1.

Ambiguous status of SCC under the ‘Schrems II’ decision

As the whole privacy community already knows, the CJEU has today struck down the EU-US Privacy Shield scheme, while confirming the validity of SCC.

Arguments against Privacy Shield have changed little since the ‘Schrems I’ decision that invalidated Safe Harbour – governmental intrusion, lack of proportionality, ineffective role of the ombudsperson.

What is really new is that an EU-based data controller relying upon SCC is now expected to assess how public authorities in third countries obtain access to personal data and how the legal system in those countries works.

Two questions still remain:

1. How are the controllers in question expected to conduct such an evaluation? Is there any methodology in this regard? It may seem somewhat similar to what we have in Article 45(2) – the factors the Commission shall evaluate when issuing adequacy decisions. However, a private entity living with SCC is not an EU body and often does not have sufficient resources and understanding as to how to conduct the research and put the necessary safeguards in place.

2. Enforcement. Amid DPAs facing a lack of financial resources and manpower, the CJEU’s decision puts an extra burden on them. Thus, a newly invented (by the CJEU) requirement may easily end up becoming unviable, with no practical effect due to insufficient oversight.

Bonus question: taking into account the ‘accountability’ principle, how should exporting controllers demonstrate their compliance with the new obligation?

Hopefully, answers are yet to come.