What Schrems II means for EU data transfers to Hong Kong
7 August 2020
On 25 June 2013, Maximillian Schrems, an Austrian national, applied to the Data Protection Commissioner in Ireland to prohibit Facebook from transferring his personal data to the United States. Seven years later, that application has resulted in a judgement of the European Court of Justice (ECJ), known as the Schrems II decision, that may have serious consequences for recipients in Hong Kong of personal data transferred from the EU. Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt explains the implications.
The facts and findings
Mr Schrems claimed that the law and practices in the United States do not offer sufficient protection against access by public authorities to his personal data transferred from the EU to that country. He asserted that US laws require Facebook to make personal data transferred to it available to US authorities such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).
In the course of its judgement, the ECJ referred to surveillance programmes of the NSA and FBI that copied and filtered internet traffic flows (including metadata and communication content), and that accessed data in transit to the US on submarine Atlantic cables even before the data reached the US. The ECJ found that there were no statutory limitations on the power conferred to implement these surveillance programmes, nor any protections or guarantees for non-US persons. The data collected was not limited to what was necessary; the programmes were effectively mass surveillance. EU data subjects had no enforceable rights, and no access to judicial review, in respect of how the surveillance powers were implemented.
As a consequence of these findings, the ECJ made several critical legal statements:
- GDPR continues to apply to the transfer of personal data for commercial purposes from the EU to a third country, even if the data may be processed by the authorities of the third country for national security reasons.
- The general principles for personal data transfers to third countries apply to all provisions in the corresponding chapter of GDPR and must be interpreted and applied to ensure that the level of protection of natural persons guaranteed by GDPR is not undermined. This applies to adequacy decisions and also to transfers under safeguards such as standard contractual clauses for data protection.
- The Privacy Shield Decision of the European Commission (Decision 2016/1250) on the adequacy of the protection provided by the EU-US Privacy Shield was invalid. This is because the US surveillance programmes in respect of non-US persons resulted in limitations on the protection of personal data which do not satisfy the requirements for those limitations under EU law.
- EU data subjects whose personal data are transferred to a third country relying on standard contractual clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by GDPR. This requires an assessment of both (a) the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and (b) the relevant aspects of the legal system of the third country in respect of access by the public authorities of that third country to the data transferred.
- The data exporter and the data importer must verify, prior to any transfer, whether EU levels of protection are respected in the third country. The data importer must inform the data exporter if the data importer is unable to comply with the standard contractual clauses. This is the case even when that inability arises from compliance with laws of the third country rather than commercial and practical implementation of the contractual obligations. If the data importer states it is unable to comply, then the data exporter must suspend the transfer of data or terminate the contract.
- The EU supervisory authority must suspend or prohibit a transfer of personal data to a third country if the supervisory authority decides that a data transfer relying on standard contractual clauses cannot be complied with in that country and that the protection required by EU law of the data transferred cannot be ensured by other supplementary means.
What does this mean for businesses in Hong Kong?
GDPR requires that personal data transferred from the EU to a place outside the EU must be afforded comparable protection. It achieves this objective by outlining a number of avenues under which personal data may be transferred. Schrems II is primarily focused on standard contractual clauses as a means of providing appropriate safeguards for personal data transfers from the EU.
Many EU data exporters to Hong Kong have relied on standard contractual clauses as a means of complying with GDPR in respect of the export of personal data from the EU to Hong Kong. Now, EU data exporters and Hong Kong data importers must review those arrangements in light of Schrems II.
Merely adopting standard contractual clauses is not, and never was, sufficient to comply with the obligation to provide appropriate safeguards for data transfers under GDPR. Appropriate safeguards could only be achieved by measures that were supplementary to signing the contract. It required a proper assessment of whether the full implementation of those standard contractual clauses could deliver EU equivalent levels of protection for the data. It also required a management programme to fully implement the obligations of the standard contractual clauses.
Schrems II now goes further and states that contracting parties who fully comply with standard contractual clauses as written may still not be providing appropriate safeguards. This is because the principle of providing EU levels of protection in respect of the data transfer is overarching, and is not intended to be subject to rights of public authority access in third countries. So, in addition, there is an obligation on the EU data exporter and the Hong Kong data importer to verify, prior to any transfer, whether EU levels of protection are respected in Hong Kong in respect of access by the public authorities of Hong Kong to the data transferred.
The primary legislation in Hong Kong that deals with access by public authorities to personal data is the recently enacted National Security Law. EU data exporters and Hong Kong data importers must conduct assessments of the National Security Law to see whether its provisions are compatible with EU levels of protection for personal data transferred from the EU. This is not an easy or enviable task.
ECJ comments on US surveillance programmes
The ECJ considered these aspects of US mass surveillance programmes did not provide EU levels of protection:
- The surveillance programmes did not apply the principle of proportionality and gathered more data than necessary to meet the genuine needs of public interest.
- The legislation on which the surveillance programmes were authorised does not contain meaningful limitations on the power to implement surveillance programmes to obtain foreign intelligence information, nor does it confer guarantees for non-US persons potentially targeted by those programmes.
- The surveillance programme targeting data in transit to the US was not subject to any judicial review mechanism, and the manner and scope of that bulk collection of data were not sufficiently clear and precise.
- EU data subjects did not have a redress mechanism for unlawful electronic surveillance for national security purposes in respect of some surveillance programmes. The Ombudsman provisions under the EU-US Privacy Shield were inadequate for that purpose.
These examples relate to specific US surveillance programmes. The ECJ has made it clear that each third country would need to be assessed on a case-by-case basis. Different issues and considerations may arise for other third countries.
Perspectives on the National Security Law and Schrems II
The National Security Law came into force in Hong Kong on 30 June 2020. It criminalised acts of secession, subversion, terrorist activities, and collusion with foreign countries or with external elements. The scope of the National Security Law includes offences committed from outside Hong Kong by a person who is not a permanent resident of Hong Kong.
The National Security Law grants the Hong Kong Police Force a number of additional, supplementary powers, including carrying out interception of communications and conducting covert surveillance on a person suspected, on reasonable grounds, of being involved in the commission of an offence endangering national security[1]. Schrems II brings this power under the spotlight.
Applying the factors considered by the ECJ in Schrems II:
Proportionality: The Chief Executive can only authorise interception or covert surveillance if she forms the view that it is necessary for, and proportionate to, the purpose of preventing or detecting offences endangering national security, or protecting national security[2]. Additionally, the Chief Executive is required to consider the intrusiveness of the interception or covert surveillance, and whether other less intrusive means are available.
Meaningful limitations: The primary limitation in respect of interception or covert surveillance arises from the process by which authorisation is considered and given. An application for authorisation may only be made by an officer of the Hong Kong Police Force responsible for national security. The officer must obtain the approval of an officer not below the rank of chief superintendent of the police force before submitting the application[3]. The application must contain a statement containing prescribed information. The prescribed information includes an assessment of the purpose, benefits and impact of granting the authorisation. Each authorisation has a maximum duration of six months, after which a renewal application is needed for the interception or covert surveillance to continue. There are also provisions intended to ensure that legal professional privilege is preserved in the course of conducting interception or covert surveillance programmes.
Judicial review: The Committee for Safeguarding National Security is responsible for supervising the interception and covert surveillance rules. Decisions made by the Committee are not amenable to judicial review[4].
Mass surveillance: Authorisation can only be given if the Chief Executive is satisfied there is reasonable suspicion that the person has been, is, or is likely to be involved in an offence endangering national security or activity that may constitute a relevant threat to national security[5]. This condition makes it difficult for authorisation to be given for mass surveillance.
Rights of EU data subjects: The provisions in the National Security Law in respect of interception and covert surveillance do not contemplate individual rights to appeal or have access to records in relation to those surveillance programmes.
Applying Schrems II strictly to the National Security Law is likely to give a mixed report card on whether Hong Kong applies EU levels of protection to personal data in respect of access by public authorities. The position in Hong Kong appears to be better than the position in the US, but does not appear to fully satisfy all factors referred to by the ECJ in the Schrems II judgement.
It will take some time to fully and clearly understand the scope and extent of the National Security Law. Consequently, it will take some time to fully and clearly understand how assessments of the National Security Law should be conducted to apply the principles of Schrems II to the export of personal data from the EU to Hong Kong.
Some observations
Here are some additional thoughts and observations in relation to issues arising under Schrems II:
Philosophical differences: At the root of Schrems II is a philosophical difference on the nature of the rights involved. The Charter of Fundamental Rights of the European Union contains both the right to respect private life, home and communications and the right to protection of personal data. Under the Hong Kong Basic Law and the Hong Kong Bill of Rights Ordinance, the protection of personal data is not expressly listed as a fundamental human right. In the US, personal data tends to be considered through the lens of property rights, rather than human rights. The elevation of personal data protection (as opposed to just privacy) to a fundamental human right is one of the hallmarks of the EU. However, this is not necessarily the case elsewhere. Yet this is the standard that the ECJ insists must be applied in respect of data exports from the EU to third countries.
National security assessments: The ECJ has made it clear that the primary burden is on the data exporter and the data importer. EU data exporters are mostly not equipped to assess third-country national security laws. EU data exporters are likely to require non-EU data importers to conduct those assessments in pre-contract diligence assessments undertaken to support the use of standard contractual clauses. This will place the effective burden on the data importer. Data importers are hardly better equipped to unilaterally respond to these kinds of queries. There is a role for lawyers to help.
Breach of undertakings: The data exporter is likely to require a non-EU data importer to provide representations and undertakings in relation to the access to personal data by public authorities. This places the data importer in an acutely awkward position. Clauses in a contract do not bind national authorities. The ultimate obligation of the data importer is to comply with the laws of the country in which it operates. Situations could arise where either the data importer breaches national security laws or breaches its contractual obligations to EU data exporters. Hong Kong data importers could be between a rock and a hard place.
Data protection authorities: The ECJ views the role of personal data protection authorities in the EU as being supervisory in nature, rather than hands-on. Data protection authorities must be more proactive. EU data exporters, and indirectly non-EU data importers, need guidance to better understand the parameters to assess whether third countries have EU levels of data protection. We expect data protection authorities in the EU to publish assessment frameworks to assist EU data exporters in completing the assessments required by Schrems II. Non-EU data protection authorities will need to support data importers in their location and give guidance on principles that can assist non-EU data importers in responding to assessments directed to them in respect of the national security laws of their location. In Hong Kong, the Privacy Commissioner has stated that he will continue to monitor the latest developments and the consequences and impact of the Schrems II judgment on the global privacy landscape. This is a holding statement. This is understandable, as Schrems II and the Hong Kong National Security Law are so new. More guidance is needed.
Uncertainties: Although the Schrems II judgement is lengthy and detailed, uncertainties remain. Will it be possible to ring-fence certain categories of personal data that are less likely to be of interest in the context of national security concerns? Is the assessment of the laws in the country of the data importer to be conducted on the basis of the laws in force, regardless of how those laws are applied in practice? Must the assessment required under Schrems II be applied by all EU data exporters to third countries, regardless of size and resources and regardless of the volume, sensitivity or nature of the personal data involved? More guidance is needed.
Other compliance measures: Standard contractual clauses are one means to demonstrate data protection to EU equivalent standards for data transfers outside the EU. There are others. None is ideal. Hong Kong does not have an adequacy decision from the European Commission. Binding corporate rules are subject to the same considerations of ensuring EU levels of protection. EU data subjects could be requested to consent to the data transfer from the EU to Hong Kong. That consent would need to be explicit, specific and informed. Also, the consent can be withdrawn by the EU data subject. These requirements make consent a less desirable basis for achieving an appropriate safeguard. Derogations in GDPR for data transfers that are necessary to perform a contract, or that are necessary for important reasons of public interest, are only intended to be applied on a case-by-case basis where the data transfers are occasional. Again, these requirements make them a less desirable basis for achieving an appropriate safeguard.
Supplementary measures: The ECJ has suggested that supplementary measures can be adopted to provide appropriate safeguards. No guidance is given on what those supplementary measures may be. However, basic principles of data minimisation and data security can assist. The data exporter should carefully and rigorously assess the personal data to be transferred to a third country, and ensure that only the minimum personal data necessary is transferred. The data exporter can consider anonymising data to be transferred. Encryption can be used to preserve the privacy and security of data in transit. Ultimately, the selection of supplementary measures will be a matter for the data exporter and the data importer to decide. The standard remains the same. The supplementary measures must be sufficient to achieve EU levels of personal data protection. If the data exporter is not satisfied this is the case, then it must refuse to transfer the personal data. This could lead to increased data localisation.
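As an added illustration of the minimisation and pseudonymisation steps mentioned above (example code written for this page, not from the article or from Tanner De Witt), the following Python pass keeps only the fields an exporter has documented as necessary for the transfer purpose, replaces the remaining identifier with a keyed pseudonym whose key stays with the exporter (so the importer cannot re-identify the record on its own), records what was dropped for the exporter's audit file, and checks the result before anything is sent. The records, field names, purpose-based allow-list and key are all constructed for the example; encryption in transit (TLS) is assumed to be handled separately by the transport layer.

```python
import hmac
import hashlib

# Constructed sample records (not real personal data): what an EU exporter might hold.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "a.muller@example.eu", "name": "Anna Müller",
     "order_total": 120.50, "order_date": "2020-07-15", "passport_no": "X1234567"},
    {"customer_id": "C-1002", "email": "b.rossi@example.eu", "name": "Bruno Rossi",
     "order_total": 42.00, "order_date": "2020-07-16", "passport_no": "Y7654321"},
]

# Assumption for the example: the documented purpose of the transfer is order
# reconciliation, so these are the only fields necessary for that purpose.
ALLOWED_FIELDS = frozenset({"customer_id", "order_total", "order_date"})

# Fields that are needed for linkage but must not leave in clear text.
PSEUDONYMISED_FIELDS = frozenset({"customer_id"})

# Constructed demo key. In practice this secret is generated and retained by the
# exporter only; it is never shared with the importer.
EXPORTER_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): deterministic, so the same customer links across
    batches, but not reversible by anyone who does not hold the exporter's key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimise_record(record: dict, allowed=ALLOWED_FIELDS,
                    pseudo_fields=PSEUDONYMISED_FIELDS, key=EXPORTER_KEY):
    """Return (minimised record, list of dropped field names)."""
    out, dropped = {}, []
    for field, value in record.items():
        if field not in allowed:
            dropped.append(field)           # excess data never leaves the exporter
            continue
        out[field] = pseudonymise(str(value), key) if field in pseudo_fields else value
    return out, sorted(dropped)


def prepare_export(records, allowed=ALLOWED_FIELDS,
                   pseudo_fields=PSEUDONYMISED_FIELDS, key=EXPORTER_KEY):
    """Minimise a batch and produce an audit trail of what was withheld per record."""
    exported, audit = [], []
    for rec in records:
        out, dropped = minimise_record(rec, allowed, pseudo_fields, key)
        exported.append(out)
        audit.append({"dropped": dropped})
    return exported, audit


def verify_export(exported, allowed=ALLOWED_FIELDS) -> bool:
    """Pre-transfer gate: every outgoing record contains only allow-listed fields."""
    return all(set(rec.keys()) <= set(allowed) for rec in exported)


if __name__ == "__main__":
    batch, audit_log = prepare_export(SAMPLE_RECORDS)
    if not verify_export(batch):
        raise SystemExit("export blocked: record contains non-allow-listed field")
    for rec, entry in zip(batch, audit_log):
        print(rec, "| withheld:", entry["dropped"])
```

The gate in `verify_export` is deliberately separate from the minimisation step so that a later change to the allow-list, or a new upstream field, is caught before transfer rather than discovered by the importer. Keeping `EXPORTER_KEY` on the EU side is what makes the pseudonym a supplementary measure rather than a renamed identifier: the importer can reconcile orders against the pseudonym, but only the exporter can map it back to a person.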
The EU-US Privacy Shield: The ECJ ruled that the principle of ensuring EU equivalent levels of data protection applied in respect of all personal data transfers from the EU. This permitted the ECJ to assess the EU-US Privacy Shield. The EU-US Privacy Shield was an example of an adequacy decision of the European Commission. This was a formal decision of the European Commission that transfers of personal data to the US that complied with the EU-US Privacy Shield framework would be considered to have an adequate level of protection for GDPR purposes. The ECJ in Schrems II has now invalidated the EU-US Privacy Shield. This aspect of Schrems II is largely irrelevant to Hong Kong. Hong Kong has not been granted adequacy status by the European Commission for GDPR purposes. Japan is the only jurisdiction in Asia that has.
Conclusion
Schrems II is a landmark judgement that has global repercussions. Hong Kong will experience the consequences of the judgement. It is early days yet. It is too soon to make drastic decisions. An immediate decision to stop all EU personal data transfers to Hong Kong is not a pragmatic or required decision. EU data exporters to Hong Kong, and Hong Kong data importers, should start to re-assess their compliance with standard contractual clauses. We expect this will include assessing whether Hong Kong is an EU equivalent jurisdiction in respect of data access by public authorities for the purposes of national security. We expect clients to need legal assistance in conducting these assessments. We are ready to help.
Pádraig Walsh
For a global discussion on the Schrems II verdict, please see the 6 August 2020 PrivacyRules webinar below. Pádraig speaks on: Data access laws in Hong Kong at 12:36; Standard contractual clause alternatives at 32:18; Data protection authorities in third countries at 43:01; and Due diligence on service providers' compliance at 54:18.
Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.
[1] Article 43, National Security Law
[2] Schedule 6, Part 1, Para 2, Implementing Rules for Article 43
[3] There are limited exceptions to this authorisation protocol permitted in urgent cases.
[4] Article 14, National Security Law
[5] Schedule 6, Part 1, Para 2, Implementing Rules for Article 43