News
Letter to the EDPB in response to the recently adopted recommendations published by the EDPB
With a letter to the European Data Protection Board (EDPB), the International Network of Privacy Law Professionals (INPLP) made use of the opportunity to provide comments on the recently adopted recommendations published by the EDPB.
About INPLP
The International Network of Privacy Law Professionals (INPLP) is a not-for-profit international network of qualified professionals (35 countries) providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi- jurisdictional views, a GDPR-fines database, and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how (aproximately 60 publications per year), conducting joint research into data processing practices, and engaging proactively in international cooperation in both the private and public sectors. Please find all members and publications here: inplp.com
Introduction
INPLP would like to thank the EDPB for the opportunity to provide comments on the recently adopted Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
This contribution is drafted at the sole initiative of INPLP. Neither INPLP nor any of its members have received any remuneration or benefits of any kind in compensation for the drafting or submission of these comments. The positions expressed herein are based exclusively on the individual members’ concerns regarding the consequences of the Recommendations as drafted, based on their experience as data protection professionals.
As a result of the recent Schrems II judgement C-311/18, there is currently significant uncertainty within the European Union (and more generally speaking, among many stakeholders subject to EU data protection rules) on the possibility or impossibility of transferring personal data to third countries in the absence of any affirmative adequacy ruling. INPLP therefore welcomes the EDPB’s initiative for providing a methodological and concrete overview of steps and measures that should be taken to supplement transfer tools.
INPLP is particularly supportive of the general position that the protection granted to personal data in the European Economic Area (EEA) must travel with the data wherever it goes, and that a transfer of personal data to third countries cannot constitute a means of undermining or watering down the protection that such data is afforded in the EEA. It is indeed critically important that data exporters ensure a level of protection for the data (and the affected data subjects) that is essentially equivalent to the protections available in the EEA.
Specific comments and concerns
Based on our own evaluation of the proposed Recommendations, our members are concerned that they appear to disregard a balanced consideration of risk in relation to the personal data itself, e.g. based on the sensitivity or volume of the personal data or the impact on data subjects, and to the risks (or lack thereof) inherent to the processing activities. The Recommendations apply a strict risk assessment test that considers only the jurisdiction(s) of the importer, since the exporter is required to assess in some detail whether the protections of the EEA data protection regime are not directly or indirectly undermined by the domestic legal order of the importer. The personal data itself, however, does not appear to take a central role in any of the steps, nor does the nature of the processing activity.
In effect, the Recommendations to some extent consider all personal data and all processing activities to be equal before EEA data protection law, in the sense that the need for measures to supplement transfer tools appears to be driven largely or even solely by the jurisdiction(s) that apply to the data importer. As a result, even the most trivial and small-scale personal data transfers are treated in the same manner as the most sensitive and large-scale transfers, without consideration of risk or the likelihood of such data being targeted by third country authorities.
The INPLP members would of course not question that highly sensitive data – such as critical or large scale governmental databases or the special categories of personal data identified in the GDPR – would warrant significantly more demanding supplemental measures. Nor could it be reasonably disputed that e.g. the criteria developed by the Article 29 Working Party for the applicability of the DPIA obligation (WP 248) could be a useful resource to determine data protection risks, and therefore the need for supplementary measures.
But precisely such considerations appear to be absent from the proposed Recommendations. This is most explicitly visible in Use cases 6 and 7 of the proposed Recommendations, respectively dealing with transfers to cloud services providers requiring access in the clear and with remote access to data for business purposes. For both of these use cases, the Recommendations conclude that there is no scenarios in which effective measures could be found to appropriate organise a transfer, without consideration of the nature of the data or the processing activity to be covered.
As a result, even fairly trivial data transfers would no longer be lawful. By way of examples, a small sports club’s mailing list would no longer be permitted to be managed through a US-based service provider, a European baker would not be permitted to store its customer lists in a non-European cloud service, and a European affiliate in an international group would no longer be permitted to share business information with its non-European counterparts. Such transfers would be unlawful, despite the low likelihood that such data would be relevant to third country authorities, and despite the low risk to individuals even if such data would be targeted by authorities. A risk based approach might be productively integrated in the discussion of these Use cases in the Recommendations.
Conclusions
INPLP is keenly conscious of the legitimate policy concerns surrounding data sovereignty, in particular regarding personal data, as well as of current risks and abuse scenarios. Our members value and treasure the high bar that European data protection law has set, including for third country transfers. However, our conviction is that the current Recommendations in their present form leave too little margin for a risk-based analysis, and would effectively isolate the EEA from the global data economy, since transfers to third countries outside of any affirmative adequacy finding (and to some extent even with an affirmative adequacy finding) would not be legally defensible, or at least legally reliable, for European data exporters.
Assuming that such isolation is not the intent of the proposed Recommendations, we would submit these observations for your kind consideration and would especially suggest introducing an assessment of the sensitivity and risks of the personal data concerned as a part of the stepwise process in the current Recommendations. In this context, INPLP would particularly recall the extremely useful and highly appreciated work that has been done in the Guidelines on DPIAs, which take into consideration which types of data and processing are "likely to result in a high risk". While appreciating that the policy context for the current Recommendations differs significantly from that of the DPIA Guidelines, INPLP would humbly suggest that a similar risk consideration in relation to third country transfers might be usefully developed as well.
This letter was sent with the support of the following INPLP members:
COUNTRY | LAST NAME | FIRST NAME | COMPANY |
Austria | Thiele | Clemens | Götzl Thiele EUROLAWYER Rechtsanwälte |
Austria | Winklbauer | Stephan | AHW Rechtsanwälte |
Belgium | Graux | Hans | Time.lex |
Czech Rep. | Nielsen | Tomas | Nielsen Legal, advokátní kancelář, s. r. o. |
Cyprus | Alexandra Constantinos | Kokkinou Andronicou | tassos papadopoulos & associates LLC |
Denmark | Thöle | Claas | NJORD Advokatpartnerselskab |
Estonia | Orav | Mari-Liis | TGS Baltic |
France | Le Quellenec | Eric | Alain Bensoussan Avocats Lexing |
Greece | Deligianni | Mary | Zepos & Yannopoulos |
Croatia | Guljaš | Boris | Boris Guljaš I Ranko Lamza |
Ireland | Moore | Leo | William Fry |
Israel | Barkan-Lev | Adi | BL&Z Law Offices & Notaries |
Israel | Zabow | Beverley | BL&Z Law Offices & Notaries |
Japan | Shono | Satoshi | Matsuda & Partners |
Luxembourg | Molitor | Michel | Molitor Avocats a La Coer |
Luxembourg | Liebermann | Virginie | Molitor Avocats a La Coer |
Malta | Gatt | Gege | Malta IT Law Association |
Netherlands | Cordemeyer | Bob | Cordemeyer & Slager |
Norway | Flagstad | Øystein | Gjessing Reimers |
Portugal | Henriques | Ricardo | Abreu Advogados |
Romania | Iftime-Blagean | Adelina | Wolf Theiss |
Serbia | Urzikic Stankovic | Ljiljana | Stankovic & Partners |
Slovenia | Jamnik | Matija | JK Group d.o.o. / JK Group ltd |
Slovakia | Chlipala | Miroslav | Bukovinsky & Chlipala, s.r.o. |
Spain | Arribas | Belén | Belén Arribas, Abogada |
Turkey | Yavuzdoğan Okumuş | Begüm | Gün + Partners |
United States | Odia | Kagan | Fox Rothschild LLP |
News Archiv
- Alle zeigen
- November 2024
- Oktober 2024
- September 2024
- August 2024
- Juli 2024
- Juni 2024
- Mai 2024
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010