The “Schrems II" decision requires businesses sending information to countries that are not subject to the EU's General Data Protection Regulation ('GDPR') to ensure data subjects' rights are adequately protected in the destination country. It will impact both New Zealand businesses subject to the GDPR and those receiving data that is subject to the GDPR.
The ruling also increases the advantage offered by New Zealand's current position as one of just 11 non-EU countries with data “adequacy" status, which means this country is treated as an EU country for the purposes of data transfer. However, a review of that status expected as early as September could change all that – and will test whether the just-passed Privacy Act 2020 puts to rest earlier fears that the valuable designation would be lost.
The Schrems decisions
The requirements for transferring data to non-EU countries for entities captured by the GDPR have changed with the Court of Justice of the European Union's ('Court') decision in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II").
The Schrems proceedings arose from a complaint brought by Max Schrems in Ireland against the Irish Data Protection Commissioner. The focus of the complaint was to determine whether Facebook was permitted to transfer data from Ireland to the United States, given Facebook's alleged involvement in the PRISM mass surveillance program.
Prior to the Schrems cases, the Article 29 Data Protection Working Party (an advisory body that has since been replaced by the European Data Protection Board) took the approach that data could be transferred to a non-European country if that country offered a broadly similar level of protection to that of the EU, even if that third country offered less protection in some minor respects. In the Schrems I decision, which was issued in 2015, the Court found that the standard to be met was that the third party's protection of personal data must be “essentially equivalent" to the rights guaranteed by the EU. The Schrems I decision had the effect of invalidating a decision of the European Commission which said that the EU-US Safe Harbour arrangement was “adequate" for the purposes of EU law.
In the Schrems II decision issued late last month, the Court:
- confirmed that the “standard contractual clauses" ('SCCs') that governed data transfers from the EU were valid, and
- invalidated a previous decision of the Commission that was the legal basis for holding that the EU/US Privacy Shield was valid for the purposes of international data transfer.
In respect of transfers to the United States, previously data controllers could rely on the validity of the Privacy Shield to assume that the data protection provisions in the United States were adequate for the purposes of the GDPR. The Privacy Shield (like the EU-US Safe Harbour before it) has been heavily criticised and thus the decision of the Court to invalidate it is not unexpected. The Court invalidated the Privacy Shield based on several factors, including that:
- US law enforcement requirements trumped the Privacy Shield.
- There were insufficient limitations and safeguards against the powers of local law enforcement under US law, particularly when proportionality requirements that gave protection under EU law were taken into account.
- There was no effective remedy in the US for EU data subjects who felt their rights had been compromised.
- There were deficiencies in the oversight of the Privacy Shield and how complaints were handled, as the Privacy Shield Ombudsperson was not a “tribunal" and could not be considered to be a fair and impartial court.
The Schrems II decision confirmed that data protection authorities have a duty under the GDPR to suspend or prohibit data transfers if the SCCs could not be complied with or if protection of the data could not otherwise be ensured. Data controllers will now need to be more proactive and accountable when sending data to countries outside of the EU, especially where the laws of the destination country allow for personal data to be accessed in ways that would not be permitted in Europe.
If data controllers are transferring data in reliance on the SCCs, they will also need to verify whether the law of the third country or destination ensures adequate protection under EU law. This is an onerous obligation, as it requires data controllers to conduct a detailed assessment of the laws of the third country and form a view as to how those laws compare to the protections in the GDPR.
What does this mean for New Zealand?
The Schrems II decision will have a major impact on how transfers of information about EU data subjects to non-EU countries are handled, particularly given the heightened expectations on data controllers to ensure data subjects' rights are adequately protected in the destination country. This decision makes New Zealand's current officially recognised “adequacy" status even more important than it was previously.
There are currently 11 countries that have been designated by the European Commission as providing an adequate level of protection for the purpose of data transfers. This means personal data can be transferred as freely as it would to countries within the EU, without data controllers needing to conduct their own assessments as to whether the laws of the destination country offer adequate protection, and without needing to rely on SCCs. The fact that New Zealand has been granted adequacy status gives us a considerable advantage over other countries that have not been given this designation (including Australia).
New Zealand's adequacy status is, however, soon to be reviewed. The review was scheduled to be completed by May 2020, but has been delayed and is currently expected in September or October this year.
Many will be relieved that the Privacy Act 2020 gained parliamentary assent before the review takes place, as there has been doubt cast as to whether the current Privacy Act 1993 continues to meet the high standard required by the European Commission.
The Privacy Act 2020 offers a number of heightened protections that should assist New Zealand to maintain its adequacy status. In particular:
- Mandatory breach notifications have been introduced for privacy breaches that result in serious harm, which allows for greater transparency and accountability.
- New privacy principle 12 regulates how personal information can be sent from New Zealand to other countries, meaning that organisations can only transfer personal information overseas if the receiving country is subject to similar safeguards to those in place in New Zealand. If the destination country does not offer similar protections, the relevant individual must be fully informed that their information may not be adequately protected, and they must authorise this disclosure.
- New criminal offences have been introduced, with fines of up to NZ$10,000.
- The Privacy Commissioner is now empowered to issue compliance notices to organisations to make them do something, or refrain from doing something in order to comply with the Act.
There is however a concern that the reforms may not go far enough. There are protections for data subjects under the GDPR that are not replicated in New Zealand legislation (for example, the right to data portability, the right to be forgotten and additional controls regarding how data can be processed and used). Additionally, the enforcement powers under the Privacy Act (particularly the imposition of financial penalties) are of a vastly different scale compared to the GDPR, where penalties for breaching the law can be up to €20 million or 4% of annual global turnover (whichever is higher).
Overall, New Zealand's new privacy law brings us closer into line with international trends, and should improve New Zealand's chances of retaining adequacy status. The Schrems II decision does however give rise to some additional concern that European regulators are taking a narrower view of what will constitute adequate protection and “essential equivalence" with EU law. This may mean that the European Commission is less likely to grant a country adequacy status given there is an increased likelihood such a decision could be overturned by the Court.
What does this decision mean for New Zealand organisations that are subject to the GDPR?
The GDPR applies to New Zealand businesses that process personal information and have an office in the EU. It also applies to New Zealand businesses that do not have an office in the EU, but process the personal information of data subjects residing in the EU for purposes relating to:
- Offering goods or services to data subjects in the EU, or
- Monitoring the behaviour of data subjects in the EU.
For businesses that do not have an EU office, but are required to comply with the GDPR, the major impact of the Schrems II decision will be to ensure that when personal information about an EU data subject is being sent from New Zealand to a country outside of the EU, the requirements of the GDPR are complied with and the destination country gives adequate protection to data in comparison to the EU. As a matter of practicality, businesses that may be subject to the GDPR should ensure that they are prepared for the Privacy Act 2020, and in particular that they are compliant with new Privacy Principle 12. This should go a long way towards mitigating the risk of falling foul of the requirements of the GDPR.
For New Zealand businesses with an office in the EU, it should be business as usual in terms of transferring data within the EU, to New Zealand, or to any other country with adequacy recognition. If, however, information is to be transferred to any other destination, care will need to be taken to ensure that such a transfer is still permitted under European law.
If you would like to discuss any of the matters raised in this article, please get in touch with the contacts listed or your usual Bell Gully adviser.