Problematic legislation and fundamental rights: new obstacles to transferring personal data from Europe

We have all experienced restrictions on international travel during the COVID-19 pandemic. But did you know that recent developments in European privacy law have also made it harder for personal data to cross international borders? As Special Counsel Nicholas Blackmore explains, new EU Standard Contractual Clauses and guidance from the European Data Protection Board pose significant challenges for Australian businesses attempting to transfer personal data from Europe.

Many Australian business will already be familiar with the rules under the EU General Data Protection Regulation (the “GDPR”) which restrict the transfer of personal data out of the European Economic Area (“EEA”). Australian businesses may need to transfer personal data from the EEA to Australia because they sell products and services to European consumers, they have business ventures or offices in Europe, or they process personal data on behalf of European clients. “Transferring” data under the GDPR includes moving or copying the data to a computer located in Australia, as well as a user in Australia remotely accessing a copy of the data stored on a computer located in the EEA.

While personal information is protected in Australia by the Privacy Act 1988, the European Commission has taken the view that the Privacy Act does not offer adequate protection for personal data transferred from Europe. As such, the most common solution is for a European business wanting to transfer personal data to Australia (a “data exporter”) and an Australian business wanting to transfer personal data from the EEA (a “data importer”) to enter into the Standard Contractual Clauses approved by the European Commission.

The new Standard Contractual Clauses

The European Commission recently issued a new set of Standard Contractual Clauses (the “new SCCs”). The previous set of Standard Contractual Clauses (the “old SCCs”) were replaced by the new SCCs with effect from 27 September 2021. While the old SCCs continue to be valid in existing contracts until 27 December 2022, the new SCCs need to be used in all new contracts.

In addition, the European Data Protection Board (“EDPB”) recently finalised its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection for personal data (the “Recommendations”), which provide practical guidance to data exporters and importers on how to provide “an essentially equivalent level of protection” for personal data transferred outside of the EEA.

While there are a number of significant differences between the old SCCs and the new SCCs, the biggest difference is that the parties are now required to provide warranties in relation to the laws and practices of the destination country; what the Recommendations call “problematic legislation”.

The obligation to assess problematic legislation

The problematic legislation provisions in the new SCCs are an attempt to address the issues that caused the old SCCs to be ruled invalid by the European Court of Justice in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems. In that case, Austrian privacy activist Max Schrems challenged Facebook’s practice of transferring personal data of Europeans to servers in the USA, where the data could potentially be subject to access by the US Government. Of particular concern was the National Security Agency’s PRISM programme, which grants the Agency broad powers to collect any electronic data that matches court-approved search terms. The European Court of Justice held that a US company that was subject to that law could not provide adequate protection to European personal data, even if it was otherwise compliant with the EU-US Privacy Shield scheme or the old SCCs.

As a result, the new SCCs now require both parties to warrant that:

• they have conducted an assessment of the relevant laws and practices of the destination country, taking into account the circumstances of the transfer and any other safeguards in place to protect the data; and
• they have no reason to believe that the laws and practices of the destination country applicable to the processing of the personal data by the data importer (including any requirements to disclose personal data or allowing access by public authorities) will prevent the data importer from protecting the personal data as required by the new SCCs.

The new SCCs require that this assessment must be documented, and produced to an EU supervisory authority on request. The assessment must be updated whenever there is a material change in the relevant laws and practices.

While the above obligations are imposed on both parties – and are enforceable against both parties by data subjects - the new SCCs also specifically require that the data importer use its best efforts to provide the data exporter with all relevant information in relation to the laws and practices of the destination country.

Conducting an assessment

As such, the New SCCs effectively require Australian data importers to conduct a thorough assessment of relevant Australian laws and practices. The Recommendations provide further guidance how to conduct this assessment. They state that the assessment should focus on “problematic legislation”, which means any Australian legislation which:

• imposes obligations on the data importer and/or affects the data transferred in a manner that may impinge on the New SCC’s guarantee of an essentially equivalent level of protection to that afforded under EU law; and
• does not respect the essence of the fundamental rights and freedoms recognised by the EU Charter of Fundamental Rights, or exceeds what is necessary and proportionate in a democratic society to safeguard an important objective which is also recognised in EU law.

The former requirement essentially covers any legislation which allows a government authority to intercept personal data in transit to the data importer, or to compel the data importer to provide access to or a copy of the personal data. In Australia, this would include the Telecommunications (interception and Access) Act, the Surveillance Devices Act and equivalent State and Territory legislation, the Australian Security Intelligence Organisation Act, and federal and state police powers legislation.

The latter requirement essentially means that the legislation does not include protections for the fundamental rights and freedoms of individuals (as those rights and freedoms are defined in EU law), does not serve an important public interest which is also recognised under EU law, or goes further than is necessary and proportionate in serving that public interest.

As such, this assessment is no simple task – it requires both a knowledge of the various Australian legislation under which a government authority might have access to personal data, and an assessment of whether that legislation meets EU standards on protecting the fundamental rights and freedoms of individuals.

Once the assessment is conducted, the data exporter is only permitted to transfer personal data outside the EEA if the assessment concludes that:

• there is no problematic legislation;
• there is no reason to believe that the problematic legislation will be applied in practice to the data importer or the transferred personal data; or
• the parties can put “supplementary measures” in place to protect the transferred personal data from the effects of the problematic legislation.

Supplementary measures

“Supplementary measures” are practical or technical measures which circumvent problematic legislation by ensuring that any personal data will not be identifiable in the hands of a government authority. The Recommendations cite a number of possible supplementary measures that parties could use:

• the personal data is encrypted and the data importer does not have the decryption key;
• the personal data is pseudonymised and the data importer does not have the ability to re-identify the data; or
• the personal data is split into multiple data sets, such that any one data importer does not hold sufficient data to identify any data subject.

However, these supplementary measures are severely limited in their usefulness. The Recommendations acknowledge that supplementary measures are simply not possible where the data importer requires access to unencrypted and identifiable personal data, which will be the case in the majority of situations.

Conclusion

Unlike the old SCCs, the new SCCs require Australian data importers to conduct a detailed and documented assessment of relevant Australian laws and practices to determine whether they include protections for the fundamental rights and freedoms of individuals, serve an important public interest, or go further than is necessary and proportionate in serving that public interest.

Conducting this assessment is not a simple task – it requires expertise on the relevant Australian legislation, and on EU standards for protecting fundamental rights and freedoms.

Personal data is only permitted to be transferred outside the EEA if the assessment concludes that there is no problematic legislation or there is no reason to believe that the problematic legislation will be applied in practice to the data importer or the transferred personal data. Alternatively, the parties can put in place “supplementary measures” in place to protect the transferred personal data from the effects of the problematic legislation.

As a law firm with global expertise in data privacy law, Kennedys is ideally placed to assist its clients with undertaking the assessment required under the new SCCs.

Read other items in the Australian Insurance Brief - December 2021