The long awaited Schrems II decision was published by the Court of Justice of the European Union (CJEU) on 16 July 2020 (Court of Justice of the European Union – Grand Chamber – 16 July 2020 – C-311/18 – Schrems II) and while it has already been summarized as the death blow to the Privacy Shield framework and the confirmation of the validity of the Standard Contractual Clauses (SCCs) by many, it may only be a Pyrrhic victory for the latter, as far as transfers to the US are concerned.
(more…)With the recent decision from the Court of Justice of the European Union (CJEU) invalidating the Privacy Shield framework (Court of Justice of the European Union – Grand Chamber – 16 July 2020 – C-311/18 – Schrems II – see our alert here) and subjecting the Standard Contractual Clauses (SCCs) to higher standard of enforcement, global companies with the need to transfer data across the world, and especially across the Atlantic, are now required to re-assess their data transfer mechanisms.
While both Privacy Shield and the SCCs predates the General Data Protection Regulation 2016/79 dated 27 April 2016, which enter into force on 25 May 2018 (GDPR) , the new regulation aimed at providing stakeholders with additional tools to self-regulate and safeguard the privacy of individuals in the European Union
Among them, and while still confidential, the implementation of codes of conduct is encouraged under Art. 40 GDPR and by the dedicated Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/79 dated 04 June 2019 of the European Data Protection Board (EDPB). As a matter of fact, the advantages of such codes of conducts go beyond the mere facilitation of data transfers, and provide data controllers and data processors alike with a complete sectorial framework for GDPR compliance.
(more…)In a highly anticipated Schrems II decision, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, the legal framework allowing transatlantic exchanges of personal data for commercial purposes between the European Union and the United States, mainly citing US surveillance practices and inadequate recourse to EU individuals. On the other hand, the CJEU upheld the Commission Decision 2010/87 on Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries (see out alert here).
(more…)On the morning of 16 July 2020, in a significant decision of the Court of Justice of the European Union (CJEU), the Privacy Shield was held to be invalid.
What is the Privacy Shield
The Privacy Shield was an agreement negotiated in 2016 between the United States Department of Commerce, the European Commission and the Swiss Administration to provide a mechanism for companies to transfer personal data from the European Union and Switzerland to the United States. The Privacy Shield was designed to enable companies to transfer personal data across the Atlantic in accordance with EU data protection law that pre-dated the GDPR.
(more…)Following its press release on the development of a new third country transfer module, the EU Data Protection Code of Conduct for Cloud Service Providers is proud to welcome internationally renowned law firm K&L Gates LLP as Supporter.
Brussels, 06. October 2020 – Pending the approval of its Code of Conduct under Europe’s General Data Protection Regulation (GDPR), the EU Cloud Code of Conduct (EU Cloud CoC) initiated the development of an on-top module to tackle the recent decision from the Court of Justice of the European Union (CJEU) “Schrems II”. Post-Schrems II, such an additional module is considered extremely helpful by the industry. GDPR explicitly refers to codes of conduct as an appropriate safeguard in its Article 46.2.(e). Provided that approved codes of conduct require independent oversight by an accredited monitoring body, codes of conduct may be the missing link how to create “supplementary measures” as called-for by the CJEU.
“Addressing Schrems II surely will be demanding. Therefore, the General Assembly highly welcomes the addition of this well-known international law firm. This adds to our large pool of subject matter experts and experience that will be necessary in developing an additional module for third party data transfers.”, said Jonathan Sage, Government and Regulatory Affairs Executive at IBM and Chairman of the EU Cloud CoC General Assembly.
The EU Cloud CoC, in its core version, addresses requirements pursuant to Article 28 GDPR for processors. Consequently, the Code focuses on establishing best practices to address relevant legal requirements. Drafting a third country transfer mechanism will require close negotiations with different stakeholders, as such a mechanism easily corelates with non-GDPR related aspects, such as political and societal.
“Our clients are in dire need of stable, yet flexible solutions. The Schrems II ruling created massive turbulence not just for service providers but also, and especially, for customers, who are lacking any foreseeability on the compliance of internationally provided services. We are willing to contribute to this upcoming future standard with our distinct expertise in finding practical solutions for all of our clients, and thus inherently balancing interests of providers and customers alike, through such self-regulation mechanism for the whole ecosystem. Our involvement in the EU Cloud CoC will be led by Dr. Thomas Nietsch from our Berlin Office.” said Claude-Etienne Armingaud, CIPP/E and Practice Group Coordinator for Data Protection, Privacy, and Security at K&L Gates LLP.
Considering the press conference announcing this development, one may note that European Supervisory Authorities and also the European Commission are welcoming initiatives like the one as of the EU Cloud CoC. The EU Cloud CoC General Assembly is looking forward to a cooperative dialogue with relevant stakeholders, inviting interested parties to join, to make sure that the upcoming module is meeting legal requirements, but also data subjects and industry needs, as this will be key for broad market adoption and effectiveness.
The EU Cloud Code of Conduct is a sector-specific Code pursuant to GDPR Article 40, currently pending the endorsement and official approval by supervisory authorities. Among the key benefits of the Code is its applicability to the full spectrum of cloud services, as all services types (SaaS, PaaS, IaaS) can be declared adherent against the Code.
The Code’s General Assembly members are eligible to declare their services adherent and make them subject to the robust monitoring and assessment of the Code’s Monitoring Body, thereby underpinning GDPR compliance. The General Assembly has recently announced the next evolution of its Code by drafting a dedicated module for third country transfers. Find out more about the Code , the Third Country Transfer Initiative and learn how easy it is to join the General Assembly of the EU Cloud Code of Conduct.
First publication : EU CoC Cloud
The current COVID-19 pandemic continues to raise many issues on employee privacy and how employers may balance processing their employees’ data with ensuring safety in the workplace. The French Supervisory Authority (CNIL) has provided guidance on the methods that may be used by employers to collect and process health data from their employees (outside of medical care data) in order to detect possible symptoms related to COVID-19, as well as data relating to travel or events. In addition, more generally, the French Labor Ministry has published a “National protocol regarding the end of the lockdown for companies to ensure health and safety of the employees” (Protocol), in order to help employers manage the various tasks and issues related to the end of the lockdown and employees’ return to work. This document does not have legal force, but sets out the general recommendations and principles of prevention regarding the protection of employees’ health and safety in the context of the current health crisis.
Under the General Data Protection Regulation (GDPR) framework, the CNIL guidance available here in French) reiterates a number of core principles:
In the private sector, Articles L. 4121-1 and R. 4422-1 of the French Labor Code (FLC) provide for a safety obligation incumbent on employers, which must implement occupational risk prevention, information and training actions. The company and its legal representatives are criminally liable for the employee security obligation. Employers that fail to provide employees with safe and appropriate working conditions would face a court risk and could be held liable for not ensuring the employees’ safety and security on the workplace. Since 2015, the French Supreme Court has held that the employer’s obligation with regard to employees’ health and safety is an enhanced best efforts obligation (obligation de moyen renforcée). Therefore, the employer can avoid liability by proving that preventive measures have been implemented. French Supreme Court case law holds that the employer has complied with this legal obligation to take the necessary measures to ensure the safety and protect physical and mental health of employee when it is demonstrated that he has taken all measures to prevent, adapt and provide information on the risks, in accordance with Articles L. 4121-1 and L. 4121-2 of the FLC.
In the context of the current pandemic, the employer’s safety obligation is more topical than ever. In order to comply with this mission, employers have the right to process personal data, albeit only when strictly necessary to foster that purpose. In this respect, the CNIL encourages employers to regularly consult the information and recommendations published by the French Labor Ministry, in order to better understand their obligations in this period of health crisis.
According to the CNIL’s position, employers are entitled, in this context, to:
On the other hand, Article L.4122-1 FLC provides that each employee has a safety obligation which requires them to preserve not only their own health and safety, but also, the health and safety of other individuals with whom they may come into contact in the course of their professional activity, be it other workers or customers. However, in practice, employers might be in a delicate situation if they were to take disciplinary sanctions against these employees, and they might face labor court actions.
While French employees are usually only required to provide an illness certificate, which does not provide any specifics on the health status other than inability to work, the CNIL understands that the contagiousness of the COVID-19 pandemic mandates self-reporting be more specific to enable employers to take any measure required to ensure the safety in the workplace.
However, this reinforced duty to provide information does not extend to individuals working in isolated conditions, e.g. without contact with other individuals and/or working remotely. For such “isolated” workers, the classic rules of labor law apply and employers are not allowed to mandate such disclosure of personal data.
When organizing the return to work, employers are encouraged to facilitate dialogue with its employees and employee representative. Employers may require certain information, and may ask employees to inform the company’s management of, in particular, any travel to risk areas and risk factors related to their health or relatives. However, this organizational requirement must be compliant with the GDPR for the processing of employees’ personal data.
In any case, employers may only process elements related to (i) the date, (ii) the identity of the person, (iii) the contamination status reported by the employee, and (iv) the data related to the organizational measures to be put in place.
The CNIL emphasizes the particular sensitivity of health-related data, which is considered a “special category of personal data” under Article 9 GDPR, and thus requires processing under robust conditions of security and confidentiality, as well as limited access to authorized personnel. Consequently, employers wishing to take steps to ensure the health of their employees must rely on their occupational health service.
Processing operations pertaining to such special category of personal data is, by principle, prohibited under GDPR, unless they fall within one of the exceptions provided under GDPR, namely:
In the context of the pandemic, the CNIL highlights that (2) and (8) would be the only relevant bases to ensure the safety in the workplace.
In that regard, the coordination with health authorities, as potential recipients of the data, is authorized, to ensure the medical care of the exposed person. Nevertheless, the identity of the individual, effectively or presumably infected, must not, under any circumstances, be communicated to other employees.
Considering that GDPR and its French implementation only apply to automated processing (particularly computer processing) or to non-automated processing where a physical file is materialized, this means that the simple verification of temperatures prior to access to premises would not trigger application of GDPR insofar as no trace of this check is kept and if no other operation is carried out. On the other hand, any automated temperature verification, such as through use of thermal cameras, would be subject to GDPR. Given that other less intrusive methods to achieve a similar purpose exist, they may not pass muster for the data minimization tenet of GDPR.
Based on the CNIL and French Labor Ministry guidance, the following could be considered by employers in order to effectively and efficiently organize their employees’ return to work:
First publication: K&L Gates Hub in collaboration with Christine Artus, Sarah Chihi, Anne Ragu, Clara Schmit
