Data transfer: the necessary assessment of foreign legislation?
Update November 2, 2022
The European Data Protection Board (EDPB) provides its framework for compliance with the GDPR in the event of data transfer outside the European Union.
Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, adopted on 18 June 2021.
It was expected that this framework would ease the contractual formalities for companies (Binding Corporate Rules or Standard Contractual Clauses) regarding data transfers outside the European Union.
But it emerges from this framework that careful examination of foreign legislation remains necessary, as recommended by the Schrems II judgment (https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A62018CJ0311), as soon as a territorial area is identified as uncertain by the European authorities (https://www.cnil.fr/fr/la-protection-des-donnees-dans-le-monde), unless the transfers fall within the derogations provided for in Article 49 of the GDPR.
Indeed, a sovereign state may in any case access data upon specific request: only a general request for access to data could be challenged on principle.
As regards data transfers to the United States, there is still no adequacy decision by the European Commission, following the so-called Schrems I judgment of 6 October 2015 (C-362/14) (invalidation of Safe Harbour) and Schrems II judgment of 16 July 2020 (C-311/18) (invalidation of Privacy Shield). The US legislation reflects a conception of privacy centred on the protection of the American citizen, not including foreigners, which is not the universalist conception of the European Union.
The 4th Amendment to the United States Constitution provides: "The right of citizens to be secure in their person, domicile, papers and effects against search and seizure without reason shall not be violated, nor shall any warrant be issued except on serious presumption, corroborated by oath or solemn declaration, and describing with precision the place to be searched and the persons or things to be seized."
Despite efforts at approximation (see Joe Biden's recent executive order of 7 October 2022, which does provide for a delegate of the executive branch and even an independent court, but whose opinions are not binding), US law still provides for mass surveillance and the absence of effective remedies for the rights of data subjects.
It is therefore primarily up to the data exporter, in a perilous assessment exercise, to check foreign legislation. The Committee provides a list of data sources in Annex III of its recommendations.
The new Standard Contractual Clauses ("SCC") (adopted by the European Commission on June 4, 2021 and published on June 7, 2021, which will enter into force on June 27, 2021, https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=fr) do not exempt the exporter from this exercise.
The Doctolib interim decision may give some clues as to how to secure a data transfer: location and encryption in France, obligation for the European subsidiary to contest the foreign "general" request, low sensitivity data, short data retention period: https://roquefeuil.avocat.fr/2021/04/transfert-de-donnees-sur-un-cloud.html