Below you will find some highlights from the pleading which can be found here.
“With regard to the first question on standard contractual clauses (SCCs):
- The SCCs adopted by the COM are instruments with a general scope. They are not related to any specific third country. They are provided for an individual transfer contract from an EU-exporter to a third country importer.
- Therefore, the EDPB considers that the COM is not obliged to examine whether the access of the public authorities of a given third country to the data transferred respects the level of protection required by EU law.
- The EDPB considers that this is primarily the responsibility of the exporter and the importer, when considering whether to enter into the SCCs.
- This means that it is also for SAs, in particular on the basis of a complaint, to assess whether the continuity of the protection afforded by Union law is ensured once the data were transferred, including whether the exporter and importer complied with their obligations under the SCCs. If not, SAs may suspend transfers.
- Under SCCs, SAs are only empowered to assess individual cases but do not have the power to issue a general ban of transfers to a specific third country.
As far as the second question is concerned, on data during the stage of transit:
- On the first part of the question: The EDPB takes the view that the continuity of the protection afforded under EU laws needs to be ensured, also during the stage of transit to a third country, no matter which transfer tool is used.
- In the context of an assessment of adequacy, when assessing the level of protection of the laws of a third country the EDPB has stated that COM’s analysis should not be limited to the law and practice allowing for surveillance within that country’s physical borders. It should also cover the law and practice allowing for surveillance outside or on its way to its physical borders, as far as EU data are concerned.
- The EDPB takes the view that, no matter which Chapter V GDPR transfer tool is used, the assessment should be limited to applicable laws and practices in the third country where the recipient is. The EDPB sees no obligation to assess any other country’s laws which could provide for the possibility to intercept data on their way to the third country where the recipient is.
- With regard to the U.S., the EDPB included the Executive Order 12333, which applies to the collection of data by the U.S. authorities outside the U.S. territory, and the Presidential Policy Directive 28 (PPD-28), when commenting on the Privacy Shield decision and its joint reviews.
- On the second part of the question: the adoption of an adequacy decision may create a presumption, if the respect for the level of protection during the stage of transit was made part of the adequacy finding.
- Though the EDPB notes that reference is made to data in transit in the Privacy Shield adequacy decision, the level of protection during the stage of transit was not discussed during both Privacy Shield Joint Reviews, as the U.S. Government stated that the stage of transit is not covered by the Privacy Shield.
With reference to the fourth question, on access to personal data by a public authority:
- In our view, as the screening of communications and access to data in this context are inextricably linked to the process of collection of data, the access to data by means of selectors for the purposes of screening communications is part of the processing of the data collected.
- I would like to refer to the specific context of the Privacy Shield, in particular with regard to US programmes run under the authority of 702 FISA, which aim at collecting personal data by means of selectors following the screening of communications. The EDPB, in its reports on the 1st and 2nd Joint Reviews of the Privacy Shield, stressed the importance of more specific safeguards for these measures, for example for precise targeting to determine whether an individual or a group can be a target of surveillance, and for strict scrutiny of individual targets by an independent authority ex-ante.
Regarding the fifth question, on the Privacy Shield Ombudsperson:
- The EDPB welcomed the establishment of the Ombudsperson mechanism as a new redress mechanism.
- At the same time, the EDPB expressed concern with regard to effective judicial redress before the courts of the U.S., and examined if the Ombudsperson mechanism could have offset these deficiencies with respect to individual judicial protection. The EDPB took the view that the Ombudsperson mechanism could only offset the deficiencies of judicial redress if the requirements of Art. 47 of the Charter are met.
- The EDPB thus focused on the question how independent the Ombudsperson is and what powers she/he has.
- The EDPB stated in the last Privacy Shield joint review issued earlier this year that it is not in a position to conclude that the Ombudsperson is vested with sufficient powers to access information and to remedy non- compliance. The EDPB went on to say it can thus not state that the Ombudsperson can be considered an “effective remedy before a tribunal” in the meaning of Art. 47 of the Charter of Fundamental Rights.
Finally, I would like to make some additional remarks:
- Personal data of Europeans are well protected through the high European standards provided and enshrined in the Charter of Fundamental Rights and the GDPR.
- As one of the judges of this court said after the Schrems I ruling, this protection “is sailing with the data, wherever the data are transferred to”.
- We, the SAs, used our powers and capacities to uphold this standard and to spread it, bearing in mind consideration 42 of the Schrems I ruling stating “that national SA must in particular ensure a fair balance between, on the one hand, observance of the fundamental right to privacy and on the other hand, the interests requiring free movement of personal data”, and recital 4 of the GDPR.”