GDPR, a never-ending story?

Update: recent developments in privacy and data protection
1. Data transfers - First Belgian guidance on the interpretation of Schrems II

Although we have been in lockdown for quite a while, personal data has continued to travel across borders in ever-increasing quantities. In this regard, the infamous Schrems II decision from July 2020 left many stakeholders and practitioners in the dark on the legality of personal data transfers to third countries, in particular to the U.S.

Recently, the Belgian Council of State (Conseil d'État/Raad van State) gave its first guidance on the issue in the ViaVan case, in furtherance of earlier guidance published by several data protection authorities (e.g. the EDPB and the Flemish Supervisory Commission), and the French Council of State’s (Conseil d'État) Doctolib case.

In short, the Council had to assess whether ViaVan’s (a Dutch company fully owned by a U.S. company) reliance on Amazon Web Services (AWS) for the processing of personal data in the framework of ViaVan’s performance of a public contract awarded to it by the Flemish government, violated GDPR as interpreted in Schrems II.

The Council of State stated that:

  • Standard Contractual Clauses remain a valid mechanism to provide sufficient safeguards for data transfers to the U.S.;
  • These Standard Contractual Clauses need to be complemented with supplementary measures for transfers to third countries which do not offer an adequate level of protection (including the U.S.);
  • In conclusion, ViaVan provided a sufficient framework of measures and did not infringe upon GDPR.

Although the Belgian Council of State, in contrast to its French colleagues, did not enter into a detailed analysis of the supplementary measures put in place by the data processor (ViaVan), it did state that “neither the EDPB, nor the Flemish Supervisory Commission, oppose entire encryption of the data prior to being stored with the service provider and where the encryption keys are retained solely under control of the (Flemish) exporter” (own translation).

This decision thus confirms that data transfers to non-adequate countries are not prohibited from the outset, and highlights the need for supplementary measures.

The full decision can be consulted here:

https://www.ie-forum.be/documents/ecli/61279322-57cc-4f46-9cda-3c32c35ff8c2.pdf

2. Where does GDPR end?

In his recent Opinion* of October 6th 2021, Attorney General (AG) Bobek gave his opinion on the scope of ‘acting within its judicial capacity’ as referred to in Article 55(3) GDPR. In essence, the main question referred to the CJEU was whether a judicial authority granting a journalist access to procedural documents containing personal data for the purpose of enabling the latter to better report on a public hearing, constitutes ‘processing operations of courts acting in their judicial capacity’.

Although the specific reasoning of the AG and main conclusion that “Article 55(3) GDPR must be interpreted to mean that the practice of the disclosure of procedural documents to a journalist for the purpose of better covering a public hearing is carried out by courts ‘acting in their judicial capacity’” is an interesting read as such, the AG’s rather fierce criticism of the GDPR’s broad scope of application is probably even more interesting.

The AG stated that “in my view, I suspect that either the Court, or for that matter the EU legislature, might be obliged to revisit the scope of the GDPR one day. The current approach is gradually transforming the GDPR into one of the most de facto disregarded legislative frameworks under EU law (emphasis added). That state of affairs is not necessarily intentional. It is rather the natural by-product of the GDPR’s application overreach, which in turn leads to a number of individuals being simply in blissful ignorance of the fact that their activities are also subject to the GDPR. While it might certainly be possible that such protection of personal data is still able to ‘serve mankind’, I am quite confident that being ignored as a result of being unreasonable does not in fact serve well or even contribute to the authority or legitimacy of any law, including the GDPR.”

Whether the AG’s criticism will get any reference in the final judgment is doubtful. Nevertheless, the AG strikingly reflects the general sentiment around GDPR which our clients encounter on a daily basis.

The full AG’s Opinion can be consulted here:

https://curia.europa.eu/juris/document/document.jsf?text=&docid=247105&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=5763643

If you have any questions in relation to personal data protection-related issues, please contact us and we will be happy to assist you.

*Disclaimer: please be aware that the Opinion of an AG at the CJEU only serves as guidance for the final decision and has no binding force. The criticism expressed by the AG in his Opinion cannot be interpreted as a free pass to ignore the applicability of the GDPR.