Last week, at the time of writing this article, the Court of Justice of the European Union (“CJEU”) reached a decision for the Schrems II case. Much has been said about the decision already, but to our knowledge, its impacts on European (“EU”) funded projects have not been discussed.
European funded projects typically involves a number of organisations from EU member states as well as from a long list of further countries outside the European Economic Area (“EEA”), working all together for the aim of the project.
In this context, it is not infrequent for personal data to be collected from EU citizens in the EU and then transferred outside the EEA for research and innovation actions.
This kind of activity, while not illegal or problematic per se, requires the compliance with additional rules and provisions, in primis with Chapter V (Transfer of personal data to third countries or international organisations) of the EU General Data Protection Regulation 2016/679 (“GDPR”).
Among the requirements provided therein, the EU legislator, besides having recalled the unavoidable compliance with the principles set forth in other chapters of the GDPR, identifies a series of legal grounds pursuant to which the transfer of personal data might operate.
For the purposes of this article, it is worth to recall that there are essentially three levels of protection when it comes to personal data transfer, from the strongest to the weakest, in terms of ensuring that the fundamental rights (in particular those provided in article 7 and 8 of the Charter of Fundamental Rights of the European Union) of EU citizens are in any case respected and not undermined:
Of course, it appears clear that not all third countries successfully negotiated with the EU Commission an adequacy decision, and for this reason, SCC comes to hand.
Indeed, SCC are essentially a template agreement drafted by the EU Commission providing certain requirements and safeguards that cannot be derogated by private parties and that can be filled by EU data exporters willing to transfer personal data outside the EEA to organisations that will then process those personal data.
As a matter of fact, with the decision 2004/915/EC and 2010/87 EU, the EU Commission published two different set of SCC: one regulating the relationship between an EU data controller and an extra EU data controller, and the other regulating an EU data controller and an extra EU data processor. This distinction should be kept in mind.
In fact, last week, on Thursday 16th 2020, with the decision concerning the case C-311/18, or as publicly known as Schrems II, CJEU ruled over:
The legal consequences and implications of this ground breaking decisions are several, and we suggest reading at least one or two analyses of prominent legal scholars published over the last few these days (among the other the one published on the European Law Blog by Professor Christopher Kuner). Moreover, applying the finding of the CJEU to EU funded project, it is possible to make the following considerations:
Last but not least, in light of the finding of the CJEU, further considerations can also be formulated considering the presence in many EU funded projects of partners incorporated under Israel and/or UK laws. Indeed, the transfer of personal data to Israel is now covered by an adequacy decision; however it is also known that in Israel mass surveillance programmes are currently in place. On the other hand, the UK will exit definitely from the EU by the end of December 2020, and the possibility to transfer personal data from the EU to the UK might hinge on the issuance of an adequacy decision. However, the UK itself has been also recently (in 2018) condemned for the implementation of surveillance laws which violate fundamental rights of privacy and data protection (see the case of Big Brother Watch and Other vs The United Kingdom, held before the European Court of Fundamental Rights)
In any case, without the presumption to summarize in few words a very complex legal dilemma, here are additional sources for further information: