Belgium: Council of State approves US data transfer
On 19 August 2021, the Belgian Council of State (Belgium’s administrative supreme court) confirmed the validity of data transfers to the U.S., following the CJEU’s judgment in Schrems II (C-311/18).
As discussed in earlier blog posts (e.g. see here), the Schrems II decision considered the mechanisms to transfer personal data outside of the European Economic Area (“EEA”), and particularly to the U.S. The CJEU:
- invalidated the EU-U.S. Privacy Shield – less than five years after invalidating its predecessor, the U.S. Safe Harbour; and
- held that the controller-processor “Standard Contractual Clauses” (“SCCs”) (see modernised SCCs here) remain a valid transfer solution, provided that the personal data are adequately protected.
The outstanding question is whether, and under what conditions, transfers to the U.S. on the basis of SCCs could provide sufficient protection. For the first time in Belgium, the court has addressed this important question, confirming that data transfers to the U.S. remain possible, subject to certain conditions.
The case arose out of a public procurement dispute involving the large-scale processing of personal data, including identification data (e.g. user name, login, bank details for invoicing) and special categories of data (e.g. health data).
The plaintiffs, BV Qarin and BV Rotterdamse Mobiliteit Centrale RMC, challenged a decision by the Flemish Region (the defendant, as well as the controller) to award the assignment to BV ViaVan Technologies (the processor), a Belgian subsidiary of a U.S. company that will rely on Amazon Web Services (AWS) to provide the services.
The plaintiffs alleged the award would result in a transfer of personal data to the U.S., which was – according to them – no longer allowed after the Schrems II decision. In support of this statement, the plaintiffs referred to the advice of the Vlaamse Toezichtscommissie (the body that supervises the application of the GDPR by the Flemish administrative authorities) on information security and GDPR conformity of the AWS platform. This advice allegedly concluded that there were no supplementary measures that could ensure an adequate level of data protection when data would be processed by AWS in the U.S. (see advice here).
As a consequence, the award would put the Flemish Region in breach of Articles 28.1 and 28.3 (on processors), Article 32 (on security of processing) and Article 44 (on data transfers) of the GDPR.
The Council of State’s decision
The Council of State discussed the Schrems II judgment, confirming that SCCs remain a valid data transfer mechanism for transfers to the U.S., provided that the EU data exporter implements appropriate supplementary measures, such as encryption or pseudonymisation. This would be dependent upon the concrete circumstances.
This case does indeed concern a data transfer within the meaning of the Belgian Data Protection Act of 30 July 2018, which necessitates a valid transfer solution. While the EU-U.S. Privacy Shield can no longer be relied upon for data transfers to U.S. companies, SCCs still provide a valid legal basis for such transfers. It is then up to the data exporter (where appropriate in collaboration with the data importer) to verify for each given case, and by means of a so-called Transfer Impact Assessment (“TIA”), if the SCCs can be adhered to when transferring data to a country outside the EEA.
Alternatively, supplementary measures should be taken by the controller or processor to ensure an essentially equivalent level of data protection to that guaranteed within the European Union. In this respect, the Council of State relied on the 01/2020 Guidelines issued by the European Data Protection Board (see here). Given the CJEU’s conclusion in Schrems II that U.S. law does not generally provide a level of data protection equivalent to EU law (because of invasive U.S. state surveillance powers), additional safeguards would be needed here.
The Council of State confirmed that the advice of the Vlaamse Toezichtscommissie and the EDPB guidelines do not exclude that encryption with separate key management can constitute a sufficient supplementary measure to transfer data to the U.S., especially in the present case, where the data is fully encrypted by the Flemish Region before transferring it to ViaVan Technologies and the encryption keys are kept under the full control of the Flemish Region. Given that transfers based on SCCs require a case-by-case assessment, questions in relation to appropriate encryption schemes will still have to be examined for each individual case.
Accordingly, the Council of State decided not to suspend the decision of the Flemish Region to contract with an EU branch of a U.S. company using AWS.
This decision of the highest administrative court in Belgium contributes to a uniform understanding of the Schrems II judgment, confirming that companies can, under specific conditions, rely on SCCs as a valid legal transfer mechanism for transferring personal data to the U.S.
In carrying out the TIA, the Guidelines of the European Data Protection Board serve as a useful tool to support data exporters in identifying appropriate supplementary measures where needed, and encryption may – dependent upon the concrete circumstances – constitute an appropriate supplementary measure allowing the transfer of personal data to the U.S.
Future GDPR challenges to international data transfers seem likely, in the context of public tenders and beyond, so the importance of a thorough TIA should not be underestimated.
By Tanguy Van Overstraeten and Julie De Meyer