New hurdles to transferring European personal data to Mauritius
Shalinee Dreepaul Halkhoree, Partner-Barrister at Juristconsult Chambers, explains how a data privacy decision in the Facebook Ireland case has had far-reaching implications for how EU-based companies are now expected to approach the transfer of personal data to Mauritius for processing
On July 16, 2020, the Court of Justice of the European Union (CJEU) delivered its decision in the case of Data Protection Commissioner v Facebook Ireland and Maximilian Schrems (the Schrems II decision), which invalidated the EU-US Privacy Shield1 and created new obligations, notably for businesses transferring personal data outside the European Economic Area (EEA)2.
This case concerns Maximilian Schrems, an Austrian national residing in Austria, who had been a Facebook user since 2008. Some or all of Mr Schrems's personal data were being transferred by Facebook Ireland to servers belonging to Facebook Inc. located in the United States, for processing. Mr Schrems lodged a complaint with the Irish supervisory authority seeking to prohibit those transfers, claiming that the law and practices in the United States did not offer sufficient protection against access by public authorities to the data transferred to that country.
What the Schrems II decision means for Mauritius
Following the decision of the CJEU, before transferring personal data outside the EEA, organisations must verify on a case-by-case basis whether the protection afforded to personal data in the third country to which the data is transferred is 'essentially equivalent' to that provided within the EEA.
Consequently, companies which transfer data to Mauritius for processing (for example as part of BPO3 operations or shared services functions) have started undertaking third country assessments to determine whether they can continue to transfer such data to Mauritius. This assessment consists of understanding the legal, regulatory and surveillance regime of Mauritius in order to ascertain whether anything in the Mauritian regime would affect the ability of the data exporter to export data to Mauritius.
Recommendations of the EDPB after the Schrems II decision
On November 10, 2020, the European Data Protection Board (EDPB)4 issued recommendations on measures that businesses can adopt to supplement transfer tools, such as Standard Contractual Clauses (SCC)5, in order to ensure that personal data transferred to a third country enjoys a level of protection essentially equivalent to that guaranteed in the EEA.
It may be noted that the European Commission has so far issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU or the European Economic Area (EEA). It has also issued one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or the EEA.
Since Mauritius has not yet received an adequacy decision in its favour, and is therefore not considered by the European Commission as having an adequate level of protection for personal data, the data importer has to enter into SCCs with its data exporter.
The EDPB has also issued recommendations regarding the essential guarantees afforded by EU law in respect of surveillance measures, to serve as a guide for assessing the laws of countries where personal data is being transferred.
The recommendations of the EDPB contain a non-exhaustive list of supplementary measures that may be sufficient to ensure essential equivalence. These supplementary measures are grouped as technical, contractual or organizational safeguards.
The technical measures include encrypting or pseudonymising the data before transfer, in such a way that the decryption keys, or the additional information needed to re-identify individuals, remain outside the reach of the data importer6, or ensuring that the data importer is exempt from government access to the data. The contractual measures include obligations on the data importer to implement specific technical measures or to be more transparent when processing data, for example through the proactive disclosure of law enforcement requests or government access to data.
The organizational measures would include implementing policies and procedures regulating data transfers, or having in place transparency and accountability measures, such as the publication of transparency reports or the adoption of standards and best practice, such as codes of conduct or ISO standards.
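The pseudonymisation measure above only works if the importer cannot reverse the tokens. The following is an added example (not part of the original article, nor code from any of the organisations it mentions) of how an EEA data exporter can pseudonymise a BPO payload before transfer: direct identifiers are replaced by HMAC-SHA256 tokens under a key that never leaves the EEA, the importer aggregates on the tokens, and the exporter re-identifies the results using a lookup table it kept. It also shows the failure mode a practitioner should check for: an unkeyed SHA-256 of an e-mail address is reversed by a simple dictionary attack, whereas the keyed token is not. The records, names, amounts and field names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people and amounts), as held by the
# EEA data exporter before anything leaves the EEA. Amounts are in cents so
# the importer's sums are exact integers.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Andersen", "invoice_cents": 12050},
    {"email": "bob@example.com", "name": "Bob Baptiste", "invoice_cents": 8000},
    {"email": "alice@example.com", "name": "Alice Andersen", "invoice_cents": 1999},
]

# Fields that directly identify a person; these never travel to the importer.
DIRECT_IDENTIFIERS = ("email", "name")


def keyed_token(secret_key: bytes, identifier: str) -> str:
    """Pseudonym for an identifier: HMAC-SHA256 under a key the exporter keeps.

    Without secret_key there is no function the importer (or anyone who obtains
    the importer's copy of the data) can evaluate to test guesses against a
    token; that is what makes this pseudonymisation rather than a plain hash.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(secret_key, normalised, hashlib.sha256).hexdigest()


def unkeyed_token(identifier: str) -> str:
    """The weak variant: a bare SHA-256 of the identifier (shown for comparison only)."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hashlib.sha256(normalised).hexdigest()


def pseudonymise(records, secret_key: bytes):
    """Split records into (payload for the importer, re-identification table).

    The lookup table maps token -> direct identifiers and stays with the
    exporter in the EEA; only the payload list is transferred.
    """
    for_importer = []
    lookup = {}
    for rec in records:
        token = keyed_token(secret_key, rec["email"])
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        for_importer.append({"subject_id": token, **stripped})
    return for_importer, lookup


def importer_totals(pseudonymised_records):
    """What a BPO importer can still do: per-subject aggregation on tokens alone."""
    totals = {}
    for rec in pseudonymised_records:
        totals[rec["subject_id"]] = totals.get(rec["subject_id"], 0) + rec["invoice_cents"]
    return totals


def reidentify(totals, lookup):
    """Exporter-side step: attach results back to real identities via the kept table."""
    return {lookup[token]["email"]: amount for token, amount in totals.items()}


def dictionary_attack(token: str, candidates, token_fn):
    """Try to reverse a token by applying token_fn to a list of likely identifiers."""
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    exporter_key = secrets.token_bytes(32)          # generated and stored in the EEA only
    outbound, table = pseudonymise(SAMPLE_RECORDS, exporter_key)
    totals = importer_totals(outbound)              # runs at the importer in Mauritius
    print(reidentify(totals, table))                # back in the EEA

    # Why the key matters: an adversary holding a list of plausible identifiers.
    guesses = ["carol@example.com", "alice@example.com"]
    print(dictionary_attack(unkeyed_token("alice@example.com"), guesses, unkeyed_token))
    wrong_key = secrets.token_bytes(32)
    print(dictionary_attack(keyed_token(exporter_key, "alice@example.com"), guesses,
                            lambda s: keyed_token(wrong_key, s)))
```

The design choice worth noting is that the key and the lookup table are the exporter's only re-identification means, so an assessment can point to something concrete: the importer holds neither, and the tokens are useless to a third party who compels their disclosure. Rotating the key changes every token, which also limits linkability across separate transfers.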
The EDPB's recommendations on the European Essential Guarantees for surveillance measures (the EEG recommendations) supplement the recommendations on supplementary measures and provide specific guidance on how to assess whether a destination country's surveillance7 laws, which allow government access to data and thereby interfere with the right to privacy, are justifiable in accordance with EU law.
The recommendations establish four EEGs that must be considered as part of the overall assessment:
1. Processing should be based on clear, precise and accessible rules;
2. Necessity and proportionality with regard to the legitimate objectives pursued by the laws need to be demonstrated;
3. There should be the existence of an independent oversight mechanism; and
4. There should be effective remedies available to the individual.
Modernized SCCs as per the draft decision of the European Union after the Schrems II decision
The European Commission launched, on 12 November 2020, a public consultation on new SCCs (the new SCCs), which are intended to provide appropriate safeguards within the meaning of the GDPR8 for the transfer of personal data from a controller or processor subject to the GDPR (the data exporter) to a controller or (sub-)processor not subject to the GDPR (the data importer). Once the new SCCs are adopted, data importers in Mauritius will need to phase out and replace all existing SCCs they have entered into within 12 months of their adoption, an enormous task for many.
Consequence for Mauritius
Adopting the new SCCs would entail that the data importer (i.e. the Mauritian entity) guarantees that it has provided appropriate safeguards for the data being imported and that enforceable data subject rights and effective legal remedies for data subjects are available in Mauritius. In addition, the supplementary measures highlighted above will need to be taken by the data importer. The latter will also need to satisfy the data exporter that Mauritian surveillance laws (including those allowing government access to data) do not interfere with the right to privacy beyond what is justifiable in accordance with EU law.
Having said that, providing adequate safeguards may not be a big challenge, as our Data Protection Act 2017 (the Act) already imposes on controllers and processors the obligation to provide such safeguards when processing data. The challenge may lie in showing that the exchange of information between Ministries, Government departments and public sector agencies provided for by the Act, as well as the exemptions from the Act on grounds of national security, defence or public security, are justifiable in accordance with EU law.
This article was published in the Mauritius Finance Publication - May 2021 - Issue 1
2EEA means the EU and Iceland, Liechtenstein and Norway
3Business Process Outsourcing
4The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. It is composed of representatives of national data protection authorities, and the European Data Protection Supervisor (EDPS).
5The European Commission can decide that standard contractual clauses offer sufficient safeguards on data protection for the data to be transferred internationally.
6The organisation which is receiving the personal data for processing purposes.
7Surveillance is the monitoring of behavior, activities, or information for the purpose of information gathering, influencing, managing or directing. This can include observation from a distance by means of electronic equipment, such as closed-circuit television (CCTV), or interception of electronically transmitted information, such as Internet traffic. It can also include simple technical methods, such as human intelligence gathering and postal interception.
8General Data Protection Regulation (Regulation (EU) 2016/679)