EDPS - 2023-0367
EDPS - Case 2023-0367 | |
---|---|
Authority: | EDPS |
Jurisdiction: | European Union |
Relevant Law: | Article 48(3)(a) Regulation (EU) 2018/1725 Article 50(1)(3) Regulation (EU) 2018/1725 Article 50(1)(d) Regulation (EU) 2018/1725 Article 57(1)(n) Regulation (EU) 2018/1725 Article 58 Regulation (EU) 2018/1725 Article 58(3)(e) Regulation (EU) 2018/1725 Chapter V Regulation (EU) 2018/1725 |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | 13.07.2023 |
Published: | |
Fine: | n/a |
Parties: | Court of Justice of the European Union (CJEU) |
National Case Number/Name: | Case 2023-0367 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | EDPS (in EN) |
Initial Contributor: | n/a |
The EDPS found, after the CJEU requested for an authorisation of contractual clauses under Article 48(3)(a) of the EU GDPR, that no data transfers took place that would fall under the scope of such authorisation in the context of the CJEU’s use of the videoconferencing tool Cisco Webex.
English Summary
Facts
Court of Justice (CJEU) had concluded a contract with Cisco International Limited UK (Cisco UK), with certain annexes concluded with Cisco Systems Inc. US (the contract). The contract provided for the use of the videoconferencing solution 'Cisco Webex' and related services.
In August 2021, the EDPS temporarily authorised the use of contractual clauses between the CJEU and Cisco Systems Inc. for transfers of personal data in the CJEU’s use of Cisco Webex and related services (EDPS Decision 2021) in the context of Chapter V of Regulation (EU) 2018/1725 (EU GDPR). In that decision, the EDPS set 14 conditions that the CJEU was required to meet for the renewal of the authorisation.
In October 2022, following an assessment of the CJEU’s implementation report, the EDPS extended temporarily and conditionally the authorisation to use the mentioned contractual clauses (EDPS Decision 2022). In that decision, the EDPS called on the CJEU to clarify several outstanding issues and to introduce further changes to the contractual obligations between the Court and Cisco Systems Inc. US. The CJEU was required to ensure an essentially equivalent level of protection within 16 months after the date of the EDPS Decision 2022 (i.e. by 1 March 2024), by remedying the compliance issues identified in that decision.
Thereafter, in May 2023, the CJEU provided a compliance report and newly redrafted contractual clauses (together ‘the documentation’) to the EDPS to demonstrate the implementation of the conditions set in the EDPS Decision 2022. The CJEU requested for an authorisation of contractual clauses under Article 48(3)(a) of the EU GDPR to be concluded between the CJEU and Cisco Systems Inc. US, in the context of transfers of personal data (Chapter V of the EU GDPR) in the CJEU’s use of Cisco Webex and related services.
Holding
(i) No transfers of personal data
The EDPS took into account that based on the documentation provided to the EDPS there were technical measures, such as end-to-end encryption (Zero Trust Security End-to-End encryption), in place that effectively prevented Cisco’s access to real time (meeting) data of the CJEU. The use of the Zero Trust Security End-to-End encryption was considered, by the EDPS, as one of several technical measures significantly contributing to the integrity and confidentiality of the processing operations.
Furthermore, the EDPS took into account that the personal data in question was processed and stored within the European Economic Area (EEA). Moreover, Cisco UK did not have access to the data of the CJEU by default, and in any case Cisco UK did not access the data without explicit authorisation. Also, none of Cisco’s sub-processors located outside of the EEA had a default remote access to the CJEU’s data processed in the EEA.
In light of the above, the EDPS found that there were no transfer(s) of personal data or otherwise making personal data available by the CJEU to Cisco UK, because the latter was contractually excluded from having access to or accessing personal data on behalf of the CJEU.
(ii) Merely potential and unforeseeable transfers do not fall under Chapter V of the EU GDPR
Nextly, the EDPS held that transfers resulting from unauthorised access by third country entities, which are merely potential and in no way foreseeable, in light of the content or purpose of a contract, do not fall under the scope of Chapter V of EU GDPR. In the EDPS’s view, the unlikely and unplanned character of such risks of such unauthorised access made them unsuitable to be ex ante subjected to the regime of Chapter V of the EU GDPR. It followed, that the EDPS held that for such potential and unplanned transfers, a transfer tool under Chapter V is not required.
In the present case, the EDPS viewed that the transfers resulting from possible remote governmental access to data located in the EEA, (possible under the laws of the United States), are not envisaged nor planned under the contract between the CJEU and Cisco UK. In that sense, the CJEU was considered not to have planned for such transfers to take place in the broader context of the execution of the contract or the CJEU’s ‘stable relationship with Cisco Webex entities’.
Based on the above, the EDPS held that potential transfers of data located in the EEA resulting from the application of third-country laws are not covered by Chapter V of the EU GDPR, and the Court does not need to provide for appropriate safeguards for them by means of contractual clauses.
(iii) Contractual exceptions that may lead to transfers of personal data
However, the contract did include exceptions to the territorial limitations on processing personal data resulting from specific actions (e.g. when a user makes a technical assistance request or contract management). The EDPS found that in those exceptional situations, transfer(s) of personal data in the context of Chapter V of the EU GDPR may take place. Based on the documentation, the EDPS found that the CJEU had mitigated the application of such exceptions, in a way, that effectively prevented the transfers from taking place. In addition, the EDPS noted that the CJEU had introduced additional organisational measures aimed at limiting the transfer(s) of personal data.
Based on the documentation, the EDPS also considered that the measures introduced by the CJEU effectively prevented the chance that such exceptions were triggered. As a result, even though transfers remained foreseen, the CJEU’s additional internal measures were seen to effectively prevent such transfers from taking place. It followed, that the EDPS held that in those circumstances the transfers did not require an authorisation under Article 48(3)(a) of the EU GDPR.
With regard to a transfer of personal data resulting from a user’s technical assistance request, the EDPS held that the CJEU may rely on the derogation provided for under Article 50(1)(d) (transfer is necessary for important reasons of public interest) and (3) of the EU GDPR. In addition, with regard to transfers resulting from contract management, the EDPS held that the CJEU could also rely on the derogation provided for under Article 50(1)(d) (transfer is necessary for important reasons of public interest) and (3) of the EU GDPR. Thus, such transfers were considered to be not fall within the scope of the present decision.
Conclusion
As a result of the above assessment, the EDPS concluded that the CJEU had complied with the conditions that were imposed within the previous EDPS decisions in 2021 and 2022, and issued a decision in accordance with Article 57(1)(n) and Article 58(3)(e) of the EU GDPR. The EDPS found that there were no data transfers that would fall under the scope of an authorisation under Article 48(3)(a) of the EU GDPR.
The decision was said to be without prejudice to the investigative and corrective powers of the EDPS under Article 58 of the EU GDPR.
Comment
We note, that under authorisation procedures, the EDPS does not carry out an investigation or on-the-spot checks and audit of the processing and flows of personal data in the use of a certain service as they occur in practice and of the effectiveness of the technical and organisational measures implemented and the provider of that service. The scope of EDPS authorisations is limited to verifying that the contractual clauses between the controller and the processor with which the contract is concluded provide appropriate safeguards.
An authorisation decision issued by the EDPS is not a general endorsement nor certification of data protection compliance of the services provided by any entity of the provider which is also stated in the decision.
[The equivalent GDPR Article to Article 48(3)(a) EU GDPR is Article 46(3)(a) GDPR, and Article 50(1)(d) EU GDPR is Article 49(1)(d) GDPR.]
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
EDPS Decision on the Court of Justice of the EU’s request to authorise the contractual clauses between the Court of Justice of the EU and Cisco Systems Inc. for transfers of personal data in the Court’s use of Cisco Webex and related services 13 July 2023 (Case 2023-0367) Summary: This Decision addresses the request from the Court of Justice of the EU (the ‘Court’) for the renewal of the authorisation of the contractual clauses pursuant to Article 48(3)(a) of Regulation (EU) 2018/1725 (the ‘Regulation’) .1 Given the Court’s progress in its compliance with the conditions of the EDPS Authorisation Decision of 31 August 2021 and the EDPS Authorisation Decision of 28 October 2022, the EDPS finds that there are no transfers that fall under the scope of an authorisation under Article 48(3)(a) of the Regulation. In the context of the present Decision, the EDPS has not carried our any investigation or on- the-spot checks or audit of the processing and flows of personal data in the Court’s use of Cisco Webex and related services as they occur in practice and of the effectiveness of the technical and organisational measures implemented by the Court and Cisco. The exercise of the EDPS powers in the present Decision is without prejudice to investigative and corrective powers of the EDPS, which may be relied on in a separate procedure to allow the EDPS to verify the factual assertions made by the exporting Union institutions, bodies, offices and agencies (EUIs) in the context of authorisation procedures under Articles 48(3)(a), 57(1)(e) and 58(3)(e) of the Regulation. This Decision is not a general endorsement nor certification of data protection compliance of the videoconferencing services provided by any Cisco Webex entity. 1 Regulation (EU) 2018/1725 of the European Parliament and the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L 295, 21.11.2018, p. 39. 1 Contents I. PROCEEDINGS..........................................................................................................................................3 II. BACKGROUNDINFORMATION........................................................................................................4 A. Previous EDPS decisions..............................................................................................................4 B. Facts..................................................................................................................................................5 III. LEGALANALYSIS......................................................................................................................................6 A. Nature of the authorisation under Article 48(3) of the Regulation...................................6 B. Transfers subject to an EDPS authorisation............................................................................7 1. Transfers that could result from exceptions to the Data Residency Programme and measures to prevent such transfers from happening...........................................7 2. Conditions of EDPS Authorisation Decision of 28 October 2022............................10 C. Transfers not subject to an EDPS authorisation..................................................................11 1. Possible non-EU/EEA governmental access requests.................................................11 2. Processing for the Court’s use of Cisco Technical Assistance Service Delivery.13 3. Transfers of business customer information.................................................................18 IV. CONCLUSION..........................................................................................................................................18 2 I. PROCEEDINGS 1. This Decision concerns the request from the Court of Justice of the European Union (‘the Court’) for authorisation of contractual clauses under Article 48(3)(a) of Regulation (EU) 2018/1725 (the ‘Regulation’) to be concluded between the Court and Cisco Systems Inc., in the context of transfers of personal data in the Court's use of Cisco Webex and related services. 3 2. The Court’s use of Cisco Webex and related services generates multiple data flows. Based on the information provided to the EDPS by the Court, none of these data flows fall under the scope of an authorisation decision under Article 48(3)(a) of the Regulation. 3. As such, this Decision does not include in its scope transfers provided for under the contractbetweentheCourtandtheUKcompanyCiscoInternationalLimited,which are effectively prevented by the Court, as described in points 21-26 of this Decision. 4. Similarly, this Decision does not include in its scope the transfers of personal data that are subject to Article 50(1)(d) of the Regulation, for which an authorisation for the EDPS is not required. Under Article 50(6) of the Regulation, the EDPS takes note of the categories of cases in which this Article is applied in the Court’s use of Cisco Webex services, as described in points 40-55 of this Decision. 5. This Decision does not include in its scope transfers potentially resulting from unauthorised remote access, as described in points 29-39. 6. The EDPS issues this Decision in accordancewithArticle57(1)(n)andArticle58(3)(e) of the Regulation. 7. This Decision is addressed to the Court. 2 Regulation (EU) 2018/1725 of the European Parliament and the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L 295, 21.11.2018, p. 39. 3 The Court concluded a contract (the Enterprise License Agreement - ‘ELA’) with Cisco International Limited UK, with certain annexes concluded with Cisco Systems Inc. US. The contract provides for the use of Cisco software on premises (Cisco Video Mesh, Cisco Meeting Server, Cisco Unified Communications Manager), as well as the provision of Cisco cloud services (Cisco Webex Meetings, Cisco Webex Events) and maintenance/support services (Cisco Technical Assistance (‘TAC’) Service Delivery). This information was provided to the EDPS in the context of the EDPS Authorisation Decision of 31 August 2021. 3 II. BACKGROUNDINFORMATION A. PreviousEDPSdecisions 8. On 31 August 2021, the EDPS temporarily authorised the use of contractual clauses between the Court and Cisco Systems Inc. for transfers of personal data in the Court’s use of Cisco Webex and related services (‘EDPS Decision of 31 August 4 2021’). In that Decision, the EDPS set 14 c5nditions that the Court was required to meet for the renewal of the authorisation. 9. On 30 September 2022, the EDPS issued an interim Decision which prolonged the effects of the EDPS Authorisation Decision of 31 August 2021 until 31 October 2022. 10. On 28 October 2022, following an assessment of the Court’s implementation report to the EDPS Decision of 31 August 2021, the EDPS extended temporarily and conditionally the authorisation to use the mentioned contractual clauses (‘EDPS Decision of 28 October 2022’). In that Decision, the EDPS called on the Court to clarifyseveraloutstandingissuesandtointroducefurtherchangestothecontractual obligations between the Court and Cisco Systems Inc. 11. The Court was required to ensure an essentially equivalent level of protection within 16 months after the date of the Decision of 28 October 2022, i.e. by 1 March 2024, by remedying the compliance issues identified in that Decision. The Court was also required to provide to the EDPS an intermediate compliance report 12 months after the date of that Decision, i.e., by 1 November 2023, demonstrating steps taken to implement the conditions set in that Decision. 12. On 22 May 2023, the Court submitted the following documents: Final compliance report; Redrafted draft Supplementary Agreement No. 1 to ‘CISCO and Court of Justice of the European Union Enterprise License Agreement (ELA)’, together with its ◦ Exhibit A: ‘ Contractual Clauses’ (‘contractual clauses’) with its Annex 1a: ‘Cisco Webex Meetings: Transfers of Personal Data’, Annex 1b: ‘Cisco Technical Assistance (‘TAC’) Service Delivery: Transfers of Personal Data’; ▪ Exhibit B: ‘List of Sub-processors’; ▪ Exhibit C: ‘Information Security Exhibit’; ▪ Exhibit D: ‘Data Privacy Sheets’ with its Attachment 1: ‘Webex Meeting Privacy Data Sheet’, Attachment 2: ‘TAC Privacy Data Sheet’. Revised ‘Data Transfer Impact Assessment for the Use of CISCO Webex by the Court of Justice of the European Union’ (‘Revised TIA’) with Annexes: 4 EDPS Authorisation Decision of 31 August 2021 (case 2021-0255). 5 The conditions are listed under Section 3 of the EDPS Decision of 31 August 2021. 6 EDPS Authorisation Decision of 28 October 2022 (case 2022-0902). 4 ◦ Annex I: ‘Videoconference Policy’; ◦ Annex II: ‘OSU Cisco TAC management procedure’; ◦ Annex III: ‘Registre des activités de traitement des données personnelles - Services de vidéoconférence et de communication unifiée’ and ‘Information notice on the protection of personal data - Video Conferencing Services (Cisco Webex Meetings)’. B. Facts 13. The EDPS explained its understanding of the contractual obligations between the Court and Cisco Systems Inc., and other Cisco entities in points 2.1.-2.6. of the EDPS Decision of 28 October 2022. These findings of fact are not being repeated here for the sake of brevity. 14. Based the submitted documents, the EDPS understands the following as new or clarified facts: 14.1. ‘User-Generated Information’ refers to Meeting Recordings, Transcriptions of meeting recordings, Uploaded Files, which include real-time meeting data such as VoIP, video and high frame rate sharing data. 7 14.2. The ‘Webex Data Residency for EU countries’ programme, deployed by Cisco International Limited, is activated with regard to all of the Court’s personal data and ensures that personal data processed by Cisco International Limited and its affiliates under its agreement with the Court is processed in Frankfurt, Germ8ny, with a back-up data centre in Amsterdam, The Netherlands. The Court verified the application of this choice through the Control Hub of Webex. 9 14.3. The deployment of the Webex Data Residency programme for the Court’s personal data, including real-time data, means that all processing operations, including storage, take place in the Court’s geographic region mentioned in point 14.2. Based on assurances from Cisco International Limited 10 and the specific11ontractual obligations between the Court and Cisco International Limited , Cisco International Limited located in the UK does not access the data of the Court by default, and in any case does not access the data of the Court without explicit authorisation. In addition, none of the Cisco sub- processors located outside of the European Economic Area (EEA) have a default remote access to the Court’s data processed in the EEA. 7 Point 2 of Annex 1a to Exhibit A to the Supplementary Agreement. 8 Article 1(4)(iii) of the Supplementary Agreement. 9 Point 26 of the Revised TIA. 10 Emails received by the Court from Cisco with clarifications concerning remote access received, transmitted to the EDPS on 13 and 17 February 2023 (registered in the internal EDPS case management system). 11 Article 4(4)(c) of the Supplementary Agreement (last paragraph on page 5 thereof). This paragraph incorporates the EDPS requirements under Condition 13 of the EDPS Decision of 31 August 2021. 5 III. LEGALANALYSIS A. NatureoftheauthorisationunderArticle48(3)oftheRegulation 15. Under Article 46 of the Regulation, any transfer of personal data which are undergoingprocessingorareintendedforprocessingaftertransfertoathirdcountry or to an international organisation shall take place only if, subject to the other provisionsoftheRegulation,theconditionslaiddowninChapterVoftheRegulation are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in Chapter V of the Regulation shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined. 16. In the absence of a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 12 or to Article 36(3) of Directive (EU) 2016/680 1, a controller or processor may transfer personal data to a third country or to an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. 17. Subject to the authorisation from the EDPS, appropriate safeguards may be provided for by, in particular, contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or 14 international organisation. 18. The EDPS authorisations granted under Article 48(3)(a) of the Regulation have for their object such transmissions of personal data that qualify as transfers under the 12 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR), OJ L 119, 4.5.2016, p. 1. 13 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal pen- alties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA 14 (Law Enforcement Directive), OJ L 119, 4.5.2016, p. 89. Article 48(3)(a) of the Regulation. 6 Regulation. Observing the authorising nature of such EDPS decisions, the EDPS6 in this role aims to check contractual compliance with the Regulation of the exporting EUIs. Under authorisation procedures, the EDPS does not carry out an investigationoron-the-spotchecksandaudit of the processing and flows of personal data in a EUI’s use of a certain service as they occur in practice and of the effectiveness of the technical and organisational measures implemented by the EUI and the provider of that service. The scope of EDPS authorisations is limited to verifying that the contractual clauses between the controller and the processor with which the contract is concluded provide appropriate safeguards. This does not exempt the controller from fulfilling its obligations under Article 29 of the Regulation, including in relation to transfers. 19. The exercise of authorisation powers is without prejudice to investigative and corrective powers of the EDPS which may be relied on in a separate procedure to allow the EDPS to verify the factual assertions made by the exporting EUIs in the context of authorisation procedures under Articles 48(3)(a) and 58(3)(e) of the Regulation. 20. An authorisation decision issued by the EDPS is not a general endorsement nor certification of data protection compliance of the services provided by any entity of the provider. B. TransferssubjecttoanEDPSauthorisation 1. Transfers that could result from exceptions to the Data Residency Programmeandmeasurestopreventsuchtransfersfromhappening 21. In light of the facts presented in point 14.3, the EDPS finds that in the case at hand there is no disclosure by transmission or otherwise making personal data available by the Court to Cisco International Limited UK. It is because the latter is contractually excluded from having access to or accessing Court’s personal data 15 Since the Regulation introduces no legal definition of a ‘transfer’, the EDPS relies in particular on the cumulative criteria to qualify a processing operation as a transfer as identified by the EDPB Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, Version 2.0 adopted on 14 February 2023 (‘EDPB Guidelines 05/2021’). In the interest of a coherent approach to personal data protection throughout the Union, and the free movement of personal data within the Union, the legislators aligned the Regulation as far as possible with the data protection rules adopted for the public sector in the Member States. In line with Recital 5 of the Regulation, whenever the provisions of the Regulation follow the same principles as the provisions of the GDPR,those two setsof provisions should,under thecaselawof the Court of JusticeoftheEuropeanUnion, be interpreted homogeneously, in particular because the scheme of this Regulation should be understood as equivalent to the scheme of the GDPR. Consequently, the EDPS by analogy relies on guidance issued by the EDPB in the context of its interpretation of the Regulation where the interpreted provisions and 16 principles, like in this case, are the same. As opposed to corrective and investigative powers of the EDPS under Article 58(1) and (2) of the Regulation. 7 located in the EEA. In addition, based on the description in the documentation provided to the EDPS, technical measures such as Zero Trust Security End-to-End 18 encryption effectively prevent Cisco’s access to real time meeting data. As such, the transmission of personal data by the Court to data centres located in the EEA under the Data Residency Programme does not meet all of the criteria identified by 19 the European Data Protection Board (EDPB) that would qualify it as a transfer. Considering they are not transfers in the sense of Chapter V of the Regulation, these processing operations are not includ20 in the scope of this Decision under Article 48(3)(a) of the Regulation. It follows that when the Webex Data Residency programme is deployed for the personal data in Court’s use of Cisco Webex services, there are no transfers of personal data. 22. While there are contractual exceptions to the deployment of the Webex Data Residency programme because of ‘specific actions or use of functions by the user administratororuser’ ,asaresultofwhichtransfersof personal data may take place, the EDPS considers that, based on the information provided, the Court has mitigated their application in a way that effectively prevents the transfers from taking place in the following manner 2: Description of an exception to Mitigating measures introduced 23 Webex Data Residency by the Court Customer or user registers a user on any The users of the Court do not need Cisco platform (for example, through to register themselves on any Cisco www.webex.com or www.cisco.com) or platform or a Cisco service in order 17 Section 6 of Annex 1a to Exhibit A to the Supplementary Agreement as well as point 25 of the Final Compliance Report where the Court certifies that ‘access to data stored in the EEA by the Supplier, i.e., Cisco International Limited, and its sub-processors has been contractually excluded under Art. 1(4)(c)(second last paragraph) of the Supplementary Agreement and confirmed by Cisco through clarifications provided in emails 18 to the CJEU of 13 and 17 February 2023.’ For description of its functioning see section 3.1.10 of the EDPS Authorisation Decision of 28 October 2022. The EDPS notes that the Court updated its documentation and information notice to be provided internally and externally, including technical requirements for the use of Zero Trust Security End-to-End encryption. This documentation was provided to the EDPS as Annex III to the Revised TIA. 19 The EDPB has identified three cumulative criteria to qualify a processing operation as a transfer in its Guidelines 05/2021, point 9 (see footnote 15). In the case at hand, condition 2 is not fulfilled because there is no disclosure by transmission or otherwise making available of data. 20 Even if one was to consider that condition 2 of the EDPB Guidelines 05/2021 is fulfilled, the EDPS notes that these transmissions would take place to the UK that is covered until 27 June 2025 by the adequacy decision under Article 45 of the GDPR and therefore such transfers would have to comply with Article 47 of the Regulation. It follows that even if these transmissions were qualified as transfers, they would not fall under the scope of this Decision under Article 48(3)(a) of the Regulation. 21 Section 6 of Annex 1a to Exhibit A to the Supplementary Agreement. 22 As regards exceptions to the Data Residency Program resulting from (i) a user making a technical assistance request to the Cisco Technical Assistance Center and (ii) the Court providing ordering 23 information to Cisco, see respectively Sections C.2.and C.3. of this Decision. Para 45 of the Revised TIA, page 24 of Annex 1a to Exhibit A and Point 4 of Attachment 1 to Exhibit D. 8 through any Cisco service to learn more to use Webex. External users are about Cisco products or events also not required to perform such a registration.4 A user engages in collaboration with The Court deactivated the option users outside of the EU region Global Distributed Meetings, as a result of which data transfers do not take place when there is a collaboration with users outside of the EEA region. 25The processing operations take place on media nodes located in the EEA. Webex Meetings users located out of the EEA and participating in a videoconference organised by the Court connect to a media node located in the EEA. Customer, user, or user administrator The Court blocks optional functionalities that might enables certain optional functionalities; or a user or user administrator enables necessitate a transfer of personal cell phone “push” notifications (in which data without appropriate case the cell phone provider associated safeguards.26 In addition, the Court with iOS or Android functionality may requires that only professional transfer data outside of the region). devices be used for work related communications, and explained that these devices have ‘push’notifications disabled at default.7 23. The EDPS considers that the use of the Webex Zero Trust Security End-to-End, applicable to the User Generated Data , is one of several technical measures significantly contributing to the integrity and confidentiality of processing operations under Article 4(1)(g) of the Regulation, as well as the security and confidentiality of electronic communications, systems and networks Article 36 of the Regulation. 29 24. In addition, the Court introduced additional organisational measures aimed at limiting the transmission of personal data. With regard to User Information: for the 24 25 Paras 132(a) and 143 of the Revised TIA. 26 Point 6 of Annex 1a to Exhibit A. 27 Para 132(e) of the Revised TIA. Para 132(f) of the Revised TIA. The Court has provided the EDPS with copies of its internal policies that confirm that such instructions are given to its staff – attachment to the revised TIA titled Lignes directrices relatives aux communications électroniques à la Cour de justice de l’Union européenne, adopted on 13 28 December 2021. 29 Point 3.72 of the EDPS Authorisation Decision of 28 October 2022. For description of its functioning see section 3.1.10 of the EDPS Authorisation Decision of 28 October 2022. 9 phone number, mailing address, password and user information included in the Court’s directory, the Court uses an identity provider (F5) to identify the users of the Court and transmit their data to Cisco through a Security Assertion Markup Language (‘SAML’) protocol. Hence, the personal data transmitted is restricted to the name and e-mail address. For the avatar, the Court allows its users to choose it themselves, and if no choice is made, the avatar is not processed. 30 25. With regard to the Host and Usage Information: for internal users’ IP Addresses and IP Addresses along the Network Path, including internal users connected remotely, the Court will use the IP addresses of the Court. For call attendee information, including email addresses, username, phone numbers and room device information, the Court will: a) not require a user name for external users in a manner allowing for the identification of a physical person unless this is required for the proper conduct of the meeting or event organised; b) not require external users to provide the email addresses, phone numbers or room device information when joining a meeting. In addition, according to the Court, meetings are conducted with Voice Over Internet Protocol only, which avoids transmission of phone numbers to conduct a Webex meeting. 31 26. Based on the information provided, the EDPS considers that the measures that the Court has introduced effectively prevent the chance that the contractual exceptions to the Webex Data Residency are triggered. As a result, even though transfers remain foreseen under the ELA between the Court and Cisco Systems Inc., the Court’s additional internal measures effectively prevent such transfers from taking place. It follows that in these circumstances there are no transfers which would require an authorisation under Article 48(3)(a) of the Regulation. 2. ConditionsofEDPSAuthorisationDecisionof28October2022 27. Based on the Final Compliance Report, the EDPS’ understanding of facts under points 13 and 14 above and considering that some (possible) transfers are not subject 32 to an EDPS authorisation , the EDPS finds that the Court complied with all the conditions imposed in the EDPS Authorisation Decision of 28 October 2022. 28. In relation to Condition 6 of the EDPS Authorisation Decision of 28 October 2022 as regards the relevance of compliance with Protocol No. 7 to the Treaties on the 33 Privileges and Immunities of the European Union (the ‘Protocol’) , the EDPS concludes the following: the protections afforded by the Protocol extend to personal data contained in the archives of the EUIs insofar as such archives contain personal 30 Point 143 of the Revised TIA. 31 Point 143 of the Revised TIA. 32 33 See below Section C. Transfers not subject to an EDPS authorisation. Condition 6 of the EDPS Authorisation Decision of 28 October 2022 reads as follows: ‘Assess to what extent thePrivilegesandImmunitiesoftheCourtbasedonArticle2ofProtocolVIIoftheTreatyontheFunctioning of the European Union are recognized in the legal framework of Cisco Systems Inc. US or of its sub- processors’. 10 data. The high level of protection that Article 16 TFEU and Article 8 of the Charter afford to personal data include, whenever applicable, the protection afforded by the Protocol insofar as inviolable archives of the Union contain personal data. In that sense, Article 8 of the Charter should be interpreted in conformity with the provisions on the secrecy of Union archives in Article 2 of the Protocol in order to protect against disclosure of personal data which are part of such archives. The assessment of the compliance with the Protocol is however not required for the purposes of this Decision. Nevertheless, the EDPS recommends that the Court consider the provisions on the secrecy of Union archives in Article 2 of the Protocol. C. TransfersnotsubjecttoanEDPSauthorisation 1. Possiblenon-EU/EEAgovernmentalaccessrequests 29. In the EDPS Authorisation Decision of 28 October 2022, the EDPS stressed that ‘[e]ven if the personal data was stored and processed in the data centres located in the EU, the EDPS highlights that such data localisation in the EU in itself and on its own does not preclude risks of remote access, in particular in the context of third countries’ public authorities possible access to data stored (and processed) in the EU. The EDPS required that the Court assess, and if finds to be present, properly mitigate, the risk of unauthorised disclosure as a result of third-country laws with extra-territorial reach.36 30. Following the additional explanations provided by the Court, in particular in revised documents submitted on 22 May 2023 , the EDPS has reassessed the above risk in relation to both the applicable legal framework (i), and the circumstances of the case (ii). (i) Applicability of Chapter V of the Regulation to merely potential transfers and obligations to ensure integrity and confidentiality of personal data against risks of remote access. 38 31. According to the EDPB , a processing operation may be qualified as a transfer when three cumulative criteria are met: (1) a controller or a processor (‘exporter’) is subject to the GDPR for the given processing, 2) the exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (‘importer’), and 3) the importer is in a third 34 CJEU, 17 December 2020, Commission v. Slovenia, C-316/19, ECLI:EU:C:2020:1030, para 73-75 and 78. 35 Point 3.9 of the EDPS Authorisation Decision of 28 October 2022. 36 Ibid. 37 See point 12 of this Decision. 38 As indicated above (footnote 15), the EDPS by analogy relies on guidance issued by the EDPB in the context of its interpretation of the Regulation where the interpreted provisions and principles, like in this case, are the same 11 country, irrespective of whether or not this importer is subject to the GDPR for the 39 given processing in accordance with Article 3, or is an international organisation. 32. The EDPS finds that for transfers meeting the three cumulative criteria and which are envisaged under a contract, i.e., transfers that the controller knows or should foresee in the broader context of the execution of the contract, or under other organised relationship, a transfer tool under Chapter V of the Regulation must be relied upon before any such transfers occur. 33. In that vein, remote access from a third country constitutes a trans40r when it happens if the three above-mentioned criteria are met. Equally, remote governmental access under third-country laws to personal data located and processed in the EEA, when it takes place, results in transfers of personal data. 41 34. However, in the EDPS opinion, the mere risk that remote access by third country entities to data processed in the EEA may take place, does not constitute a transfer subjected to Chapter V of the Regulation. 35. The EDPS considers that transfers resulting from unauthorised access by third country entities, which are merely potential and in no way foreseeable in light of the content or purpose of a contract or another stable relationship between the parties, do not fall under the scope of Chapter V of the Regulation. The unlikely and unplanned character of such risks of such unauthorised access renders them unsuitabletobeexantesubjectedtoregimeofChapterVoftheRegulation.Itfollows that for such potential and unplanned transfers a transfer tool under that Chapter is not required. 36. The EDPS recalls that the risks of such potential transfers resulting from the application of third-country laws to processors located in the EEA must be part of 42 controller’s analysis and assessment in line with the principle of accountability. Before engaging a processor, the controller must assess the possible application of third country extra-territorial laws in order to ensure that, as required by Article 29 of the Regulation, it only uses processors providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing is in line with the Regulation. 43Where the processor complies with a disclosure request in violation of the controller’s instructions and thus Article 29 of the Regulation, that processor shall be, in line with Article 29(10) of the Regulation, considered an independent controller of that processing. 39 EDPB Guidelines 05/2021, point 9. 40 EDPB Guidelines 05/2021, point 16. 41 By analogy see point 24 of the EDPB Guidelines 05/2021. 42 See also Section 3.6 ‘Risk of access by foreign governments when using non-EU CSPs storing data in the EEA’ of the ‘EDPB report ‘2022 Coordinated Enforcement Action Use of cloud-based services by the public sector’ adopted on 17 January 2023. 43 By analogy, see point 24 of the EDPB Guidelines 05/2021. See also Section 5 ‘Points for attention for public bodies’, in particular page 32, of the EDPB Report on the 2022 Coordinated Enforcement Action. 12 37. When concluding contractual arrangements and providing instructions to the processor in line with Article 29 of the Regulation, particular attention should be paid to the observance of the principles of integrity and confidentiality under Article 4(1)(f),andtherelatedArticles33and36oftheRegulationlayingdownrequirements for security of the processing operations and security and confidentiality of electronic communications, systems and networks. (ii) Assessment of the processing operations relevant for the present Decision 38. In the case at hand, transfers resulting from possible remote governmental access to data located in the EEA, while theoretically possible under the laws of the United States , are not envisaged nor planned under the contract between the Court and Cisco International UK. In that sense, the Court does not plan for such transfers to take place in the broader context of the execution of that contract or its stable relationship with Cisco Webex entities. (iii) Conclusion 39. Based on the above, the potential transfers of data located in the EEA data centres resulting from the application of third-country laws are not covered by Chapter V of the Regulation, and the Court does not need to provide for 45 appropriate safeguards for them by means of contractual clauses. As such, the EDPS does not include these transfers in the scope of this Decision under Article 48(3)(a) of the Regulation. 2. ProcessingfortheCourt’suseofCiscoTechnicalAssistanceService Delivery 40. One of the exceptions to the Data Residency Program, mentioned in point 22 above, iswhenausermakesatechnicalassistancerequesttotheCiscoTechnicalAssistance Center (‘TAC’). As a result, transfers to the United States of personal data included in the TAC Support Information and Customer Case Attachment take place. In7 48 order to provide support, Cisco can also access and process User Information as well 49 as Host and Usage Information. 44 Point 3.11 of the EDPS Authorisation Decision of 28 October 2022. 45 However, should Cisco or any sub-processors receive a request from a third country for access or disclosure of data in the Court’s use of Cisco Webex services and the Court intends to positively respond to such a request, the Court must ensure that such a transfer pursuant to the access request complies with Chapter V of the Regulation. 46 Categories of personal data: name, email address, phone number of the employee appointed to open the service request, authentication information (exclusive of passwords), work organization and responsibilities, current employer name (see point A.2 to Annex 1b to Exhibit A to the Supplementary Agreement). 47 Personal data contained in Customer Case Attachments depend on what is included those Attachments by the customer (see point A.2 to Annex 1b to Exhibit A to the Supplementary Agreement). 48 Points 22 and 66 of the Revised TIA. 49 Point 63 of the Revised TIA. 13 41. According to the Court, the use of TAC support leads to the processing of TAC Support Information and the Customer Case Attachments that both include personal data. In any case, to provide support, Cisco can access and process User Information as well as Host and Usage Information. The TAC Support Information and Customer Case Attachments are transferred in all situations to the United States: to Salesforce for TAC Support Information and to AWS for Customer Case Attachments. 42. The Court took organisational measures to limit or avoid transfers of personal data outside of the EU/EEA in the context of TAC requests. In the adopted and distributed internalpolicytoitsstaffmembers,theCourtlaiddowntheproceduretobefollowed should support be needed in staff’s use of Cisco Webex services. First, no user can directly open a support case with Cisco. Any support request must be first directed to the internal help desk (single point of contact) of the Court, which provide a first level of support to Court’s staff. Should this first level of support provided by the internal help desk not suffice, the request is transferred to the second layer of support, i.e. Court’s network engineers. Should any problem related with the infrastructure need an escalation to the Cisco TAC support service, this activity is organised and done respecting the following rules: Only the authorized Court network engineers can introduce support requests to the Cisco TAC service. No personal data relating to the problem is provided to Cisco TAC. The requests shall be sent to Cisco during the normal Luxembourg working hours (8h-19h). If further Court data is requested by the Cisco TAC service, the information requested should be analysed to determine if it contains personal data. In case personal data is involved, the Court network responsible, the Court’s DPO and the SSI service shall be informed. The Court network engineers, in collaboration with the DPO, shall analyse the content of the data and the measures to be taken in order to ensure the protection of personal data. In case Cisco needs to have remote access to the Court’s Cisco Webex infrastructure, the DPO of the Court, in collaboration with the Court network engineers, shall analyse the possible risks for the data subjects and decide on the legitimacy of this access. 43. The EDPS understands that in practice the number of TAC requests initiated by the Court does not exceed to 2-3 tickets per year and only takes place where the internal Court services cannot solve the issue itself. 50 Ibid. 51 Annex II to the revised TIA titled ‘OSU Cisco TAC management procedure’; it was made available to the Court’s staff members on 31 January 2023. 52 Assertions made by the Court’s representatives, including the DPO, during an internal meeting at the EDPS premises of 25 November 2021. 14 44. With regard to technical safeguards, the Court confirmed that TAC Support Information and Customer case attachments are only accessed by Cisco staff, and that no personnel from third-party service providers have access to this data. The53 TAC Support Information is encrypted in transit, while Case Attachments are encryptedbothintransitandatrest,inordertosecurepersonaldatafromaccidental 54 loss and unauthorised access, use, alteration, and disclosure. The keys for encryption are managed by Cisco. 55 45. The EDPS considers that the Court transfers personal data, whether by electronic transmission or by making it available to Cisco Systems Inc., for the provision of technical support, and that this data is not effectively pseudonymised nor encrypted because the processing requires accessing data in the clear. 56Based on his understanding of facts, the EDPS is of the opinion that the residual sets of transfers resulting from TAC requests cannot be covered by appropriate safeguards, despite reasonable efforts of the Court to provide for organisational and technical measures vis-à-vis unlikely and small risks of such transfers to data subjects’ rights and freedoms. It follows that in these circumstances the Court is unable to provide for appropriate safeguards in the form of contractual clauses because effective supplementary measures are not conceivable without undermining the aim of the providing TAC support. Therefore, these transfers do not fall in the scope of this Decision under Article 48(3)(a) of the Regulation. 46. However, having regard to the need for the Court to dispose of stable services provided by Cisco in order to perform its tasks in the public interest, as well as the safeguards put in place, the EDPS is of the opinion that these transfers resulting from TAC requests can take place in accordance with Article 50, notably by relying on Article 50(1)(d) of the Regulation. 47. Article 50(1) of the Regulation provides that in the absence of an adequacy decision pursuant to Article 45(3) of GDPR or to Article 36(3) of the Law Enforcement Directive, or of appropriate safeguards pursuant to Article 48 of this Regulation, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only where specific conditions are met. Point d) of Article 50(1) lists one of these conditions, namely ‘when the transfer is necessary for important reasons of public interest’. Such public interest shall be recognised in 57 Union law. 48. In parallel to what is provided for in Article 49 of the GDPR 58, derogations under Article 50 of the Regulation are exemptions from the general principle that personal 53 Para 67 of the Revised TIA. 54 Para 93 of the Revised TIA. 55 Point 5 of the Court’s answer of 15 September 2022. 56 See Use Case 6 of the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, adopted 18 June 2021 (‘EDPB Recommendations 01/2020’). 57 Article 50(3) of the Regulation. 58 See footnote 15. 15 data may only be transferred to third countries or international organisations if an adequate level of protection is provided for in the third country or international organisation or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights in order to continue to benefit from their fundamental rights and safeguards. Due to this fact and considering that Article 50 60 of the Regulation must be interpreted in accordance with the Charter , derogations can apply only in so far as is strictly necessary and must be narrowly construed. 61 Derogations must also be interpreted restrictively so that the exception does not 62 become a rule. This is also supported by the wording of the title of Article 50 which statesthatderogationsaretobeusedforspecificsituations(‘Derogationsforspecific situations’).3 49. When considering transferring personal data to third countries or international organizations, data exporters should therefore favour solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards to which they are entitled as regards processing of their data once this data has been transferred. As derogations do not provide adequate protection or appropriate safeguards for the personal data transferred and as transfers based on a derogation are not required to have any kind of prior authorisation from the supervisory authorities, transferring personal data to third countries on the basis of derogations leads to increased risks for the rights and freedoms of the data subjects concerned. 64 50. The derogation of Article 50(1)(d) of the Regulation requires that the transfer of personal data is necessary for important reasons of public interest recognised in Union law. In the first place, the data exporter must identify and document the existence of such ‘public interest’. Examples of public interest may include management and functioning of the EUIs 65, or public security or health . The identified public interest must be explicitly ‘recognised’ in ‘Union law’, which encompasses EU primary laws, general principles of EU law, international agreementsrecognisingacertainobjectiveorprovidingforinternationalcooperation to foster that objective (as long as EU and/or the Member States are party to these 67 agreements ), EU secondary laws, case law of the Court of Justice of the EU, as well as internal rules of the EUIs as long as they meet the requirements to be considered ‘Union law’ under Recital 23 of the Regulation. 59 EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 (‘EDPB Guidelines 2/2018’), page 4. 60 CJEU, 13 May 2014, Google Spain and Google, C-131/12, ECLI:EU:C:2014:317, para 68 and case-law cited. 61 CJEU, 11 December 2014, František Ryneš, C-212/13, ECLI:EU:C:2014:2428, paras 28-29 and case-law cited. 62 EDPB Guidelines 2/2018, page 4. 63 Ibid. 64 65 EDPB Guidelines 2/2018, page 4. Recital 22 of the Regulation. 66 Recital 69 and Article 25(1)(a) of the Regulation. 67 EDPB Guidelines 2/2018, page 10. 16 51. As any processing operation, such as a transfer, is an interference with the fundamental rights, provisions of Article 50 of the Regulation must be interpreted in light of the Charter, in particular its Article 52(1). Therefore, in the second place, the data exporter must assess and document whether the planned transfer of personal data respects the essence of the rights and freedoms that the transfer interferes with, and whether the planned transfer is in accordance with the principles of proportionalityandnecessity.Inotherwords,thedataexportermustsatisfyitself that it is necessary to process the personal data in question to attain the identified important public interest and that there are no less intrusive measures which would be comparably effective , as well as that, on balancing of interests, the identified public interest is important enough to justify the interference in question. As part ofthatanalysis,thedataexportermustconsider,interalia,thecategoriesofpersonal data transferred and of data subjects, character (e.g., large-scale 70) and regularity of the transfers (systematic , or occasional and non-repetitive). Article 50(1)(d) of the Regulation may not be relied on for transfers that are both large-scale and systematic. 72 52. In the case at hand, the EDPS finds that there is a public interest of ensuring management and functioning of the Court, as also confirmed by Recital 22 of the Regulation: being auxiliary to the main service of video-conferencing, technical assistance support is a quintessential element for proper functioning of video- conferencing software in line with state-of-the-art integrity and security standards. In turn, having a properly functioning video-conferencing tool has become indispensable to the daily functioning of the EUIs, such as the Court, as it allows for remote communication of staff members working from home. 53. Further, there is no alternative measure which would be less intrusive to the rights and freedoms of data subjects, and which would be comparably effective to the current set-up of TAC requests at the Court. Considering that, based on the information provided, the processing operations involve limited categories of personaldata,transfersareveryrareandaffectverylimitednumberofdatasubjects, the Court may rely for transfers resulting from TAC requests on the 68 See Step 4 of steps to be followed are described in ‘Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit’. 69 See ‘Checklist for assessing proportionality of new legislative measures’, p. 12-33, in EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data. 70 Article 29 Working Party (‘WP29’) indicated that the following factors should in particular be consider when determining if a processing operation is ‘large-scale’: the number of data subjects concerned - either as a specific number or as a proportion of the relevant population, the volume of data and/or the range of different data items being processed, the duration, or permanence, of the data processing activity, the geographical extent of the processing activity (see WP29 Guidelines on Data Protection Officers, endorsed by the EDPB, p. 8). 71 Transfers are systematicwhen they regularlyoccurwithina stablerelationship (seeEDPBGuidelines2/2018 on derogations of Article 49 under Regulation 2016/679, p. 9). WP29 defined ‘systematic’ as meaning one or more of the following: occurring according to a system, pre-arranged, organised or methodical, taking place as part of a general plan for data collection, carried out as part of a strategy (see WP29 Guidelines on Data Protection Officers, endorsed by the EDPB, p. 9). 72 EDPB Guidelines 2/2018, page 11. 17 derogation provided for under Article 50(1)(d) and (3) of the Regulation. It follows that such transfers do not fall within the scope of the present Decision. 3. Transfersofbusinesscustomerinformation 54. One of the exceptions to the Data Residency Program, mentioned in point 22 above, is when a Customer, i.e., the Court, provides ordering information (business contact information). The Court explained that the ordering information is handled in the contract between the Court and Cisco International Limited UK. No further business 73 contactinformationisrequiredfortheuseofWebexservicesbytheCourt. Personal data transferred are the name and surname of the representative of the Court empowered to enter into the contract, as well as names, surnames and email addresses of Court’s contacts for service management and technical matters. That data may be handled at a Cisco data centre in any location, and certainly is transferred to the United States. 55. Similartothereasoninginpoints49-53above,theEDPSisoftheopinionthatRecital 22 of the Regulation recognises the public interest of the Court in concluding and managing contracts for necessary services that are linked with the management of that institution. Likewise, there is no alternative measure which would be less intrusive to the rights and freedoms of data subjects, and which would be comparably effective. Considering that, based on the information provided, the processing operations involve very limited categories of personal data, transfers are very rare and affect very limited number of data subjects, the Court can, for transfers resulting from contract management, make use of the derogations provided for under Article 50(1)(d) and (3) of the Regulation. It follows that such transfers do not fall within the scope of the present Decision. IV. CONCLUSION 56. Pursuant to Article 58(3)(e) of the Regulation, the EDPS finds that there are no transfers of personal data that would fall under the scope of an authorisation decision of contractual clauses referred to in Article 48(3)(a) of the Regulation. 57. This Decision is without prejudice to EDPS’ investigative and corrective powers under Article 58 of the Regulation. Done at Brussels, 13 July 2023 Wojciech Rafał WIEWIÓROWSKI (e-signed) 73 Point 132 b) of the Revised TIA. 18