Introduction
As many of you know the Schengen Agreement (Named after the Luxemburg City "Schengen" where it was signed) introduced the free flow of goods and people across the European Union and many claim it to be on of the core backbone agreements of the European Union.

Synopsis
Germany decided to introduce border controls following the SARS-CoV-2 Epidemic during  March-Mai 2020. Luxembourg has a particular situation that is best displayed via this illustration: every day over 1/3 of the entire working population enters the country via Germany, France, and Belgium to drive home in the evening thus passing these very borders every day. 



Germany decided, for reasons that are still not clear to me as of today, that Luxembourg nationals (not germans) need to have a justified reason to enter Germany (a limited list of these existed). It appears that German State Heads believed that the virus somehow differentiates between nationalities and that this made total sense considering the thousands of German border commuters enter and exit every day "freely".

Back to the topic.  The Schengen agreement allows for the introduction of border controls under certain rules and under certain requirements. I have been curious to find out what Germany brought forward as reasons as I could not imagine a scientific reason to do just that.

Title3, Chapter 2 of the Schengen Accord details under which conditions and form the border control could be introduced.Relevant Articles:

Art. 25.1 & 25.2  :

  • Where [..] there is a serious threat to public policy or internal security in a Member State, that Member State may exceptionally reintroduce border control [..] for a limited period of up to 30 days or for the foreseeable duration of the serious threat [..]

  • Border control at internal borders shall only be reintroduced as a last resort, and in accordance with Articles 27, 28, and 29. The criteria referred to, respectively, in Articles 26 and 30 shall be taken into account in each case where a decision on the reintroduction of border control at internal borders is considered pursuant, respectively, to Article 27, 28, or 29.
Art 26 ("Criteria") :

  • Where a Member State decides, as a last resort, on the temporary reintroduction of border control [..] it shall assess the extent to which such a measure is likely to adequately remedy the threat to public policy or internal security, and shall assess the proportionality of the measure in relation to that threat.
Art. 27  : 
  • Where a Member State plans to reintroduce border control [..], it [...]  shall supply the following information :
    (a) the reasons for the proposed reintroduction, including all relevant data detailing the events that constitute a serious threat to its public policy or internal security;
    (b) the scope of the proposed reintroduction, specifying at which part or parts of the internal borders border control is to be reintroduced;
    (c) the names of the authorized crossing-points;
    (d) the date and duration of the planned reintroduction;
    (e) where appropriate, the measures to be taken by the other Member States.

Art. 28 :
  • If the serious threat to public policy or internal security persists beyond the period provided for in paragraph 1 of this Article, the Member State may decide to prolong the border control at internal borders for renewable periods of up to 20 days. In doing so, the Member State concerned shall take into account the criteria referred to in Article 26, including an updated assessment of the necessity and the proportionality of the measure, and shall take into account any new elements.

Requesting Acces to the Documents
Germany appears to have a solid Information Access law ("Informations Zugangs Gesetz") that even allows foreign nationals to request documents that are even sent free of charge across the European Union. 

My Initial Request for Information from the 04.05.2020 included the Information and requests below :
  • A copy of the Notification Letter addressed to the European Commission
  • Which reasons, data, and other factors led to the conclusion that proportionality of the measure in relation to that threat is adequate. (Quoting Art 26)
  • During the time the BMI decided to forbid Luxemurgish nationals entry to Germany (unless they demonstrated important reasons). Luxemburg had on average 15 (!) infections per week including German commuters, so my question was: In light of 15 infections per week how did Germany come to the conclusion that "proportionality of the measure in relation to that threat that Luxembourg nationals pose is adequate".

My Request to the BMI
Answer


One of their answers included the following quite revealing sentence :
  • "We are not required to communicate legal assessments that have yet to be done"

I am publishing these documents because they may have historic value and offer food for thought. 

Why food of thought you might as? Well, Germany didn't really give a reason as required by the Articles 25/26/27/28 that would explain how closing the borders is necessary and proportional. In the first letter, it states it's intent and simply "that it is required" and in every followup letter extending the closure (a total of 4), Mr. Seehofer just points to the first letter creating a circular non founded argument.  Especially in the context of thousands of daily german commuters that stay for a minimum of 9 hours in Luxembourg (In offices, Hospitals, and so forth) closing the border to Luxemburgish nationals made absolutely no sense whatsoever and could be even seen as being discriminatory.

Summary of my Analysis (There may be more in these letters but that's currently all I am being equipped to answer). Please feel free to contact me in case you stumble across something you want to point out.

  • 15 March 2020 (Letter1): Notification per Article 28 of the planned 10 days of Border Controls. Art. 28 is referenced.

    Reason given :

    German
    "Unser Gemeinames Ziel muss  angesicht der raschen Zunahme der Infektionen sein, möglichst frühzeitig Reisende aus Risiko gebieten sowie diejenigen mit Anzeichen für eine derartige Infektion zu erkennen um auf diese weisen durch unverzügliche medizinische Massnahme eine weitere Verbreitung bestmöglich einzudämmen"

    "Auch unter Berücksichtigung der grossen Bedeutung de Grenzkontrollfreien reisens innerhalb das Schengenraums bin ich der Ueberzeugung dass die vorübergehende  Wiedereinführung  von Binnen Grenzkontrollen eine notwendige flankierende Maßnahme zur Eindämmung der Ausbreitung und Unterbrechung der Infektionskettendarstellt.

    English (Translation)
    "In view of the rapid increase in infections, our common goal must be to identify traveler from risk areas early as possible and to identify those who show signs of such an infection in order to reduce its spread as far as possible through immediate medical measures.

    Also consider the importance of border control-free travel within the Schengen area, I am convinced that the temporary reintroduction of internal border controls is a necessary accompanying measure to contain the spread and interruption of the infection chain."


    Commentary: What a display of nativity and a simplistic view of the world. As if somehow the virus would differentiate between Germans and Luxemburgih nationals and that refusing entry to the country would allow for "Immediate medical measures".  Also of note is that Luxemburg is quite clearly an area of collateral damage where no data whatsoever justified closing the borders to Luxemburgish nationals.  We see no analysis of whether or not the measures are proportionate to the threat. My opinion is simple, in case of Luxembourg, there is a very very high probability they were not.

    Also, note the choice of words: "Flankierende Massnahme" is usually used to describe the political approach to immigration of third party nations (outside of the EU).

  • 19 March 2020  (Letter 2): Adds  Air Travel ways to the list of border controls

  • 25 March 2020 (Letter 3): Extends Border Control another 20 days
    Reason given : "Based on the previous communications"

  • 14th of April 2020 (Letter 4): Extends Border Control by another 20 days
    Reason given : "Based on the previous communications"

  • 4th of May 2020: Extended by 14 days
    Reason given:  "Fragile situation development"& "Based on previous communication"

Copies of the letters

Letter 1




Letter 2




Letter 3




Letter 4




Letter 5










Other posts in this series :
By now you should know about the EUJC ruling on the Privacy Shield. I am going to keep this one short and sweet - I believe the judgment to be more far-reaching than NOYB is explaining on their website. The reasoning is very simple.

To demonstrate this let's take a look at the questionnaire that NOYB made available for companies.
The first question is :



We can stop right there. The problem is that for every US-based company that isn't solely working with Paper and pigeons only (and even then) the answer is always YES. Your potential Data Processor in the USA is going to use Verizon / ATT / (you name it) and as such you will always have a data processor that is subject to FISA702 in the middle somewhere.  As the leaks of Edward Snowden have clearly shown, Telcos are being used as an entry vector for mass surveillance. It is irrelevant whether or not your direct counterpart is subject to surveillance laws.

Let's continue regardless :


Answer to 5a) is: You can't (Quote me on this - I know what I am talking about). There is no way to escape mass surveillance as a company in the US. You would have to build all of your communication channels on 0 knowledge type protocols. Even if they exist for your use case they are most likely not supported by other businesses you will have to communicate with, or by your remote workforce.  You also need to consider other laws, such as "Export Restrictions" and "Anti-Money Laundering" also giving the US HQ access to a lot of information, sometimes even via a direct data pipe to the EU. (A vector that NOYB is forgetting about)

The companies that can confidently answer yes to the above may exist in some niche segments or some niche use cases. As an example - I hear you say "But we use TLS" - that's a pretty naive view and ridiculous protection against a nation-state adversary given capabilities and funding for mass surveillance by law. 

So unless you can demonstrate that every digital communication is "unbreakable" by a nation-state you are still subjecting EU data subjects to mass surveillance. So even if you are using SCCs as a legal basis of transfer, unless you communicate via Pidgeons your SCCs can be challenged and likely aren't valid. 

In other words, by the end of the NOYBs'  questionnaire, you will have understood that realistically you can't use SSCs as a means to legally transfer EU Personal data in 99.9% of the cases. 

So what does that mean for inter-company transfers to the US? (Example: Apple Ireland to Apple US). Well, they are unlikely to come to the conclusion that they can't protect the data, and whoever sits on the button in Europe has been chosen to follow along with the logic of the US HQ (not just on that issue). Hint: The performance review within US Companies of EU employees is always done in the US at some level. 

How can you spot that? The Data Privacy Notice will somewhere say "You agree that your personal data is shared within the group of companies". That means you agree to transfer your data to the US. Want to object? Ask your DPA to enforce that the company can no longer transfer your personal data to the US. You will see your account closed and your agreement terminated. Why? I don't know any Big US company that would be able to offer the service without exchanging any personally identifiable (as defined in GDPR) information with the US at this point in time.

Examples:

Mastercard Data Privacy Notice 


Amazon Germany - Deep into the Reference Circle between Data Privacy Notice and
Terms and conditions


Sight, we all know how this will work out - we will just pretend we can protect the data adequately in the US. As they say in Germany "Wo kein Kläger, da kein Richter" - hence Support NOYB via Donation here.

As a summary: you are given a questionnaire that you will always end up answering negatively too if you'd answer it truthfully and equipped with known unknowns.  I liked the title too much to let go of it. Sue me.