Data Protection Commissioner v. Facebook Ireland Ltd (Schrems II)
On July 16, 2020, the Court of Justice of the European Union (herein as “CJEU”) issued its decision in Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (2020) (herein as “Schrems II”). The overarching conclusion resulted in the EU-US Privacy Shield (herein as “Privacy Shield”) being invalidated, while the Standard Contractual Clauses (herein as “SCCs”) remain intact for the time being.
The ruling in this matter is the successor case to a 2015 complaint (Schrems I) filed by Austrian privacy advocate Max Schrems (“Schrems”) with the Irish Data Protection Commissioner (“Irish DPC”). In the original complaint, Schrems argued that the transfer of his personal information from Facebook Ireland to the company’s main branch in the United States violated his fundamental rights under EU law. The basis for Schrems’ argument was that United States authorities were given the power to run personal data surveillance concerning any EU citizens without proper safeguards or judicial restraints. Schrems sought the suspension of those specific transfers but not the SCCs in general. In response, the Irish DPC took the position that the SCCs were an underlying systemic issue and should also be invalidated.
The Irish DPC submitted the case to the Irish High Court to either issue a ruling or seek the CJEU’s opinion on the validity of the SCCs. The case was elevated to the CJEU for its judgment on the matter. The case is a continuation of the 2015 matter which invalidated the Privacy Shield’s predecessor known as the “Safe Harbor” privacy principles. (Paragraph 42, Schrems II).
QUESTIONS PRESENTED TO THE COURT
Justice Costello of the Irish High Court posed the following questions to the European Court of Justice, found in paragraph 68 of the Court’s judgment in Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (2020).
- In circumstances in which personal data is transferred by a private company from a European Union (EU) Member State to a private company in a third country for a commercial purpose pursuant to [the SCC Decision] and may be further processed in the third country by its authorities for purposes of national security but also for purposes of law enforcement and the conduct of the foreign affairs of the third country, does EU law (including the Charter) apply to the transfer of the data notwithstanding the provisions of Article 4(2) TEU in relation to national security and the provisions of the first indent of Article 3(2) of Directive [95/46] in relation to public security, defence and State security?
- (a) In determining whether there is a violation of the rights of an individual through the transfer of data from the [European Union] to a third country under the [SCC Decision] where it may be further processed for national security purposes, is the relevant comparator for the purposes of [Directive 95/46]:
(i) the Charter, the EU Treaty, the FEU Treaty, [Directive 95/46], the [European Convention for the Protection of Human Rights and Fundamental Freedoms, signed at Rome on 4 November 1950] (or any other provision of EU law); or
(ii) the national laws of one or more Member States?
(b) If the relevant comparator is (ii), are the practices in the context of national security in one or more Member States also to be included in the comparator?
- When assessing whether a third country ensures the level of protection required by EU law to personal data transferred to that country for the purposes of Article 26 of [Directive 95/46], ought the level of protection in the third country be assessed by reference to:
(a) the applicable rules in the third country resulting from its domestic law or international commitments, and the practice designed to ensure compliance with those rules, to include the professional rules and security measures which are complied with in the third country; or
(b) the rules referred to in (a) together with such administrative, regulatory and compliance practices and policy safeguards, procedures, protocols, oversight mechanisms and non-judicial remedies as are in place in the third country?
- Given the facts found by the High Court in relation to US law, if personal data is transferred from the European Union to the United States under [the SCC Decision] does this violate the rights of individuals under Articles 7 and/or 8 of the Charter?
- Given the facts found by the High Court in relation to US law, if personal data is transferred from the European Union to the United States under [the SCC Decision]:
(a) does the level of protection afforded by the United States respect the essence of an individual’s right to a judicial remedy for breach of his or her data privacy rights guaranteed by Article 47 of the Charter? If the answer to Question 5(a) is in the affirmative:
(b) are the limitations imposed by US law on an individual’s right to a judicial remedy in the context of US national security proportionate within the meaning of Article 52 of the Charter and do not exceed what is necessary in a democratic society for national security purposes?
- (a) What is the level of protection required to be afforded to personal data transferred to a third country pursuant to standard contractual clauses adopted in accordance with a decision of the Commission under Article 26(4) [of Directive 95/46] in light of the provisions of [Directive 95/46] and in particular Articles 25 and 26 read in the light of the Charter?
(b) What are the matters to be taken into account in assessing whether the level of protection afforded to data transferred to a third country under [the SCC Decision] satisfies the requirements of [Directive 95/46] and the Charter?
- Does the fact that the standard contractual clauses apply as between the data exporter and the data importer and do not bind the national authorities of a third country who may require the data importer to make available to its security services for further processing the personal data transferred pursuant to the clauses provided for in [the SCC Decision] preclude the clauses from adducing adequate safeguards as envisaged by Article 26(2) of [Directive 95/46]?
- If a third country data importer is subject to surveillance laws that in the view of a data protection authority conflict with the [standard contractual clauses] or Article 25 and 26 of [Directive 95/46] and/or the Charter, is a data protection authority required to use its enforcement powers under Article 28(3) of [Directive 95/46] to suspend data flows or is the exercise of those powers limited to exceptional cases only, in light of recital 11 of [the SCC Decision], or can a data protection authority use its discretion not to suspend data flows?
- (a) For the purposes of Article 25(6) of [Directive 95/46], does [the Privacy Shield Decision] constitute a finding of general application binding on data protection authorities and the courts of the Member States to the effect that the United States ensures an adequate level of protection within the meaning of Article 25(2) of [Directive 95/46] by reason of its domestic law or of the international commitments it has entered into?
(b) If it does not, what relevance, if any, does the Privacy Shield Decision have in the assessment conducted into the adequacy of the safeguards provided to data transferred to the United States which is transferred pursuant to the [SCC Decision]?
- Given the findings of the High Court in relation to US law, does the provision of the Privacy Shield ombudsperson under Annex A to Annex III to the Privacy Shield Decision when taken in conjunction with the existing regime in the United States ensure that the US provides a remedy to data subjects whose personal data is transferred to the United States under the [SCC Decision] that is compatible with Article 47 of the Charter]?
- Does the [SCC Decision] violate Articles 7, 8 and/or 47 of the Charter?’
FINDINGS AND DISCUSSION
The Court’s approach to answering the questions presented consisted of some individual analysis in addition to consolidating some of the questions into one analysis. Below is a summary of the Court’s interpretation and opinion on each question(s):
CJEU interpretation of the question: “By its first question, the referring court wishes to know, in essence, whether Article 2 (1) and Article 2 (2) (a), (b) and (d) of the GDPR, read in conjunction with Article 4 (2) TEU, must be interpreted as meaning that that regulation applies to the transfer of personal data by an economic operator established in a Member State to another economic operator established in a third country, in circumstances where, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of that third country for the purposes of public security, defense and State security.” (Paragraph 80, Id.)
Art 2 (1) of the GDPR provides: “This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.” (Paragraph 82, Id.).
However, Art 2 (2) limits the scope of Art 2 (1): “This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.”
Art 4 (2) of the Treaty on European Union provides: “The Union shall respect the equality of Member States before the Treaties as well as their national identities, inherent in their fundamental structures, political and constitutional, inclusive of regional and local self-government. It shall respect their essential State functions, including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State.”
The Court found that Article 4(2) applies only to member states of the European Union and not to non-member countries like the United States. Secondarily, none of the limitations enacted by Article 2(2) applies to Facebook.
In short, the GDPR must be construed as applying to the transfer of personal data for commercial purposes to a third country, irrespective of whether or not it will be later processed by the authorities in the third country as a national security measure. (Paragraphs 87-89, Id.)
Question 2, Question 3, and Question 6:
CJEU interpretation of the question(s): “By its second, third and sixth questions, the referring court seeks clarification from the Court, in essence, on the level of protection required by Article 46 (1) and Article 46 (2) (c) of the GDPR in respect of a transfer of personal data to a third country based on standard data protection clauses. In particular, the referring court asks the Court to specify which factors need to be taken into consideration for the purpose of determining whether that level of protection is ensured in the context of such a transfer.” (Paragraph 90, Id.)
Article 46 (1) of the GDPR states:
“In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”
Article 46 (2) (c) states:
(2) The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorization from a supervisory authority, by
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93 (2)……”
The Court found that a controller or processor may transfer personal data to a third country only if the there are appropriate safeguards set in place by the controller or processor. Secondarily, there must be enforceable data subject rights and effective legal redress available for any citizens who are exposed by such transfer. It follows that, the data subjects must be afforded (1) appropriate safeguards; (2) enforceable rights; and (3) effective legal remedies.
Therefore, the answer to the second, third, and sixth questions is that the GDPR Art 46 (1) and Art 46 (2)(c) must be construed to mean that the third country offers a level of protection—through either its domestic law or international commitments—that is equivalent to the fundamental rights and freedoms guaranteed with the European Union’s regulation, as outlined in the Charter of Fundamental Rights of the European Union. (Paragraph 93-94).
With that in mind, the Court noted several factors to be considered when determining the level of protection required. The factors that should be considered to determine the adequacy of protection under SCCs are those relevant to evaluate whether the conditions of a data transfer specified in GDPR Art 46(1) are satisfied. To illustrate such a case, the data controller or processor must consider the contractual clauses agreed upon, any access methods to the data by public officials or authorities in the third country, and the legal system and rights in the third country. A non-exhaustive list of factors is outlined in GDPR article 45 (2). (Paragraphs 101-105, Id.).
CJEU interpretation of the question: “By its eighth question, the referring court wishes to know, in essence, whether Article 58 (2) (f) and (j) of the GDPR must be interpreted as meaning that the competent supervisory authority is required to suspend or prohibit a transfer of personal data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of the GDPR and by the Charter, cannot be ensured, or as meaning that the exercise of those powers is limited to exceptional cases.” (Paragraph 106).
Art 58 (2) (f) and (j) of the GDPR are as follows: “Each supervisory authority shall have all of the following corrective powers:
(f) to impose a temporary or definitive limitation including a ban on processing;
(j) to order the suspension of data flows to a recipient in a third country or to an international organization.”
Art 45 and 46 provide safeguards for the transfer of data outside of the EU. The Court noted that supervisory authorities must enforce compliance with the FDPR in accordance with the EU Charter. Each supervisory authority is required on its territory to handle complaints regarding data infringements with all due diligence. If a supervisory authority finds during its investigation that an individual’s data rights have no been afforded an adequate level of protection when being transferred to a third party, the authority must take appropriate action to remedy any findings of inadequacy regardless of the reason for that inadequacy. (Paragraph 111, Id.).
In answering the eighth question, the Court held that Art 58 (2)(f) and (j) shall be construed to mean that, unless there is a valid Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a data transfer to a third country pursuant to standard data protection clauses adopted by the Commission, if the investigation and circumstances reveal those clauses have been or will be violated by the third country. (Paragraph 121, Id.).
At its core, the Court held that a supervisory authority has the power to act if an individual’s data is being transferred to a third country without adequate protection. At which point, the authority is required to execute its responsibility for enforcing the GDPR with due diligence whether by suspending or prohibiting the transfer pursuant to Art 58(2)(f) and (j). This also includes transfers conducted under the SCC, even if a valid Commission decision exists regarding the SCC mechanism. (Paragraph 121).
Question 7 and Question 11:
CJEU interpretation of the question(s): “By its 7th and 11th questions, which it is appropriate to consider together, the referring court seeks clarification from the Court, in essence, on the validity of the SCC Decision in the light of Articles 7, 8 and 47 of the Charter.” (Paragraph 122, Id.).
The Court refers to the “SCC Decision” which is composed of three separate rulings:
- The original ruling was the Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC. This commission decision has been modified twice since then.
- The first modification came from the Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries.
- The second modification came from the Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
In conjunction, these Decisions are the “SCC Decision.”
Article 1 of the SCC Decision provides that the standard data protection clauses set out in its annex are considered to offer adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals in accordance with the requirements of Article 26(2) of Directive 95/46. The latter provision was reproduced in Article 46(1) and Article 46(2)(c) of the GDPR. (Paragraph 124, Id.)
These clauses are binding on a controller in the EU and the recipient of the transfer of data in a third country where they have a contract incorporating such clauses. (Paragraph 125, Id.). However, these clauses are incapable of binding the authorities in a third country because they are not a party to the actual contract. (Paragraph 125, Id.). In any event, the Court held that the SCC mechanism is valid, notwithstanding that the Commission Decision on the SCC does not include guarantees within the clauses that are enforceable against public authorities in countries like the United States. (Paragraph 127, Id.).
“Article 46(1) of the GDPR provides that, in the absence of an adequacy decision, a controller or processor may transfer personal data to a third country only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. According to Article 46(2)(c) of the GDPR, those safeguards may be provided by standard data protection clauses drawn up by the Commission. However, those provisions do not state that all safeguards must necessarily be provided for in a Commission decision such as the SCC Decision.” (Paragraph 128, Id.). In other words, Art 46(1) requires the controller/processor in the EU to provide the appropriate safeguards. (Paragraph 131, Id.).
By extension, where the Commission has not adopted a decision on the adequacy of the level of data protection in a third country, the processor/controller should take the steps necessary to compensate for the lack of data protection in the third country. (Paragraph 131, Id.). To do so requires (1) appropriate safeguards for the data subject; (2) those safeguards should ensure compliance with data protection requirements and the rights of data; and (3) the availability of enforceable data subject rights and effective legal remedies in either the EU or in the third country. (Paragraph 131, Id.). This analysis is determined on a case-by-case basis. (Paragraph 134, Id.).
To ensure adequate protection, it may require supplementing SCCs with secondary clauses and provisions, but only if they do not contradict any SCCs adopted by the Commission. (Paragraph 132, Id.).
Before any data transfer occurs, the data exporter and data importer need to evaluate the legislation in the third country. If and only if the level of data protection is satisfactory under EU laws enabling them to comply with the SCCs should the transfer be initiated. (Paragraph 141, Id.). Although Clause 5(d)(i) of the annex to the SCC Decision allows a data importer to disclose personal data to law enforcement officials without alerting the data exporter, it must still inform the data exporter of the inability to comply with the SCCs pursuant to Clause 5(a). (Paragraph 139, Id.). Upon being informed, a data exporter has the obligation to suspend or terminate the data transfer and/or contract, otherwise there will be a breach of duty under Clause 4(a). (Paragraph 140). If, after being notified that a data importer cannot satisfy the SCC requirements, and the data exporter decides not to suspend/terminate the transfer, it must provide notice to the data protection authority, whom may investigate on its own. (Paragraph 145, Id.).
That being said, pursuant to a Clause 5 footnote, a request by law enforcement officials from a third country will not constitute a breach if the mandatory requirements of that country’s legislation do not “go beyond what is necessary in a democratic society to safeguard national security, defense, and public security” concerns. (Paragraph 141, Id.). Simply put, a third country’s national security concerns may permit a data transfer in some instances.
The issue was then raised regarding Member States adopting contrasting decisions on data transfer infringements. The Court reconciled this issue by stating:
“It should be added that, as is clear from Article 55(1) and Article 57(1)(a) of the GDPR, the task of enforcing that regulation is conferred, in principle, on each supervisory authority on the territory of its own Member State. Furthermore, in order to avoid divergent decisions, Article 64(2) of the GDPR provides for the possibility for a supervisory authority which considers that transfers of data to a third country must, in general, be prohibited, to refer the matter to the European Data Protection Board (EDPB) for an opinion, which may, under Article 65(1)(c) of the GDPR, adopt a binding decision, in particular where a supervisory authority does not follow the opinion issued.” (Paragraph 147, Id.).
In short, the Court answered the seventh and eleventh questions by stating the “examination of the SCC Decision in the light of Articles 7, 8 and 47 of the Charter has disclosed nothing to affect the validity of that decision.” (Paragraph 149, Id.). In other words, the SCCs remain valid subject to the guidelines outlined above.
Question 4, Question 5, Question 9, and Question 10:
CJEU interpretation of the question(s): “By its ninth question, the referring court wishes to know, in essence, whether and to what extent findings in the Privacy Shield Decision to the effect that the United States ensures an adequate level of protection are binding on the supervisory authority of a Member State. By its 4th, 5th and 10th questions, that court asks, in essence, whether, in view of its own findings on US law, the transfer to that third country of personal data pursuant to the standard data protection clauses in the annex to the SCC Decision breaches the rights enshrined in Articles 7, 8 and 47 of the Charter and asks the Court, in particular, whether the introduction of the ombudsperson referred to in Annex III to the Privacy Shield Decision is compatible with Article 47 of the Charter.” (Paragraph 150, Id.).
PRIVACY SHIELD DECISION
To begin, “as to whether the Privacy Shield Decision has binding effects, Article 1(1) of that decision provides that, for the purposes of Article 45(1) of the GDPR, ‘the United States ensures an adequate level of protection for personal data transferred from the [European] Union to organizations in the United States under the EU-U.S. Privacy Shield’. In accordance with Article 1(3) of the decision, personal data are regarded as transferred under the EU-US Privacy Shield where they are transferred from the Union to organizations in the United States that are included in the ‘Privacy Shield List’, maintained and made publicly available by the US Department of Commerce, in accordance with Sections I and III of the Principles set out in Annex II to that decision.” (Paragraph 155, Id.).
The Privacy Shield Decision is binding on the supervisory authorities in so far as it finds that the United States ensures an adequate level of protection and, therefore, has the effect of authorizing personal data transferred under the EU-US Privacy Shield. (Paragraph 156, Id.). Consequently, the supervisory authority cannot suspend or prohibit a transfer of data to an organization, like Facebook, until the Court declares that decision is invalid. (Paragraph 156, Id.). Such a decision must result from, contrary to the finding made by the Commission in that decision [Privacy Shield Decision], that the US legislation governing the access to personal data transferred under that privacy shield and the use of that data by the public authorities of that third country for national security, law enforcement and other public interest purposes does not ensure an adequate level of protection. (Paragraph 156, Id.).
The Privacy Shield Decision also states, in paragraph I.5. of Annex II, that adherence to those principles may be limited; to the extent necessary to meet national security, public interest, or law enforcement requirements. (Paragraph 164, Id.). For that reason, those requirements have primacy over those principles [adequate level of data protection], primacy pursuant to which self-certified United States organizations receiving personal data from the European Union are permitted to disregard the principles without limitation where they conflict with the requirements and therefore prove incompatible with them. (Paragraph 164. Id.). More particularly, programs such as PRISM and UPSTREAM, which are surveillance programs enacted under section 702 of the FISA and E.O. 12333, pose monumental obstacles to adequate data protection rights. (Paragraph 165, Id.). For that reason, the Court held that the Privacy Shield Decision enables interference with the data of EU citizens. As a result, the Court chose to invalidate the Privacy Shield Decision in its entirety.
ADEQUATE LEVEL OF DATA PROTECTION
Contrary to the Privacy Shield Decision, the CJEU stated that the introduction of a Privacy Shield Ombudsperson cannot, in its view, remedy the judicial protection deficiencies since an ombudsperson cannot be regarded as a tribunal within the meaning of Article 47 of the Charter. (Paragraph 168, Id.). Furthermore, Article 7 of the Charter states that everyone has the right to respect for his or her private and family life, home and communications. Article 8(1) of the Charter expressly confers on everyone the right to the protection of personal data concerning him or her. (Paragraph, 169, Id.).
Access to a natural person’s personal data with a view to its retention or use affects the fundamental right to respect for private life guaranteed in Article 7 of the Charter, which concerns any information relating to an identified or identifiable individual. Such processing of data also falls within the scope of Article 8 of the Charter because it constitutes the processing of personal data within the meaning of that article and, accordingly, must necessarily satisfy the data protection requirements. (Paragraph 170, Id.).
The Court has held any transfer of data to a third party, including authorities, is an interference with fundamental rights under Articles 7 and 8 of the Charter, regardless of whether the personal data at issue relates to private life or whether the persons concerned have been inconvenienced in any way because of the data transfer. (Paragraph, 171, Id.). Although the rights are not “absolute”, it may only be processed “for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.” (Paragraph 173, Id.).
Following Article 52 of the Charter, “any limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others.” (Paragraph 174, Id.). Secondarily, the legal basis which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned. (Paragraph 175, Id.).
The Court followed by stating Section 702 of the FISA does not indicate any limitations on the power it confers to implement surveillance programs for the purposes of foreign intelligence or the existence of guarantees for non-US persons potentially targeted by those programs. (Paragraph 180, Id.). Consequently, it cannot ensure a level of protection essentially equivalent to that guaranteed by the EU Charter. (Paragraph 180, Id.).
Despite the Privacy Shield Decision’s reference to a commitment from the US Government that the Privacy Shield Ombudsperson of the intelligence services is required to correct any violation of the applicable rules, there is nothing in that decision to indicate that that ombudsperson has the power to adopt decisions that are binding on those intelligence services and does not mention any legal safeguards or legal redress that would ensure any political commitment on which data subjects could reasonable rely on for data protection. (Paragraph 198, Id.).
The Court held, and it logically follows that the Privacy Shield Decision is incompatible with Article 45(1) of the GDPR, read in the light of Articles 7, 8 and 47 of the Charter, and is therefore invalid.
A. EU-US Privacy Shield
The Privacy Shield law has been invalidated due to concerns with data collections that abridge fundamental rights. In particular, the CJEU was weary of government surveillance programs such as PRISM and UPSTREAM and their adverse effect on the privacy rights of EU citizens and their personal data. Consequently, the Court found US law does not put stringent enough limitations or safeguards on the access and use of EU citizens’ data. On that basis, the CJEU also found that EU citizens do not have adequate legal redress in situations where their personal data is compromised by US public authorities.
B. Standard Contractual Clauses (SCCs)
On the heels of invalidating the Privacy Shield Decision, the CJEU did not nullify the SCCs, which are used by many businesses operating internationally. Despite the SCC’s survival in this case, they will still be affected by the judgment. The CJEU stressed the heightened obligation on all data controllers, importers, and exporters, to perform an assessment of the protection afforded by a country, rather than a company itself, where data is to be transferred.
If you have any questions about this memo, please contact Christopher L. Rasmussen, Managing Partner, Inventus Law, PC., at firstname.lastname@example.org, Abhilipsa Panda, Commercial Law Clerk, Inventus Law, PC., at email@example.com, or Timothy Kemp, Intern, Inventus Law, PC. at firstname.lastname@example.org.
Disclaimer: The information on this page is being provided for information purposes only and is drafted entirely on the basis of public resources. Information contained on or made available herein is not intended to and does not constitute legal advice, recommendations, mediation or counseling under any circumstance. This information and your use thereof do not create an attorney-client relationship. You should not act or rely on any information provided herein without seeking the advice of a competent attorney licensed to practice in your jurisdiction for your particular business.