Here are our top 5 recommendations on managing personal data transfers after the Schrems II decision, to help companies during these chaotic days.
The Schrems II decision of the Court of Justice of the European Union led to the invalidation of the Privacy Shield and created uncertainty around the Standard Contractual Clauses, raising several questions about how the situation should be handled.
The FAQs from the European Data Protection Board on data transfers after Schrems II
The European Data Protection Board issued FAQs clarifying its position on some of the points emerging from the decision, which can be summarized as follows:
- The threshold set by the CJEU applies not only to the Privacy Shield but to any data transfer mechanism, including the standard contractual clauses and the binding corporate rules;
- There will be no grace period: the Privacy Shield is immediately invalid, but the EDPB does not say whether data protection supervisory authorities will immediately start issuing fines against data transfers that do not comply with the threshold set by the CJEU;
- The decision does not apply only to data transfers to the US, but its threshold applies to any data transfer outside the EEA;
- A data transfer occurs not only when data are stored outside the EEA; providing access to data from a third country, for instance for administration purposes, also amounts to a transfer;
- You can no longer rely on the Privacy Shield, but – even if you are using other data transfer mechanisms – you need to run a case-by-case assessment taking into account the circumstances of the transfer, including whether the legislation of the non-EEA country makes it possible to comply with the obligations set out in the SCCs and the BCRs, and the supplementary measures you could put in place;
- The obligations deriving from the Schrems II decision also apply to follow-up transfers performed by sub-processors, and therefore the whole process shall be reviewed;
- If you conclude that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured on the data transfer, you are required to suspend or end the transfer of personal data outside the EEA; and
- If your conclusion on the compliance of the data transfer with the threshold set forth by the CJEU is negative, but you intend to keep transferring data despite this conclusion, you must notify your competent data protection supervisory authority.
Top 5 recommendations on how to deal with data transfers after the Schrems II decision
This picture was taken three years ago when Max Schrems and I were both speakers at a data protection conference in Berlin. I had “thanked” him for the headache caused by the invalidation of the Safe Harbor, but the worst was still to come…
With our DLA Piper colleagues, we finalized a methodology to assess the risk arising from a data transfer in the light of the threshold set forth by the CJEU, and the actions to be undertaken, including supplemental clauses and recommended technical measures. The tool relies on a scoring system meant to provide an assessment that is as objective as possible, so that your decision can be defended against potential challenges.
To perform the assessment and adopt measures that mitigate the risks arising from data transfers after the Schrems II decision, our recommendations are the following:
- Identify data transfers, starting from your record of processing activities and from the agreements that are most relevant for the business, and the data transfers towards the countries most at risk of challenges, which include not only the United States but also countries like China or Russia;
- Assess the legal regime in place in the third country; for this purpose we are liaising with our DLA Piper colleagues in the different jurisdictions to provide the most accurate evaluation;
- Assess the additional protections available which can include technical measures such as encryption and/or the additional contractual safeguards adopted, bearing in mind that – as stressed by the EDPB – even the mere access to personal data triggers a data transfer;
- Assess the potential harm and its probability for individuals, taking into account – among others – the types of personal data that are transferred and the risk of surveillance actions by the foreign country; and
- Take your final decision, relying on our scoring system, which will support an internal self-assessment report that is necessary for accountability purposes in case of challenges.
On the last point, the EDPB's reference to the need to notify the data transfer to the data protection authority if you intend to keep transferring data despite the negative conclusion of your assessment is quite unclear. If the evaluation is negative, why would the data transfer continue? What is the purpose of the notification? Is it equivalent to the prior consultation under article 36 of the GDPR?
I don’t believe that the invalidation of the Privacy Shield mechanism as a whole impinges on the GDPR compliance of any data transfer to the United States, and I don’t think that any such transfer shall be notified to the competent data protection authority. But there is no doubt that the assessment mentioned above is necessary to defend your business from potential challenges and fines.
On the same topic, you may find interesting the article “Privacy Shield invalidated, but SCCs might not be enough for data transfers”.