A data transfer methodology for assessing compliance with the criteria set out in the Schrems II decision is a pillar of the GDPR accountability program of any business. A few days have passed since the Schrems II decision of the Court of Justice of the European Union (CJEU), which invalidated the Privacy Shield and laid down stringent criteria for relying on the Standard Contractual Clauses as an alternative data transfer mechanism, and it is time to set your compliance strategy for the coming months.
There is no doubt that the decision, given its broad scope, was followed by a period of unrest. The CJEU expressly held that its purpose was not to create a legal vacuum. But a considerable burden was placed on businesses' shoulders: they must now assess when and why they can still transfer data outside the European Economic Area on the basis of the Standard Contractual Clauses.
The FAQs from the European Data Protection Board (EDPB) yielded some (but not many) clarifications as to the data transfer methodology that it expects businesses to put in place. The EDPB was firm, however, in indicating that the criteria set out in the decision already apply and need to be adopted by businesses now.
The current reaction of businesses to the Schrems II decision on data transfers
My impression is that some companies are still hoping that
- either all these concerns around data transfers will die down with the adoption of new standard contractual clauses by the European Commission;
- or data protection supervisory authorities will be tolerant and not issue GDPR fines.
Unfortunately, even if new standard contractual clauses were adopted, they could not be "the solution". The CJEU did outline how supplemental contractual terms can support the assessment of the adequacy of data transfers. But the issue also turns on an evaluation of the foreign surveillance laws and their impact on individuals and on the personal data that are transferred outside of the EEA, and no clause can change what a foreign law allows.
Also, as happened following the invalidation of the Safe Harbor, data protection authorities will start issuing fines for unlawful data transfers if businesses cannot prove their compliance with the criteria set out in the Schrems II decision. This risk is now amplified by GDPR fines, which are considerably higher than those previously in place.
Any business needs a data transfer methodology based on Schrems II criteria
The GDPR accountability principle requires that businesses be able to prove their data protection compliance. Companies cannot simply submit to privacy authorities the agreements triggering data transfers and have them validated. Besides, such an approach would not even be compatible with the operating timelines of any business, which would have to suspend its data transfers while waiting for an approval that might never come.
To support businesses, together with my colleagues at DLA Piper I developed a methodology that assesses data transfers, taking into account:
- the regulatory regime in the countries where the data exporter and the data importer are respectively based;
- the nature of the data being transferred and the purposes for which they are transferred;
- the extent to which the laws of the destination country provide appropriate protection to data subjects, taking account of:
  - the safeguards offered by local data privacy laws;
  - the risks posed by wider laws authorizing public authorities to access, or conduct surveillance on, private information for national security or other reasons, recognizing that laws in some of these areas are likely to apply to specific sectors only;
  - the ease of access to the judicial process to protect personal rights;
  - the role of local regulators and supervisory authorities in protecting data;
  - the ability of individuals to raise complaints, lodge appeals and enforce decisions;
  - the impact of relevant international treaties and related commitments;
- any additional safeguards applied to the proposed transfer arrangements, whether through other contractual clauses, industry-specific protections, or specific technical and organizational controls;
- the residual risk to the data subject.
The major advantages of such a methodology are that:
- it provides a detailed assessment of the foreign surveillance laws and their impact on the data transfer, with the support of our DLA Piper data protection colleagues in non-EEA jurisdictions;
- it allows supplemental clauses to be integrated into the agreements to strengthen the adequacy assessment where needed; and
- through a legal tech scoring system, it allows a considerable number of contracts to be assessed in a short timeframe, generating an auditable report.
The end result is a report which, in line with the accountability principle, can demonstrate in the event of a challenge from a data protection authority that the data transfer complies with the criteria of the Schrems II decision.
You can find more details on the methodology here and I am available for further clarifications.
Image Credit Jennifer Morrow