A personal data transfer impact assessment is necessary after the Schrems II case, but it shall not go beyond what is required to ensure GDPR compliance.
In a period of economic downturn, when global economies increasingly rely on data, setting clear rules on personal data transfers is pivotal. The Schrems II decision did not help either EU or non-EU companies to overcome this difficult period. On the contrary, the current political debate on data transfers is boiling over, triggering further uncertainty in the data protection compliance programs of businesses.
The US Government's white paper against the CJEU's view in the Schrems II case
The backlash from the US Government against the Schrems II decision was laid out in a white paper in which it contested the stance taken by the CJEU on US surveillance law. Its arguments can be summarised as follows:
- “most US companies do not deal in data that is of any interest to US intelligence agencies” and therefore they have never received disclosure orders under Section 702 or any other intelligence power -> The likelihood of harm to individuals' personal data arising from data transfers is limited in the majority of cases;
- The FISA court approves a program of surveillance rather than the targeting of individuals, and the targeting rationale for each acquisition of personal data under US law must then be assessed and recorded by intelligence agency operatives and reviewed by lawyers of the Department of Justice -> There is actual judicial supervision of surveillance orders, unlike what the European Court of Justice held;
- Individuals (including non-US citizens) may bring a lawsuit against the US Government for unlawful surveillance under FISA -> There is a possibility of individual redress, but its actual effectiveness is limited, since it does not allow the exercise of data subject rights such as erasure, but only the seeking of compensation.
The European Commission is accelerating the revision of the Standard Contractual Clauses
In a meeting of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs in early September, Commissioner for Justice Didier Reynders expressed hope that the long-awaited revision of standard contractual clauses would be finalized by the end of this year.
The issue is whether the revised SCCs can become as useful a tool for securing data transfers as the current Standard Contractual Clauses were before the Schrems II case. It is likely that the new SCCs will impose new cooperation obligations on data importers in determining the adequacy of the laws of the country of destination, together with safeguards to limit the risk of access to the data in the third country.
However, at the end of the day, the assessment of whether the data protection laws of the third country are adequate to comply with GDPR requirements will remain with data controllers, which must perform the so-called “transfer impact assessment” (TIA). Unless there are major changes to global surveillance laws through some sort of international agreement, the scenario is unlikely to go back to where it was before the Schrems II case, when the adoption of the SCCs sufficed.
The transfer impact assessment remains a compliance exercise after Schrems II
We are assisting several companies in their transfer impact assessments based on the criteria set out in the Schrems II case. A frequent objection concerns the potential cyberattacks that foreign authorities could perpetrate to access transferred data, hijacking systems to obtain the data they target.
Although data is becoming an extraordinarily valuable resource, the GDPR principles, even after the Schrems II case, do not require companies to ensure that under no circumstances can foreign authorities or hackers access data. There is no strict liability regime.
Based on the accountability principle, companies need to prove that they have run a thorough analysis of the data protection and surveillance laws of the importing country, of the technical and contractual measures put in place, and of the likelihood of harm to affected individuals. Once they can reasonably prove that, taking into account all these parameters, the data transfer meets the threshold set out by the GDPR and the CJEU, it can take place.
TIAs are only data protection compliance assessments aimed at showing that the company has complied with applicable privacy laws, and any further investigation would go beyond what data protection supervisory authorities can require during their audits.
On the same topic, you may find useful the article “Do you have a data transfer methodology based on the Schrems II decision?”.
Image credit beachmobjellies