A data transfer methodology to assess compliance with the criteria outlined in the Schrems II decision is a pillar of the GDPR accountability program of any business.
Updated after the draft EDPB recommendations on data transfers
After the Schrems II decision of the European Court of Justice outlawed the Privacy Shield and laid down stringent criteria for reliance on the Standard Contractual Clauses as an alternative data transfer mechanism, it is time to set your compliance strategy for the coming months.
There is no doubt that a situation of unrest followed the decision due to its broad scope. The CJEU expressly held that its purpose was not to create a legal vacuum. But a considerable burden was placed on businesses’ shoulders to assess when and why they can still perform data transfers outside the European Economic Area based on the Standard Contractual Clauses.
The FAQs from the European Data Protection Board yielded some (but not many) clarifications about the data transfer methodology that it expects businesses to put in place. But the EDPB was firm in indicating that the criteria set out in the decision are already in place and need to be adopted by businesses. And this approach has been confirmed in the recent EDPB recommendations on data transfers.
The current reaction of businesses to the Schrems II decision on data transfers
Some companies are still hoping that
- either all these concerns around data transfers will die down with the adoption of new standard contractual clauses by the European Commission;
- or data protection supervisory authorities will be tolerant and not issue GDPR fines.
Unfortunately, the new standard contractual clauses cannot be “the solution”. This aspect was clarified in the new draft EU standard contractual clauses published by the European Commission, which expressly refer to the need to perform a data transfer assessment and adopt supplemental contractual and technical measures.
The CJEU took a stance outlining how supplemental contractual terms can help assess the adequacy of data transfers. But the issue also pertains to the evaluation of the foreign surveillance law and its impact on individuals and their personal data transferred outside of the EEA.
Also, as happened following the invalidation of the Safe Harbor, data protection authorities will start issuing fines against unlawful data transfers if businesses cannot prove their compliance with the criteria set forth by the Schrems II decision. The 101 complaints filed against data transfers between the EU and the US by NOYB, the company behind Schrems, are just the tip of the iceberg. And this risk is now amplified by the GDPR fines, which are considerably higher than those previously in place.
Any business needs a data transfer methodology based on Schrems II criteria
The GDPR accountability principle requires that businesses be able to prove their data protection compliance. Companies cannot just submit to privacy authorities their agreements triggering data transfers to have them validated. Besides, such an approach would not even be compatible with the operating pace of any business, which would have to suspend the data transfers while waiting for an approval that might never come.
To support businesses, together with my colleagues at DLA Piper, we developed a methodology that assesses data transfers, taking into account
- the regulatory regime in the countries where the data exporter and importer are respectively based;
- the nature of, and purposes for which, the data that is being transferred;
- the extent to which the laws in the destination country provide appropriate protection to data subjects, taking account of:
  - the safeguards offered by local data privacy laws;
  - the risks posed by wider laws authorizing public authorities to access or conduct surveillance on private information for national security or other reasons – recognizing laws in some of these areas are likely to be applied to specific sectors only;
  - the ease of access to the judicial process to protect personal rights;
  - the role of local regulators and supervisory authorities in protecting data;
  - the ability of individuals to raise complaints, appeals, and enforce decisions;
  - the impact of relevant international treaties and related commitments;
- any additional safeguards applied to the proposed transfer arrangements – whether due to other contractual clauses, industry-specific protections, or specific technical and organizational controls;
- the residual risk to a data subject.
Such a methodology takes into account the draft EDPB recommendations, reflecting their 6-step methodology. However, the recommendations are not binding, and, for instance, we believe that the residual risk for data subjects deriving from data transfers shall be considered.
The methodology is supported by our DLA Piper legal tech tool named “Transfer” which can expedite and automate the process that shall impact a high volume of contracts.
The major advantage of such a methodology and the legal tech tool, Transfer, is that
- it provides a detailed assessment of the foreign surveillance laws and their impact on the data transfer through the support of our data protection DLA Piper colleagues from non-EEA jurisdictions;
- it allows supplemental clauses to be integrated into the agreements to strengthen – in case of need – the adequacy assessment; and
- through a legal tech scoring system, Transfer, it allows a considerable number of contracts to be assessed in a short timeframe, generating an auditable report.
The result is a report that – in line with the accountability principle – can prove, in case of challenges from data protection authorities, the compliance of the data transfer with the Schrems II decision criteria.
You can find more details on the methodology here, and I am available for further clarifications. Also, on the same topic, you can read, “The EDPB issues its recommendations on data transfers after Schrems II case.”