A data transfer impact assessment methodology to evaluate compliance with the criteria outlined in the Schrems II decision is a pillar of the GDPR accountability program of any business.
Updated after the final EDPB recommendations on data transfers and the new SCCs
After the Schrems II decision of the European Court of Justice outlawed the Privacy Shield and laid down stringent criteria for reliance on the Standard Contractual Clauses as an alternative data transfer mechanism, it is time to set your compliance strategy for the coming months.
There is no doubt that a situation of unrest followed the decision due to its broad scope. The CJEU expressly held that its purpose was not to create a legal vacuum. But a considerable burden was placed on businesses’ shoulders to assess when and why they can still perform data transfers outside the European Economic Area based on the Standard Contractual Clauses.
Article 14 of the new Standard Contractual Clauses expressly requires to run transfer impact assessment and to document it in the light of the principles laid down by the Schrems II that the European Commission specifically laid down, and that have been further developed by the European Data Protection Board in the final version of their recommendations on data transfers.
The need to run a transfer impact assessment is the rule for the future
Before the approval of the new SCCs, some companies were still hoping that the new Standard Contractual Clauses would have reinstated the need to adopt a formal document to regulate data transfers.
Unfortunately, the above-mentioned Article 14 of the new SCCs expressly nails down a stringent obligation on the data importer and exporter to “warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses“.
Besides, during the last months, some data protection authorities already issued the first fines for lack of compliance with the Schrems II principles on data transfers, and German data protection authorities are already sending checklists to companies to map their data transfers outside the EEA and seek clarifications on the measures actually adopt them to secure them. Besides, the 101 complaints filed against data transfers between the EU and the US by NOYB, the company behind Schrems, are just the tip of the iceberg. And the publication by the EDPB of the final version of their recommendations on data transfers waives the last barrier that could persuade some data protection authorities to refrain from starting investigations on data transfers.
DLA Piper’s transfer impact assessment methodology and legal tech tool based on Schrems II criteria
The GDPR accountability principle requires that businesses prove their data protection compliance, and Article 14 of the new Standard Contractual Clauses expressly requires document the transfer impact assessment. To support businesses, together with my colleagues at DLA Piper, we developed a transfer impact assessment methodology that has been then automated through a legal tech tool named “Transfer” to ease the performance of these evaluations.
DLA Piper’s transfer impact assessment and legal tech tool rely on the principles set out in the new SCCs. And takes into account the EDPB recommendations as part of a risk assessment to create strong protection against potential challenges by authorities. It relies on the following 5 steps:
- Identification of the data transfers: it requires laying down the main elements of the data transfers, including the parties involved, the data importing countries, the categories of personal data that are transferred, the legal tool on which the data transfer relies (e.g., SCCs or BCR) since the goal is to generate a report to provide to authorities together with the agreement providing the transfer;
- Assess the legal regime and practices of the third country: it provides a detailed assessment of the foreign surveillance laws and practices and their impact on the data transfer through the support of our data protection DLA Piper colleagues from non-EEA jurisdictions. Indeed, for each non-EEA data importing country, we can provide a detailed assessment of local laws and a score indicating the potential divergence from the GDPR;
- Assess additional protections available: it allows to weight and score supplemental technical, organizational, and contractual measures adopted to secure the positive outcome of the transfer impact assessment. And also on this topic, DLA Piper supports its clients with a contractual annex to the data transfer agreement, providing the potential additional measures that can be adapted and adjusted to the specific context;
- Assess severity and probability of harm to data subjects: in line with what emphasized by the European Commission in the new Standard Contractual Clauses, this step allows to attribute a specific score based on the specific characteristics of the data transfer; and
- Final decision: based on the information collected through the responses to the previous questions, the legal tech tool can attribute a score and an outcome of the transfer impact assessment together with the relevant recommendation.
The result of the assessment is a self-generated report that – in line with the accountability principle – can prove challenges from data protection authorities’ compliance to the data transfer to the Schrems II decision criteria.
During the last months, DLA Piper’s methodology and transfer impact assessment have been shown to most European data protection authorities that applauded such a detailed and easy-to-use tool. Besides, several DLA Piper clients already adopted it, making Transfer a sort of benchmark in the market.
You can find more details on the methodology here, and I am available for further clarifications. Also, on the same topic, you can read, “What changes with the new Standard Contractual Clauses on data transfers?“.
Image Credit Jennifer Morrow