We share some takeaways on data transfers outside the EEA gathered with my Irish colleague at DLA Piper, John Magee, at the Privacy Symposium.
Here are our top 5 takeaways on data transfers from the Privacy Symposium in Venice:
- The U.S. Department of Justice is keeping the details of Privacy Shield II confidential; however, it has confirmed that the new judicial review and oversight mechanisms will apply not only to the Privacy Shield but to all data transfer mechanisms;
- National privacy authorities are giving the announcement of the new Privacy Shield a lukewarm reception. While they welcome the fact that it is designed to directly address the problems identified in the Schrems II ruling, they are also noting that there are fundamental conflicts between the legal systems and signalling a detailed and critical review of the adequacy decision;
- The European Commission is supportive of the new agreement, although they noted that it will take time to come into effect, with the need to go through the adequacy decision proposal process, drafting, consultation with the Parliament and EDPB, and approval. They did not want to indicate exact timelines;
- There was a heated exchange about the risk-based approach to conducting transfer impact assessments (TIA). The data protection authorities continued to argue that the CJEU did not provide for consideration of subjective elements, such as the importer’s prior experience with claims, while the European Commission endorsed the view that Article 24 of the GDPR and the SCCs require a risk-based approach that considers all relevant facts, provided that a company conducts a “credible, serious and documented assessment”. Authorities have noted that they are seeing organizations submit poor quality TIAs with most of the criteria being subjective in nature. The German Privacy Authority noted the need for authorities to start moving toward more proactive enforcement rather than just reacting to complaints.
- Measures to ensure compliance with the Privacy Shield will most likely be introduced via executive orders that could add an additional element of uncertainty because they can easily be revoked by an order of the President of the United States, as happened for example after Trump’s appointment.
It is likely that many companies will decide to continue to execute TIAs, even after SP approval, so as not to find themselves defenceless in the event of a Schrems III case, with the understanding that TIAs will remain necessary for transfers to other countries deemed inadequate.
Still, some companies don’t know how to perform TIAs. DLA Piper’s legal tech tool Transfer, which supports companies in performing TIAs, can be of considerable help and is already used by 150+ companies. You can find more information about Transfer on DLA Piper’s dedicated page.
I hope this is helpful!
P.S. Sorry for the informal photo, but after seeing so many very formal photos of the event, I wanted to make everyone appreciate the beauty of the place they were in!
Read more about the potential Privacy Shield II in the article “Is a Privacy Shield 2.0 a solution to data transfers under the GDPR?”.