In July 2020, the Court of Justice of the European Union (CJEU) invalidated the transfer of personal data from the European Economic Area to the United States under the US-EU Privacy Shield agreement. This ruling commonly known as Schrems II, removed a key mechanism for transfer of personal data from the EU to the US in compliance with the General Data Protection Regulation (GDPR).
The ruling confirmed that businesses that have relied on the EU-US Privacy Shield for transferring personal data can no longer do so. Over 5000 businesses including the likes of Google, Amazon, Facebook, and Microsoft lost their primary mechanism for international data transfers by this judgement.
To comply with the GDPR, organizations must comply with the Schrems II ruling. Otherwise, they can expect fines of €20 million ($23.9m) or up to 4% of the total worldwide turnover of the preceding financial year i.e. the higher level of GDPR fines.
In November 2020, the European Commission and the European Data Protection Board (the EDPB) released Recommendations with the objective of helping businesses comply with the enhanced obligations under Schrems II.
The EDPB’s Six-Step Process to Comply with Schrems II
The EDPB brings to attention that right to data protection is a fundamental right of the citizens of the EU. Data protection, therefore, has a high level of accountability.
The Schrems II judgment emphasized the responsibilities of data exporters and importers to ensure that the processing of personal data will be carried out in compliance with the level of protection set by the EU. The principle of accountability requires that entities comply with the right to data protection in an active and continuous manner by implementing legal, technical and organizational measures to ensure its effectiveness.
The EDPB introduces a six-step approach for data exporters for compliance with data protection regulations. Data exporters need to document their assessment and the supplementary measures undertaken by them and also make the documentation available to the supervisory authority upon request.
Step 1. Know your transfers
Firstly, data exporters must fully record and map out all of their transfers outside EEA to third countries. Data exporters must also map any onward transfers, e.g. transfers of data from one processor to a sub-processor in another third country.
Data exporters should also ensure that the data transferred is “adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country”, as required under data minimization requirements of the GDPR.
Moreover, data exporters must map any remote access from a third country. IT support situations or storage in a cloud located outside of the European Economic Area (EEA) etc. are considered as data transfer. This also applies to the use of international cloud infrastructure that could transfer data to third countries.
Step 2. Identify the transfer tools
Data exporters must verify the transfer mechanism that they rely on. The European Commission (EC) may recognize if the third countries where you transfer personal data offer an adequate level of protection for personal data i.e. based on adequacy decisions. No further supplementary measures have to be taken if the data transfer is covered by the adequacy decisions.
In the absence of adequacy decisions, the main types of transfer tools as suggested in Article 46 GDPR are – Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), codes of conduct, certification mechanisms and ad hoc contractual clauses.
GDPR contains a third avenue for data transfer in certain situations based on the derogation listed in Article 49 GDPR. This is applicable under specific conditions.
Step 3. Assess the legislation of third countries
Data exporters should, in collaboration with the importer, assess if the law or practice in the third country may infringe on the effectiveness of the relevant transfer tool.
This assessment should also look at all the actors as identified in the mapping exercise, such as controllers, processors and sub-processors processing data in the third country.
The EDPB lists a number of factors applicable to this analysis, important among them is the European Essential Guarantees (EEG). The EEG provides a framework for evaluating whether public authorities in a third country, such as national security agencies and law enforcement authorities can be considered justifiable interference or not.
In case the data importer is unable to put an equivalent level of protection, it is the responsibility of the data exporter to either put in place effective supplementary measures or to not transfer personal data.
Step 4. Adopt supplementary measures
If the assessment under Step 3 has revealed that your transfer tool is not effective, then supplementary measures should be considered. Supplementary measures could be contractual, technical, or organizational in nature. EDPB notes that contractual and organizational measures alone will not overcome access to personal data by public authorities of the third country. In such situations technical measures have to be put in place.
Examples of supplementary measures include state-of-the-art encryption mechanism before transmission, pseudonymization of personal data, split or multi party processing. Other supplementary measures recommended by the EDPB are contractual security obligations, transparency obligations, data minimization measures, accountability measures, adoption of internal governance policies, etc.
Find detailed examples of technical measures in Annex 2 of the Recommendations.
Step 5. Implement procedural steps
Depending on the supplementary measures identified, the data exporter must then take any procedural steps required to implement them.
In case the data exporter wants to use supplementary measures in addition to SCCs, the exporter does not need a supervisory authority’s authorization to do so. The data exporter and importer need to ensure that additional clauses do not restrict the rights and obligations in the SCCs or in any other way lower the level of data protection. Data exporters should be able to demonstrate this, including the unambiguity of all clauses to the supervisory authority.
Under Schrems II judgement, transfer of personal data on the basis of Binding Corporate Rules (BCR) and ad hoc contractual clauses are still relevant. But, the EDPB notes that further details on “precise impact of the Schrems II judgment” on both BCR and ad hoc contractual clauses are still under discussion.
Step 6. Re-evaluate at appropriate intervals
In line with the GDPR principle that “accountability is a continuing obligation,” the Recommendations suggest that data exporters consistently monitor their compliance. Businesses should collaborate with data importers and monitor any developments in the third countries that could change or modify the initial assessment done about the level of data protection afforded.
In case the data importer has breached or is unable to honour the commitments or the supplementary measures are no longer effective in that third country, the data exporter should put sound mechanisms in place to ensure the termination of data transfers.
The Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data are now available here: https://t.co/agY2BHZVku For a quick overview of the different steps data exporters need to take, check out the infographic: pic.twitter.com/sYTMdNgBkn
— EDPB (@EU_EDPB) November 11, 2020
New Standard Contractual Clauses
Standard Contractual Clauses (SCCs) are still a valid data transfer mechanism under the GDPR. However, the Schrems II ruling expressed concern if the local laws of third countries could negate the safeguards meant to be provided by SCCs.
After the release of the Recommendations, for the first time in nearly 20 years, the European Commission published new versions of the SCCs. The new draft SCCs on data transfer addresses the transfer of personal data from an EEA country to a non-EEA country.
The draft SCCs were open for public consultation and are anticipated to be formally adopted to replace the current SCCs. In January 2021, the EDPB and the EDPS adopted joint opinions on the new SCCs noting that the drafts presented a “reinforced level of protection for data subjects”.
The draft SCCs adopt a “modular” approach and accommodate four different personal data transferring scenarios namely – Controller to Controller, Controller to Processor, Processor to Processor, and Processor to Controller.
While the first two versions i.e. Controller to Controller and Controller to Processor are addressed under the existing SCCs, the updated version caters to a wide range of data processing activities.
In relation to Processor to Processor and Processor to Controller, the EU Commission has for the first time facilitated active compliance by processors as data exporters. Data exporters are also required to list all the controllers for which it is a processor.
The draft SCCs reflect Schrems II judgement that it is the shared responsibility of both the data exporter and importer to ensure that adequate safeguards are applied to cross-border transfer of personal data.
The draft SCCs also set out to consider government access to data, an issue at the center of the Schrems II judgement. Specifically, it contains safeguards to assist data exporters and importers to comply with the obligations mandated by Schrems II such as to notify the exporter of the legally binding request from the government, and the obligation to question or challenge any governmental data access requests under certain circumstances.
The Way Forward for Businesses
- Businesses exporting personal data to the US or to other third countries outside the EEA need to assess and analyze their data transfer arrangements as outlined in Steps 1 to Step 3 of the Recommendations summarized above.
- Complete the assessment described in Step 4 to Step 6 to implement appropriate safeguards, whether it is BCRs, SCCs or code of conduct.
- Businesses who rely on the current SCCs as a data transferring mechanism may continue to do so. After the draft is formally adapted by the EU Commission (expected in 2021), businesses have to implement the new SCCs within the one-year grace period.
- Supplementary measures are not required if third countries where business transfers personal data to, are covered under the adequacy decisions by the EU Commission. However businesses should adopt a framework to continuously monitor the data transfer practices so that the adequacy decisions remain valid and in effect.
- To ensure GDPR compliance, put in place appropriate frameworks for continued evaluation of privacy and surveillance laws of third countries, and implement technical and organizational measures to protect any personal data transferred.
The Schrems II judgement puts additional demands on organizations regarding data transfer obligations under the GDPR.
Sign up for free today!