Five Steps to Take After the Schrems II Decision

06/08/2020


On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield Framework with immediate effect and strengthened the requirements for organizations relying on the Commission's Decision 2010/87/EU on controller-to-processor Standard Contractual Clauses (SCCs) for transfers of personal data to third countries. In the same judgment the CJEU took the view that SCCs remain valid. However, the CJEU stated that individuals whose personal data is transferred to a third country under SCCs must enjoy a level of protection essentially equivalent to the one they would have under the privacy laws of the European Union (EU). The CJEU specified that the assessment of whether individuals will be afforded that level of protection must take into consideration the contractual clauses between the data exporter and the data importer as well as the laws of the third country, in particular any access to the personal data by its public authorities. The CJEU said that the data exporter may adopt additional safeguards to ensure that individuals enjoy an adequate level of protection in the third country; however, the European Data Protection Board (EDPB) has said in its FAQ that it is still assessing what these safeguards could be, whether legal, technical or organizational measures.


What does this mean for organizations exporting personal data out of the EU? Organizations with only a couple of processes that transfer personal data to third countries are in a better position, but organizations with dozens or hundreds of such processes might have to take a step back and map out their approach. However, it is very important to understand that the Data Protection Officer (DPO) is not responsible for compliance: controllers and processors are required to ensure compliance and to be able to demonstrate that processing is performed in accordance with the GDPR. The DPO can inform, advise and issue recommendations to the controller or the processor, but the controller or processor makes the final decision. This means that the exercise has to be coordinated between the DPO and other stakeholders such as business process owners, senior management, IT, Legal and similar functions. If your organization exports personal data out of the EU to the US or to any other third country without an adequacy decision, these are the steps to take while waiting for further guidance from the regulators.


1) Review personal data flows


The best way to start this exercise is by looking into the register of processing activities (GDPR Art. 30). If it has not been updated, now might be a good time to do so. One likely problem is that organizations are not fully aware of the location of their processors' sub-processors, since even access to personal data counts as a transfer (including access for administration or support purposes). This means that organizations might have to get in touch with their vendors to understand where the sub-processors are located and whether any third parties have access to the personal data (and from which countries).


It should be verified whether the personal data flows to EEA countries or to countries deemed adequate by the European Commission, and whether the personal data is transferred under SCCs, Binding Corporate Rules (BCRs), the Privacy Shield or one of the GDPR Article 49 derogations. In principle, the CJEU ruling applies to all Article 46 safeguards, including BCRs.


If the transfers are covered by SCCs, it should be verified with the data importer (processor) whether it can comply with the SCCs or whether the legal system of its country prevents it from doing so. We know that the court treats surveillance laws and access to personal data by third-country authorities as one of the criteria when assessing the level of protection in a third country. This is troublesome for many countries with such laws, such as China and Russia. If an organization has the capacity to research the law of every country, great. If not, it will have to rely on the data importer's assessment, which is not the best option, as the controller is ultimately responsible for compliance with the GDPR. The volumes and categories of personal data for each process should be combined with the previous exercises to get the full picture of the personal data flows.


2) Prioritize transfers


Prioritize personal data flows by the volumes and categories of personal data involved, and exclude the ones that go to the EEA or to adequate countries (and are not transferred onward). For most organizations with many processes involving transfers to third countries, this will have to be a risk-based exercise. In addition to the volumes and categories of personal data, the processes should be broken down further by transfer mechanism: whether the organization relies on the Privacy Shield, SCCs, BCRs or the Article 49 derogations. The Privacy Shield is dead, while SCCs are still alive, with the caveat that every organization must conduct a mini-assessment to determine whether it can rely on them. The question is whether the organization wants to deal with transfers under the Privacy Shield first, regardless of the volumes and categories of personal data, or to strike a balance between the volumes and categories of personal data and the transfer mechanisms. It is important to remember that transfers under the Privacy Shield are non-compliant, while transfers under SCCs and BCRs may be non-compliant, depending on the assessment of the level of protection in the destination country. As said earlier, such decisions should be informed by risk.


3) Decision making process


How can organizations make the decision? Organizations may try to push this decision onto the DPO; however, the organization, as controller, should make the final decision after an appropriate assessment by all stakeholders, with the privacy risks highlighted by the DPO. If the organization decides to stop the transfers, it has to find an alternative. Right now, the only certainty is that personal data may be transferred to the EEA or to any adequate country.


It is important to remember that the right to privacy of individuals whose personal data is transferred to third countries should not depend on the commercial interests of the organization, such as the costs or technical challenges of changing the personal data flows.


Should the organization decide to use SCCs or BCRs instead of the Privacy Shield, or to continue relying on SCCs or BCRs, read the next step; otherwise, go to step five.


4) Assess the state of privacy in third countries and consider additional safeguards


At the moment there is no clear guidance on this. The CJEU found that for SCCs to be a valid safeguard, they must ensure an adequate level of protection of individuals' personal data. In practice this means that the data exporter and the data importer have to verify whether that level of protection can be ensured in the third country. The court found that US surveillance laws interfere with fundamental rights, thus making the Privacy Shield invalid as a transfer mechanism. The likelihood is that transfers to any country with the same or similar laws or practices would be non-compliant, even if organizations rely on SCCs. It seems that organizations will have to conduct a "mini adequacy assessment" for every third country to which their personal data flows (including onward transfers), or to which they intend to redirect their transfers. The GDPR prescribes the criteria for assessing the adequacy of the level of protection in Article 45(2). These are grouped around three main ideas:


a) the rule of law, respect for human rights and fundamental freedoms, access to personal data by public authorities, general and sector-specific data protection legislation, case law, effective and enforceable data subject rights, and effective administrative and judicial redress for the individuals whose personal data is transferred;


b) the existence of one or more independent supervisory authorities responsible for ensuring and enforcing compliance with data protection rules, for assisting and advising data subjects in exercising their rights, and for cooperating with the DPAs in the EU;


c) the international treaties, conventions and other instruments to which the country is subject, taking into consideration the country's obligations under those instruments, especially in the area of data protection.


In addition, the CJEU has said that organizations should take into account the circumstances of each transfer individually and, if the guarantees provided by SCCs or BCRs are not enough, may employ additional safeguards. The EDPB has stated in its FAQ that it will assess whether those safeguards could be legal, technical or organizational measures. Without speculating what those may be, the safest option, apart from redirecting personal data flows to the EEA or to adequate countries, is to look into the state of privacy in the third countries to which your personal data flows and assess whether those countries meet the adequacy principles outlined in the GDPR. In addition, it is always useful to refer to the Article 29 Working Party Adequacy Referential (WP 254), endorsed by the EDPB.


If organizations continue to transfer personal data to third countries even though they cannot ensure an adequate level of protection for the data transferred (using the Article 46 safeguards or the additional safeguards mentioned by the CJEU), they should notify their competent DPAs.


5) Document the decision making process


The previous steps have to be documented properly. Under the accountability principle, the controller has to be able to demonstrate compliance with the GDPR. At least the following should be documented:


a) the personal data flows assessment with prioritization as described in the first two steps;


b) whether the flows were redirected to the EEA or to any of the adequate countries. If personal data still flows to third countries, the organization should document why that is the case and should be able to demonstrate that it has taken appropriate safeguards in addition to SCCs or BCRs. These could include the internal assessment of the third country's legal system described in the previous step, showing why an adequate level of protection is achievable there; external legal advice on that assessment; the additional safeguards mentioned by the CJEU, once the EDPB has published guidance on them; or any additional safeguards the organization itself believes can ensure an appropriate level of protection;


c) DPO’s advice on the matter;


d) the final decision: who took the decision within the organization and the rationale behind it.


The Privacy Shield has been invalidated and the accountability requirements for relying on SCCs or BCRs have been strengthened in a single day. This has put many organizations in a very difficult position, especially because the EDPB and the DPAs have not yet issued further guidance to help organizations navigate the comparative law maze. In my view, compliance with the law should never be a matter of choice, since the consequences of not complying with privacy laws can have a detrimental effect on individuals, as we have seen in many past cases of non-compliance.


Written by

Stevan Stanojevic


Photo by ThisisEngineering RAEng on Unsplash.


Ideas expressed in this article are the personal views of the author and do not constitute legal advice. If you use this article or any part of it publicly or for commercial purposes, include a link to the article.