How it started/how it’s going
In July 2020, while the world was dealing with the COVID-19 pandemic's summer surge, the Court of Justice of the European Union (CJEU) issued the Schrems II decision, which declared that the Privacy Shield, one of the primary EU-U.S. personal data transfer mechanisms, was no longer a lawful means of transferring personal data from the EU to the United States. This sent companies around the world scrambling to adjust their data protection processes, with both near- and long-term consequences. The story really starts in 2015, when the Safe Harbour Agreement, the predecessor to the Privacy Shield, was invalidated in the first Schrems decision. A year later, the EU-U.S. Privacy Shield was approved and implemented by the U.S. Department of Commerce and the European Commission. In November 2020, as a direct response to Schrems II, the European Data Protection Board (EDPB) issued draft guidance on supplementary measures and the European Commission published a draft update to the Standard Contractual Clauses (SCCs). What's next? We hope to see adoption of the revised Standard Contractual Clauses, final guidance on supplementary measures and, eventually, a Privacy Shield 2.0. But let's dive into where we are today.
Why is Schrems II a board level issue?
In a recent webinar we conducted on this topic, we asked our audience whether Schrems II is recognized as a board level issue within their organization. Just nine percent indicated they had the full support of their board, while 77 percent said their board had yet to acknowledge Schrems II or that they were unsure what level of board support they had. Clearly, there's work to be done.
Boards of directors have two primary concerns that are affected by the Schrems decision: profitability and risk. A board's fiduciary duties include ensuring that management has an effective compliance program, that oversight of the program is being exercised and that regular steps are taken to keep the board informed of the program's content and operation. In this case, the program in question covers data transfers. Monetary fines and litigation liabilities fall squarely within the board's interest, and a breach of these duties could result in shareholder derivative litigation, other stakeholder claims, fines and sanctions and, in some circumstances, personal liability for board members.
Six steps to building a defensible position
There are six steps that any company engaged in international personal data transfers should take now.
Let’s look at each.
Step 1: Know your transfers
Ask: Where is the organization exporting personal data to recipients outside of the European Economic Area?
Mapping all transfers of personal data to third countries can be a big lift for any organization. Consider where data is being transferred to and which jurisdictions apply. This will help identify where local regulations or governmental practices may constrain individuals' privacy rights and therefore drive the need for additional measures. Data sovereignty (subjecting stored data to the laws of the country in which it is physically stored) and data localization (requiring data to be stored and processed within certain borders and not to leave them) are both important factors. Consider every party involved, including sub-processors and onward transfers. Do not overlook the importance of maintaining records of processing, both for Schrems purposes and for general compliance with the GDPR (Article 30 requires them in any event).
Step 2: Verify the transfer tool
Ask: What are data exporters using to transfer? What mechanisms are being used in accordance with GDPR’s provisions?
Every organization has an obligation to know its international transfer mechanisms. Most organizations should have this covered, thanks to earlier GDPR compliance work, but if this area has not been addressed, now is the time to do so. GDPR Article 46 lists the "appropriate safeguards" (binding corporate rules, standard contractual clauses, codes of conduct and certification mechanisms), while the Privacy Shield was an adequacy decision under Article 45. Schrems II focused on two of these tools: it invalidated the Privacy Shield and upheld the standard contractual clauses only on the condition that the exporter verifies, case by case, that the law and practice of the destination country do not undermine the protection the clauses promise.
Step 3: Assess third country laws and practices
Ask: Are there any local regulations or other constraints that would affect data transfers or limit how that data can be protected or secured?
Perhaps the most important criterion for assessing the impact of local law and practice on data transfers is whether the transfer tool remains effective in that jurisdiction. We suggest examining the characteristics of each transfer, including the purposes of the transfer, the types of entities involved, the sector in which the transfer occurs, the categories of personal data and, particularly challenging for most companies, how the European "Essential Guarantees" are met in light of government surveillance powers and the remedies available to individuals. Organizations that go through this analysis and conclude that the destination country does not provide the essentially equivalent level of protection Schrems II requires should then consider supplementary measures to provide adequate safeguards.
Step 4: Identify and adopt supplementary measures
Ask: If there are local regulations or constraints inconsistent with the EU data protection principles, what additional considerations or measures does the data exporter need to have in place?
The EDPB has issued draft guidance on supplementary measures, which must be identified on a case-by-case basis to "ensure consistency in the application of EU data protection law". We help our clients group sets of similar transfers and build decision criteria and decision trees for selecting supplementary measures. We also weigh the cost of those measures against their effectiveness.
Step 5: Implement procedural steps
Ask: What formal procedures or documentation are required of the data exporter or the data importer?
After identifying supplementary measures on an individualized basis, the EDPB recommends moving on to procedural steps: a review to determine whether the standard contractual clauses, binding corporate rules or other contractual clauses need to be adjusted to accommodate the supplementary measures. This step may result in a cessation of transfers, a notification to a Supervisory Authority or a request for its guidance. The supplementary measures must not contradict, directly or indirectly, any of the existing contractual clauses. If they do, the exporter is no longer relying on the standard contractual clauses as adopted by the Commission, and authorization for the modified clauses must be sought from the competent Supervisory Authority.
Step 6: Periodically reevaluate
Ask: What type of ongoing monitoring do data exporters and importers need to perform?
The EDPB recommends implementing a process to periodically re-evaluate data transfers and identify any changes in the level of protection in third countries, since a transfer that is defensible today may not be after a change in local law or practice.
What to do now
One thing is certain: the privacy regulatory landscape will continue to evolve in the coming years. Here’s where we suggest organizations focus their efforts:
Act now to ensure sufficient insight into data transfers. There is no "grace period" for conducting a data transfer impact assessment; we recommend an immediate assessment of the scope of the Schrems II decision's impact and, as a first step, mapping the flow of personal data from the EU to jurisdictions that are not covered by a European Commission adequacy decision. Know the full scope of international data transfers and the accompanying risk exposure.
Evaluate and document your approach and supplementary actions. Establish a process for documenting your company's data flows. A simple Excel spreadsheet or Visio file may suffice, but in more complex environments a purpose-built tool is recommended. While the EDPB does not endorse a subjective, risk-based approach to deciding whether a transfer is lawful, it is practical to start the exercise by using risk to prioritize which transfers to document and evaluate first. Assess those transfers to determine which present the highest risk, and begin addressing them through the supplementary measures discussed earlier.
Consider privacy by design implications. Privacy by design is about how organizations design systems to accomplish business objectives while meeting regulatory requirements. We suggest separating must-haves from nice-to-haves and asking:
- Can the transfer of this personal data be prevented by localization?
- Is the personal data needed in the data transfer to accomplish the transfer’s goal?
- Can the personal data be de-identified in the data transfer?
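The last two questions have a concrete engineering answer. The example below is added here and is not part of the original article: it takes a constructed customer record, drops every field the stated purpose (purchase analytics) does not need, and replaces the remaining direct identifier with a keyed pseudonym (HMAC-SHA256) whose key stays with the exporter in the EU. It also shows why an unkeyed hash is not de-identification: an importer who knows the identifier format can simply enumerate candidates and match. The field names, the purpose, the identifier format and the classification of fields as direct identifiers are all assumptions made for illustration. Note that the EDPB draft guidance treats pseudonymisation as a candidate supplementary measure only where the additional information needed to re-identify the data remains exclusively with the exporter, so the key management matters as much as the code.

```python
# Added example (not from the original article): minimising and pseudonymising a
# record before it leaves the EU. Assumptions (constructed for illustration): the
# field names, the purpose (purchase analytics), the "C-NNNNN" identifier format,
# and that EXPORTER_KEY is held only by the exporter inside the EU.
import hashlib
import hmac
import secrets
from typing import Callable, List, Optional

# Constructed sample record as it exists in the exporter's EU system.
RECORD = {
    "customer_id": "C-10042",
    "email": "alice@example.com",
    "name": "Alice Example",
    "country": "DE",
    "order_total_eur": 129.90,
    "sku": "WIDGET-7",
}

# Fields that identify the person directly (assumed classification).
DIRECT_IDENTIFIERS = {"customer_id", "email", "name"}
# Fields the importer's purpose actually needs (assumed); everything else is dropped.
PURPOSE_FIELDS = {"customer_id", "country", "order_total_eur", "sku"}

# Secret held exclusively by the exporter; never transferred with the data.
EXPORTER_KEY = secrets.token_bytes(32)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier. The same input under the
    same key always yields the same pseudonym, so the exporter can re-link records
    later, but without the key the importer cannot confirm a guessed identifier."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """The weak alternative (plain SHA-256), included only to show why it fails."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def prepare_for_export(record: dict, key: bytes) -> dict:
    """Return the record as it may leave the EU: purpose-limited and pseudonymised."""
    exported = {}
    for field, value in record.items():
        if field not in PURPOSE_FIELDS:
            continue  # minimisation: not needed for the purpose, so not transferred
        if field in DIRECT_IDENTIFIERS:
            exported[field] = pseudonymise(str(value), key)
        else:
            exported[field] = value
    return exported


def candidate_ids(n: int) -> List[str]:
    """Identifier space an importer could plausibly enumerate (constructed format)."""
    return [f"C-{i:05d}" for i in range(n)]


def recover_by_enumeration(pseudonym: str, candidates: List[str],
                           hash_fn: Callable[[str], str]) -> Optional[str]:
    """Importer-side re-identification attempt: hash every plausible identifier and
    compare. Succeeds against unkeyed hashes; fails against HMAC with an unknown key."""
    for cand in candidates:
        if hash_fn(cand) == pseudonym:
            return cand
    return None


if __name__ == "__main__":
    exported = prepare_for_export(RECORD, EXPORTER_KEY)
    print("exported record:", exported)
    ids = candidate_ids(100_000)
    print("unkeyed hash recovered:",
          recover_by_enumeration(unkeyed_hash("C-10042"), ids, unkeyed_hash))
    print("keyed pseudonym recovered:",
          recover_by_enumeration(exported["customer_id"], ids, unkeyed_hash))
```

Running the script prints the exported record with `email` and `name` gone and `customer_id` replaced by a 64-character hex pseudonym; the enumeration attack recovers `C-10042` from the plain hash and returns `None` for the keyed pseudonym. Rotating or losing `EXPORTER_KEY` breaks the exporter's own ability to re-link, so the key needs the same lifecycle controls as any other cryptographic secret.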
It's no longer business as usual. The Schrems II ruling marks the end of one era and the beginning of another in how organizations conduct international business. It may be some time before the impacts of the ruling are fully understood in every boardroom, but companies will adapt to these new privacy compliance requirements in international operations, much as they have in the past. Keep calm and carry on.