Does your company engage in data transfers outside the EU? Then this New Year may bring changes to look out for in your existing privacy policies. Businesses involved in global data flows regularly come under scrutiny from privacy watchdogs for potential breaches when transferring personal data outside the EU, so they need to be mindful of EU policy changes and recommendations.
If, however, your transfers are to countries deemed adequate, the changes are less impactful and you need only watch for legislative changes that might affect the implementation of your privacy safeguards.
In this article we outline the main recommendations of the European Data Protection Board (EDPB), put forward recently to guide companies on secure data transfers without falling prey to fines and customer dissatisfaction incidents.
Schrems II – Before and After
A large number of businesses were affected by the recent judgment in the Data Protection Commissioner v. Facebook Ltd., Schrems [Schrems II] case. EU-US data transfers are once again under the microscope of campaigners due to the invalidation of the EU-US Privacy Shield by the CJEU.
Prior to Schrems II
Before Schrems II came the Safe Harbour privacy principles, which were in place until 2015. They were designed to prevent private organizations within the EU or US that stored customer data from accidentally disclosing or losing personal information. The Safe Harbour principles were struck down on the grounds that they failed to guarantee all the protective rights granted under EU law and, in addition, lacked a specific authority to enforce data protection rights.
Right after the first case, an updated version of the principles, the “EU-US Privacy Shield”, was broadly welcomed as it claimed to provide more coverage in its EU data protection principles. In reality it was not much different from the Safe Harbour principles. In July 2020, the CJEU ruled in the case commonly called Schrems II that Privacy Shield also did not offer the necessary protection to the personal data of EU residents.
2021 GDPR Compliance Checkup
With a view to ensuring that the protection granted to personal data in the European Economic Area (EEA) travels with the data wherever it goes, the EDPB has made recommendations on supplementary measures that companies may adopt to ensure protection when transfers are made to territories whose protective measures are deemed inadequate.
The recommendations include an initial six-step process to evaluate the company’s current status and potential sources of information, along with some examples of supplementary measures that could be put in place. This step-by-step roadmap must be completed and documented by all data exporters and be made available to the competent supervisory authorities upon request. The roadmap is listed below.
Step 1: Map all data transfers to third countries and verify that the data transferred is adequate, relevant and limited to what is necessary.
Step 2: Verify the transfer tool you rely on amongst those listed under Chapter V of the GDPR. “If you transfer personal data to third countries, regions or sectors covered by a Commission adequacy decision (to the extent applicable), you do not need to take any further steps as described in these recommendations. However, you must still monitor if adequacy decisions relevant to your transfers are revoked or invalidated.”
Step 3: Ensure there is no law or practice of the third country that may impinge on the effectiveness of the safeguards offered by the transfer tools you are relying on. This involves a close review of the third country’s legislation alongside Article 46 of the GDPR.
If you find anything that might undermine the level of protection provided, then:
Step 4: Identify and adopt supplementary measures to bring the protection level on a par with what is offered by the GDPR within the EU (the EU standard of essential equivalence).
Step 5: Take the procedural steps required to adopt the supplementary measures and to put EU-guaranteed data protection into practice effectively.
Step 6: Re-evaluate at regular intervals the level of protection you guarantee for the transferred data, and keep an eye on any developments that might undermine the guarantee you provide to data from the EU.
Standard Contractual Clauses (SCCs)
As of January 2021, standard data protection clauses (“SCCs”) remain a sufficient guarantee for data protection, provided the identified supplementary measures implemented in addition to the SCCs do not contradict the provisions of the GDPR. A data exporter has the responsibility to ensure that these additional clauses neither restrict the rights and obligations in the SCCs nor diminish the level of protection offered. SCCs, therefore, are left untouched by the Schrems II decision and remain a safe practice to ensure privacy in data transfers.
The Road Ahead
Demand for careful scrutiny by privacy experts of existing protective measures is on the rise; hence data exporters need to keep an eye on legal developments both in the EU and in the third countries to which data is being transferred. Reviews and evaluations must be conducted periodically at regular intervals. The EDPB advises data exporters to cease data transfers to a third country if ambiguity about the level of protection persists. Dr. Andrea Jelinek, Chair of the EDPB, also reminds us that “The competent supervisory authority has the power to suspend or end transfers of personal data to the third country if the protection of the data transferred that EU law requires”.
The EDPB recommendations remain an illustrative guide to alternative adequacy methods that companies can adopt to continue with global data transfers. These recommendations came as a breath of fresh air amid the struggles of companies to enable global data flows after Privacy Shield was struck down. As the CJEU uncovers hidden discrepancies in the EU-US Privacy Shield, the working of data protection standards continues to redefine itself.
– Article by Aparna Radhakrishnan –
Senior Legal Analyst DPO Solutions