In July 2020, the Court of Justice of the European Union (CJEU) announced in its Schrems II decision that the Privacy Shield was not an adequate mechanism to ensure a safe transfer of personal data to the US. The Privacy Shield was declared invalid, hence making transfers of personal data that rely on it non-compliant with the General Data Protection Regulation (GDPR).
The same judgement also noted that the Standard Contractual Clauses (SCCs) cannot be used alone to transfer personal data to countries whose laws do not allow for the full application and enforcement of these clauses.
This is particularly true for transfers to the US, where surveillance laws grant US surveillance agencies almost unlimited access to data; but the decision applies to transfers to any country that is not part of the European Economic Area and does not benefit from an adequacy decision (Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay).
Standard Contractual Clauses can no longer be used blindly: companies first need to perform a Transfer Impact Assessment (TIA) for new and existing transfers to third countries.
The European Data Protection Board (EDPB) published recommendations in November 2020 on how to perform such a TIA. Their recommendations foresee a 6-step plan for companies exchanging data with third countries:
- Identifying and mapping personal data transfers, including onward transfers: transfers performed by processors and sub-processors to additional third parties;
- Identifying the transfer tool used, such as an adequacy decision, SCCs, or Binding Corporate Rules;
- Assessing whether the transfer tool is effective, taking into account the law and general practices of the third country (data protection, surveillance, respect of individuals’ rights…), the possibility for data subjects to exercise their rights efficiently and effectively and to obtain judicial redress, and the presence and activities of independent supervisory authorities;
- Implementing supplementary measures (see below), or stopping the transfers when they cannot offer the same level of protection as in the EU;
- Taking any formal procedural steps needed to implement the identified supplementary measures, such as obtaining an authorization from the Data Protection Authority should the supplementary measures contradict the SCCs;
- Re-evaluating at appropriate intervals whether the laws or practices of the third countries have changed, whether your supplementary measures remain effective, and whether your processors are complying with those supplementary measures.
Performing such an assessment is particularly difficult for companies, even those with a well-staffed legal department, as it requires extensive and up-to-date knowledge of the laws and practices of each country to which personal data is transferred. Only for the USA is the assessment simple (the CJEU has already done it): any transfer to a company subject to section 702 of the Foreign Intelligence Surveillance Act (FISA) and/or to Executive Order 12333 is at risk. This represents a big chunk of the providers many companies use.
The supplementary measures mentioned by the EDPB can be implemented to legitimize data transfers to the USA, but in practice they are highly impractical.
Except for a limited set of case studies described in the EDPB recommendations, the recommended supplementary measures will not prove efficient or effective in ensuring continued operations using US-based services. Some of the examples provided by the EDPB include:
- Implementing strong end-to-end encryption of personal data, without the processor having access to the decryption key.
This is a valid solution when the processor only needs to archive a set of data, but it removes the processor's ability to manipulate or use the data as would be required, for example, to send communications, to perform anti-fraud checks or to verify the identity of a user.
- Anonymization or pseudonymization of the personal data being processed (the data received by the processor should be anonymous to it), with the certainty that the provider cannot re-identify any data subject.
This solution can be used when the processor does not need the complete data set to provide its services (such as statistics or business intelligence), but it is not implementable when the processor needs more data to perform the required processing, such as providing cloud-based software.
Even though the GDPR is a risk-based law, allowing for the definition and implementation of solutions that take into account the risks to the data subjects, data transfers are not an element of the regulation that can be subjected to such risk-based decisions. This means that even if the risk to the rights and freedoms of individuals is low, every data transfer must comply with the requirements defined by the GDPR and the recommendations of the EDPB and the relevant supervisory authorities.
As shown above, however, it may not be possible today for companies to implement supplementary measures that allow for a compliant transfer of personal data to third countries, and stopping such transfers may hinder their business objectives.
The EDPB has taken this feedback into consideration and is working on a new version of its November 2020 recommendations.