
Data transfers: Investigations begin after Schrems II ruling


The Schrems II ruling caused a stir in the summer of 2020: with the invalidation of the Privacy Shield, companies are now required to carry out a detailed assessment verifying that the legal regime of the country to which they transfer personal data offers a level of protection essentially equivalent to that guaranteed by the GDPR. This position was first affirmed by the CJEU and then confirmed by the European Data Protection Board. The data transfer assessment is legally and technically complex but necessary, and only a few (virtuous) companies have implemented a methodology to handle the requirement. In the meantime, the first investigations by the Data Protection Authorities have started. Will EU companies be ready?

1. The effect of the Schrems II judgment

The Schrems II ruling by the Court of Justice of the European Union (CJEU), issued on July 16, 2020, invalidated the EU-US Privacy Shield and created new obligations, particularly for companies transferring personal data under standard contractual clauses (SCCs). On November 10, 2020, the European Data Protection Board (EDPB) published recommendations on steps companies can take to supplement transfer instruments, such as SCCs, to ensure compliance with EU data protection law. These recommendations established strict criteria for the use of standard contractual clauses as an alternative mechanism for transferring data outside the European Economic Area, requiring companies to make a case-by-case assessment of the appropriateness of such a transfer.

2. New standard contractual clauses will not be enough

On November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses for the transfer of personal data to third countries under the GDPR, making public the draft set of new standard contractual clauses (the “SCCs”). The draft standard contractual clauses will govern transfers of personal data outside the European Economic Area (EEA) and replace the current SCCs, taking into account the changes introduced not only by the GDPR but also by the Schrems II ruling, and better reflecting the widespread use of new and more complex processing operations that often involve multiple data importers and exporters. Subsequently, in January 2021, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published a joint opinion on the new standard contractual clauses. The EDPB and EDPS welcomed the new SCCs but asked for several changes to be adopted. The requested changes are numerous and relate, among other things, to the so-called “docking clause” that allows additional parties to join the SCCs and to the obligations of data controllers. In addition, the EDPB and EDPS suggest that the annexes to the SCCs clarify as much as possible the roles and responsibilities of each party with respect to each processing activity, because any ambiguity would make it more difficult for controllers or processors to fulfil their obligations under the accountability principle.

The new SCCs do not resolve the issues regarding data transfers outside the EEA generated by the Schrems II ruling. In fact, both the EDPB and the EDPS indicate that, for specific transfers of personal data to third countries, the supplementary measures outlined in the EDPB’s recommendations may still be necessary. Therefore, as reiterated by the EDPB and the CJEU, it remains essential to perform a transfer impact assessment for any transfer of personal data outside the EEA.

3. Data Protection Authorities investigations have started

The Swedish Data Protection Authority has issued a sanction under the GDPR for failing to adequately protect sensitive data stored on a U.S. cloud platform following the Schrems II ruling. Specifically, the authority found that Umeå University had processed special categories of personal data relating to sexual life and health through, among others, storage in a cloud service of a U.S. provider, without sufficiently protecting the data.

The decision is relevant because the Swedish authority refers to the Schrems II judgment, arguing that a data transfer to the United States is in itself likely to trigger a high risk to personal data because data subjects are subject to limited safeguards with respect to the protection of their personal data and the exercise of their privacy rights.

Most recently, the Hamburg Data Protection Authority sent out a questionnaire to German organizations with reference to personal data transfers while using Microsoft Office 365. Specifically, the authority is asking companies to disclose details about how they handle data transfers in light of the Schrems II decision, including specific reference to the legal basis for transfers and the use of standard contractual clauses.

It is highly likely that the Italian Garante will also very shortly begin asking for evidence of the assessments of transfer adequacy carried out under the Schrems II judgment and the Recommendations of the European Data Protection Board.

4. A quick solution to assess the data transfer adequacy

In quick response to the Schrems II decision, our global data protection team created a pioneering data transfer assessment methodology implemented through a legal tech tool, known as Transfer, which was launched to the market on 28 July 2020.

Transfer helps data exporters and importers to logically assess the safeguards available when transferring data to particular third countries and whether they are adequate. It includes a five-step assessment process, comprising a scoring matrix and weighted assessment criteria to help manage efficient decision making. The process is facilitated by an interactive LegalTech tool which automates risk scoring and assists in reaching a justifiable decision on how to proceed with a proposed data transfer.

The output is an assessment consistent with the judgment when relying on SCCs or other transfer mechanisms, which is designed to provide an auditable report in line with the GDPR’s accountability principle.

If you wish to know more about Transfer, schedule a demo and learn how to automate Data Transfer Assessments while limiting the risk of sanctions, contact me.

Image courtesy of Lelia Adolphsen
