
Data transfers: Investigations begin after Schrems II ruling

The Schrems II ruling raised a big fuss in the summer of 2020: with the invalidation of the Privacy Shield, companies are now required to carry out a detailed assessment of whether the legal regime of the states to which they transfer personal data offers guarantees equivalent to those of the GDPR. This position was first affirmed by the CJEU and then confirmed by the European Data Protection Board. The data transfer assessment is legally and technically complex, but necessary, and only a few (virtuous) companies have implemented a methodology to handle the requirement. In the meantime, the first investigations by the Data Protection Authorities have started. Will EU companies be ready?

1. The effect of the Schrems II judgment

The Schrems II ruling by the Court of Justice of the European Union (CJEU), issued on July 16, 2020, invalidated the EU-US Privacy Shield and created new obligations, particularly for companies transferring personal data under standard contractual clauses (SCCs). On November 10, 2020, the European Data Protection Board (EDPB) published recommendations on steps companies can take to supplement transfer instruments, such as SCCs, to ensure compliance with EU data protection law. These recommendations established strict criteria for the use of standard contractual clauses as an alternative mechanism for transferring data outside the European Economic Area, requiring companies to make a case-by-case assessment of the appropriateness of such a transfer.

2. New standard contract clauses will not be enough

On November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses for the transfer of personal data to third countries under the GDPR, making public the draft set of new standard contractual clauses (the “SCCs”). The draft SCCs will govern transfers of personal data outside the European Economic Area (EEA) and replace the current SCCs, taking into account the changes introduced not only by the GDPR but also by the Schrems II ruling, and better reflecting the widespread use of new and more complex processing operations that often involve multiple data importers and exporters. Subsequently, in January 2021, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published a joint opinion on the new standard contractual clauses. The EDPB and EDPS welcomed the new SCCs but asked for several changes to be adopted. The requested changes are numerous and relate, among other things, to the so-called “docking clause”, which allows additional parties to join the SCCs, and to the obligations of data controllers. In addition, the EDPB and EDPS suggest that the annexes to the SCCs clarify as far as possible the roles and responsibilities of each party with respect to each processing activity, because any ambiguity would make it more difficult for controllers or processors to fulfil their obligations under the accountability principle.

The new SCCs do not resolve the issues regarding data transfers outside the EEA raised by the Schrems II ruling. In fact, both the EDPB and the EDPS indicate that, for specific transfers of personal data to third countries, the supplementary measures outlined in the EDPB’s recommendations may be necessary. Therefore, it remains essential to perform a transfer impact assessment for any transfer of personal data outside the EEA, as reiterated by the EDPB and the CJEU.

3. Data Protection Authorities investigations have started

The Swedish Data Protection Authority has issued a sanction under the GDPR for failing to adequately protect sensitive data stored on a U.S. cloud platform following the Schrems II ruling. Specifically, the authority found that Umeå University had processed special categories of personal data relating to sexual life and health through, among others, storage in a cloud service of a U.S. provider, without sufficiently protecting the data.

The decision is relevant because the Swedish authority refers to the Schrems II judgment, arguing that a data transfer to the United States is in itself likely to trigger a high risk to personal data because data subjects are subject to limited safeguards with respect to the protection of their personal data and the exercise of their privacy rights.

Most recently, the Hamburg Data Protection Authority sent out a questionnaire to German organizations with reference to personal data transfers while using Microsoft Office 365. Specifically, the authority is asking companies to disclose details about how they handle data transfers in light of the Schrems II decision, including specific reference to the legal basis for transfers and the use of standard contractual clauses.

It seems clear that the Italian Garante is also very likely to begin shortly to ask for evidence of the assessments of transfer adequacy carried out under the Schrems II judgment and the Recommendations of the European Data Protection Board.

4. A quick solution to assess the data transfer adequacy

In quick response to the Schrems II decision, our global data protection team created a pioneering data transfer assessment methodology implemented through a legal tech tool, known as Transfer, which was launched to the market on 28 July 2020.

Transfer helps data exporters and importers to assess, in a structured way, the safeguards available when transferring data to particular third countries and whether they are adequate. It includes a five-step assessment process, comprising a scoring matrix and weighted assessment criteria to support efficient decision making. The process is facilitated by an interactive LegalTech tool which automates risk scoring and assists in reaching a justifiable decision on how to proceed with a proposed data transfer.

The output is an assessment consistent with the judgment when relying on SCCs or other transfer mechanisms, which is designed to provide an auditable report in line with the GDPR’s accountability principle.

If you wish to know more about Transfer, schedule a demo and learn how to automate Data Transfer Assessments while limiting the risk of sanctions, contact me.

Image courtesy of Lelia Adolphsen

Schrems II implications easily explained: summary flowchart

In last week's pills I shared the full Schrems II decision, which invalidates the #PrivacyShield.

The judgment has important implications for companies transferring data outside the EU, and potentially on service contracts with non-EU suppliers, in particular contracts for the provision of IT services which provide for the possibility for suppliers’ staff outside Europe to access the data, even if hosted in databases within the European territory.

However, as many struggle to navigate the 63 pages of the CJEU decision to identify the actual consequences for their contracts and what happens to the Standard Contractual Clauses (SCCs) they have in place, here is a concise #flowchart which answers some of the key FAQs on the Schrems II implications.

Send me a message for the PDF file.

This is just an example of how legal concepts can be made easy, and, as always, make sure to consult your legal advisor to have the full picture.
You can access the full Supervisory Authority FAQs which I used as source here.

We have already been kept really busy this week, and another hot topic we tackled is whether access from foreign personnel to EU databases constitutes a data transfer.

To help organizations identify and manage the privacy risks associated with transfers of personal data regulated by the GDPR to third countries that do not benefit from an adequacy decision by the European Commission, the law firm I work with has developed an ad hoc methodology, aligned with the requirements of European legislation following the Schrems II judgment. The methodology provides a basis for exporters and importers of data to assess safeguard measures, taking into account a number of factors, in order to calculate the level of risk of each transfer, and to provide an accurate, consistent, verifiable and defensible basis for a case-by-case decision to proceed with or continue a given transfer. Contact me if you wish to know more.

Get ready to negotiate with your non-EU counter-parties.