For organisations in the process of deciding data protection compliance priorities for 2022, a particular focus should be on the need to ensure that adequate safeguards are in place when personal data is being transferred to third countries (e.g., from the EU to the US). This may include implementing supplementary measures, in addition to the Article 46 General Data Protection Regulation 2018 (GDPR) safeguards, to ensure lawful data transfers.
This article examines the Court of Justice of the European Union (CJEU) Decision of 2020, commonly referred to as Schrems II, its implications for organisations, and the activities that need to be considered ahead of a December deadline for updating transfer mechanisms.
The Schrems II decision has significant implications for data controllers who transfer personal data outside of the EU/EEA to a third country in the absence of an EU Adequacy Decision. It rendered invalid the ability to rely on the Privacy Shield Framework, which previously underpinned data transfers to the USA. It also reaffirmed the validity of the use of Standard Contractual Clauses (SCCs), one of the mechanisms used to facilitate data transfers, subject to certain additional requirements. SCCs are a valid transfer mechanism pursuant to Article 46(2)(c) of the GDPR. It is necessary, however, as set out in the Schrems II ruling, that data controllers ensure a level of protection that meets the standard of ‘essential equivalence’. Essential equivalence should be understood as providing the same protections (e.g., regarding data subject rights) to the individuals whose personal data is transferred as would be available to them within the European Union.
To address these requirements, organisations should review any data transfers that rely on transfer mechanisms such as SCCs. Examples of activities that may be in scope are:
- use of a Software as a Service (SaaS) solution hosted in a third country;
- any instance where the transfer of personal data takes place to a third country;
- the creation of digital properties (e.g., implementing websites or mobile applications) that facilitate data transfers to third countries such as the USA (e.g., Google Analytics); and
- the storage of personal data in the EU/EEA where it is accessed remotely (e.g., for support services) from a third country.
These transfers need to be considered whether they are already happening (existing transfers) or are planned (new transfers to third countries).
First step
As a first step, it is important to identify and map any transfers of personal data to third countries within your organisation, including the mechanism relied on to facilitate each transfer. Where that mechanism is SCCs, these need to be updated to the latest version issued by the European Commission by December 27th, 2022. In order to facilitate compliance, an enhanced due diligence process should be undertaken as you review existing arrangements or plan new transfers. This should include carrying out a Transfer Impact Assessment (TIA) and selecting supplementary measures, as necessary. The supplementary measures should ensure that the same rights and freedoms in relation to data protection are afforded to EU citizens in the third country as they would be if their data were retained in the EU/EEA. Organisations should be aware that in some cases alternative solutions may be necessary to replace current processing arrangements.
Public sector organisations
For public sector organisations, it is worth noting that the European Data Protection Board (EDPB) recently announced the launch of coordinated enforcement on the use of the cloud by public sector organisations. This effort will consider the process and safeguards implemented by public sector organisations when acquiring cloud services, including challenges related to international transfers. It is particularly relevant for public sector organisations that use cloud services involving data transfers to third countries without an adequacy decision and may be seen as an indication of the enforcement priorities of the supervisory authorities.
Review, plan, do
Depending on the size of your organisation, there may be significant activities required to ensure compliant data transfers in line with the expectations of the Schrems II decision. In that regard, we recommend reviewing your organisation's existing data transfer activities, putting a plan of work in place and initiating it as soon as practicable.
Trilateral’s Data Governance and Cyber Risk Team have data protection specialists with extensive experience in assisting organisations in addressing compliance needs arising from the Schrems II ruling. Please feel free to contact our advisors, who would be happy to speak with you about your compliance needs.