International data transfers post Schrems II – practical actions
This document outlines practical guidance on actions data exporters and importers should take based on the Schrems II judgment and the guidance issued to date.
Introduction:
The Schrems II judgment of the Court of Justice of the European Union (Case C-311/18, 16 July 2020) has important implications for continued transfers of personal data from the European Economic Area (EEA) to countries outside the EEA.
The judgment has two important effects:
it removed the ability of organisations to rely on the EU-US Privacy Shield as a means of ensuring adequate safeguards for personal data being transferred to the US (as required by the GDPR); and
it indicates that organisations relying on EU Standard Contractual Clauses (SCCs) must undertake additional due diligence and have additional controls in place to ensure that personal data transferred to a country outside the EEA is subject to adequate protection. Mere reliance on the terms of the SCCs will not be enough.
Although the Schrems II decision focuses (in relation to the second point) on the SCCs, the same approach will need to be adopted to the use of Binding Corporate Rules (BCRs) to cover transfers of personal data to countries outside the EEA.
The implications of these additional requirements differ for:
exporters, which are the EEA (or UK post-Brexit) based organisations sharing personal data with organisations outside the EEA (or UK) and which are responsible under the GDPR for ensuring adequate safeguards for the transferred personal data; and
importers, which are the non-EEA (or, in the case of UK exporters post-Brexit, non-UK) recipients of personal data from exporters.
The practical implications of the Schrems II judgment are still being worked through by organisations and authorities alike. There are likely to be further twists and turns before authority guidance and market practice is settled. However, this document provides some practical guidance on the actions that both exporters and importers should take based on the Schrems II judgment itself and the guidance issued to date by authorities. Organisations need to start taking these actions now to ensure they are compliant and keep the status of transfers and protection surrounding those transfers under review as authority guidance and market practice develop.
Preparatory due diligence / process - exporters:
Create a list of international transfers of personal data and importers of the personal data (both intragroup and external). Within that list indicate which are:
transfers to the US subject to the EU-US Privacy Shield - alternative means of protecting the data will have to be put in place;
transfers to a non-EEA country subject to a means of adequate protection for the personal data - EU finding of adequacy / SCCs / BCRs - for SCCs and BCRs, an adequacy assessment as described below should be carried out; and
transfers to a non-EEA country without adequate protection being in place - unless an exemption applies, the SCCs or BCRs will have to be used as well as an adequacy assessment as described below.
Ensure that notices to data subjects have been updated to remove references to the EU-US Privacy Shield and otherwise include the information required by law.
Assessment of adequacy to be conducted by exporters using SCCs / BCRs:
Do the laws in the data importing country allow authorities access to data and/or derogations from privacy laws which go beyond those which would be necessary in a democratic society to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences, important economic / financial interests of the country, or the protection of individuals' rights? This requires a collaborative effort between an EU lawyer and local counsel to assess these points against the laws in the EU. Our set of questions below provides a framework for that analysis:
Does the law in the data importing country offer individuals effective and enforceable rights and judicial redress in relation to the use of their personal data? This needs to be considered by reference to:
General and sector specific law / regulation relating to data protection and privacy
General and sector specific law relating to public security / criminal law / access to data by authorities
Case law applicable to data protection and privacy and access to data by authorities
International treaties / commitments entered into by the importing country
Is there judicial / independent oversight / approval of authority requests or orders for access to personal data held by organisations?
Do individuals located in the EEA have the same rights with respect to the treatment of their data / protection against unlawful surveillance in the importing country as the residents / citizens of that importing country?
Does the importing country have an independent supervisory authority with responsibility for compliance with data protection rules?
Does that supervisory authority have adequate enforcement powers?
Does that supervisory authority provide assistance and advice to individuals?
Can the importer comply with the SCCs / BCRs? How, in practice, will it meet the obligations set out in the SCCs / BCRs?
What technical / practical measures could be put in place to mitigate any potential threats to the personal data?
Importers:
In particular for importers that are service providers, it would be advisable to create a stock set of responses which can be used when exporters make due diligence requests. They should undertake the adequacy assessment for the most likely forms of data transfer and locations.
These materials should be updated as arrangements (such as sub-contracting arrangements) change over time and as authority guidance and market practice develop.
Alternatives to transfer:
If the adequacy assessment indicates that the data cannot be subject to sufficient protection (i.e. equivalent to the protection applicable to the data in the EEA / UK) the exporter will need to consider alternatives to transferring the data outside the EEA subject to the SCCs / BCRs. Such alternatives might include:
Reliance on a derogation (e.g. consent of the individual / transfer necessary to perform a contract). However, note that derogations are to be applied sparingly and cannot cover regular, systematic transfers
Anonymisation / pseudonymisation of the data. Note that pseudonymised data is still personal data under the GDPR; pseudonymisation only reduces the transfer risk if the information needed to re-identify individuals (e.g. the key or lookup table) is held solely by the exporter in the EEA / UK and is not available to the importer or to authorities in the importing country
Reduction in the amounts / types of personal data subject to the transfer
Use of EEA / UK based data processing systems / personnel
Both exporters and importers should consider the availability of such alternatives. In particular, importers that are service providers should consider whether there are technical and organisational changes that could be made to their service to mitigate or remove any risk (e.g. by offering EEA / UK data hosting options).
Ongoing due diligence / process - exporters:
Is the importer complying with the SCCs / BCRs? Is there a process in place for periodic audit or monitoring of the importer and their compliance against the SCCs / BCRs?
Is there a process in place for periodic updating of the adequacy assessments conducted for importing countries? The exporter should determine what frequency of updating is prudent in the circumstances (by reference to the nature of the data and processing and any issues identified in the adequacy assessment conducted).
Is there a process for the importer to notify the exporter of:
inability to comply with SCCs / BCRs?
authority requests for data?
accidental or unauthorised access to data?
data subject requests?
Is there a process for the exporter to notify data subjects of requests for authority access to data (which needs to be done unless that notification is restricted by law)?
Consider regular verification from the importer that it has not been required to disclose data to authorities.
The exporter must suspend / terminate the flow of data where the importer cannot comply with the SCCs (including where the importing country laws do not meet the standards described above). Does the exporter have an exit strategy / plan to deal with such suspension / termination?
Ongoing due diligence / process - importers:
Again, particularly for importers that are service providers, consider establishing processes that demonstrate compliance with the SCCs / BCRs and deal with the process points described above.