In this client update we cover some of the practical challenges that should be considered in the design and implementation of a framework to manage international data transfers and to comply with the Schrems II decision. To address these challenges, we propose a pragmatic framework for data transfer management, taking into account the EDPB’s recommendations and building on past initiatives for GDPR compliance.
Towards the end of 2020, the European Data Protection Board (EDPB) published its formal recommendations in response to the CJEU’s ‘Schrems II’ judgment. One of the crucial aspects in the judgment was the CJEU’s assertion that data exporting organisations would be responsible for assessing, on a case-by-case basis, if the laws and regulations in the jurisdiction of the data importer detract from the effectiveness of the applicable transfer safeguards – most pertinently the standard contractual clauses (SCC) and binding corporate rules (BCR). In other words, tried and tested transfer mechanisms, like SCCs and BCRs, might not in every case be up to the task of guaranteeing adequate protection of personal data transferred outside the EU. This is because these mechanisms are contractual in nature and thus do not extend to limiting government surveillance activities in the jurisdiction of the data importer, as contractual provisions cannot bind national authorities.
How then do organisations provide appropriate safeguards – ensuring that the data is protected to a level essentially equivalent to that available in the EU – for personal data that could potentially end up in the possession of a foreign national authority?
If the destination country has a legal framework that protects personal data in much the same way as the EU does, then theoretically there should be no impediment to the flow of personal data subject to the safeguards provided for in the SCCs or BCRs. If it does not, then supplementary measures must be implemented before those transfers can take place. If no supplementary measures can be identified, or cannot be implemented, those data transfers should cease – potentially presenting some major headaches where existing contractual relationships are concerned, as well as challenges in maintaining services and operational effectiveness.
This of course implies comprehensive knowledge of the legal systems of destination countries, or at least an ability to access this knowledge when required and awareness of legal and regulatory changes which affect previous analysis. While the Schrems II judgment was concerned principally with transfers to the USA, the responsibility extends to any other destination country, some of which may have opaque or highly complex national security laws which many of their own citizens may not be aware of or may not fully understand. There may also be a distinction between the level of legal rights and protections provided to nationals or residents of the destination country and those provided to citizens of other countries. Furthermore, organisations operating outside of heavily regulated sectors such as telecommunications and financial services may legitimately question whether the datasets they process are of any interest or value to a foreign intelligence agency or law enforcement body, or may conclude that the likelihood of their data being subject to a disclosure order is remote.
In this regard, the EDPB has provided a helpful six-step ‘roadmap’ that businesses can use to determine whether they need to implement supplementary measures before transferring personal data outside of the EU, together with examples of what those measures could be and use cases; this aligns with our recommendations published soon after the judgment in July 2020. It has also published a separate recommendation on European Essential Guarantees for surveillance measures, to support guided assessments of third country legal frameworks granting public authorities access to data.
Importantly, the EDPB has linked this assessment to the GDPR’s accountability principle and, although these are recommendations rather than guidelines, businesses should consider these tools when revising policies and procedures covering data transfers and any rationale in deviating from them.
Towards a Pragmatic and Robust Framework for Transfers Assessments
What then can organisations do to comply with their responsibilities in good faith and address these considerations in a way that does not create undue organisational disruption? Implementing a pragmatic and robust framework for responsibly managing the risks to the individuals whose personal data is processed and, importantly, in line with the requirements under the GDPR, will support a demonstrable accountability-led approach.
Dataflow Mapping and Enhanced RoPA
Invest time and resources in a refreshed dataflow mapping exercise in order to identify all key data transfers taking place across the organisation. The obvious starting point is to refer to the Article 30 Record of Processing Activities (RoPA) and evaluate whether further work is required either to update it or to obtain greater detail. The results of this dataflow mapping exercise should be used to group and prioritise your transfers. This exercise will enable the identification of transfers requiring immediate remediation and inform the approach for ongoing monitoring of data transfers.
This should not be seen as a one-off exercise. Rather, the RoPA can be used to maintain records relating to Schrems II compliance on an ongoing basis by recording the transfer impact assessment, any risks or issues, and the supplementary measure (if any) adopted.
The approach to complying with transfer obligations will inevitably contain steps that involve the interests of stakeholders or require direct engagement with them. These stakeholders are likely to comprise service providers, customers, clients, employees, the IT department, senior management and possibly even supervisory authorities. It is important to keep these stakeholders in mind when building a framework to assess data transfers. For example, what approach should be taken to deal with a third-party service provider that is unresponsive to requests for more information? Is the IT function in a position to support implementation of technical supplementary measures? Could it readily report to senior management or provide information to clients on request?
Technical Capability and Resource Constraints
Many of the EDPB’s supplementary measures are technical in nature. Consider encryption, anonymisation, pseudonymisation and, if feasible, split or multi-party processing/computation. Each of these measures can take different forms and be implemented in different ways; however, they all require technical capability and resources to implement properly. Therefore, when designing a data transfer management framework, it is important to consider potential limitations on implementing the supplementary measures, the likelihood that a service provider would be able or willing to implement the measure, as well as the potential knock-on or disruptive effects of the measures on business operations once implemented.
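To make the resource question concrete, the following is an added illustration (not code from this client update or from the EDPB) of what one of the listed technical measures, pseudonymisation, looks like in practice. It assumes a simple tabular dataset with constructed records, treats the email address and name as the direct identifiers, and follows the pattern in which the exporter in the EU keeps the secret key and the re-identification table while the importer receives only keyed pseudonyms and non-identifying attributes. The function names and the field choices are the author's own assumptions.

```python
"""Pseudonymising direct identifiers before an international transfer.

Added example. Design assumptions: the exporter (in the EU) generates and holds
the HMAC key and the re-identification table; the importer receives keyed
pseudonyms plus the non-identifying attributes. Pseudonyms are deterministic
per key, so the importer can still join and aggregate records.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample records; the people and addresses are invented.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "name": "Alice Example", "country": "IE", "plan": "pro"},
    {"email": "bob@example.com", "name": "Bob Example", "country": "DE", "plan": "free"},
    {"email": "alice@example.com", "name": "Alice Example", "country": "IE", "plan": "pro"},
]

# Fields that directly identify a person and must not leave the EU in clear text.
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 under the exporter's secret key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256, shown only to contrast with the keyed pseudonym."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Replace every direct identifier in a record with its keyed pseudonym."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonym(out[field], key)
    return out


def prepare_export(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Return (dataset for the importer, re-identification table kept by the exporter)."""
    exported: List[Dict[str, str]] = []
    lookup: Dict[str, Dict[str, str]] = {}
    for rec in records:
        pseud = pseudonymise_record(rec, key)
        # The table is keyed by the email pseudonym and stays in the EU with the key.
        lookup[pseud["email"]] = {f: rec[f] for f in DIRECT_IDENTIFIERS if f in rec}
        exported.append(pseud)
    return exported, lookup


def export_is_clean(exported: List[Dict[str, str]], records: List[Dict[str, str]]) -> bool:
    """Pre-transfer check: no clear-text direct identifier from the source survives in the export."""
    clear_values = {rec[f] for rec in records for f in DIRECT_IDENTIFIERS if f in rec}
    return all(rec.get(f) not in clear_values for rec in exported for f in DIRECT_IDENTIFIERS)


def reidentify(exported_record: Dict[str, str], lookup: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Exporter-side: restore direct identifiers using the table that never left the EU."""
    return {**exported_record, **lookup[exported_record["email"]]}


def confirmable_without_key(pseudonymised_value: str, candidate: str) -> bool:
    """Whether a holder of the dataset could confirm a guessed identifier without the key.
    True for an unkeyed hash of a guessable value; False for an HMAC pseudonym, because
    the comparison needs the key, which only the exporter holds."""
    return unkeyed_hash(candidate) == pseudonymised_value


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored by the exporter only
    exported, lookup = prepare_export(SAMPLE_RECORDS, key)
    print("clean export:", export_is_clean(exported, SAMPLE_RECORDS))
    print("importer sees:", exported[0])
    print("exporter restores:", reidentify(exported[0], lookup))
```

The point for resourcing is visible in the code: the measure is not just a transformation of the data but also key generation and custody, a re-identification table that must be protected and retained in the EU, a pre-transfer check that nothing identifying slipped through, and an agreed format with the importer so the pseudonymised records remain usable. The contrast between `pseudonym` and `unkeyed_hash` shows why the EDPB's emphasis on the exporter retaining the key matters: a plain hash of a guessable identifier such as an email address is trivially confirmable by whoever holds the dataset, whereas the keyed pseudonym is not.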