Since July, many data transfers between the EU and the US have been left in limbo. The aftermath of the Schrems II case in the Court of Justice for the European Union (CJEU) saw a vital transfer framework, Privacy Shield, abruptly invalidated.
In addition, the alternative to Privacy Shield, the Standard Contractual Clauses (SCCs) framework, was also called into question, with use of this method now requiring additional scrutiny. While the CJEU upheld SCCs as a valid export mechanism under GDPR, it came with the caveat that companies must verify that the data will be adequately protected in every country to which it is exported.
Two new documents were recently released, giving further clarity to businesses grappling with this issue. One, guidance from the European Data Protection Board (EDPB), provides six steps to help companies assess third countries for the adequacy of their data protection laws.
The second document is the long-awaited draft SCCs issued by the European Commission to bring the framework in line with GDPR and to reflect the decision in Schrems II.
They offer some relief to companies that were relying on Privacy Shield and SCCs and face uncertainty over the future of transferring data outside the EU.
Digit spoke with Helena Brown, Partner at Addleshaw Goddard, to understand the new documents and the impact they will have on data exporters.
Ensuring that data transfers outside the EU are safe and compliant can be an expensive and time-consuming process.
Prior to Schrems II, Privacy Shield provided a comparatively simple way for companies to transfer data from the EU to the US. With its loss, and the Schrems II decision (and subsequent EDPB guidance) requiring greater analysis of transfers, data transfers to the US and beyond have become more complicated.
“There now must be an assessment of whether the territory offers a reasonable level of protection, so SCCs can’t be used like they were before – now organisations must show that they have done a ‘Transfer Impact Assessment’ (TIA), which is effectively a risk analysis, to show that using the SCCs will be compliant,” Brown said.
With fewer resources available, there is some concern that SMEs in particular may not be able to cope with the additional requirements.
“It puts so much onus and responsibility on the business doing the transfers, smaller businesses may not be able to cope with the level of investigation and documenting,” she added.
The risk assessment involves analysing two factors: the destination country, including its legal system and public authorities, and the nature of the data together with the level of protection afforded to it. This means each verification must be done case by case.
“You could have a territory with fewer data protection laws, but if you’ve encrypted or pseudonymised all your data, the transfer might still meet the test for adequacy.”
The EDPB’s guidance aims to make the process simpler by explaining how to assess the law and the territory and reach a conclusion.
With countries like India providing valuable and affordable digital services to many companies, they are attractive destinations for outsourcing.
“Territories that offer commercially valuable services and software development will be challenging for companies,” Brown said. “SMEs who lack the resources to make extensive detailed assessments of local laws can’t benefit from the reduced cost services on offer.”
She added: “This puts the onus on suppliers in these territories to think about ways they can help their customers to carry out TIAs, and we are seeing some early signs of this with bigger suppliers.”
Despite the additional restrictions and the draft update, the future is still uncertain. While Schrems I invalidated Safe Harbour, and Schrems II invalidated Privacy Shield, there are also outstanding questions about using the SCCs, and it is evident from the EDPB guidance that SCCs will not be a solution in some cases where the territory itself does not offer enough protection for privacy.
“I still don’t think the new draft SCCs help companies wanting to transfer data to the US – there’s still the concept that the territory has to offer a reasonable level of protection for personal data, and even putting in place the new SCCs is not a fix for that,” Brown said.
With the outcome of Schrems II ultimately increasing the burden on companies, the pressure is on for a new compromise to facilitate transfers to the US, as trade and investment between it and the EU is a vital part of the global economy.
“The Privacy Shield replacement is in discussion, but that’s not in place yet. It’s simply always going to be a challenge when there’s this opposition between the conditions and requirements for privacy and the US model which enables the level of surveillance that it currently does,” she added.
This impasse means it is highly unlikely that the two sides will ever fully reconcile their data protection laws. With privacy activists like Max Schrems unlikely to halt efforts to ensure EU citizens’ data is secure, there is the possibility that no framework will prove viable.
The Brexit Factor
While the recent developments surrounding Privacy Shield and SCCs have focused on US and EU transfers, they have repercussions for the UK.
With the Brexit transition period set to end on January 31st, the UK will no longer be covered by EU data transfers but will be free to form its own frameworks.
At present, the UK will utilise a full copy of GDPR from January 1st, 2021, called UK GDPR. It will initially use existing frameworks approved by the Commission, such as SCCs.
“The UK was certainly intending on adopting the old version of the SCCs and creating a UK version of them. That means that UK businesses will have the same issues with international transfers post Brexit,” Brown said.
In addition, the UK will be able to add countries to, or remove them from, the list of 12 countries that the European Commission deems to have adequate data protection regimes.
However, that list of adequate territories does not include the UK. As such, data transfers from the EU to the UK will need to take place within the framework of SCCs should the UK and EU fail to strike a deal in less than a month.
This comes despite the UK currently using the same data privacy regime in GDPR as the EU.
“Adequacy is a gift of the European Commission and they will not give it if the UK implements laws and practices it does not approve of. There have in the past been concerns from the Commission about the UK’s journalistic exemptions, and levels of surveillance,” she said.
“There are also question marks around our relationship with the US, particularly as we seek out trade deals, so adequacy will not be given automatically to the UK unless there is a deal.”
With such a short timeframe, resolving issues surrounding data transfers from the EU is vital to UK businesses.
Brown said: “We are doing a lot of work at the moment getting businesses ‘Brexit ready’ so that they do not face breach of contract claims or termination of supply from partners in the EEA as a result of transfers to the UK not being ‘adequate’ post Brexit.
“The additional complexities introduced by Schrems II mean that at the same time, UK businesses are also having to look at their international transfer portfolios beyond the EEA, so we are also assisting with a huge number of Transfer Impact Assessments. The new EDPB guidance provides welcome clarity; however, it does not lessen the workload of businesses seeking to comply.”
Helena Brown is a Band 1 ranked privacy lawyer and leads the data protection team at international law firm Addleshaw Goddard.