IAPP has set up a valuable resource collecting together guidances and statements issued by national DPAs in response to the recent CJEU ruling on the so-called ‘Schrems II’ case. The IAPP will aim to update the register on an ongoing basis.
While privacy pros advise to seek to put in place SCC as a substitution for the invalidated Privacy Shield, it should, however, be noted that SCC are by itself a safeguard with a limited scope of application as: (i) it still does not cover many processing scenarios (e.g., processor-to-controller, processor-to-sub-processor); (ii) it is quite outdated (issued in 2001, 2004 and 2010 in the pre-GDPR world); (iii) its validity has been put on several conditions by the ‘Schrems II’ decision.
In the flurry of (my) excitement after the Schrems II judgement I got to thinking, isn’t this what we have been saying all along? Anyone who knows me, or who has attended one of my training sessions knows that I usually start with “compliance is not just about doing the right thing, but showing you are doing the right thing”. This is exactly what the judgement is asking us to do now.
The Privacy Shield has been invalidated – mainly because the access is not “necessary” and “Proportional” and EU data subjects lack actionable remedy. So in practice, companies will need to look for an alternative legal basis to enable transfers under GDPR. There are options of consent or other derogations, but the only practicable way of making transfers valid is by Standard Contractual Clauses (“SCC”) . These clauses remain valid, albeit with some questions raised.
Companies will now have to do proper 3rd party due diligence and develop actionable protections for data transfer, either through existing recipient country laws, or through their own contractual measures – or a mix. So what does “appropriate due diligence” mean in practice? It could mean creating a checklist to understand clearly to which third country the data is being transferred; collecting best practices in relation to the laws of well known “importers”; what security measures can be taken to further protect the data?
In reality, these SCCs were almost “too good to be true”. Some practitioners had developed a bad habit of “throwing” them into a contract, and never looking back. It is of great benefit to the privacy community to see that SCC are upheld. I reinforce the message that companies should understand fully (if they do not already) what EU safeguards require, do a case-by-case due diligence to see if the foreign government (not only US) protections regarding access to data meets the EU standards and if this is not the case, put in place additional safeguards.
This is exciting for privacy lawyers like me, as we get the opportunity to reinforce our collaborative efforts with our infosec colleagues. This development brings us closer together in determining what the landscape looks like, what is required and how we make it happen. We can now come to the table together and determine how to do these transfers safely, relying on our infosec colleagues for expertise and our legal colleagues to get it airtight in the contract. Then both functions work together to raise awareness in the organisation.
Companies will have to start looking outwards to see if their industry is one that is regulated or targeted and what is the “likelihood” of an interference. This means good things for data subjects as there will be a natural effort to reduce the amount of data transferred to reduce risk – thereby strengthening the minimisation and necessity / purpose principles.
Recipients will have to ensure that they really do have a solid plan in place for end of life – of the contract and of the data within it. We will likely see more complex rolling retention periods established in order to reduce the amount of data held by 3rd parties and thereby reducing risk (of breach and of government interference)
I’m confident the guidance from the Irish Data Protection Commission will contain these principles and I will continue to monitor the developments and report regularly on practical steps companies can take.