It’s been more than two weeks since CJEU announced its ‘Schrems II’ decision, introducing the requirement to evaluate legal landscape in third countries (those of data importers) and put additional safeguards in place, as necessary, – even if the data are transferred to other than USA third countries based on SCC or BCR. FAQ issued by EDPB on 23 July probably left more questions then answers.
Since then, media space has been overwhelmed with various guidances, legal digests and discussions about how to make assessment and what safeguards can be put in place.
The truth is, as of now, nobody really knows 100% workable answers. From FAQ issued by EDPB we know that “it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice”.
However, below are two tips on how begin with the assessment without engaging reputable law firms with exorbitant prices.
1. It comes from the EDPB FAQ itself – contact your data importer and ask for collaboration with regard to the assessment. E.g. require data importers to state whether public authorities in their countries are entitled to have an access to personal data and on which conditions; whether the data importers are under a legal obligation to make personal data available to public authorities for any purposes.
2. Conduct your own assessment using WP237 (‘Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees)’) issued by Working Party 29.
In this document, WP29 identified 4 Essential Guarantees to be taken into account for all data transfers to third countries:
A. Processing should be based on clear, precise and accessible rules;
B. Necessity and proportionality with regard to the legitimate objectives pursued must be demonstrated;
C. An independent oversight mechanism should exist;
D. Effective remedies need to be available to the individual.
At least two of them were used by CJEU when invalidating Privacy Shield. Are all of them respected in the country of your data importer?
Will the above work? Not really a fact. As they say, the answers are hopefully yet to come soon. At least, this can help you understand a general landscape prior to signing a legal service supply contract with a law firm.