It’s been more than two weeks since CJEU announced its ‘Schrems II’ decision, introducing the requirement to evaluate legal landscape in third countries (those of data importers) and put additional safeguards in place, as necessary, – even if the data are transferred to other than USA third countries based on SCC or BCR. FAQ issued by EDPB on 23 July probably left more questions then answers.
Since then, media space has been overwhelmed with various guidances, legal digests and discussions about how to make assessment and what safeguards can be put in place.
The truth is, as of now, nobody really knows 100% workable answers. From FAQ issued by EDPB we know that “it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice”.
However, below are two tips on how begin with the assessment without engaging reputable law firms with exorbitant prices.
1. It comes from the EDPB FAQ itself – contact your data importer and ask for collaboration with regard to the assessment. E.g. require data importers to state whether public authorities in their countries are entitled to have an access to personal data and on which conditions; whether the data importers are under a legal obligation to make personal data available to public authorities for any purposes.
2. Conduct your own assessment using WP237 (‘Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees)’) issued by Working Party 29.
In this document, WP29 identified 4 Essential Guarantees to be taken into account for all data transfers to third countries:
A. Processing should be based on clear, precise and accessible rules;
B. Necessity and proportionality with regard to the legitimate objectives pursued must be demonstrated;
C. An independent oversight mechanism should exist;
D. Effective remedies need to be available to the individual.
At least two of them were used by CJEU when invalidating Privacy Shield. Are all of them respected in the country of your data importer?
Will the above work? Not really a fact. As they say, the answers are hopefully yet to come soon. At least, this can help you understand a general landscape prior to signing a legal service supply contract with a law firm.
Excellent post, Konstantin! Thanks.
Excellent article, thanks Konstantin!
Just to give some context from the SMB (small business) of which Privasee (to which I am CEO) is one. Most SMBs will NOT do anything, it’s too complex, they have enough on their plates. But what Privasee AB has done is as follows, as we are a GDPR-shop, we must, and it was interesting to work this out and to feel from the SMB perspective, how the hell to get this to work in practice…and even what we did was not perfect, as you say Konstantin, there is no ‘golden bullet’.
1. Stopped using all US businesses dependant on Privacy Shield, and their Privacy Notices look inactive.
2. Retain those US orgs using SCCs, and updated Privacy Notices since the decision, reflecting proactive measures.
3. Taken contact with DPO of a critical architectural component (i.e. Zoho) to discuss their measures. They are very on!
4. Collection Limitation – Rethought new on a specific functionality which a customer had requested, and ended up deleting/changing the way a function was done, i.e. hand over to customer in a different way.
5. Data Minimisation – Separated this essential personal data into a format which can be deleted/anonymised throughout the application with a simple-click.
6. Updated Privasee’s Privacy Notice to reflect the changes, both in and out of my control as CEO.
It was quite some work, I think I lost at least 2 working days. And still I don’t have an alternative for SurveyMonkey which was using Privacy Shield and felt compelled to remove as a processor. Just about finished with migrating card payments from Stripe over to PayPal, and still have some work to add functionality for the customers in the learning platform, due to the functionality I removed from the GDPR compliance portal product (4).