IAPP has set up a valuable resource collecting together guidances and statements issued by national DPAs in response to the recent CJEU ruling on the so-called ‘Schrems II’ case. The IAPP will aim to update the register on an ongoing basis.
The link is below:
While privacy pros advise to seek to put in place SCC as a substitution for the invalidated Privacy Shield, it should, however, be noted that SCC are by itself a safeguard with a limited scope of application as: (i) it still does not cover many processing scenarios (e.g., processor-to-controller, processor-to-sub-processor); (ii) it is quite outdated (issued in 2001, 2004 and 2010 in the pre-GDPR world); (iii) its validity has been put on several conditions by the ‘Schrems II’ decision.
As all privacy community already know, the CJEU has today struck down EU-US Privacy Shield scheme, while confirming the validity of SCC.
Arguments against Privacy Shield has changed little since the ‘Schrems I’ decision that invalidated Safe Harbour – governmental intrusion, lack of proportionality, ineffective role of ombudsperson.
What is really new is that a EU-based data controller relying upon SCC is now expected to assess how public authorities in third countries obtain access to personal data and how legal system in those countries works.
Two questions still remain:
1. How such controllers in question are expected to conduct such evaluation? Any methodology in this regard? It may seem somewhat similar to what we have in Article 45(2) – which factors Commission shall evaluate when issuing adequacy decisions. However, a private entity living with SCC is not a EU body and often does not have sufficient resources and understanding as to how to conduct the research and put necessary safeguards in place.
2. Enforcement. Amid DPAs facing lack of financial resources and manpower, the CJEU’s decision puts even extra burden on them. Thus, a newly invented (by CJEU) requirement may easily end up becoming unviable with no practical effect due to insufficient oversight.
Bonus question: taking into account the ‘accountability’ principle, how exporting controllers should demonstrate their compliance with the new obligation?
Hopefully, answers are yet to come.