Your Schrems II Handbook
Let’s face it.
When the Schrems II judgement hit, many of us just wanted 2020 to give us a break.
While we still don’t know everything yet, we’re here to shed some light on Schrems II, what businesses are supposed to do now – and what they need to plan for.
Let’s take a closer look.
Schrems II in a nutshell
Any business transferring personal data internationally needs to stay up to date with the judgment. Here’s what we know so far:
- The Privacy Shield is invalid. Personal data transfers to the US that rely on the Privacy Shield are illegal.
- You may be able to rely on the SCCs but only if you’ve assessed the transfer itself and the surveillance laws of the data importer’s country to determine whether they will ultimately trump the protections provided by the SCCs.
- If those laws override the contractual protections afforded by the SCCs, either new ‘supplementary measures’ should be implemented, or the data transfer should stop entirely.
- We’re still waiting on guidance from the European Data Protection Board (EDPB) as to what those supplementary measures are – but for the time being, we should be looking at additional policy, technical and contractual measures.
The most recent updates
The EDPB has created two new task forces.
One is to investigate 101 identical claims against data controllers who use Facebook and Google as part of their data processing activities. The claimants are saying that even if Facebook or Google rely on the Privacy Shield or Standard Contractual Clauses, they still can’t prove that data transferred to the US is adequately protected to the same standards as the GDPR.
This shows that even the biggest companies are being held accountable for how they process data after Schrems II. If that isn’t evidence that the rest of us need to shape up, we don’t know what is!
The other task force is going to provide recommendations to assist controllers and processors in identifying and implementing ‘appropriate supplementary measures’ to ensure adequate protection when transferring data outside the EEA.
The challenge
Clearly, this poses difficulties for many businesses. The most immediate one is that many rely on the Privacy Shield for data transfers that are critical to daily operations. This is compounded by the absence of concrete advice as to what organisations should be doing in response to the judgment.
The ICO has previously said:
‘The ICO understands the many challenges UK businesses are facing at the present time and we will continue to provide practical and pragmatic advice and support.’
However, there seems to be a lack of comprehensive guidance to date.
Although we’re expecting recommendations from the EDPB, this doesn’t help businesses here and now.
Some frequently asked questions
To help shed some light on the topic, we answer some of the most frequently asked questions we’ve received in relation to Schrems II.
What should I do now?
Now that transfers reliant on the Privacy Shield are illegal, the Standard Contractual Clauses (the SCCs) have taken the spotlight as the next best transfer mechanism. (There are other data transfer mechanisms, which you can read about below.)
However, if surveillance laws in a country override the protections provided for in the SCCs, this effectively renders them ineffective and you’ll either need to put supplementary measures in place to secure your data transfers or stop the transfer entirely.
If you’ve determined that the SCCs will be effective for your personal data transfer, they must be incorporated into every Data Processing Addendum to the Master Service Agreement, T&Cs or whatever the main contract is that requires transferring personal data outside the EEA.
What about other transfer mechanisms?
The SCCs are the best option for smaller organisations. Other mechanisms exist – such as Binding Corporate Rules (BCRs) or Article 49 derogations under the GDPR – however, these mechanisms are not always the easiest or most practical mechanisms to rely on.
In a nutshell, BCRs require approval from the local supervisory authority and tend to be used by large, multinational companies for intra-group data transfers. They also suffer from the same problems as the SCCs in terms of having to assess local surveillance measures. If you’re a start-up or scale-up, these aren’t likely to be suitable for you.
Article 49 derogations only apply in very specific circumstances (for example, important reasons of public interest) and transfers must be occasional and non-repetitive (i.e. not a standard and repeated transfer for a company). These restrictions will rule out this option for most businesses and processing activities.
If I have the SCCs, am I good?
No! This is the caveat of Schrems II that is really important to note – the SCCs will only be considered a valid transfer mechanism if the parties have assessed the importing country’s surveillance laws and determined the transfer can be appropriately safeguarded.
This assessment determines whether the SCCs alone are going to cut it. If the government of the importing country can access your personal data regardless of the contractual protections in place, the SCCs on their own won’t be enough.
Think of the SCCs as your starting point. The devil is in the detail, and your transfer assessment is key: it places a lot more responsibility on both parties to check thoroughly whether personal data transferred outside the EEA will actually be protected.
Can I wait and see what happens, or do I need to do something now?
We’re still waiting for the EDPB and the Information Commissioner’s Office (ICO) to release more information about what the Schrems II judgment means for everyone. Although some questions remain open, there is plenty to do while we wait.
The first thing to note is that Schrems II doesn’t just affect data transfers to the US: it applies to all data transfers outside the EEA, such as to India or China. This requires a much wider piece of work for companies to ensure compliance, so you should start acting on this now.
Essentially there are two steps that you can take now:
- Risk assess. Conduct a risk assessment of all transfers of your personal data to third (non-EEA) countries. This needs to be done on an agreement-by-agreement basis, taking into account what type of personal data is being processed, to which country and for what purpose. With this information in mind, complete a short risk assessment that takes into account the sensitivity of the personal data and whether it would be subject to any surveillance laws by the importing country’s government or local authorities. If the personal data being transferred is particularly sensitive and would be likely to fall under certain surveillance laws, this would be considered a ‘high risk’ transfer. If the personal data is minimal and low-risk, and will be sent to a country with stringent data protection laws, this can be considered a ‘low-risk’ transfer.
- External assurances. Once you have completed an initial risk assessment for all data processing activities that involve the international transfer of your personal data, the next step is to ask your third party processors how they are maintaining their GDPR compliance in light of the new obligations under Schrems II. This can be done by sending out a questionnaire to your medium- and high-risk data processors to confirm what policies and supplementary measures they have in place, as well as whether they are subject to, or likely to be subject to, any surveillance laws that may impact the security of your personal data. In addition, all data processors should attest that their sub-processors are in compliance with all GDPR obligations.
How to assess your data transfers
Time for some of the practical guidance we’re all looking for. Here’s a look at what you need to know when assessing your transfers.
What is involved in that assessment?
Reach out to your data processors to check that they can comply with all data protection laws in light of Schrems II, using our downloadable data processor questionnaire. Obtaining written confirmation of their GDPR compliance helps you evidence that you have assessed the risks applicable to that particular data transfer. Treat the answers as self-attestation rather than proof: where a processor says it has supplementary measures in place, ask what they are and how they prevent the importing country’s authorities from accessing the data.
Should I stop transferring personal data to the US or other third countries?
Although it’s not entirely clear right now, we don’t think you need to stop sharing personal data with the US at this stage. Big players in the game like Facebook, Amazon and Google have taken steps to remediate their contracts to ensure they are relying on valid transfer mechanisms, and are continuing on with transferring personal data outside the EEA. However, as we’ve explored above, just amending your contracts to incorporate the SCCs doesn’t mean you’re compliant – but it’s a step in the right direction.
Further guidance may require you to stop transfers to certain third countries in due course, which we’ll keep you updated on.
Your Schrems step by step guide
Still unsure where to start?
To quickly reiterate:
- Remove the Privacy Shield from your agreements if you are still relying on it as your personal data transfer mechanism
- Replace it with a valid transfer mechanism (most likely the SCCs) while simultaneously conducting an assessment of the local laws of the importing country to determine whether the SCCs will be effective in protecting your personal data
- These assessments must be carried out on a case-by-case basis for each and every agreement that involves the transfer of personal data outside the EEA
Below is a brief outline to take you through things step by step.
Collate
The first step is to collate all of your agreements. This typically means that you should have a contract database where every single contract can be found, acting as a single source of truth for who you are currently contracting with. The database needs to be a living document that is frequently updated so that any new contracts, amendments to existing contracts, or expired contracts are recorded.
Review
The next step is to review each agreement in the contract database that involves the transfer of personal data to a third country. Flag which data transfer mechanism is used (e.g. Privacy Shield, SCCs or other) and where the personal data is located, as this information will be vital to your initial risk assessments.
Assess
Risk assess each agreement you’ve reviewed that involves the transfer of your personal data outside the EEA. This needs to be done on an agreement-by-agreement basis, taking into account what type of personal data is being processed, to which country and for what purpose. Assign a ‘high’, ‘medium’, or ‘low’ rating to each agreement, depending on how sensitive the personal data is and whether it would be subject to any surveillance laws by the importing country’s government or local authorities.
Confirm
Require your data processors to confirm that they have appropriate policies and supplementary measures in place to ensure their compliance with new requirements under Schrems II. Additionally, they must attest that their sub-processors are also in compliance with these new obligations. We recommend obtaining a written confirmation from them.
Remediate
Based on your review and your data processors’ responses, you can determine whether or not each contract requires remediation.
Document
Ensure that all assessments, addendums, confirmations, and the rest are properly documented in your contract database. This will make life easier should you ever be audited, as you can easily demonstrate that you have conducted thorough assessments and can confirm that your processors and their sub-processors are relying solely on valid transfer mechanisms.
Or… sit back and let us do it
This will be a lot of work, and we’re happy to take it off your plate.
We’re experts when it comes to helping businesses stay compliant, which is why we offer a range of data protection services. Our team is on-hand to help.
Get in touch today.