Schrems II in a nutshell
The most recent updates
The EDPB has created two new task forces.
One is to investigate 101 identical claims against data controllers who use Facebook and Google as part of their data processing activities. The claimants are saying that even if Facebook or Google rely on the Privacy Shield or Standard Contractual Clauses, they still can’t prove that data transferred to the US is adequately protected to the same standards as the GDPR.
This shows that even the biggest companies are being held accountable for how they process data after Schrems II. If that isn’t evidence that the rest of us need to shape up, we don’t know what is!
The other task force is going to provide recommendations to assist controllers and processors in identifying and implementing ‘appropriate supplementary measures’ to ensure adequate protection when transferring data outside the EEA.
Some frequently asked questions
How to assess your data transfers
Time for some of the practical guidance we’re all looking for. Here’s a look at what you need to know when assessing your transfers.
What is involved in that assessment?
Reach out to your data processors to check that they can comply with all data protection laws in light of Schrems II, using our downloadable data processor questionnaire. Obtaining their written confirmation of their GDPR compliance will reduce any potential risks applicable to that particular data transfer.
Should I stop transferring personal data to the US or other third-party countries?
Although it’s not entirely clear right now, we don’t think you need to stop sharing personal data with the US at this stage. Big players in the game like Facebook, Amazon and Google have taken steps to remediate their contracts to ensure they are relying on valid transfer mechanisms, and are continuing to transfer personal data outside the EEA. However, as we’ve explored above, just amending your contracts to incorporate the SCCs doesn’t mean you’re compliant – but it’s a step in the right direction.
Further guidance may require you to stop transfers to certain third-party countries in due course, which we’ll keep you updated on.
Your Schrems step by step guide
Still unsure where to start?
To quickly reiterate:
- Remove the Privacy Shield from your agreements if you are still relying on it for your personal data transfer mechanism
- Replace it with a valid transfer mechanism (most likely the SCCs) while simultaneously conducting an assessment of the local laws of the importing country to determine whether the SCCs will be effective in protecting your personal data
- These assessments must be carried out on a case-by-case basis for each and every agreement that involves the transfer of personal data outside the EEA
Below is a brief outline to take you through things step by step.
The first step is to collate all of your agreements. This typically means that you should have a contract database where every single contract can be found, acting as a single source of truth for who you are currently contracting with. The database needs to be a fluid document that can be frequently updated to ensure any new contracts, amendments to existing contracts, or expired contracts are documented.
The next step is to review each agreement found on the contract database that involves the transfer of personal data to a third-party country. Flag what data transfer mechanism is used (i.e. Privacy Shield, SCCs or other) and the location of the personal data, as this information will be vital to your initial risk assessments.
Risk-assess each agreement you’ve reviewed that involves the transfer of your personal data outside the EEA. This needs to be done on an agreement-by-agreement basis, taking into account what type of personal data is being processed, to which country and for what purpose. Assign a ‘high’, ‘medium’, or ‘low’ rating to each agreement, depending on how sensitive the personal data is and whether it would be subject to any surveillance laws by the importing country’s government or local authorities.
Require your data processors to confirm that they have appropriate policies and supplementary measures in place to ensure their compliance with new requirements under Schrems II. Additionally, they must attest that their sub-processors are also in compliance with these new obligations. We recommend obtaining a written confirmation from them.
Based on your review and your data processors’ responses, you can determine whether or not the contract requires remediation.
Ensure that all assessments, addendums, confirmations, and the rest are properly documented in your contract database. This will make life easier should you ever be audited, as you can easily demonstrate that you have conducted thorough assessments and can confirm that your processors and their sub-processors are relying solely on valid transfer mechanisms.