Industry Seeks Guidance on Secure Global Data Flows in the Wake of Schrems II
In the July ‘Schrems II’ case, the EU Court of Justice issued a landmark ruling affecting how businesses may transfer personal data to most countries around the world. The judgment has raised many legal and operational questions for businesses’ routine data transfers which require practical guidance from the European Commission and privacy regulators. In a new policy document, the Computer & Communications Industry Association (CCIA) offers several suggestions for guidance to support sustainable data flows and help companies in their compliance efforts.
Unencumbered and protected data flows between the EU and the rest of the world ensure that companies in every sector can participate in the global economy, innovate, securely process data, and maintain and expand their global supply chains, particularly in times of lockdowns. That’s why it is so important that the EU continues to provide sustainable mechanisms for transferring data abroad.
While the EU Court of Justice struck down the EU-U.S. Privacy Shield data transfer framework in July, it also affirmed the validity of one of the most popular tools to transfer data outside the EU, Standard Contractual Clauses. Contrary to what some may have argued, Standard Contractual Clauses can still be used to transfer data to the 152 countries which the EU does not formally recognise as providing ‘adequate’ data protection, provided that the entities involved in the transfer can ensure a level of protection for the personal data that is essentially equivalent to that of the General Data Protection Regulation.
How can companies provide sufficient protection for personal data transferred to countries that don’t legally guarantee protection equivalent to that of the EU?
The Court tells us that answering this question first requires an analysis of government data access legislation in each jurisdiction where EU personal data travels, and a thorough understanding of the evolving European case law on the intersection between privacy and government access to data for security and law enforcement purposes. This process will require highly technical legal fact-finding and analysis, and companies are not, and will never be, in a position to make this sort of assessment on their own.
This is where the European Commission, working alongside the European Data Protection Board (EDPB), can come in. These authorities have a crucial role to play in enabling companies to make and consistently apply this analysis, and can issue non-binding guidance on the existence and application of third-country laws and practices in countries where data transfers merit further scrutiny by parties to a data transfer.
The Court also tells us that the existence and application of government data access laws and practices is only one of the circumstances that companies should take into account when assessing the level of protection afforded to data transferred overseas. The EDPB should therefore clarify the legal and factual factors that companies, their vendors, and customers should use to assess “all the circumstances surrounding a data transfer.” For example, this could include the potential relevance of the entities, the data at issue, and the context of processing to foreign government intelligence activities.
The EDPB should further fill in the blanks left by the Court’s decision by developing a ‘toolkit’ of ‘supplementary measures’ including contractual, technical, and organisational safeguards that parties to a data transfer can use to mitigate any residual risks to privacy.
Finally, the EDPB can clarify the documentation procedures that companies can use to perform and demonstrate their data transfer assessments. Rather than creating formal new procedures that could become a ‘check-the-box’ compliance exercise, companies should have some flexibility to demonstrate their self-assessment as well as their adherence to any relevant supplementary measures that they have put in place.
Ultimately, each company will answer the question of when and how they should be expected to provide sufficient protection of EU personal data differently depending on their situation. But there is plenty of space for consistent and practical guidance from the EDPB and the European Commission to assist companies in their compliance efforts and guide privacy regulators’ enforcement in coming weeks and months.
You can read CCIA’s full recommendations to the European Commission and the European Data Protection Board here.