In this article, we provide practical guidance for all organisations that export data outside of the EEA on how to reassess their transfers of personal data outside of Europe in a post-Schrems II era.

The Schrems-II ruling of the European Court of Justice on Transfers of Personal Data outside of the EU

The European Union is infamous for its diligent approach to the protection of the rights of human rights. The GDPR, the regulation ensuring the right to personal data protection, limits all transfers of personal data outside of the European Union to ensure that the data and individual rights are not abused as soon as they cross the EU border. 

The European Commission produced a list of 13 countries deemed to ensure a sufficient level of data protection, to which personal data can be transferred without limitations. That list also allowed a select group of companies based in the US to receive personal data from their EU partners. The requirement for those companies in this group is to self-declare and join the so-called EU-US Privacy Shield. Until recently, more than 5000 organisations used the scheme, among which Amazon, Facebook, and Google. 

With its judgement, the CJEU has invalidated the EU-US Privacy Shield, making further transfers of personal data to those organisations in the US, illegal. Additionally, the ruling impacted another mechanism, that of Standard Contractual Clauses (SCCs), which was used in 88% of international transfers, warning that these SCCs cannot always be used in transfers to third countries. It implied a similar fate for Binding Corporate Rules, another transfer mechanism for transfers within a corporate group.

As if this were not enough, the court left no grace period for organisations to understand their situation and come up with alternative transfer mechanisms applicable to their business model. It leaves thousands of transfers of personal data to the US and, presumably, to many other countries, unlawful. This is why a swift reaction is vital for companies in the EU.

Step-by-step guide to international data transfers after the CJEU ruling

Step 1 – Audit existing transfers 

To start with, prepare a list of all connections with companies that imply transfers of personal data outside of the European Union. Acknowledge  that storing personal data on the cloud servers in another country, using third-party applications such as CRM, HR, payment systems, collaboration tools, video-conferencing or task managers definitely implies the international transfer of data. Remember that involving contractors or software development agencies from third countries also imply international data transfers.

Next, figure out the transfer mechanisms used by these partner organisations and service providers. Most information can be parsed from public sources, e.g. company websites, but if not, we recommend contacting your service providers directly. The current mechanisms used by the companies can be an adequacy decision (Art. 45 GDPR), the (defunct) EU-US Privacy Shield, Standard Contractual Clauses (Art. 46.3.a) GDPR), Binding Corporate Rules (Art. 47 GDPR), or Derogations (Art. 49 GDPR).

Step 2 – Choose appropriate safeguards

Pay specific attention to the transfers of personal data to the US. While the situation with other third countries remains unclear, transfers of personal data in the States cannot continue as they do at the moment. Companies that have relied on the Privacy Shield must consider adopting new safeguards, and Standard Contractual Clauses cannot be used by the providers of cloud computing and telecommunication services.

If you already use or consider using Standard Contractual Clauses or Binding Corporate Rules for transfers under Art. 46, ask your partners and service providers whether they are subject to national laws that:

• require indiscriminate surveillance / data collection from them by government bodies;
• prohibit deletion of the transferred data at the end of your relationship with them;
• limit the rights of concerned individuals (data subjects), such as the right to be informed, right to access, rectify and erasure, upon the request.

The restrictions above will be difficult to overcome by the available EU privacy safeguards, which was confirmed by the CJEU judgement. This is exactly the case with the transfers to the United States: under 702 FISA (50 USC § 1881a), all “electronic communication service providers”, which are providers of remote computing services, electronic communication services, or telecommunications carriers must share the data that they store about foreigners with the U.S. national enforcement agencies. As a result, it is considered that the SCC cannot be used for transfers of data to these types of providers at all. 

For other types of partners and services providers, the SCC and BCR remain a possible option, though additional examination will be necessary.

To make matters worse is that foreign companies can be prohibited from informing you about such requirements due to their statutory provisions. The option, in this case, is to look into media-coverage of such scenarios, as well as to check their national enforcement and judicial practice on data protection.
Best practice, however, is to regard those companies who claim they cannot disclose that information to be under that statutory obligation and interpret that answer as those likely to be subject to such national requirements.

Step 3 – Consider derogations or restructure the transfers

Art. 49 of the GDPR provides derogations from the rule described above. For case-by-case transfers, you can ask for explicit consent from the data subject. However, such an option seems unrealistic for transferring the whole database as it may prove impractical to ensure collecting consent from all concerned users. 

You can also transfer personal data to third countries if it is necessary to perform the contract with your users or other data subjects. Unfortunately, it is only available to the transfers that are strictly necessary, i.e. where the execution of the contract takes place on U.S. territory (or another third country). That said, the mere convenience to transfer the data to the U.S. cannot be regarded as the “necessity”, neither can the cost of the offered solution be a determining factor alone.

Finally, as a temporary measure, the company can argue that it has legitimate interests in international transfers. This option can serve as a temporary relief for those companies that need time for re-architecting their processing activities following the CJEU judgement. The transfer based on the legitimate interests should not be repetitive. It must concern only a limited number of data subjects, and must not be overridden by the interests or rights and freedoms of the data subject. Two conditions come when relying on  this derogation: the need to inform your supervisory authority and data subjects about the transfers. Thus, legitimate interests might be used as a temporary measure while searching for a more reliable transfer mechanism.

There are many situations where none of the above options can be used by the EU company. For example, it is fairly difficult to come up with a solution for transferring personal data to cloud hosting providers in the U.S. or EU subsidiaries of those companies. In such cases, a strong decision is needed: that of restructuring your data processing and stop transfers of personal data outside of the EU. In such a case, only local EU service providers will be used, particularly those not under legal or contractual obligation to transfer data back to the US -or merely allow access to other entities.

Conclusion: what to do after the Schrems-II ruling

Until new guidance from the EU regulators is issued, in particular the EDPB and the EU Commission, the situation with international transfers remains rather vague, to say the least. In accordance with its announcement in the assessment of the last 2 years of the GDPR, the European Commission is also working on new transfer mechanisms. The new safeguards should allow transferring personal data outside of the EAA more easily. This is a much awaited work considering the fact that current SCCs date back prior to the GDPR, thus not being fully in line with the GDPR provisions

In the meantime, the companies are left with few options:

1. To amend their processing infrastructure and limit transfers of personal data outside of the EU; or
2. To take a risk and try to come up with protective measures to complement these unstable mechanisms, in an attempt to consolidate the current mechanisms. However, until the European Data Protection Board drafts guidance on such measures, choosing them ought to be carefully examined by data protection professionals.

This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.

If your business relies on international transfers of personal data, the TechGDPR team provides practical and actionable assessments for organisations to find a solution for each case. Feel free to reach out if you need further help.

The post International Transfers of Personal Data after the Schrems II ruling appeared first on TechGDPR.

Reshaping how personal data is handled and raising awareness

This regulation is aimed at fundamentally reshaping the way personal data is handled across every sector in Europe. One year later, we can clearly see that this regulation raised professionals and individuals’ awareness of data protection issues. The regulation gave extensive new powers to individuals in how they can control their data. For example, data subjects can demand from organisations to tell them how their data are used and ask them to destroy their data,  “the right to be forgotten.” and the fines for non-compliance were significantly increased.

According to the Eurobarometer of March 2019, the increase in queries and complaints confirms the rise in awareness about data protection rights among individuals. Indeed, 67% of EU citizens polled indicated that they have heard of the GDPR, 36% of them indicated that they are well aware of what the GDPR entails. In addition, 57% of them indicated that they are aware of the existence of a public authority in their country responsible for protecting their data protection rights. This result shows an increase of 20 percentage points compared to 2015 Eurobarometer results according to the European Commission.

How has the GDPR been enforced so far?

On February 26, 2019, the European Data Protection Board released an overview on the implementation and enforcement of the GDPR.

According to this report, cooperation mechanisms within national data protection authorities have been heightened. Between May 2018 and February 2019, 444 mutual assistance requests, both formal and informal, have been triggered by Data Protection Authorities (DPAs) from 18 different EEA countries. Furthermore, 45 one-stop-shop procedures were initiated by DPAs from 14 different EEA countries, 23 cases are currently at the informal consultation stage, 16 are at the draft decision stage and 6 cases have been finalised. These cases are mainly related to the exercise of individual rights, consumer rights and data breaches. The EDPB has adopted 28 consistency opinions regarding the national lists of processing subject to a data protection impact assessment.

The total number of cases reported by DPAs from 31 EEA countries totalled 206,326 with 94,266 complaints and 64,684 of those cases initiated on the basis of data breach notification by controllers. 52% of the above cases have concluded while 1% are being challenged before national courts. DPAs from 11 EEA countries reported imposing administrative fines under the GDPR totalling €55,955,871.

GDPR fines in the first year

In 2018, based on a complaint by the non-profit organisation NOYB (“None Of Your Business”)  the french supervisory authority imposed the world’s stiffest privacy fine against Google. In January, the CNIL impose a fine penalty of 50 million euros to the company in over how it uses data for ad-targeting by violating the GDPR principles of transparency, adequate information and valid consent regarding ads personalisation. While there is limited transparency of the enforcement and only some DPAs have published their results to date, some details for the different states in Germany are known:

As recent as last Tuesday, May 21st 2019, a fine was imposed for breaches of the General Data Protection Regulation in Lithuania. The  data protection inspectorate issued a 61,500 EUR fine against a payment services provider for violations of the data minimisation, adequate security measures and data breach reporting requirements of GDPR.

A transition year for data protection

By enhancing data protection we are protecting the fundamental rights and freedoms of persons that are related to that data. As General Data Protection Regulation came into force only one year ago, improvements are made in order to address issues that companies and europeans citizens are facing into the day-to-day practice of data processing.

The EEA Supervisory Authorities have reported that they need to carry out investigations, observe procedural rules, coordinate and share information with other supervisory authorities in order to standardise and provide the best solutions to secure our data.

The first 12 months and looking forward

Looking back on the first 12 months of the EDPB’s work, Andrea Jelinek, Chair of the EDPB, comments: ”It has been a challenging first year, but we have reached the goals that we set out to achieve, and we intend to keep up both the work and the pace.”  

European Data Protection Board (EDPS) had adopted the framework of the 2019-2020 work programme and is willing to develop operational cooperation with its non-European counterparts and a convergence of data protection principles worldwide.

How TechGDPR is involved

During the first year of the GDPR, TechGDPR has been deeply involved in many discussions, in particular around data protection and privacy. Our team is for example involved in the privacy working group of the German Blockchain Association, has taken the lead on privacy matters within the newly set-up International Association of Trusted Blockchain Application (INATBA) and is part of the DIN consortium working on the DIN SPEC on Privacy by Blockchain Design.

The post One year of GDPR: GDPR enforcement and awareness appeared first on TechGDPR.