Data transfers Archives - TechGDPR
https://techgdpr.com/blog/tag/data-transfers/
Tue, 29 Apr 2025 09:15:28 +0000

Weekly digest 13 – 19 June 2022: privacy in the digital age, geolocation, access rights, ransom victim-shaming
https://techgdpr.com/blog/weekly-digest-20062022-privacy-in-the-digital-age-geolocation-access-rights-ransom-victim-shaming/
Mon, 20 Jun 2022 09:03:44 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: UK data protection reform, privacy in the digital age

The UK Government published its response to the privacy in the digital age discussion ahead of data protection reform. During the consultation period, it engaged with a range of stakeholders, including over 40 roundtables with academia, tech and industry bodies, and consumer rights groups, providing a wide range of views. The proposals in this response are arranged across 5 chapters:

  • Reducing barriers to responsible innovation, (increasing confidence in personal data processing through the use of the legitimate interest and enabling greater personal data access and personal data sharing for research and other purposes).
  • Reducing burdens on businesses and delivering better outcomes for people, (reforms to reduce disproportionate impacts of subject access requests on organisations, and ways to limit unnecessary cookie banners by altering rules in the Privacy and Electronic Communications Regulations).
  • Boosting trade and reducing barriers to data flows, (creating an autonomous UK international transfers regime, which supports international trade and eliminates unnecessary obstacles to cross-border personal data flows). 
  • Delivering better public services, (increasing the transparency of government processing activities by ensuring that clear information is provided on the use of algorithms; and, simplifying the legal framework in relation to the police’s collection, use and retention of biometric data).
  • Reform of the Information Commissioner’s Office, (implementing a new, modern governance framework, with an independent board, and requiring the ICO to account for the impacts of its activities on growth, innovation, and competition). 

The summaries of responses can be read here.

Meanwhile, Privacy International issued its submission on the UN report on the right to privacy in the digital age. “National laws are often inadequate and do not regulate, limit or prohibit surveillance powers of government agencies as well as data exploitative practices of companies”, states PI. Even when laws are in place, they are seldom enforced. PI notes that it is often only following legal challenges in national or regional courts that governments are forced to act. This is not a sustainable position: journalists and human rights defenders often do not have the capacity, (or legal standing), to challenge governments’ or companies’ actions, they may face threats if they do so, (including the same unlawful surveillance that they are challenging), and in many jurisdictions there are no independent avenues of effective redress. PI’s key advocacy points include:

  • mass surveillance, 
  • government hacking, 
  • mobile phone data extraction,
  • data retention,
  • public-private partnerships and their implications for the right to privacy,
  • digital ID systems and the use of biometrics for identification and authentication,
  • use of encryption and anonymity technologies,
  • tracking online users, and more.

Official guidance: data exporters, geolocation data

Danish privacy regulator Datatilsynet issued a statement on the concept of a data exporter (in Danish). In the light of the ECJ’s “Schrems II” judgment, Datatilsynet received an increasing number of questions regarding the transfer of personal data to third countries. The term “data exporter” is not defined in the GDPR. The concept, on the other hand, is defined in the EU Commission’s Standard Contractual Clauses, which is one of the most widely used transfer bases in Chapter V of the GDPR. The short guidance text is aimed at data controller organisations that use European data processors, but where one or more of its sub-data processors are located outside the EU/EEA. 

The regulator indicated that it will hold both data controllers and processors liable for obligations under Art. 44 of the GDPR. And the obligation of the data controller in practice is to ensure – and be able to demonstrate to the Danish data protection agency – that the data processor has established the necessary transfer basis with subcontractors overseas, and that this transfer basis is effective in light of all the circumstances of the transfer, including the implementation of additional measures if necessary. 

The EDPB adopted guidelines on certification as a tool for transfers. Art. 46 of the GDPR introduces approved certification mechanisms as a new tool to transfer personal data to third countries in the absence of an adequacy agreement. The guidelines focus on the purpose, scope, and the different actors involved; implementing guidance on accreditation requirements for certification bodies; specific certification criteria for the purpose of demonstrating the existence of appropriate safeguards for transfers; and the binding and enforceable commitments to be implemented. The guidelines complement guidelines 1/2018 on certification, which provide more general guidance on certification, and will be subject to public consultation until the end of September. 


The French regulator CNIL has launched a study on geolocation data collected by mobile applications. As part of its technology watch, it observed whether it was easy to obtain people’s geolocation data. It thus identified a platform linking sellers and buyers of data and making it possible to obtain free samples from data brokers. It then requested, under the same conditions as any potential customer, to be provided with a sample of data corresponding to France. 

The dataset obtained is a file containing timestamped geolocation data with location points associated with nearly 5,000,000 smartphone advertising identifiers (Android and iOS) over a period of approximately one week in 2021. The data seller presents the transmitted data as anonymised. After a quick analysis, the CNIL considers that at least part of this data is authentic. It will check whether, on the basis of this set of data, it is able to re-identify the persons concerned and, if so, it will inform them individually. In addition to the data contained in the file sent by the data seller, publicly accessible data will be processed, such as open diaries of public figures, data on participation in parliamentary sessions, population density maps of France, and data from venues for public sporting events.

Investigations and enforcement actions: SAs’ dispute resolution, right to access, vehicle repair and maintenance history, traffic and location data

The EDPB adopted a dispute resolution decision on the basis of Art. 65 of the GDPR. The binding decision seeks to address the lack of consensus on certain aspects of a draft decision issued by the French SA as a lead supervisory authority, (LSA), regarding Accor SA, a company specialised in the hospitality sector headquartered in France, and the subsequent objections expressed by one of the concerned supervisory authorities (CSAs). 

The LSA issued the draft decision following a complaint-based inquiry into Accor SA, concerning a failure to take into account the right to object to the receipt of marketing messages by mail and/or difficulties encountered in exercising the right of access. The LSA shared its draft decision with the CSAs in accordance with Art. 60(3) of the GDPR. One CSA issued objections pursuant to Art. 60(4) GDPR concerning, among other things, the size of the fine. The SAs were unable to reach a consensus on one of the objections, which was then referred by the LSA to the EDPB for determination pursuant to Art. 65(1)(a) GDPR, thereby initiating the dispute resolution procedure. The EDPB has now adopted its binding decision. The decision addresses the merits of the part of the objection found to be “relevant and reasoned”.

The Swedish privacy protection authority IMY published a report that highlights the complaints the authority received last year. The most common type of complaint, every third one, concerns the rights of individuals, such as the right to access their personal data. The report gives businesses a number of recommendations: they must know what rights individuals have when handling personal data, and they must also have routines in place to meet these rights, for example routines for handling access requests. Other recommendations in the report include the requirement for businesses to be reachable: individuals should be able to easily get in touch to exercise their rights. It is also important for businesses to clearly inform everyone whose personal data they process which personal data is being used and why.

Based on the complaints, it is also clear that businesses that use direct marketing need to develop their routines for interrupting mailings if a person hears from them and does not want more direct marketing or advertising sent to them.

Finland’s data protection ombudsman decided on whether vehicle repair and maintenance history data is personal data under Art. 4(1) of the GDPR. The person who bought the used car informed the regulator that he had requested information from Oy BMW Suomi Ab on the maintenance and repair history for the entire life cycle of the vehicle. The new owner asked the company for information, as he said the car had been serviced by an authorized BMW dealer. However, Oy BMW Suomi Ab did not provide any information. 

The regulator considered that vehicle maintenance history data is in principle personal data within the meaning of the GDPR concerning the owner of the vehicle during the period of ownership. Service history information may directly or indirectly describe the owner of the vehicle or its activities. Nevertheless, some of the service history information may be non-personal. The regulator does not have jurisdiction over situations involving requests for non-personal data. Finally, according to the GDPR, a person has the right to access personal data concerning him or her. As the maintenance history and repair data are not the personal data of the new owner of the purchased vehicle, the new owner does not have the right to access it. 

The regulator also considered that the data protection rules do not, in principle, prevent the transfer of vehicle maintenance history and repair information to the person who purchased the used vehicle. This could be possible, for example, on the basis of a legitimate interest. Although the service provider does not have an obligation under the GDPR to provide information on the vehicle’s service history, the GDPR does not in principle constitute an obstacle to such disclosure.

The Portuguese data protection authority CNPD ordered electronic communications providers to delete the traffic and location data of all communications retained for the purposes of investigation, detection, and prosecution of serious crimes, finding such retention unconstitutional, Data Guidance reports. CNPD noted that retaining location and traffic data of all subscribers, without exception, is disproportionate in view of the objective pursued. As such, the CNPD added that it is now unlawful for telecom operators to maintain such autonomous data processing and retain a wide range of personal data. 

Notably, the CNPD ordered electronic communications providers to delete, within a period of 72 hours from the notification of the CNPD’s decision, the personal data kept under Law No. 32/2008, (Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks), and noted that relevant entities should send a certificate of destruction of such data to the CNPD within 72 hours of its deletion. 

Data security: ransom victim shaming and extortion, TikTok on Oracle

Cybercriminals are upping their game and diversifying the ways they extort individuals and corporations, warns US cybersecurity guru Brian Krebs. Ransomware groups like ALPHV/BlackCat in the past would dump your stolen data on the dark web, but are switching to publishing individual victim websites on the public internet, with the leaked data made available in an easily searchable form. The group recently boasted that it had hacked a luxury spa and resort in the western US, stealing the personal information of 1,500 resort employees and more than 2,500 residents. It published an internet page with two “Check Yourself” buttons at the top, one for employees and another for guests. With companies in general still slow to respond to security breaches, if they respond at all, this sort of incident may be the only way some people discover their personal information has been compromised. 

TikTok says Oracle will store all the data from US users, in a bid to allay fears about its safety in the hands of a platform owned by the Chinese company ByteDance, The Guardian reports. BuzzFeed News, citing recordings from 80 internal TikTok meetings it obtained, claims that US employees of TikTok repeatedly consulted with their colleagues in China to understand how US user data flowed because they did not have the “permission or knowledge of how to access the data on their own”, TechCrunch reports. US officials have for years expressed concern that TikTok might let China’s government have access to the data the firm collects from Americans and users from other nations. The matter escalated in 2020 when the Trump administration said it would bar the Chinese-owned mobile apps WeChat and TikTok from US app stores. 

Weekly digest April 4 – 10, 2022: EU data governance, digital products security, US law enforcement outreach & privacy
https://techgdpr.com/blog/weekly-digest-11042022-eu-data-governance-digital-products-security-us-law-enforcement-outreach/
Mon, 11 Apr 2022 09:09:19 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: EU data governance, traffic and location data, consumer rights, hospitals

The EU Data Governance Act, approved by the Parliament on April 6, promises to boost data sharing in the EU so that companies and start-ups will have access to more data they can use to develop new products and services. The new draft rules also aim to build trust in data sharing, making it safer and easier as well as ensuring it is in line with data protection legislation. This will be achieved through a range of tools, from technical solutions such as anonymisation and pooling of data to legally binding agreements by the reusers. The rules will enable:

  • data collected in some public sector areas to be better used;
  • the creation of common European data spaces for important areas: health, environment, energy, agriculture, mobility, finance, manufacturing, public administration, and skills;
  • new rules for data marketplaces – usually online platforms where users can buy or sell data – will help new intermediaries be recognized as trustworthy data organizers;
  • new rules for companies, individuals, and public organizations that wish to share data for the benefit of society (data altruism).

The Data Governance Act must be formally adopted by the EU countries in the Council before it becomes law. To further encourage data sharing, the Commission also proposed a Data Act in February, which the Parliament is now working on.

The European Court of Justice confirmed that EU law precludes the general and indiscriminate retention of traffic and location data relating to electronic communications for the purposes of combating serious crime. In the related longstanding case in Ireland, a man was sentenced to life imprisonment for murder and appealed, saying the court of first instance had wrongly admitted traffic and location data of telephone calls as evidence. “The privacy and electronic communications directive does not merely create a framework for access to such data through safeguards to prevent abuse, but enshrines, in particular, the principle of the prohibition of the storage of traffic and location data”, the highest EU court stated. However, it held that EU law does not preclude legislative measures for the purposes of combating serious crime and preventing serious threats to public security for: 

  • targeted retention of traffic and location data which is limited, according to the categories of persons concerned or using a geographical criterion; 
  • general and indiscriminate retention of IP addresses assigned to the source of an internet connection; 
  • general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems; and 
  • the expedited retention, (quick freeze), of traffic and location data in the possession of those service providers.

Read the full decision by the ECJ here.

The Irish government has approved a draft bill – the General Scheme of Representative Actions for the Protection of the Collective Interests of Consumers. The aim is to permit qualified and designated entities to represent consumers in a representative action, (civil claim), where a trader has infringed consumer rights under one or more of the legislative provisions listed, including the major data protection legislation at EU and national levels – the GDPR, ePrivacy Directive, and the Irish Data Protection Act 2018. You can examine the full draft bill here.

Utah followed California, Virginia, and Colorado in adopting a comprehensive consumer data privacy law, JD Supra News reports. Utah’s Governor signed the Consumer Privacy Act, which will take effect on December 31, 2023. Consumers include individuals who are Utah residents and are acting in an individual or household context, not in an employment or commercial context. Under the Act, data controllers, (certain entities that conduct business or target consumers in Utah on a big scale), have obligations to, among other things: 

  • disclose in a privacy notice various processing activities;
  • provide consumers with clear notice and an opportunity to opt out of the processing of sensitive data, including biometric and geolocation data;
  • provide consumers with a right to opt out of targeted advertising or the sale of personal data;
  • comply with requests from consumers to exercise their other rights to access, obtain a copy of, or delete personal data, and confirm whether a controller processes personal data; and
  • maintain reasonable administrative, technical, and physical data security practices. 

However, the law does not create a private right of action and grants exclusive enforcement authority to the Attorney General. 

The Czech Supreme Administrative Court upheld a fine by the national data protection authority imposed on a hospital for insufficient security in the processing of personal data, (Art. 32 of the GDPR). In the landmark decision, the court stated that the hospital in question is a joint-stock company, not a public entity, although it is financed mainly from public health insurance funds and provides its healthcare services in the public interest.

Thus, it cannot enjoy the exemption which derives from Art. 83(7) of the GDPR: “each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State”. In particular, the court rejected the application of the national data protection legislation, which does not allow the imposition of a sanction on a public entity. The full text of the judgment, (in Czech), can be found here.

Official guidance: data processing agreements, digital products security, AI knowledge base

The Danish data protection authority Datatilsynet responded to some questions regarding data transfer provisions in processing agreements, Data Guidance reports. In the given case, a company, (KOMBIT), supplies IT systems to Danish municipalities and uses a subcontractor/processor, (Netcompany), which in turn uses Amazon Web Services, (AWS). According to KOMBIT, the information is generally processed within the EU/EEA, but the data processing agreement between Netcompany and AWS also states that this can be deviated from if it is necessary to comply with the legislation or a binding decision of a public authority in a third country. The questions are:

  • whether there is an intentional or unintentional transfer to third countries,
  • whether the municipalities must comply with the requirements for transfers to third countries, and
  • whether this gives rise to a question of adequate security of processing.

In the eyes of the Danish regulator, this will be an intentional third-country transfer. Therefore, municipalities must ensure that the rules on transfers to third countries are complied with when or if AWS makes such transfers in accordance with the instructions set out in the data processing agreement.

The EU Commission is holding an open public consultation on the establishment of new horizontal rules for digital products and associated services placed on the internal market, in view of a new European Cyber Resilience Act, (CRA), Bird&Bird Insights reports. The consultation and call for evidence will be open for stakeholders’ feedback until May 25. The future CRA aims to create:

  • baseline cybersecurity requirements for manufacturers and vendors of a wide range of digital products and ancillary services, the absence of which would prevent the tangible product from performing its functions, (wireless and wired, embedded and non-embedded software), and would cover their whole life cycle;
  • obligations on economic operators; and 
  • provisions on conformity assessment, the notification of conformity assessment bodies, and market surveillance.

The CRA would add to the existing cybersecurity framework, the NIS Directive, the EU Cybersecurity Act, etc. The consultation questionnaire and its outcome can be found here.

The French regulator CNIL presented a knowledge base, (in French), on the concept of artificial intelligence. The CNIL explains, through various tools and publications, the challenges in terms of data protection and the way in which it acts to support the deployment of solutions that respect the rights of individuals. The project includes:

  • a short glossary of AI;
  • accessible resources for everyone, (books, films, factsheets, articles);
  • guidance for data protection specialists on the application of the GDPR in AI systems, (impact assessment questionnaires, rules on assigning responsibilities, documentation requirements, etc.).

Investigations and enforcement actions: unsecured visa applications, failed data deletion, unauthorised disclosure, accidental alterations of customer data

The Dutch data protection authority, (AP), has fined the Ministry of Foreign Affairs 565,000 euros for potentially breaching the privacy of people making visa applications over a number of years, DutchNews.nl reports. The AP identified the ministry as a data controller and stated that its visa information system is not secure enough, with a risk of unauthorised access to and changes of files. Sensitive information, such as fingerprints, name, address, the purpose of the trip, nationality, and photo could have been accessed because of inadequate physical and digital security. Also, people applying for visas were not given proper information about the way their data is shared with third parties. In addition, the AP imposed an extra fine, subject to periodic penalty payments, for fixing the security provision, (50,000 euros every two weeks), and the information obligation, (10,000 euros per week).

The Irish supervisory authority fined Bank of Ireland Group 463,000 euros for violating Art. 32-34 of the GDPR. This inquiry was opened after 22 personal data breach notifications in 2018-2019. The notifications related to the corruption of information in the Group’s data feed to the Central Credit Register, a centralised system that collects and securely stores information about loans. The incidents included unauthorised disclosures and accidental alterations of customer personal data. The decision considered as a preliminary issue whether the incidents met the definition of a “personal data breach” under the GDPR, and found that 19 of the incidents reported did meet the definition. Additionally:

  • the group failed to issue communications to data subjects without undue delay in circumstances where the personal data breaches were likely to result in a high risk to data subjects’ rights and freedoms; and
  • the group failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of customer data in the centralised register. 

Meanwhile, the Danish data protection agency Datatilsynet assessed that Danske Bank has not been able to document that it has deleted personal information in accordance with the data protection rules, and therefore set the bank a fine of approx. 1.3 million euros. In 2020 the regulator initiated a case after the bank itself had stated that it had identified a problem with the deletion of unneeded personal data. It has emerged that in more than 400 systems there were no rules laid down for the deletion and storage of personal data, and that no manual deletion of personal data had been carried out. These systems process the personal data of millions of people. At the same time, the regulator emphasized Danske Bank’s active participation in the disclosure of the case and its continuous attempts to align its practices with legal requirements and minimize the risks for data subjects.

Data security: UK cybersecurity survey, US law enforcement outreach

The UK Department for Digital, Culture, Media & Sport published the latest cyber security breaches survey. It is an annual survey detailing the cost and impact of cyber breaches and attacks on businesses, charities, and educational institutions. Here are some key findings:

  • Cyberattacks are becoming more frequent with organizations, (businesses and charities), reporting more breaches over the last 12 months.
  • Almost one in three businesses and a quarter of charities suffering attacks said they now experience breaches or attacks at least once a week.
  • Data shows two in five businesses use a managed IT provider but only 13 percent review the security risks posed by their immediate suppliers.

Four out of five senior managers in UK businesses now see cyber security as a ‘very high’ or ‘fairly high’ priority, a significant rise since 2021. Read the full survey here.

A Guardian article reveals that very little data is secret from US law enforcement, which has multiple ways to obtain personal data, either openly or covertly. It was reported last week that hackers obtained the information of some Apple and Meta users by forging an emergency legal request, (explained in the previous digest), one of several mechanisms by which law enforcement agencies can demand that tech companies hand over data such as location and subscriber information. US law enforcement requests may include gag orders, meaning the company cannot notify users that their information has been requested for six months or more. There are a few types of legal requests and other lawful means that have recently sparked concern among activists and experts:

  • geofence warrants,
  • keyword search warrants,
  • administrative subpoenas,
  • cell-tower dumps, 
  • inter-agency data sharing at the local, state, and federal levels, or from companies like Palantir, 
  • location and purchase history data from data brokers,
  • surveillance tech companies like Clearview AI and Voyager, etc.

Big Tech: Google complaint in Germany, China surveillance, Clearview expansion, Mailchimp data breach, banned apps on Google Play

Google in Germany is facing a legal complaint in which the North Rhine-Westphalia consumer office says Google’s cookie banners violate data protection rules, Reuters reports. The office maintains that refusing cookies requires more steps than consenting to them on Google’s search engine websites. The company says it is soon changing its consent banner and cookie policy Europe-wide to comply with regulations.

Using publicly available documents, Reuters has identified an explosion in software using AI in China to crunch big surveillance data, and rising demand from police and civil authorities around the country for the equipment. Vast quantities of data used to require human input to organize. The new software is built around the “one person, one file” concept, facilitating the tracking of individuals. Since the first patent application in 2016, at least 28 firms have entered the market for file archiving and image clustering algorithms for facial recognition, extracting data from social media, and details on relatives, social circles, vehicle records, marriage status, and shopping habits.

Google has banned dozens of apps from its Google Play store after finding embedded software that secretly harvested users’ data, including location and personal identifiers, IAPP News reports. The code, developed for Android and used in millions of devices worldwide, was developed by Measurement Systems, which reportedly has links to a Virginia defense contractor.

Major email marketer Mailchimp has reported a data breach after hackers exploited a weakness in an internal customer support and account administration tool, TechCrunch says. A social engineering attack led to 300 client accounts being compromised, 102 of which lost audience data; customers from the cryptocurrency and finance sectors were targeted. Mailchimp says it detected the breach quickly and has taken steps to ensure it won’t happen again.

Controversial facial recognition startup Clearview AI is looking to expand beyond providing services to police forces, AP News reports. In March it reportedly offered its services for free to the Ukrainian military to help identify casualties and prisoners with images scraped from the Russian social media website VKontakte, and it is now going to offer a new “consent-based” product using its algorithms, and not its 20 billion-image library, to banks and other private businesses for identity verification purposes.

International Transfers of Personal Data after the Schrems II ruling – https://techgdpr.com/blog/international-transfers-personal-data-schrems-ii-ruling/ – Thu, 06 Aug 2020

On July 16, 2020, the top court of the European Union (CJEU) issued a groundbreaking ruling on the so-called “Schrems II” case concerning international transfers of personal data from the European Union. It was meant to deal mostly with transfers to the main EU commercial partner – the United States – but turned out to have implications for all countries outside of the European Economic Area (EEA).

In this article, we provide practical guidance for all organisations that export data outside of the EEA on how to reassess their transfers of personal data outside of Europe in a post-Schrems II era.

The Schrems-II ruling of the European Court of Justice on Transfers of Personal Data outside of the EU

The European Union is known for its diligent approach to the protection of human rights. The GDPR, the regulation ensuring the right to personal data protection, limits all transfers of personal data outside of the European Union to ensure that the data and individual rights are not abused as soon as they cross the EU border.

The European Commission produced a list of 13 countries deemed to ensure a sufficient level of data protection, to which personal data can be transferred without limitations. That list also allowed a select group of companies based in the US to receive personal data from their EU partners. The requirement for companies in this group was to self-certify and join the so-called EU-US Privacy Shield. Until recently, more than 5000 organisations used the scheme, including Amazon, Facebook, and Google.

With its judgement, the CJEU has invalidated the EU-US Privacy Shield, making further transfers of personal data to those organisations in the US illegal. Additionally, the ruling impacted another mechanism, that of Standard Contractual Clauses (SCCs), which was used in 88% of international transfers, warning that these SCCs cannot always be used in transfers to third countries. It implied a similar fate for Binding Corporate Rules, another transfer mechanism for transfers within a corporate group.

As if this were not enough, the court left no grace period for organisations to understand their situation and come up with alternative transfer mechanisms applicable to their business model. It leaves thousands of transfers of personal data to the US and, presumably, to many other countries, unlawful. This is why a swift reaction is vital for companies in the EU.

Step-by-step guide to international data transfers after the CJEU ruling

Step 1 – Audit existing transfers 

To start with, prepare a list of all connections with companies that imply transfers of personal data outside of the European Union. Acknowledge that storing personal data on cloud servers in another country, or using third-party applications such as CRM, HR, payment systems, collaboration tools, video-conferencing or task managers, definitely implies an international transfer of data. Remember that involving contractors or software development agencies from third countries also implies international data transfers.

Next, figure out the transfer mechanisms used by these partner organisations and service providers. Most information can be gathered from public sources, e.g. company websites, but if not, we recommend contacting your service providers directly. The current mechanisms used by companies can be an adequacy decision (Art. 45 GDPR), the (defunct) EU-US Privacy Shield, Standard Contractual Clauses (Art. 46.3.a GDPR), Binding Corporate Rules (Art. 47 GDPR), or derogations (Art. 49 GDPR).

Step 2 – Choose appropriate safeguards

Pay specific attention to transfers of personal data to the US. While the situation with other third countries remains unclear, transfers of personal data to the United States cannot continue as they do at the moment. Companies that have relied on the Privacy Shield must consider adopting new safeguards, and Standard Contractual Clauses cannot be used by providers of cloud computing and telecommunication services.

If you already use or consider using Standard Contractual Clauses or Binding Corporate Rules for transfers under Art. 46, ask your partners and service providers whether they are subject to national laws that:

  • require indiscriminate surveillance / data collection from them by government bodies;
  • prohibit deletion of the transferred data at the end of your relationship with them;
  • limit the rights of concerned individuals (data subjects), such as the rights to be informed, to access, to rectify and to erase, upon request.

The restrictions above will be difficult to overcome with the available EU privacy safeguards, as confirmed by the CJEU judgement. This is exactly the case with transfers to the United States: under Section 702 of FISA (50 U.S.C. § 1881a), all “electronic communication service providers”, that is, providers of remote computing services, electronic communication services, or telecommunications carriers, must share the data that they store about foreigners with U.S. national enforcement agencies. As a result, it is considered that SCCs cannot be used for transfers of data to these types of providers at all.

For other types of partners and service providers, SCCs and BCRs remain a possible option, though additional examination will be necessary.

To make matters worse, foreign companies may be prohibited by statutory provisions from informing you about such requirements. The option in this case is to look into media coverage of such scenarios, as well as to check the national enforcement and judicial practice on data protection in their country. Best practice, however, is to treat companies that claim they cannot disclose such information as being under that statutory obligation, and to interpret that answer as indicating that they are likely subject to such national requirements.

Step 3 – Consider derogations or restructure the transfers

Art. 49 of the GDPR provides derogations from the rule described above. For case-by-case transfers, you can ask for explicit consent from the data subject. However, such an option seems unrealistic for transferring a whole database, as collecting consent from all concerned users may prove impractical.

You can also transfer personal data to third countries if it is necessary to perform the contract with your users or other data subjects. Unfortunately, this is only available for transfers that are strictly necessary, i.e. where the execution of the contract takes place on U.S. territory (or in another third country). That said, the mere convenience of transferring the data to the U.S. cannot be regarded as a “necessity”, nor can the cost of the offered solution alone be a determining factor.

Finally, as a temporary measure, a company can argue that it has legitimate interests in the international transfers. This option can serve as temporary relief for those companies that need time to re-architect their processing activities following the CJEU judgement. A transfer based on legitimate interests must not be repetitive. It must concern only a limited number of data subjects, and must not be overridden by the interests or rights and freedoms of the data subject. Two conditions apply when relying on this derogation: you must inform your supervisory authority and the data subjects about the transfers. Thus, legitimate interests may be used as a temporary measure while searching for a more reliable transfer mechanism.

There are many situations where none of the above options can be used by an EU company. For example, it is fairly difficult to come up with a solution for transferring personal data to cloud hosting providers in the U.S. or to EU subsidiaries of those companies. In such cases, a strong decision is needed: that of restructuring your data processing and stopping transfers of personal data outside of the EU. Only local EU service providers would then be used, particularly those not under a legal or contractual obligation to transfer data back to the US, or merely to allow other entities access to it.

Conclusion: what to do after the Schrems-II ruling

Until new guidance from the EU regulators is issued, in particular the EDPB and the EU Commission, the situation with international transfers remains rather vague, to say the least. In accordance with its announcement in the assessment of the first 2 years of the GDPR, the European Commission is also working on new transfer mechanisms. The new safeguards should allow transferring personal data outside of the EEA more easily. This work is much awaited, considering that the current SCCs predate the GDPR and are therefore not fully in line with its provisions.

In the meantime, the companies are left with few options:

  1. To amend their processing infrastructure and limit transfers of personal data outside of the EU; or
  2. To take a risk and try to come up with protective measures to complement these unstable mechanisms, in an attempt to consolidate the current mechanisms. However, until the European Data Protection Board drafts guidance on such measures, their choice ought to be carefully examined by data protection professionals.

This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.

If your business relies on international transfers of personal data, the TechGDPR team provides practical and actionable assessments for organisations to find a solution for each case. Feel free to reach out if you need further help.
