Between a rock and a hard place: international data transfers
Do you transfer data outside the EU?
Under Chapter V of the EU’s General Data Protection Regulation (GDPR) we are required to identify a legal basis for any transfer of personal data outside the EU. This includes the storage of personal data on servers that are housed outside the EU’s jurisdiction. A ‘legal basis’ may be an adequacy decision, the Standard Contractual Clauses (also known as the Model Clauses), Binding Corporate Rules, or a derogation such as the explicit consent of data subjects for non-regular transfers.
What has changed recently in relation to EU-US data transfers?
In July of this year, the European Court of Justice invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield, without a grace period. (You may know this decision as the “Schrems II” judgment.) In simple terms, the consequence of this judgment is that data transfers between the EU and the US that relied solely on the Privacy Shield to provide adequate protection no longer have a legal basis for transfer. The Schrems II judgment not only invalidates the Privacy Shield, it also casts doubt on whether contractual arrangements using the Standard Contractual Clauses (SCCs) can validly be entered into with data recipients in countries whose surveillance practices are incompatible with the guarantees that GDPR standards require for the protection of personal data.
Will anything change when the UK fully leaves the EU at the end of 2020?
It is unlikely that the United Kingdom will be granted an adequacy decision in the very near future, which leaves us in a similar position when considering EU-UK data transfers. Can we rely on entering into the Standard Contractual Clauses now, post-Schrems II, to cover the EU-UK data transfers? Possibly not.
What to do next?
Currently, for transfers to the United States we cannot rely on the Privacy Shield and, most likely, cannot rely on the Standard Contractual Clauses either. However, there is commentary suggesting that if you have already entered into the Standard Contractual Clauses you should leave them as they are, for now, but that you should try not to enter into these agreements going forward as a stop-gap for the invalidation of the Privacy Shield.
For next steps we look to the Data Protection Commission (DPC) for guidance. Currently, there is none. However, according to a quote in a recent press release, “While noting the Court’s reference to the fact that a supervisory authority could not suspend data transfers while an adequacy decision - such as Privacy Shield – was in force, the DPC acknowledges the central role that it, together with its fellow supervisory authorities across the EU, must play in this area. In that regard, we look forward to developing a common position with our European colleagues to give meaningful and practical effect to today’s judgment.”
Have you done your risk analysis?
In the absence of guidance from the DPC, we can look to the European Data Protection Board for guidance. Again, there is no formal guidance; however, according to their FAQ document, “the...Decision imposes an obligation on a data exporter and the recipient of the data (the “data importer”) to verify, prior to any transfer, and taking into account the circumstances of the transfer, whether that level of protection is respected in the third country concerned… Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.”
Some practical next steps for SMEs
1. Assess your vendors and data transfers to determine whether or not any data is being transferred by your organisation outside of the protection of the GDPR (outside the EU).
2. Once you have determined the location of the third countries (include the United Kingdom in your assessment), you can then determine whether or not any of the countries enjoys an adequacy decision.
3. Look at the relationship and agreement you have in place with each of your vendors to which you export data and determine the legal basis for that transfer. Are you doing the transfer on the basis of an identified adequacy decision, binding corporate rules, the Standard Contractual Clauses, explicit consent, etc.? Document your findings.
4. Assess the legal regime of the country to which you export in order to determine whether or not there is an adequate level of protection afforded to data subjects’ personal data in the country to which you export this personal data. (For the United States particularly, you will find detailed guidance on how to perform this assessment on the ‘None of Your Business’ (NOYB) website.)
5. Once you have performed your assessment and drawn and documented your conclusions on the adequacy of protection, you should determine whether or not you will continue exporting data that does not enjoy protection. Are you in a position to change vendors easily? Is this a quick-win option for you? Or are you looking at complicated organisational repercussions that require a longer-term plan? Will you raise a risk and accept this risk? Document all your decisions.
Looking forward, Reuters recently reported that there may be a revised mechanism available by Christmas that will allow companies to transfer data around the world. In light of this, we would not advise making rash decisions regarding vendors and transfers that are an integral part of your operations. In the interim, investigate, document, and decide whether to act or wait. Where necessary, open discussions with vendors in readiness for a revised mechanism or other necessary negotiations… And keep ‘data sovereignty’ on your radar as an upcoming topic of interest.
Philipa Jane Farley
ProPrivacy
ProPrivacy is run by Philipa Jane Farley, an expert consultant trained in technology and fundamental rights law, who holds an AI (computer science) programming degree.
ProPrivacy makes it easy to manage your business’s risk level and ensure you don’t get tangled up in bureaucratic red tape. ProPrivacy is backed by more than twenty years’ experience in data and cyber security governance, risk and compliance management.
For a free, no-obligations chat, email info@proprivacy.ie or contact Philipa on 0838274889.