To transfer, or not to transfer, that is the question

In Europe, data protection has been a fundamental human right for a long time, primarily through the right to privacy. Over the years, we have seen many improvements in technology that have enabled us to engage and interact with people across the world. However, the question is, how do organisations safeguard everyone’s personal dataInformation which relates to an identified or identifiable natural person. and ensure their right to privacy?

Background

In Europe, two distinct high-profile cases have challenged, shaped, and moulded the legal framework that governs how personal data from an EU based organisation is transferred to a US based organisation. These cases are known as Schrems I and Schrems II.

Schrems I saw the invalidation of the former EU-US Safe Harbour framework and Schrems II saw the invalidation of the EU-US Privacy ShieldUS Certification scheme, now replaced by Data Privacy Framework.. It may well be that there will be a ‘Schrems III’ which could invalidate, should it ever be created, a Privacy Shield 2.0.

Schrems II highlighted that regardless of how personal data is transferred and shared with the USA, US surveillance laws (FISA 702 and Executive Order 12.333) enable the US Government to access the personal data of European residents in the USA in contravention to the EU’s Charter of Fundamental Rights. Schrems II has also introduced uncertainty around the legal basis for data transfers to other ‘third countries’ (i.e. those outside of the EU) all over the world that have not received an adequacy decisionA decision adopted by the European Commission on the basis of Article 45 of the GDPR, which establishes that a third country (i.e. a country not bound by the GDPR) or international organisation ensures an adequate level of protection of personal data. Such a decision takes into account the country's domestic law, its supervisory authorities, and international commitments it has... (a rubber stamp from the EU Commission that data protection laws are of an adequate and comparable standard to those in the EU).

This outcome begs the question: on what basis should organisations in the EU now share and transferThe movement of data from one place to another. This could be, for example, from one data controller to another, or from one jurisdiction to another. personal data with organisations in the USA, or other third countriesCountries that are not part of the European Economic Area (EEA). not deemed adequate?

Data transfers promote business growth and development. The GDPR states you can use a variety of tools, these being:

• Adequacy
• Standard Contractual ClausesStandard Contractual Clauses are legal tools to provide adequate safeguards for data transfers from the EU or the European Economic Area to third countries. (SCCs)
• Binding Corporate RulesA series of data protection policies adhered to by companies established in the EU allowing for transfers of personal data outside the EU within a group of undertakings or enterprises. BCRs provide adequate safeguards when making restricted transfers within an international organisation if both sender and receiver has signed up to the BCRs. Guide to Binding Corporate Rules | ICO (BCRs)
• Derogations available under GDPR Article 49

Adequacy and the derogations have not been challenged by Schrems II as such, however, questions have been raised regarding the ability of BCRs and SCCs to ensure an adequate level of protection for personal data.

So, what can be done if you are a European organisation needing to transfer personal data to the USA or a third countryA country that is not part of the European Economic Area (EEA). not deemed adequate (which may include the UK after Brexit) using SCCs or BCRs? At the time of writing, the answer from the European Data Protection Board (EDPB) is to carry out a ‘risk assessment’.

What does a risk assessment consist of?

The answer, put simply, is we just do not yet know due to a lack of guidance. However, one possible way of assessing the risk is to conduct a Data Protection Impact AssessmentA formal documented assessment which allows decision-makers to identify, manage and mitigate any data protection risks associated with a project. (DPIA) to determine whether the laws in the country where the data importer is based – prior to any transfer and taking into account the circumstances of the transfer – afford an adequate level of protection and then adding the findings to your risk register.

Although the responsibility is now on data exporters and data importers to carry out an assessment, the EDPB confirmed that SCCs remain a possible basis for data transfers outside the EU/EEA, but emphasised that transfers to the US using SCCs would only be justified if additional measures were taken to ensure a level of data protection equivalent to that offered within the European Union.

Additional measures

As of yet, there is no clear guidance on what these measures are. We have compiled a list of additional measures that you could consider implementing in order to protect personal data transfers outside the EEA:

1. Can the data be anonymisedAnonymised refers to data that has undergone a process of transformation to remove or alter personal data in such a way that individuals can no longer be identified from it, and it is impossible for that process to be reversed and the data to be re-identified. Anonymised data is considered non-personal and falls outside the scope of the GDPR.? Anonymising the data that is transferred to the US, or any other country that has not received an adequacy decision, means it is no longer personal data and therefore takes it outside the scope of the GDPR.
2. Can the data be pseudonymised? Pseudonymising personal data can reduce the risks to data subjects. Ensure the information that is transferred to (or accessible by) organisations outside the EEA, and that have not received an adequacy decision, contain only non-identifying markers and that these organisations are unable to gain access to the identifiers.
3. Can additional layers of protection be included, such as encryption? Encrypt the information prior to the transfer.

First official guidance

Although the guidance from the UK Information Commissioner’s OfficeThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. (ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).) remains unclear, the German supervisory authorityAn authority established by its member state to supervise the compliance of data protection regulation. has been the first to provide guidance on data transfers following the Schrems II ruling. It is possible that the UK may take a similar stance.

The Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg (LfDI BW) reiterated that the Privacy Shield is invalidated and it no longer constitutes a valid legal basis for data transfers. The LfDI BW also stated that organisations still relying on the Privacy Shield can now be prosecuted, which could result in fines and claims for damages.

Regarding SCCs, the LfDI BW’s stance is that they are valid unless the destination country’s authorities are authorised by law to processA series of actions or steps taken in order to achieve a particular end. personal data in a manner which violates EU data subjects’ rights, e.g. access to personal data by intelligence agencies. In such cases, supplementary measures to provide adequate protection are needed; these measures should be determined by the data exporter. If additional measures are in place but an appropriate level of protection cannot be guaranteed, the transfer of personal data has to be suspended or stopped.

For transfers to the US based on SCCs, this means additional measures are required. The LfDI BW deems it necessary to prevent US intelligence agencies from accessing transferred personal data. They identified the following types of additional safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the...:

• Encryption where only the data exporter has the key and which cannot be decrypted by US agencies; and
• Anonymisation or pseudonymisation where only the data exporter can link the data to a natural person.

Conclusion

By taking the above actions into consideration, this evidences and highlights what you and your organisation should be preparing to do in light of the Schrems II judgement. We can only wait for future guidance from the EDPB or a case decision regarding what will be deemed a suitable risk assessment and appropriate supplemental measures.

The Chairwomen of the EDPB has confirmed that they are working on producing guidance on this matter, and the Commissioner of the European CommissionOne of the core institutions of the European Union, responsible for lawmaking, policymaking and monitoring compliance with EU law. has stated that a revised set of SCCs should be with us by the end of the year. It therefore seems that we may not be waiting too long for some direction. We will be sure to provide an update as soon as the effects of these developments become clear.