International data transfers in the post-Schrems II reality

Dentons’ Privacy Community met on 3 February to discuss how to tackle data transfers from the EU and UK to third countries following the CJEU’s decision in the Schrems II case, the European Data Protection Board’s subsequent guidance, and the European Commission’s draft replacement Standard Contractual Clauses (SCCs). Here are the key takeaways:   

• The general picture: When exporting data to third countries based on the SCCs, or Binding Corporate Rules, data exporters must conduct an adequacy assessment (based on their data flows) and, to address any gaps, put in place supplementary measures to bolster the SCCs.

• The market approach to compliance is generally driven by a desire to comply with the ruling, although how this will be achieved depends on what type of organisation you are. For example, cloud service providers who import data to third countries are under pressure to reassure customers as regards handling requests from state agencies to disclose personal information, and some have proactively prepared statements about their supplementary measures.

• Most businesses are still in the planning phase of their effort to comply, or are in the process of mapping their data flows. This is generally due to an absence of definitive regulatory guidance. Organisations with comprehensive and up-to-date data maps (in their article 30 records) will find this process easiest!

• We are expecting a final decision on the EDPB’s supplementary measures guidelines in April. The market is keen to see a settled regulatory approach, and is generally hesitant to commit to implementing measures until this is confirmed. Once the guidelines have been finalised, we are also expecting national regulators to articulate what they think compliance with Schrems II looks like in practice – in particular, how to assess and address risk of use of the data by state agencies. In the meantime, it is worth keeping an eye on the German state regulators (all 16 of them), who have been proactive in trying to work through the issues raised by the ruling.

• As market practice evolves, organisations should prioritise an approach built on accountability (documenting transfer impact assessments) and diligent data mapping. The regulators might not expect perfection at this stage, not least given the complexity of conducting local law assessments in practice (one of the elements raised in the Schrems II judgment and the EDPB guidance) (… the European Commission takes years to reach its own adequacy decisions!).  

• For transfers to the US, organisations can build an understanding of US surveillance law into their choice of supplementary measures. Recognising the kinds of organisations likely to receive a warrant under the Foreign Intelligence Surveillance Act s.702 in practice, coupled with an understanding of the jurisdiction of these warrants, allows organisations to mitigate the risks of those transfers: removing encryption keys from the jurisdiction of FISA 702 is an example of this. Individuals can be better protected where their information is held within the US, rather than where it is held by a US organisation elsewhere.

• The new modular SCCs are a welcome development that plug a number of gaps in the existing clauses, but in their draft form pose a number of challenges. In particular, provision for processor-to-processor transfers, as well as reverse transfers, are welcome developments. However, the practicalities of implementing the new clauses within the one-year grace period will prove challenging for organizations with complex data flows, particularly as they grapple with Schrems II compliance in parallel.