In July we wrote an article reporting on the recent Schrems II judgement. By way of a reminder, this was the successful legal challenge issued by Mr. Schrems against the US Privacy Shield framework for the transfer of personal data between the EU and the US. The European Court of Justice (ECJ) agreed with Mr. Schrems and determined that the US Privacy Shield framework did not offer an adequate level of protection for data transfers between the US and EU.
This has created significant issues and challenges for any company which deals with the transfer of personal data from the EU (including the UK) to the US.
Businesses, lawyers and academics have been grappling with the practical challenge of how EU-US data flows can continue in the absence of the Privacy Shield framework. To date, we have not received any definitive guidance from the ECJ or the European Data Protection Board (EDPB) as to how the situation can be resolved. However, as any professional involved in this area will attest, it is not acceptable to simply ignore the decision.
Companies should be taking steps now to assess the risks that Schrems II poses to their business and to address those risks, particularly as the general consensus is that definitive guidance from the EDPB may not arrive any time soon: it could be months; it could be years.
Any business which controls or processes personal data, and transfers such personal data to the US, should be taking steps now to identify the risks raised by Schrems II.
It should also be noted that the term ‘transfer of personal data’ as defined within the GDPR, is very broad in scope. If a third party can ‘access’ personal data held on a server, then such access will be deemed to fall within the definition of a ‘transfer’ for the purposes of GDPR. This is a critical point.
Many companies use cloud providers both to store their own personal data (in respect of which they are data controller) AND to store their customers’ personal data (in respect of which they are data processor). Many companies are of the view that if such cloud providers have data centres based in the EU, then such personal data is not being ‘transferred’ outside the EU and, as a result, they are compliant with GDPR requirements.
This may not necessarily be correct. If a cloud provider is a US registered company, and that US company can access (if it wishes) the personal data stored in its EU data centres, then arguably such ability to access the personal data will amount to a transfer of personal data for the purposes of GDPR. Critically, this means that such cloud providers STILL fall within the Schrems II decision, irrespective of personal data being stored on servers based in the EU. Accordingly, it may be necessary to take further steps to ensure such cloud providers can offer adequate safeguards to protect the personal data held within their EU data centres.
It is the data controller’s responsibility to take steps to protect their personal data, and to ensure their data processors are compliant with the GDPR. However, that does not mean data processors can ignore the issue.
A data controller will be seeking to verify that their data processors are compliant with the GDPR, and this will mean taking steps to ensure that (a) no personal data is transferred to the US; or (b) if personal data is transferred to the US, that it is done in a manner which addresses the issues raised by Schrems II.
Failure to do so may result in a data controller being in breach of the GDPR and facing fines and other penalties enforced by their relevant Supervisory Authority. If a data processor has been culpable in causing a data controller to breach the GDPR, the data controller will look to pass some, or all, of the liability incurred from fines down to the relevant data processor.
Accordingly, it is important that every entity within the data processing chain is alive to and meets the requirements of the GDPR, including the requirements following Schrems II.
As yet, we have not received any firm guidance from the EDPB as to what best to do. The judgment provided by the ECJ stated that any EU-US transfers of personal data must be made either on the basis of the Standard Contractual Clauses (SCCs) or the Binding Corporate Rules (BCRs), but crucially it was confirmed that these contracts would only be sufficient if they were supplemented by ‘additional safeguards’. Unfortunately, little guidance was offered as to what such ‘additional safeguards’ would be.
As the dust has settled, various proposals as to what the additional safeguards might be have come to the fore. These include the following:
Specifically in relation to pseudonymisation of personal data, it is worth noting that the definition of pseudonymisation has been updated. Pseudonymisation now requires that (i) personal data cannot be linked to a specific data subject without using other ‘additional information’; (ii) the ‘additional information’ is kept separate from the personal data being transferred; and (iii) technical and organisational measures ensure that personal data cannot be attributed to an identifiable person without access to that separately and securely stored ‘additional information’.
We recommend checking with your data processors (and, if necessary, seeking evidence) that such additional safeguards are in place and, if they are not, requesting that your data processors put such safeguards in place where possible.
The above safeguards are also excellent methods of complying with the GDPR requirements of “Privacy by design and default”. They will enhance your data security mechanisms overall within your business, and embed a further cultural shift towards the protection of personal data which is the ultimate aim of the GDPR.
Ignore this issue at your peril; fines for non-compliance can be up to 4% of turnover AND/OR a Supervisory Authority can require that personal data that is at risk is no longer processed.
We will continue to monitor the position and report to clients the latest developments in this area as and when they materialise. In the meantime, if you need any assistance implementing the guidance detailed in this bulletin, please contact Rebecca Kelly at Rebecca.firstname.lastname@example.org.