In our latest webinar, we looked at the EU data transfer fallout from Schrems II. Any company transferring data outside the EU needs to identify any risks arising from international transfers to ensure it can comply with EU levels for protecting personal data. That was one of the key conclusions from BH Consulting’s webinar about lawful data processing after the ‘Schrems II’ court decision.
The event featured a panel of data protection and cyber security speakers who gave an overview of the latest developments and recommended practical steps to deal with last year’s CJEU decision, which invalidated the EU-US ‘Privacy Shield’ data sharing mechanism.
First up, BH Consulting founder and CEO Brian Honan gave some context to explain why this issue has emerged. As more and more of us spend our working and personal lives online, communicating and exchanging information, it’s important to strike a balance between the privacy rights of individuals and the ability of law enforcement to investigate crime.
The changed EU data transfer landscape
The EU General Data Protection Regulation (GDPR) came about because of the need to protect personal information and to stop its abuse. In today’s connected world, that can include warrantless searches of data that many non-EU countries’ laws allow. This was the backdrop to the CJEU’s decision last year to invalidate the US-EU data sharing mechanism known as ‘Privacy Shield’.
The issue of data transfers affects data controllers and processors, as Tom Knierim, data protection consultant with BH Consulting, explained. The GDPR governs how data can be transferred legally outside of the European Economic Area, and the regulation includes an entire section about transferring data lawfully. The main objective for the EU is to only allow international transfers if the country you are transferring to can guarantee the same level of protection as an EU country does, he said.
This doesn’t just affect transfers of data to the United States (the reason for the CJEU decision) but to all countries with similar laws that can’t guarantee a safe level of protection for personal data. The UK no longer falls under GDPR’s wing because of Brexit. As we wait for an adequacy decision to determine if the UK is a suitable ‘third country’ for transfers, there is a six-month grace period to allow organisations time to consider alternative arrangements for their data transfers. “Preparation should be well under way,” Tom said.
European Data Protection Board recommended measures
Next, Anne Marie Moore, data protection consultant with BH Consulting, looked at guidelines from the European Data Protection Board which came out late last year. The advice sets out a series of measures that companies can use to apply the principle of accountability to data transfers in practice.
The first step is to know the transfers. Then, businesses should identify the transfer tool they rely on (such as standard contractual clauses, binding corporate rules and so on). Next they need to establish if that tool is effective in the destination of the data. If not, there may be supplementary measures that can fill the gaps. These can be technical measures such as encryption, pseudonymisation or split processing, which prevent the transferred data from identifying an individual. Other approaches include contracts or internal company policies.
Tracy Elliott, data protection consultant with BH Consulting, explained how standard contractual clauses (SCCs) predate the GDPR but an update is expected around the end of February following a consultation process. “Standard contractual clauses by themselves are not enough, and they are difficult for a business with no in-house legal counsel,” Tracy said.
Transfer Impact Assessments and their role in understanding risk
To better understand the risk, companies can carry out a transfer impact assessment, Tracy said. This is the equivalent of a data protection impact assessment under GDPR, and it involves mapping the data of a business to identify which countries it is sending data to, and to which vendors in those countries. Any companies in the EU are automatically covered by GDPR, so removing them from the list should narrow down the group to a smaller number of “risky vendors” that might not be using methods that comply with GDPR. Sometimes this process can simplify matters for a company; for example, if it is not using the data it gets from Google Analytics about its website, the easiest decision might just be to turn it off, Tracy said.
Above all, the advice for any company transferring data outside the EU is to identify and grade the risks. “The mere fact of doing a transfer risk impact assessment means you can demonstrate to the regulator that you made a business decision, as opposed to ignoring the problem,” Tracy said.
The key takeaways from the webinar were:
- Data mapping: understand and update your data flows
- Assess your international transfer mechanisms
- Consider how to do the assessment of third countries
- Consider which supplementary measures are required on a case by case basis
- Initiate contractual amendments
- Document your assessments
- Create/update policies and procedures
- Keep up to date on further developments.
You can catch the hour-long webinar on the BH Consulting YouTube channel. Our data protection team also published a series looking at the fallout from the ‘Schrems II’ decision, and you can read parts one, two and three on our blog.