A 6-step process for aligning global data flows- Schrems II

EDPS (European Data Protection Supervisor) investigations in the recent months have highlighted how dependence of organisations to use cloud services for processing of personal data has led to increasing risks to privacy of data.

Organisations around the world are coming together to establish sovereign cloud services for European Union (EU) companies, as a result of the Schrems II ruling which has invalidated the ‘Privacy Shield’ as a legitimate data transfer mechanism between USA (Unites States of America) and the EU.

EU and US trade market was facilitated as per Safe Harbour transfer rules in the early 2000s, however it was invalidated in 2013 as a complaint was filed with the Irish DPC (Data Protection Commission). The complainant alleged that a social networking site had allowed USA (United States of America) authorities to access the data of EU (European Union) citizens thereby violating the Data Protection Directive at the time (the predecessor of General Data Protection Regulation (GDPR). Post detailed investigation, the CJEU (Court of Justice of European Union), in 2015, invalidated the Safe Harbor agreement between US and EU.

In 2016, after further discussions and negotiations, the EU and US agreed upon the usage of a new mechanism for cross Atlantic transfer of data called the ‘Privacy Shield’. On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a verdict (Schrems II) that ruled the EU-US Privacy Shield invalidated due to concerns around surveillance by the US state and law enforcement agencies. On Privacy Shield many organisations relied to transfer data between the US and the EU.

Before the Schrems II verdict, the basis for data transfer outside the EU was based on three factors namely adequacy decision, appropriate safeguards, and derogations. Under appropriate safeguards companies relied upon measures such as standard contractual clauses (SCC), binding corporate rules (BCR), Ad hoc contractual clauses, International agreements, approved codes of conduct and certification mechanisms.

In November 2020, the European Commission released the revised Standard Contractual Clauses (SCCs) which can be used as one of the ways to facilitate transfer of personal data between data controllers and data processors, joint controllers in EU and third countries.

The Schrems II verdict has led to uncertainty within organisations with regards to transfers across regions, as the EU-US Privacy Shield is invalid. Data transfers between EU and UK have also been impacted due to Brexit. Moreover countries like India are unable to apply for an adequacy decision due to the delay in the release of the Personal Data Protection Bill (Draft PDPB). Therefore, navigating such a rapidly evolving ‘regulatory landscape’ has become a challenge for most data exporters and importers.

To help organisations align with the requirements of Schrems II, the European Data Protection Board (EDPB) handed organisations across the globe a new map to guide global data flows4.

This 6-step approach lists down how the new requirements are to be followed by organisations:

Step 1 -

Know your transfers: The organisation should assess the existing transfers and conduct a mapping of all transfers of personal data to third countries. Organisations must also verify that the data transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Step 2 – Verify the transfer tools: Gain an understanding of the transfer tool being relied upon for the transfers as per GDPR, whether it be the adequacy decision, appropriate safeguards (i.e. Standard contractual clauses (SCC); Binding corporate rules (BCR); Ad hoc contractual clauses and International agreements; Approved codes of conduct and certification mechanisms) or derogations.

Step 3 – Assess the transfer tool: For all transfers taking place, organisations should conduct an assessment to identify if any law or practice in the third country which may impinge on the effectiveness of the safeguards of the transfer tools the organisation is relying on.

Step 4 – Identify and adopt supplementary measures necessary to bring the level of protection of the transferred data as per EU standard: In cases where the assessment undertaken in step 3 reveals the third country legislation impinges on the effectiveness of transfer tools the organisation was initially relying on for transfers, supplementary measures need to be identified and adopted to ensure the required level of protection of the data transferred up to the EU standard of essential equivalence.

Step 5 - Take formal procedural steps for identification and adoption of supplementary measures to be identified by organization.

Step 6 – Re-evaluate at appropriate intervals: Organisations should monitor and re-evaluate the basis of transfers and level of protection afforded to the personal data transferred to third countries and developments in the third countries that may affect the initial assessment and basis of transfer.

Schrems II guidelines have changed the way organisations were practicing transfers of personal data across countries in past. The EDPB guidance provides a structure for the organisations to bridge the compliance gap for cross-border data transfers. It is the organisation’s (data exporter’s) responsibility to evaluate whether a third country (recipient country) has appropriate levels of safeguards as per current EDPB guidelines, before transferring personal data.

The CJEU rulings have established time and again that the U.S. and other countries (for instance, India), not under the adequacy decisions of EC, need to implement national data privacy regulations. The SCCs with added scrutiny are not the single solution to the secure cross border data transfer. The sooner the countries across the world roll out privacy regulations and laws providing their citizens the right to privacy through lawful basis of processing, the sooner the CJEU rulings for invalidation of cross border data transfer mechanisms will subside.

This article was originally published in CNBCTV18.