Data Transfer Risk Assessment


Until July 2020, thousands of businesses across European nations and the United States of America regularly transferred data amongst themselves. The Privacy Shield Agreement governed those data transfers.

However, the framework for data transfers was invalidated by the European Court of Justice (CJEU). That case has come to be known as Schrems II. In those proceedings, the court was compelled to examine standard contractual clauses (SCCs), which are mechanisms for data transfers between the EU and the United States.

Since then, organizations on both sides of the Atlantic have been left in a sort of legal limbo with regard to the international transfer of personal data. The implications are dire, as the Schrems II case could entail consequences for businesses that go far beyond the penalties already outlined by the EU's General Data Protection Regulation (GDPR).

With that in mind, let's take a hard look at Schrems II and why it matters. We'll also go over why data transfer risk assessments are now necessary, provide some suggestions for modifying SCCs, and outline what companies (especially in the U.S.) may be required to do to bring themselves into compliance with the CJEU's ruling.


Data Transfers and Schrems II

It's crucial for American businesses to understand that Privacy Shield is no longer in effect.

Until July 2020, over 5,000 U.S. based organizations took part in Privacy Shield. Thousands of EU organizations also depended upon Privacy Shield when transferring personal information to their American counterparts.

Virtually overnight, however, the criteria for transferring data lawfully lost all certainty, as the CJEU's ruling led to the Irish Data Protection Commissioner's (DPC) directive that Facebook Ireland Ltd. cease data transfers from the EU to the U.S., as reported in the Wall Street Journal headline below:

[Image: The Wall Street Journal article headline: "Ireland to Order Facebook to Stop Sending User Data to the US"]

For those who don't know, Schrems II is the sequel to a case that came about when Max Schrems filed a complaint against Facebook with the Irish data protection authorities (DPAs). Max filed his complaint, arguing that Facebook had allowed the United States government access to his personal information, which was against the EU's data protection laws.

In Schrems II, a challenge was made to data transfers carried out based on the EU Standard Contractual Clauses (SCC). This choice was made since SCCs had become the alternative mechanism Facebook chose to depend on to ensure its EU to U.S. data flows were legitimate.

Ultimately, the CJEU's ruling did not invalidate SCCs for transfers to data processors. However, organizations must evaluate whether these SCCs provide enough protection considering the fact that public authorities and the legal systems in third countries may gain access to any transferred information. That's where data transfer risk assessments may need to come into play.

For companies like Facebook which have enterprises based on selling advertising space that in turn is based on user data, the CJEU's decision could be a significant setback to business activities. Indeed, that fact seems to have been lost on many organizations busy preparing to comply with the GDPR and other data privacy regulations.

Messing up and failing to bring your company in line with the GDPR can result in steep monetary penalties. However, if you ignore the Schrems II ruling, when it comes to the transfer of private information, regulators could completely prevent your business from exporting any data you've gathered within the EU.

Be Ready for Changes to Occur Suddenly in Data Transfer Laws


Unless there are significant changes to surveillance laws in the United States, Schrems II clarified that sooner or later, a decision will be made to restrict continuous data flows to the United States. Tech companies like Facebook (and any others that take advantage of user data to make a profit) must therefore start working on a contingency plan that takes into account possible restrictions.

Consider the following:

  • It's now up to the data protection authorities in the countries that receive information to uphold EU law, just as the Irish DPC is expected to
  • Since there is no comprehensive, all-inclusive fix right now, any interim solutions companies come up with are likely to be inefficient and won't cover all bases
  • Some workarounds to the Schrems II decision could ultimately be invalid

Data Transfer Risk Assessments and Compliance


For the moment, companies like Facebook Ireland Ltd. are relying on SCCs or Binding Corporate Rules (BCRs) to transfer personal, private information outside the geographic borders of EU member states. Following Schrems II, these organizations must now evaluate whether laws in destination countries ensure sufficient protection for the transferred data.

If these organizations discover that there isn't the same level of protection as guaranteed by the laws of the EU, they must implement additional measures that will, for all intents and purposes, provide that level of protection.


As noted above, Schrems II focused heavily on concerns over access rights to data by American government surveillance practices for national security purposes and any associated rights and remedies for individuals.

Now, in essence, companies must conduct data transfer risk assessments if they wish to transfer information from a nation within the European Economic Area (EEA) to a destination in a country outside it.

In that risk assessment, companies need to evaluate whether the data protection regulations in each country are adequate as well as whether BCRs or SCCs (or any other mechanisms) remain sufficient.

Binding corporate rules apply to the transfer of data within one legal entity or group of entities. However, they don't apply to the transfer of data between unrelated entities. BCRs don't necessarily protect companies against interference by government agencies within the destination country, so companies might have to put additional data safeguards in place depending on the country involved.

On the other hand, SCCs are done per contract. Any time an agreement is entered into by a company to transfer data to another organization, it has to fill out an SCC as well as the adjoining annex. The annex to the SCC goes over the information these organizations will send to each other.

The issue that arises with many SCCs is that companies don't actually read the entire contract. Moreover, the annexes are rarely filled out. If the latter doesn't happen, both organizations are non-compliant.

Besides the above, after the Schrems II ruling, companies now have to prepare and fill out yet another annex. This annex must specify exactly which extra safeguards of a technical, legal and operational nature the company will put in place to protect data against potential government interference.

Additionally, these safeguards might also depend on the nature and volume of the information. However, specific regulator guidance on this issue hasn't been provided yet.

Take an Aggressive Approach to Changing Privacy Regulations

In a perfect world, the European Data Protection Board (EDPB) would evaluate the economies most relevant to international data transfers and then suggest which safeguards are most advisable to ensure safe transfers.

Since those recommendations haven't been published, it's up to the privacy industry to come up with mechanisms for safe, legitimate data transfers to ensure some kind of standardization. The reason for that is the fact that it will be practically impossible for organizations without sufficient resources to make data transfer risk assessments of the data laws within every country to which data might be sent.

Until such standardization exists, companies may be able to help prepare themselves for any final decision by doing the following:

  • Examine their international flows of data and begin a case-by-case evaluation of what further measures may be needed to safeguard the information from government interference.
  • Examine their agreements regarding data-processing and make sure that, where relevant, SCCs and their annexes are fully filled out and signed.
  • Examine the amended draft SCCs and participate in the stakeholder consultation. When the European Commission nails down the final form of the new SCCs and approves them, companies will need to work with any updated clauses "as is."
  • Examine the EDPB's processor/data controller guidelines.
  • Look for ways to automate privacy law assessments. Companies must hold themselves accountable for understanding any data privacy risks they face and how those dangers relate to the various international laws.

Specific U.S. Guidance


Baden-Württemberg's data protection authority published guidance on the international transfer of personal information.

The guidance is the first thorough attempt by a European privacy supervisor to indicate how the Schrems II decision may be enforced. A checklist for Schrems II compliance is included, as well as suggestions for changing the SCCs to allow companies to document their intention to fully comply with the law.

There are two main sections within the guidance for organizations with operations that are cross-border. These sections shed light on what the DPA considers "additional measures," which companies can take to support transfers of personal information from the EU to the United States:

  • Privacy Shield: According to the DPA, the "Privacy Shield no longer represents a valid legal basis" for transfers from the EU to the U.S. Moreover, "transfers that occur in spite of this are illegal and can result in fines or claims for damages."
  • SCCs: As stated by the DPA, based on SCCs, transfers of data to the U.S. are "conceivable, but will only rarely meet the ECJ's requirements for an effective level of protection." Therefore, data transfers to the U.S. must be subject to "additional guarantees," which will "effectively prevent access by US intelligence services."

Examples of additional guarantees that might be considered adequate are offered by the DPA.

They include:

  • The anonymization or pseudonymization of data, where the data exporter alone has the ability to re-identify the data, and
  • Encryption wherein "only the data exporter has the key and which cannot be broken by U.S. intelligence services."
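The pseudonymization safeguard above hinges on one detail: the importer must not be able to re-identify the records, and only the exporter may. The following is an added example (not code from the article or the DPA) showing why that calls for a keyed pseudonym under an exporter-held secret rather than a plain hash, which an importer could reverse by hashing guessed identifiers. The `Exporter` class, the `subject_id` field name and the sample records are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the demonstration; not real personal data.
RECORDS = [
    {"email": "alice@example.org", "plan": "pro", "country": "DE"},
    {"email": "bob@example.org", "plan": "free", "country": "FR"},
]


class Exporter:
    """EU-side data exporter.

    Holds the pseudonymization key and the re-identification table. Neither
    is ever sent to the importer, so only the exporter can map a pseudonym
    back to the original identifier.
    """

    def __init__(self, key=None):
        # 256-bit secret; generated fresh unless a key is supplied (tests).
        self.key = key if key is not None else secrets.token_bytes(32)
        self.reident = {}  # pseudonym -> original identifier (exporter only)

    def pseudonymize(self, record, id_field="email"):
        """Replace the direct identifier with a keyed HMAC-SHA256 pseudonym."""
        ident = record[id_field]
        pseudonym = hmac.new(self.key, ident.encode("utf-8"), hashlib.sha256).hexdigest()
        self.reident[pseudonym] = ident
        out = {k: v for k, v in record.items() if k != id_field}
        out["subject_id"] = pseudonym
        return out

    def reidentify(self, pseudonym):
        """Exporter-only lookup; returns None for unknown pseudonyms."""
        return self.reident.get(pseudonym)


def export_batch(exporter, records):
    """What actually crosses the border: records with pseudonyms, no key."""
    return [exporter.pseudonymize(r) for r in records]


def unkeyed_guessing_succeeds(exported, guessed_identifiers):
    """Model an importer (who lacks the key) trying to re-identify by
    hashing guessed identifiers with plain SHA-256. With a keyed HMAC this
    never matches; with a plain hash pseudonym it would."""
    ids = {r["subject_id"] for r in exported}
    return any(
        hashlib.sha256(g.encode("utf-8")).hexdigest() in ids
        for g in guessed_identifiers
    )


if __name__ == "__main__":
    exporter = Exporter()
    batch = export_batch(exporter, RECORDS)
    for r in batch:
        print(r)  # importer's view: subject_id, plan, country
    print("importer can guess:", unkeyed_guessing_succeeds(batch, ["alice@example.org"]))
    print("exporter re-identifies:", exporter.reidentify(batch[0]["subject_id"]))
```

The same split applies to the encryption variant the DPA mentions: data is encrypted before export under a key that stays with the exporter, so the importer (and anyone compelling the importer) holds only ciphertext. The pseudonym is deterministic for a given key, which lets the exporter join later batches on `subject_id` while still being the only party able to resolve it.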

The Guidance Checklist


The guidance includes the first Schrems II checklist for organizations released by an EU supervisory authority. A brief overview of the checklist, which the DPA expects organizations to follow "immediately," is provided below.

  • Keep records and an inventory of all data transfers to third countries
  • Contact and inform service providers in third countries of all "consequences" associated with Schrems II
  • Research relevant laws in all third countries
  • Ascertain whether data protection laws in third countries have been found sufficient by the Commission
  • Make a determination as to whether SCCs may still be used without additional measures if it is discovered that third country data protection laws are not sufficient
  • Make a determination as to whether SCCs that have additional guarantees may be used to transfer personal data to a third country

    • According to the DPA, this determination ought to focus specifically on "whether you can relatively avoid access by others" to the transferred data. This could possibly be accomplished through:

      • An "agreement that data will be hosted within the jurisdiction of the GDPR or that no transfers to the US will occur," and
      • Encryption

      In addition, companies should alter the SCCs "to document and demonstrate your intent to act in accordance with the law."

According to the Guidance, the GDPR's Article 49 exemptions are a "conceivable" foundation for data transfers if SCCs aren't available. However, they will still be interpreted "restrictively."

Nevertheless, the DPA stipulates that the GDPR's Article 49 exemptions "can in particular be considered for data transfers within a corporate group" or "within one-to-one contractual relationships" if the "restrictive character of [Article 49] does not stand in the way of the transfer."

The guidance suggests that the DPA will enforce its recommendations by identifying providers that have "transfer problems." The DPA will then discuss with local organizations why they are using those providers. If the local company is unable to persuade the DPA that the provider is "irreplaceable in the short- and medium-term by a provider without transfer problems," the DPA will forbid any further data transfers to that provider.

Therefore, larger providers might want to think about materials that would help customers show aspects of services that are irreplaceable, or that provide evidence of a "lack of transfer problems."

The bottom line is that following the Schrems II ruling, if your company wishes to transfer data from a business in the European Economic Area, you must now conduct a data transfer risk assessment. It would be wise to pay close attention to the Guidance provided by the German DPA on this issue and act according to the checklist provided.

William B.


Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.