While the coronavirus pandemic is the world’s primary source of chaos, some American companies have had a serious added headache to deal with in the form of the Schrems II decision. The unexpected ruling from the EU’s highest court effectively invalidated the legal status of all international data transfers to and from the country, effective immediately. The world has been waiting for the European Commission to shine some light on the way forward, and the first step has finally arrived in the form of detailed guidance from the European Data Protection Board (EDPB).
The biggest development is the mapping out of specific added safeguards that comport with the Schrems II terms. However, the key takeaway is that companies based in countries that do not have national privacy laws considered to be on par with the EU (including the US) must still expect a very rigorous assessment and adequacy decision from a Data Protection Authority (DPA) and cannot anticipate passing it based solely on implementation of these new EDPB guidelines.
EDPB clarifies handling international data transfers, but does not provide a “magic bullet” solution
The EDPB’s new roadmap is meant to clarify exactly when foreign data protections are considered “adequate” for the purpose of meeting post-Schrems II standards, and to enumerate some approved safeguards that may apply in countries that do not meet the standard. The recommendations on supplementary measures are structured to speak directly to the data exporters and compliance personnel (primarily at American companies) that will be implementing them.
The EDPB breaks this all down into a six-step process. The first step is to map transfers to countries that are not presently considered “adequate” data partners by the EU; identifying all of the applicable personal data that is exchanged internationally and sorting out how they are presently governed (for example, with standard contractual clauses (SCCs) or other types of GDPR Article 49 derogation). This includes not just transfers passing from the EU to American companies, but also any outflow of EU citizen information that might then head to a third country after passing through the US. The adequacy of all countries that ultimately handle the data must be considered.
The second step is to identify a transfer mechanism for each, which is the “easier said than done” part that the world has been stuck on since the Schrems II decision came down. The only assistance that the EDPB provides here is to suggest usable encryption safeguards that could apply to data that is passing through an inadequate country en route to its eventual processing in an adequate one. The guidance also notes here that future Court of Justice rulings might invalidate today’s legally binding agreements, something that has put the use of SCCs in flux.
The third step tackles what is essentially the issue of potential government surveillance along the route of international data transfers (the central theme of the Schrems II case), calling for an assessment of “the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on.” This step reinforces the idea that countries handling the data must have a robust national data privacy law on par with the terms of the GDPR, calling for direct assessment of the relevant laws and any special protections granted to foreign data. It makes clear that subjective assessment of the likelihood of the government bothering to access the data in any particular isolated transfer case is not relevant and will not help an organization’s case.
The fourth step enumerates most of the supplementary measures that members in countries of “inadequate” status are no doubt most interested in. These supplementary measures apply within the context of countries found in the third step to have the legal ability or established practice of interfering with international data transfers. There are a number of examples, the most detailed of which is a six-point standard for encryption protocols that can be used when passing data through an inadequate country to another destination. Some other options include pseudonymization methods and potential multi-party processing scenarios. This step also covers a number of contractual guarantees and technical protections that will need to be paired with some of these methods to achieve a status of “essentially equivalent” protection.
Step five tackles specifics for proper documentation of the chosen methods for international data transfers and supplementary safeguards, and step six establishes requirements for periodically reviewing the adequacy of these arrangements in light of the Schrems II terms.
The continuing process of untangling Schrems II
The new set of EDPB guidelines is far from an “out of the box” solution to the Schrems II problem. Data privacy and legal analysts are pointing out that it will take some further weeks (or possibly months) of in-depth analysis to nail down some components of it. The burden placed on organizations to protect international data transfers is also substantially greater than it was before the Schrems II ruling, to the point that some may find proposed safeguards too onerous to actually implement. The one sure solution to international data transfers that it leaves us with is the one that was already in place; ensuring that protected personal information is only shared with entities in the dozen or so countries that the EU has whitelisted as “adequate.”
The new EDPB guidelines for international data transfers are currently in a consultation period before being formalized at the end of November. The general expectation is that no significant changes will be made by then given how detailed the initial guidelines are.