The Schrems II ruling by the Court of Justice of the European Union (CJEU) is now well-known, in particular its role in upending cross-border data transfers for many companies, including big organizations such as Microsoft and Apple. Additional requirements for data protection has companies scrambling, and a light has been shone on the extent to which companies were already non-compliant with basic GDPR requirements. After follow-up guidance from the European Data Protection Supervisor (EDPS), the European Data Protection Board (EDPB), and the European Commission, the way forward has become clearer. However, a number of things have changed that organizations will need to keep in mind when thinking about how to comply, and greater urgency is needed to bring decision makers up to speed on what is at stake if organizations fail in their efforts to comply.
What does the guidance say?
Out of the above named guidance documents, that from the EDPB was the most comprehensive in their advice for how to proceed with cross-border data transfers, including cloud and global-business transfers. The EDPB set out a number of lawful and unlawful use cases that show how organizations can move towards compliance (and things to avoid that will help in this process). Their lawful use cases include:
Data storage for backup and other purposes that do not require access to data in the clear should have strong encryption applied for data in transit or at rest.
GDPR-compliant Pseudonymization can be applied to data by the data exporter, who can then transfer the Pseudonymized data to a third country for analysis (data in use, such as for analytics and research).
Data that merely transits another jurisdiction should have state-of-the-art encryption applied.
Personal data may be transferred to a recipient that is protected by specific privacy laws in that country, such as for medical treatment (e.g. HIPAA).
Split or multi-party processing is permitted if data is split and then processed in multiple different jurisdictions, provided that controls are in place to prevent the different jurisdictions from combining the “split” data to enable reidentification.
In addition, the EDPB highlighted two unlawful use cases, one of which is critically important to note. Namely, transferring data that needs to be processed in the clear is now unlawful. The EDPB has clearly stated that data for processing should be protected by measures such as in use case 2 (Pseudonymization) or use case 5 (“split” multi-party processing). This means that you need to use these kinds of technical approaches to bring your clear text data into one of the lawful use-cases. In most cases, Pseudonymization will be more efficient and effective, and fits the use-case that most businesses want to use data for.
Why does this matter so much?
Following EDPB guidelines and getting into compliance with Schrems II requirements could be make or break for many organizations. Many people know that the Schrems II case struck down the Privacy Shield, the successor to the Safe Harbour agreement between the EU and the US. While this may appear like just another court finding that displays US “inadequacies” in the protection of EU personal data, several factors in the Schrems II case matter much more than you think.
First, the Schrems II case took a new step in terms of compliance and enforcement, and fundamentally shifted the burden of proof for organizations. Instead of taking a penalties-based approach, the court decided to focus on injunctions and the stopping of data flows as the relief of choice. This means that organizations can no longer simply factor fines into their budget and perform a process of regulatory arbitrage and budgeting; instead, organizations must account for complete halts to their data flows. Failures to comply could be devastating to business in the post-COVID recovery.
In addition, Schrems II also held that policy and contractual approaches to protecting data must now be supported with technical measures. Words alone are simply no longer enough, and are not perceived as adequate by courts or regulators in our new Big Data world. Technical approaches prevent the misuse of data, and protections must be applied at all steps along the data flow chain: in transit, in use, and in storage. Encryption for protection in storage and in transit has been long-established as a credible approach, but with rapidly expanding datasets, new approaches to conducting encryption are now needed. In addition, with analytics processes, machine learning and AI requiring large amounts of data to be processed and analyzed, protections such as Pseudonymization for data in use are now necessary. Organizations that have not understood these shifts, and have not moved to comply, may struggle with increased enforcement action, data flow halts, and a loss of a competitive edge in a time where economic growth is already difficult.
An additional factor at play is that concepts of collective action are becoming more common across the EU. One key example of this is with regard to the European Center for Digital Rights, also known as “none of your business” (noyb). The double dangers of class actions and injunctions mean that enforcement actions are even more likely, and organizations need to take steps to move away from preparedness, and towards real action and compliance.
How can companies comply with new cross-border transfer laws?
There are two major trends that are likely to emerge in the next year that can indicate to organizations how they should take steps to comply. First, the Schrems II decision, followed up by the EDPB guidelines and European Commission Standard Contractual Clauses (SCCs), are the first signs of a wave of change in data protection approaches. There will be a big shift from policy-only approaches to requiring the use of technical controls to protect data in transit, storage, and in use. Second, enforcement mechanisms will shift towards approaches that stop data flows or put injunctions in place, rather than fines. Fines can be deferred and paid later while data flows continue: injunctions stop data in its tracks and prevent business from continuing to abuse data subject protections. In addition, halting data flows stop business from functioning, meaning that having compliance measures and appropriate protections for data has become absolutely critical. These shifts mean that the earlier you comply with Schrems II requirements, the more ahead of the game you will be.
To move forward, your organization must have put in place reasonable and good faith efforts to comply with the provisions of Schrems II, and the EDPB guidelines. Applying technical measures such as strong encryption and pseudonymization can be done and solutions are immediately available. Organizations need to take steps to implement these technologies in their everyday business, at every level. Time is of the essence, and with quick implementation organizations can potentially even see a competitive advantage come to the fore.