On September 24, 2020, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) released a new paper (the “Paper”) on the Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision.
The Paper follows the recent decision of the Court of Justice of the European Union (the “CJEU”) to strike down the EU-U.S. Privacy Shield framework (the Schrems II case (case C-311/18)) due to the level of access government authorities in the U.S. have to personal data and the fact that there is no remedy available to EU individuals to ensure protection of their personal data after transfer to the U.S. In the same judgment, the CJEU determined that although the Standard Contractual Clauses (“SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, organizations relying on SCCs for data transfers should assess the laws of the recipient country on a case-by-case basis, in order to verify the effectiveness of SCCs in ensuring compliance with EU data protection requirements. If the SCCs are deemed to provide insufficient protection, organizations are required to implement additional safeguards to ensure adequate protection of personal data. Organizations are awaiting guidance from the European Data Protection Board (“EDPB”) in the wake of the landmark ruling, as to what the appropriate additional safeguards should be and how they should be implemented.
In this context, CIPL has conducted a survey of its members’ data transfer practices. The Paper provides a summary of the survey’s findings, as well as CIPL’s observations on the following:
- The GDPR mechanisms that organizations are relying on or considering for their international transfers post-Schrems II, such as SCCs, Binding Corporate Rules and the derogations under Article 49 of the GDPR.
- The main factors organizations have identified and that should be considered as part of a risk assessment, such as the nature, sensitivity and volume of data transferred or the likelihood of government access to it.
- The additional measures organizations are using or considering using to protect transferred data. These may include legal measures, such as the implementation of additional contractual provisions with recipients of personal data along with commitments to challenge government requests for access, or organizational measures, such as relying on a comprehensive Privacy Information Management System or certifications. They may also include technical measures, such as anonymization, pseudonymization or encryption, if relevant.
- The accountability frameworks and the processes organizations are using to respond to data access requests made by governments, including the policies and procedures organizations are putting in place to review and respond to such requests.
The Paper does not reflect the current standard market practice of all organizations, but it is intended to provide an overview of possible practices and measures that could be included in a toolbox, allowing organizations to select those most appropriate for them when addressing the judgment’s requirements in the context of their specific situation and their data transfers.
The Paper also provides key recommendations to the EDPB and the European Commission for consideration when drafting guidance on supplemental measures for transferring data outside of the EU, as well as during the process of updating the SCCs to reflect the GDPR’s provisions and the requirements set out in the CJEU’s judgment.
If you would like to discuss any of the comments in the Paper or require additional information, please contact Bojana Bellamy at bbellamy@huntonAK.com, Markus Heyder at mheyder@huntonAK.com or Nathalie Laneret at nlaneret@huntonAK.com.