Schrems II: Fictional Legalistic Approaches Are Not Enough
Under the Schrems II ruling by the Court of Justice of the European Union (CJEU), data controllers and processors can no longer rely on the invalidated Privacy Shield Transatlantic data transfer treaty. In addition, in order to rely on Standard Contractual Clauses (SCCs) they must adopt Supplementary Measures / Additional Safeguards to ensure adequate protection under GDPR Article 5 when data is transferred to a third country. Failure to comply with Schrems II exposes controllers and processors to the risk of immediate cessation of data processing under GDPR Articles 58(2)(f) and (j). The importance of ongoing access to and use of data to the core operations of many companies highlights the tremendous risk associated with “fictional legalistic approaches” to try to avoid Schrems II obligations.
The draft implementing decision from the European Commission on SCCs for transferring personal data to non-EU countries highlights the significant risk of attempting to legally “redefine” yourself out of the GDPR, since fictional legalistic approaches often result in nonsensical real-life results. The issue is that Article 1.1 of the draft decision from the European Commission on SCCs seeks to redefine a “transfer” of personal data as taking place only when “the exporter is subject to the GDPR and when the importer is not subject to the GDPR.” (See noyb's comments on the proposed Standard Contractual Clauses for the Transfer of Personal Data to Third Countries pursuant to Regulation (EU) 2016/679, “noyb Comment Letter”).
This artificial attempt at redefining “transfer” would produce the odd result that “transfers” would not occur if “both the data exporter and the data importer are subject to the GDPR, and the latter is based outside of the EU.” This would mean that “no adequate safeguards” (and therefore no SCCs) would be required under Chapter V of the GDPR since no “transfer” takes place. (See noyb Comment Letter).
This approach undermines the purpose of the GDPR for protecting fundamental privacy rights and is contrary to the express ruling of the CJEU in Schrems II. Article 44 of the GDPR explicitly states that all provisions in Chapter V (on data transfers) “shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.” The proposed redefinition of “transfer” by the European Commission would produce the nonsensical result that most data transfers outside of the EU would not need to be covered by SCCs (as required by the GDPR), nor by Supplemental Measures / Additional Safeguards, as explicitly required by the CJEU in Schrems II. This would fundamentally undermine the level of protection afforded to EU data subjects.
In addition, this approach would create a strange situation in which transfers, where both parties are covered by the GDPR, would result in fewer protections than those where one party is not subject to the GDPR. As in Schrems II, a transfer to a non-EEA country, in which data is processed for the purpose of “the offering of goods or services... [to] data subjects in the Union” would be a transfer wherein both parties are covered by the GDPR. However, it would not require SCCs or Supplemental Measures / Additional Safeguards using the redefinition of “transfer” as proposed by the European Commission. This would require a “fictional” determination that the risks of surveillance from non-EEA jurisdictions (as in Schrems II) are in fact something that does not need additional protections. The CJEU clearly considered that these types of transfers would put EU data subjects at risk of harm, which was made clear by the invalidation of the Privacy Shield and the requirement for Supplementary Measures / Additional Safeguards. Attempting to redefine “transfer” to the point where a very large group of exporter-importer relationships would not be subject to SCCs or Supplementary Measures / Additional Safeguards is contrary to the purposes of the GDPR, and the Schrems II ruling by the CJEU.
It is highly improbable that the CJEU would support such a proposed redefinition of “transfer.” The noyb Comment Letter puts the world on notice on page 3 that noyb (and likely EU Supervisory Authorities and other NGOs) will be watching this process:
“In any event, noyb will closely monitor the developments regarding this point and take appropriate legal steps should the Commission adopt such an approach and controllers actually rely on this approach.”
Adopting a “fictional legalistic approach” to Schrems II compliance would leave organisations open to the risk of immediate cessation of data processing, regulatory sanctions and NGO lawsuits. Organisations would be ill-advised to follow this high-risk approach without fully briefing their Board of Directors on the potential significant adverse impact on stockholders’ interests from interruptions to data use and business operations.
A much more practical approach is to ensure ongoing use of data by establishing a defensible position: implementing Supplemental Measures / Additional Safeguards to comply with Schrems II requirements. Companies can “future-proof” their business operations by complying with both the letter and the spirit of the GDPR to achieve desired business results while respecting and enforcing the fundamental rights of data subjects.
Learn About Schrems II Compliant Supplementary Measures / Additional Safeguards
After holding several panels on Schrems II issues with the European Data Protection Supervisor (EDPS), None of Your Business (NOYB), Future of Privacy Forum (FPF), Promontory, Cooley, and Fieldfisher, we received over a thousand follow-up questions, and hundreds of inquiries requesting briefings. We created a no-cost Briefing Portal in response to overwhelming requests from General Counsels and senior-level privacy professionals for additional information.
This Briefing Portal streamlines the process for interested professionals and provides a no-cost, self-paced educational platform. Access expert content, analysis, and discussion of the key concepts behind Schrems II, and learn how to support your clients or organisation to take action.
Register at SchremsII.com/Briefing to learn about Schrems II Compliant Supplementary Measures / Additional Safeguards and other matters pertaining to lawful international data transfers after Schrems II using SCCs and BCRs.
You may be interested in joining the Schrems II LinkedIn Group focused on critical discussions and analyses related to using technically-enforced Supplementary Measures and SCCs, which you will not find elsewhere.
This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.