Date
June 3, 2021
 
Written by
Gary LaFever

DPAs and NOYB Asking Questions on Schrems II Supplementary Measures - How Do You Answer? (Infographic)

A German task force, composed of the Bavarian and other data protection supervisory authorities, has initiated Schrems II enforcement investigations by sending questionnaires to data controllers. Here is an unofficial translation of the Bavarian DPA press release announcing the investigation and a copy of the questionnaire targeting Intra-Group Data Traffic.

The German investigation highlights that standard contractual clauses are lawful for data transfers subject to FISA Section 702 only if supplemented with adequate additional safeguards.

Question 9 of the German questionnaire specifically asks what supplementary measures have been implemented?

In addition to the recent German investigation, NOYB – European Center for Digital Rights, the non-profit privacy organisation founded by Max Schrems, previously sent a questionnaire to numerous companies (as shown in the image below), in which they asked:

If you send personal data to the US, which technical measures are you taking so that my personal data is not exposed to interception by the US government in transit?

Thirty-three companies received this NOYB questionnaire as part of its “Opening Pandora’s Box investigation”, but very few were able to respond satisfactorily.

Despite any hopes to the contrary, neither the final EDPB Schrems II guidelines nor the updated European Commission SCCs will alter the Schrems II requirement that effective supplemental measures are required to use SCCs for international data transfers.

The Bavarian press release of the German investigation clearly states that:

“The Court has made its expectation that the authorities ‘suspend or prohibit’ unauthorised transfers explicitly clear.”

"In many cases, the ECJ ruling requires a fundamental change in long-practiced business models and processes.”

Investigations like those involving the German and NOYB questionnaires highlight the risk of potential disruption to data supply chains, creating danger of material financial and reputational loss. If downstream partners do not have adequate safeguards, upstream data providers will discontinue data flow rather than risk damage to their businesses.[1] Data is a precious resource for company performance and innovation, and without data flowing freely, critical opportunities for growth and revenue is lost.

Would your organisation be able to answer questions from German (and other) supervisory authorities or non-governmental organisations like NOYB regarding the Supplemental Measures that you have in place to comply with Schrems II?

 

If your company was told to halt processing or data transfers, what would be the immediate impact on your business?

89% of the respondents who participated in the “Briefing the C-Suite & Board of Directors on Schrems II Risk Exposure” webinar characterised the results of terminated processing as “catastrophic” or “serious” to their operations. All companies are urged to consider the potential impacts on their businesses in the face of possible enforcement action.

It is critically important that organisations understand that they must implement new “Supplementary Measures” to support SCCs – both new and old – to comply with Schrems II requirements.

 

Merely updating SCCs without implementing new “Supplementary Measures” is not enough.

 

What Supplementary Measures Are Required?

In its Schrems II ruling, the Court of Justice of the European Union uses the terms “supplementary measures”, “supplemental measures”, and “additional safeguards” to describe the new approach to data protection that is now required. The European Data Protection Board (EDPB) in its Schrems II Recommendations 01/2020 recognises three types of “Supplementary Measures”:[2]

  • Contractual Supplementary Measures
  • Organisational Supplementary Measures
  • Technical Supplementary Measures

However, the EDPB highlights that only one of these three supplementary measures is suitable for protection against foreign governments: Technical Supplementary Measures.

“In its recent judgment C-311/18 (Schrems II) the Court of Justice of the European Union (CJEU) reminds us that the protection granted to personal data in the European Economic Area (EEA) must travel with the data wherever it goes.”[3]

“Contractual and organisational measures alone will generally not overcome access to personal data by public authorities of the third country (where this unjustifiably interferes with the data importer’s obligations to ensure essential equivalence). Indeed there will be situations where only technical measures might impede or render ineffective access by public authorities in third countries to personal data, in particular for surveillance purposes.”[4]

This means that data transfers are unlawful without new technical supplementary measures, including processing using US cloud and SaaS providers, even if their equipment is located in the EU.

What Technical Supplementary Measures Does the EDPB Recommend?

The EDPB identifies five valid Technical Supplementary Measures:

  • Encryption of data at rest
  • GDPR Pseudonymisation
  • Encryption of data in transit
  • Protected Recipient
  • Split Processing

Of the five Technical Supplementary Measures noted by the EDPB, only GDPR Pseudonymisation transforms illegal cloud processing and remote access into lawful processing by Pseudonymising the data before leaving the EU.[5]

The following infographic includes information helpful in replying to DPA and NOYB questions regarding Schrems II Supplementary Measures using Anonos Data Embassy software that satisfies GDPR state-of-the-art requirements for Pseudonymisation.

Download this Infographic in PDF atSchremsII.com/Infographic-DPA-Questions

Anonos Data Embassy Quick Start software enables companies to reach a sufficient level of compliance within 48 hours of first contacting us. By beginning to implement Anonos software and supplementary technical measures, you can reassure your partners and customers that your organisation has taken the necessary first steps. This can prevent potential severe losses from data supply chain interruptions.

>>If you have any questions, contact me via LinkedIn.

If you have not yet registered for the Final EDPB Schrems II Guidance Webinar, visit www.SchremsII.com/Webinar5. Over 2,000 have already registered.

[1] Business continuity risks arising from the inability to process data are more significant than the monetary risk from penalties or non-monetary risks from damaged reputation from privacy or security breaches. In the Schrems II ruling, the Court of Justice of the European Union notes five times the preference for injunctive relief for failing to comply with international data transfer requirements (see paragraphs 121, 135, 146, 154, and 203(3) of the ruling). See the National Law Review article discussing a 12-hour notice to terminate processing sent by the Portuguese data protection authority to a Portuguese agency relying on SCCs. See also PwC article highlighting that 52% of Fortune 500 companies now include privacy risk disclosures in their annual reports due to auditing considerations regarding an entity’s ability to continue as a going concern.

[2] See Paragraph 47 on page 15 at https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf

[3] Id. Second paragraph of the Executive Summary on page 2.

[4] Id. Paragraph 47 on page 15.

[5] See German Association of Data Protection and Data Security (GDD) and Anonos Ten Truths of GDPR Pseudonymisation at SchremsII.com/TenTruths

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.

CLICK TO VIEW CURRENT NEWS