Schrems II[1] enforcement is getting off the ground in Germany, highlighting the serious and urgent need for companies to begin steps towards compliance. A discussion between German Data Protection Authorities (DPAs) at their joint Datenschutzkonferenz (DSK) meeting highlighted the next steps of a Schrems II Task Force: DPAs, led by Hamburg and Berlin, will begin initiating enforcement measures.
Most notably, the Hamburg DPA will conduct random checks on companies to determine whether or not they are in compliance with Schrems II requirements. This highlights the high priority of Schrems II concerns for Boards and C-Suite Executives, as investigations and enforcement actions in other jurisdictions are likely to follow soon.
Another indicator of increased pressure in other jurisdictions comes from NOYB – European Center for Digital Rights, the non-profit privacy organisation founded by Max Schrems. In a questionnaire sent to numerous companies in 2020 (as shown in the image above), NOYB asked:
If you send personal data to the US, which technical measures are you taking so that my personal data is not exposed to interception by the US government in transit? [emphasis added]
Thirty-three companies received this questionnaire as part of NOYB’s “Opening Pandora’s Box investigation”, but very few were able to respond satisfactorily. It is clear that enforcement actions and compliance pressures are coming from both regulators and privacy organisations, highlighting the urgency of Schrems II compliance.
In a recent webinar on “Briefing the C-Suite & Board of Directors on Schrems II Risk Exposure”, 83% of respondents responded “No” to the following question:
Would your company be able to answer a similar question from NOYB regarding the technical measures you have in place to comply with Schrems II?
This response indicates a high level of unpreparedness for Schrems II compliance. However, other than invalidating the Privacy Shield treaty for EU-US transatlantic data flows, the Schrems II ruling does not represent “new law”, but rather clarifies requirements under the EU General Data Protection Regulation (GDPR) passed in 2016. Under the GDPR, the fundamental rights of individual data subjects must be protected. The Schrems II ruling clarifies GDPR requirements for protecting EU personal data by leveraging technical measures when data is in use. Until now, most organisations have focused on protecting data when it is at rest or in transit, but that approach is no longer sufficient. Organisations that are found not to be in compliance with Schrems II may therefore not be in compliance with the GDPR generally.
The court in Schrems II ruled that the appropriate relief for noncompliance is injunctive termination of processing,[2] rather than the assessment of penalties – highlighting the potential for immediate material disruption to business operations. This shifts the burden of proof onto data controllers in order to regain the right to process their data. Since there is no grace period, compliance became mandatory immediately on 16 July 2020, the date of the Schrems II court ruling. Now, over six months later, organisations must evaluate whether the technical controls they have in place will be sufficient to overcome claims of non-compliance. Given that the European Data Protection Board (EDPB) has already released preliminary recommendations on how to comply with Schrems II, not taking action is a high-risk strategy.
Action Plan
In Germany, the recent Data Protection Report from law firm Norton Rose Fulbright recommends that “companies with headquarters in Germany or with affiliates operating from Germany should be aware that they might receive a questionnaire from their regulator [and] should prepare for how they might respond”. More specifically, they note that German DPAs engaging in random questionnaires or compliance checks will expect companies to already be taking steps towards complying with EDPB recommendations for Schrems !!.
For those outside of Germany, companies should also take steps to comply with EDPB recommendation before DPAs in other jurisdictions begin to take stronger enforcement measures or privacy organisations initiate new investigations. Finalisation of EDPB guidelines and new Standard Contractual Clauses (SCCs) are projected to occur near the end of March 2021, leaving companies with few options if they are investigated and found to be non-compliant. Briefing Boards and C-Suite Executives and reviewing and procuring relevant technology may take several months at a minimum; even companies that have already started the work necessary to comply with Schrems II may be found to have responded too slowly.
Taking steps to implement technical measures to protect data is critical, and companies with lower risk tolerances should take steps immediately. Companies electing not to take action now should document their decision-making process for evaluating the risk of noncompliance as well as the consequences of terminated data flows and interruptions to business operations.
Schrems II webinar participants were also asked about this potential outcome, namely:
If your company was told to halt processing and/or data transfers, what would be the immediate impact to your business?
89% of respondents in the “Briefing the C-Suite & Board of Directors on Schrems II Risk Exposure,” characterised the results of terminated processing as “catastrophic” or “serious” to their operations. All companies are urged to consider the potential impacts on their own businesses in the face of potential enforcement action.
It is critically important that, throughout this process, companies understand that they must implement new technically-enforced “Supplementary Measures” to support Standard Contractual Clauses (SCCs) to comply with Schrems II requirements. Merely updating SCCs without implementing new technically enforced “Supplementary Measures” is not enough. Without appropriate technical measures to protect data when in use - not just when at rest and during transit - compliance will not be achieved. As enforcement actions draw increasingly near, companies should not wait to find out what happens in Germany before taking action themselves.
To learn more, visit SchremsII.com/KnowledgeHub
[1] Schrems II refers to the ruling by the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, commonly referred to publicly as “Schrems II.” Use of "Schrems II" in no way indicates any relationship or affiliation with, or endorsement by, Max Schrems or by the Non-Governmental Organisation, None of Your Business (NOYB), or any parties directly or indirectly associated with Max Schrems or NOYB.
[2] See paragraphs 121, 135, 146, 154, and 203(3) of the ruling by the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems at http://curia.europa.eu/ju ris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=9745404
Join the Schrems II Linkedin Group with over 4,600 of your colleagues: https://www.linkedin.com/groups/12470752/
This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.
CLICK TO VIEW CURRENT NEWS
