Following the European Court of Justice’s annulment of the Privacy Shield with the USA, there are growing concerns over what will happen to data transfers outside the EU. Companies are now expected to make their own risk assessments of the recipient country’s privacy protection. This means that data transfers to countries outside the EU will be very costly - even potentially impossible - for many companies. The Swedish government now needs to take initiatives at EU level to find a political and legal solution.
The Schrems II judgment by the European Court of Justice states that the US regulatory framework does not provide individuals with adequate protection of personal data against electronic surveillance, nor does it provide the individual with the rights as regulated in the GDPR. However, the Court also ruled that the standard contractual clauses - the SCCs - remain a legal basis for transferring data to countries outside the EU. The new aspect of that part of the ruling is that companies will be expected to make their own risk assessment of how well the recipient country protects personal data. This means that SCC investigations will become even more demanding and costly. This raises the question of which individual companies would have the resources and capacity to conduct investigations into other countries’ monitoring and privacy protection. For any ordinary SME, this will probably prove impossible. Therefore, it seems reasonable to expect the risk assessment of different countries to be done by the European Commission with the help of the European Data Protection Board, EDPB, not by individual companies.
The important and widespread use of American suppliers of IT services means it is inevitable that all sectors will be affected by the requirements placed on data flows of personal data between the EU and the USA. A draft of the updated SCCs is expected to be presented shortly. Hopefully – although this is probably unlikely – it will both simplify and clarify how to properly transfer personal data to third countries. It is clear that all sectors should protect their data transmissions in all available ways, not least through IT solutions, in order to live up to the Court’s requirements for the protection of personal data. Therefore, the EDPB and the Swedish Data Inspectorate need to publish, as soon as possible, clear guidelines and clear examples of what is expected of companies.
Yet it is not only the law that can hinder data flows. The European Commission has, for quite some time, acted to secure free data flows. However, in her State of the Union, the President of the European Commission Ursula von der Leyen recently pointed out that it was time to get away from dependence on, among other things, American suppliers. One can only imagine the consequences this would have for the myriad IT services that consumers, authorities and companies currently use.
The right to transfer data to the UK is also not guaranteed. Within the EU, electronic monitoring is regulated nationally. Although Hungary and France conduct extensive surveillance, that surveillance is considered reasonable. However, now that the UK has left the EU, it is not clear that the European Commission will be prepared to accept its level of data protection. In any case, there will be no adequacy decision in place in the near future. The current transmission mechanisms, such as the SCCs, then remain.
For this reason, companies need information on this policy as quickly as possible. They also need help from the data protection authorities and the EDPB on how to manage their international data flows. It seems reasonable that the risk assessment of different countries should not be done by individual companies, but rather by the European Commission with the help of the EDPB. However, what is most important is that a long-term political and legal solution for data flows is put in place; for that, political initiatives will be required. The Swedish government should be the driving force in this process.