Confusion over international data transfers following the Schrems II ruling is threatening to hamper trade, innovation, and competitiveness. In fact, the administrative work with data transfers can be described as absurd, and many have labelled it a growing barrier to trade. This situation, in which data transfers and the use of US service providers are being called into question, must come to an end if companies are to recover from the pandemic, and if Europe is serious about investing in technological capacity and competitiveness.
Since 2018, the General Data Protection Regulation (GDPR) has regulated data processing and the data subject’s rights. The GDPR governs how data can be processed in the EU’s jurisdiction, and how data must be protected when it is processed in a third country. The entity that transfers data should ensure that the laws of the recipient country provide the same level of personal data protection as afforded by the GDPR. In addition, security measures shall be taken on the basis of a risk assessment for each transfer.
If a third country does not provide the data protection level required by the GDPR, the data processor must either enact additional protection measures or stop the data transfer altogether. To simplify the process, there are so-called transfer mechanisms that can be used by companies. Two highly relevant mechanisms are adequacy decisions and standard contractual clauses, or SCCs.
When the European Commission has assessed the adequacy of the level of protection in a third country, an adequacy decision may be taken by the Commission, if the third country’s laws and surveillance system are acceptable. Data transfers may then take place without any authorization.
Today, there are adequacy decisions with Andorra, Argentina, Bailiwick of Guernsey, the Faroe Islands, the Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, Uruguay, and, in some cases, Canada.
The draft adequacy decision with the United Kingdom will hopefully be finalized very soon. Both the LIBE Committee and the EDPB have raised challenges, but according to a new legal report there are comprehensive safeguards enshrined in the UK legal framework. These safeguards are consistent with the Schrems II requirements, including for government access.
The problem with adequacy decisions is that they can be withdrawn or declared invalid at short notice. Therefore, many companies prefer to rely on standard contractual clauses instead, even though this is much more of an administrative burden. For third countries without an adequacy decision, companies are left to interpret the legal framework themselves.
Last summer, the Court of Justice of the European Union ruled in the Schrems II case that the United States did not ensure a data protection level comparable to the EU’s GDPR and therefore invalidated the adequacy decision with the US, called Privacy Shield, as a transfer mechanism.
The Schrems II ruling has far-reaching consequences, not only for data transfers to the US, but also for transfers to all third countries. This is because it specifies the requirements for companies using SCCs: they must assess whether the country they are transferring data to provides adequate protection and, if it does not, put supplementary measures in place to ensure such a level of protection.
After Schrems II, in November last year, the European Data Protection Board, the EDPB, published two draft recommendations affecting the use of SCCs. The first one called for measures that supplement transfer tools to ensure compliance with EU-level protection of personal data. The second called for the European Essential Guarantees for surveillance measures. Data controllers and processors shall assess whether countries to which they wish to transfer personal data meet European requirements.
These recommendations were hotly debated in the ensuing consultation with businesses and other stakeholders. The recommendations reject the risk-based approach of the GDPR and the Schrems II ruling. They disproportionately treat all personal data as being of interest to law enforcement authorities. It is indeed very burdensome and uncertain to require each European company to assess personal data and surveillance legislation in third countries. The conclusions will be dissimilar.
In addition, special technical measures (like encryption or pseudonymisation) are required in all situations, which is very costly and disproportionate.
Therefore, many of us are looking forward to the adjusted documents. The EDPB recommendations are not legally binding, but they are extremely important. They reflect the negotiated point of view of all data protection authorities in the EU. The final recommendations were expected in May, but the EDPB will not make any decision until the 15th of June.
With the interpretation of Schrems II by the EDPB and some Member States, a crisis has arisen for data transfers to the US. Let’s hope that the EDPB relaxes its far-reaching requirements and relies more on businesses’ risk assessments and the GDPR’s risk-based approach.
What else can we hope for? The European Commission sees the need to have the new set of SCCs approved for the “interim period” before a new Privacy Shield can be put in place. Last week, Vice President Vera Jourova said that the European Commission is now working intensively together with the EDPB on the final process.
The negotiations with the US are advancing. A new Privacy Shield must come into place since trade cooperation depends on data flows. But to reach a new adequacy decision, data protection and the protection of fundamental rights must be guaranteed. A solution must be compliant with the Schrems II ruling to reach a predictable legal environment. This will take time. There are no quick fixes.
Data transfers are at the core of international trade and technological exchanges. Uncertainty over data transfers jeopardises competitiveness and technological development and hampers trade. Businesses need all the help they can get!
This situation, in which data transfers and the use of US service providers are being called into question in more and more EU countries, must come to an end if companies are to recover from the pandemic, and if Europe is serious about investing in technological capacity and competitiveness.
Therefore, we believe the European Commission should intensify its work with adequacy decisions and in the meantime conduct risk assessments on data protection standards and surveillance regulations for all trading countries. This would be far more productive for Europe than leaving businesses with time-consuming and costly administrative burdens under the pressure of extremely high sanctions if they fail.