Skip to Content

Schrems II – an overview on how to proceed

Capgemini
December 18, 2020

Recently, the European Data Protection Board (EDPB) published two recommendations explaining how organizations should act on the CJEU’s Schrems II ruling. In short, this ruling invalidated the EU-US Privacy Shield and clarified multiple requirements that must be met before processing personal data outside the European Economic Area (EEA) (also referred to as cross-border data transfers).

In this blog, we have summarized the view of the EDPB and provided you with an easy-to-use handout that you can use in discussions within your organization.

Requirements for cross border data transfers

With Schrems II, the court introduced – among others – the following high-level requirements for data controllers when considering cross-border data transfers:

  • Controllers must know where personal data is processed and what (legal) mechanisms are relied on to ensure adequate protection of personal data.
  • Controllers must have a good understanding of the (legal) risks in third countries, by assessing the level of protection offered by the laws and regulations of that country and knowing whether this undermines the level of protection offered by the mechanisms on which they rely.
  • Where laws and regulations in third countries do have a negative impact on the protection of the personal data and fundamental rights of the data subject, the controller should either implement additional controls, limiting these risks to an acceptable level or suspend, end, or refrain from transferring the data to third countries.

Finally, organizations must be able to demonstrate compliance with these requirements to supervisory authorities or data subjects. This requires organizations to ensure they document all decisions, assessment results, and other relevant information that justifies their decisions.

EDPB recommendations

In “Recommendations on the European Essential Guarantees for surveillance measures,” the EDPB sets out four elements they consider to be essential guarantees that must be present in the third country when assessing the interference with rights to privacy and data protection, in the light of entailed surveillance measures.[2]

In “Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data,” the EDPB introduces a six-step approach that may assist organizations in taking appropriate actions to maintain compliance with data protection regulations. In addition, the EDPB provides multiple use cases and examples demonstrating the EDPB’s interpretation. As these steps are the foundation for an organization’s approach, we highlighted them below.[3]

The six-step approach

The six-step approach defined by the EDPB enables organizations to tackle the challenges they were confronted with after the Schrems II ruling. The EDPB defines the following steps:

Step 1: Map your transfers

You need a good view of the scope. As such, you should start by identifying the geographic locations of the processing activities. This enables you to draft a list of third countries and the categories of data processed. There are a few challenges you should be aware of during this step:

  1. Do not forget onward data transfers. This is especially relevant for suppliers that have multiple subsidiaries in third countries, or vendors using sub-processors in third countries.
  2. Be aware that information in your data record or data processing agreements may not be up to date anymore.

NB: Going through data processing agreements? Make sure you also collect the information in step 2. Prevent double work.

Step 2: Identify data transfer mechanisms

You should identify the mechanisms you rely on for each of your data transfers. The most common mechanisms are:

  • Adequacy Decision
  • Standard Contract Clauses (“SCC”)
  • Binding Corporate Rules (“BCR”).

Regarding the derogations in art. 49 GDPR, the EDPB notes that these have an exceptional nature, and must therefore be used restrictively.

At this moment, Adequacy Decisions are generally considered to be the most reliable. As such, the EDPB notes, for data transfers to countries for which an adequacy decision has been adopted, no further action is needed.

NB: If you choose to collect the geographic locations under step 1 primarily from data processing agreements, we suggest directly collecting information on the mechanisms as well.

Step 3: Carry out the TIA

This step requires you to carry out a transfer impact analysis (TIA) to verify the effectiveness of the means used to protect the personal data in the third country. For example, by checking whether the provisions in an SCC protect data subjects not only on paper but also in practice. The level of protection provided must be practically equivalent to the protections guaranteed in the European Economic Area (EEA).

In practice, this means you must assess whether the law, or practice in the third country may impinge on the effectiveness of the mechanism you rely on under art. 46 GDPR. To carry out such an assessment, the following information can be useful:

  • General information on processing: categories of data, purposes, data flows, file type, etc.
  • Mechanism organizations rely on for the respective data transfer.
  • Recommendations on the European Essential Guarantees for surveillance measures.
  • Information on the legal system in the third country.
  • Applicable rules and regulations.
  • Information made available by international organizations and NGOs, such as the UN.
  • Information shared by stakeholders, such as receiving party in the third country.
  • Investigations published by supervisory authorities.

Carrying out a TIA may require the involvement of many internal and external stakeholders, including Legal, IT, the CISO, and the recipient within the third country.

Step 4: Implement supplementary measures

The outcome of the assessment may demonstrate that the level of protection for individuals in the third country is lower than in the EEA. If so, you need to implement additional measures to increase the level of protection or suspend, end, or prevent transfer of the data. EDPB distinguishes three types of measures: (i) contractual, (ii) technical, or (iii) organizational nature.

Step 5: Procedural steps if you have identified effective supplementary measures

This step details the procedural steps you should follow if you have identified effective supplementary measures. So far, the information is primarily limited to SCCs. The EDPB exemplifies in this step that stakeholders should ensure that implementation of these supplementary measures does not contradict, directly or indirectly, and undermine the level of protection offered.

Step 6: Procedural steps if you have identified effective supplementary measures

In the final step, the EDPB addresses the importance of implementing controls that ensure ongoing compliance. In practice, it is important to keep a sharp eye out and continuously monitor the effectiveness of the mechanisms. If laws and regulations in a third country change, you need to (i) be made aware of this, (ii) reassess whether the supplementary measures are still effective, and (iii) be able to respond to the matter appropriately.

Conclusion

With the publication of these two recommendations, the EDPB provides us with a first view on how to interpret the consequences of Schrems II. The recommendations clearly increase the burden for data controllers with respect to documentation. Also, carrying out TIAs and defining effective measures is very challenging and requires a good understanding of all the laws and regulations in scope. Also, the recommendation show that many discussions are still ongoing, including the adoption of new SCCs.

What’s your organization’s strategy? Have you already agreed upon an approach internally? Use the guide below when discussing this internally or when developing your approach.

Naturally, we are also happy to assist you in developing a strategy together and finding a custom solution for your organization.

Find out more about Capgemini’s Data Protection and GDPR services by visiting: https://www.capgemini.com/dk-en/service/digital-services/gdpr-readiness/data-protection-gdpr/

[1] Third countries are countries outside the EEA.

[2] Website EDPB, Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, <https://edpb.europa.eu/our-work-tools/our-documents/recommendations/edpb-recommendations-022020-european-essential_en>

[3] Website EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, <https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer_en>

Author

Joost Christians

Joost is a Senior Consultant in Data Protection and Cybersecurity. He operates on the intersection of Legal and Cybersecurity. He advises clients on how to comply with legal requirements such as the GDPR and Trade and Export legislation. His knowledge and experience in Privacy, Data Protection and Cybersecurity making him an excellent partner in developing and implementing strategies on how to comply with these complex regulatory requirements