In July 2020, in the Schrems II decision, the European Court of Justice (ECJ) considered the data transfer arrangements that had been implemented to allow personal data to be transferred out of the EU in compliance with the GDPR.
In this judgment, in addition to invalidating Privacy Shield, the ECJ questioned whether the commonly used the Standard Contractual Clauses could provide appropriate safeguards for data transfers as required by the GDPR art 46.
You can read more about Schrems II decision and its implications for Australian data importers here.
Last week, we received the first guidance from a European Privacy Regulator on how SCCs could be used in the future. This post will outline this guidance, and details the considerations for Australian companies processing EU personal data.
The combined effect of the GDPR’s third-country transfer requirements and the Schrems II decision is that any entity seeking to transfer data out of the EU must:
- have sufficient guarantees by the third-country Data Controller and Data Processor;
- ensure that data subjects have enforceable rights and effective remedies within the third-country; and
- consider the powers that authorities have in the third-country to access personal data.
The last point is directed to laws that allow governments to:
- compel production of information to authorities;
- compel tech companies to assist government agencies in gaining access to personal data (such as the federal ‘Access and Assistance‘ legislation); and
- undertake covert surveillance (including the US’s FISA 702 and Executive Order 12333)
The ECJ did not say that the SCCs were invalid, but stressed that it was not enough to simply implement the SCCs between a data exporters and importers. The exporter needs to make an assessment of the broader legal and operational environment into which the personal data will flow. Note also that in many circumstances, the exporter will also be the Data Controller – who has the primary responsibility to ensure compliance with the GDPR.
So with this in mind, the Baden-Württemberg’s Data Protection Commissioner has released a checklist to assist in this assessment.
Step 1 – take an inventory of the personal data of EU data subjects you hold and where that data is. Keep in mind that ‘processing’ is broadly defined under the GDPR. This means that we are not just concerned about where the data is stored but also from where it will (or can) be accessed.
Assess whether there has been an adequacy decision for the countries to which you are moving the data. Note that neither Australia nor the US is subject to an adequacy decision.
Step 2 – Ensure that you scrupulously meet your transparency requirements – clearly, and in plain language inform your end users where their personal data might be going. You also need to tell them about the technical and organisational measures you or your partners are putting in place to protect their data.
Step 3 – If you have a US presence or US contractors, stop relying on Privacy Shield (if you haven’t already). Remove any references to Privacy Shield in terms and conditions and data processing agreements. Request that your US partners do the same, and, until you are confident that appropriate safeguards are implemented, suspend any data processing activities they undertake for you.
Step 4 – Assess the legal situation of the country or countries where the data will be accessible. This includes the general protections available or level of interference with the privacy rights of individuals , and the accessibility of remedies to those interferences. This includes government powers (including any extra-territorial powers like the US Cloud Act), legislation, and case law.
Importantly, given the breadth of powers under the national security legislation in the US or Australia, it is unlikely that the SCCs will be able to be relied upon without additional guarantees.
Step 5 – Consider what additional guarantees might be able to be implemented. These might include technical measures such as encryption where keys are not held in the third-countries; or organisational measures such as notification requirements in the SCCs and obligations to resist disclosure to the maximum extent permissible by the local law.
If additional guarantees are insufficient to provide appropriate safeguards, it may be necessary to consider an alternative basis for the transfer, such as Binding Corporate Rules or Article 49 Derogations for specific situations.
