The Schrems II judgment of the Court of Justice of the European Union (CJEU) is now well known, in particular for its role in disrupting cross-border data transfers for many companies, including large organizations like Microsoft and Apple. The additional data protection requirements have put companies in a difficult position, and it has become clear how far many companies had drifted from the basic requirements of the GDPR. Following subsequent guidance from the European Data Protection Supervisor (EDPS), the European Data Protection Board (EDPB) and the European Commission, the way forward has become clearer. However, several things have changed that organizations will need to consider when deciding how to comply, and decision makers urgently need to understand what is at stake if those compliance efforts fail.
What does the guidance say?
Of the guidance documents mentioned above, the EDPB’s was the most comprehensive in its advice on how to proceed with cross-border data transfers, including transfers within global businesses and to cloud providers. The EDPB set out a series of lawful and unlawful use cases that show how organizations can move towards compliance (and what to avoid along the way). Its lawful use cases include:
- Data storage for backup and other purposes that do not require access to clear data must have strong encryption applied for data in transit or at rest.
- The data exporter can apply GDPR-compliant pseudonymisation to the data and then transfer the pseudonymised data to a third country for processing (data in use, for example for analysis and research).
- Data that simply transits through another jurisdiction must have state-of-the-art encryption applied.
- Personal data may be transferred to a recipient who is protected by specific privacy laws in that country, such as for medical treatment (e.g. HIPAA).
- Split or multi-part processing is allowed if the data is split and then processed in several different jurisdictions, as long as controls are in place to prevent different jurisdictions from combining the “split” data to allow re-identification.
In addition, the EDPB highlighted two unlawful use cases, one of which is extremely important to take into account: the transfer of data that must be processed in the clear is now unlawful. The EDPB has clearly stated that data intended for processing must be protected by measures such as use case 2 (pseudonymisation) or use case 5 (“split” multi-party processing). This means that you must use these kinds of technical approaches to bring your clear-text data into one of the lawful use cases. In most cases, pseudonymisation will be the more efficient and effective option, and it fits the purpose for which most companies want to use the data.
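As an added illustration of use case 2 (this is example code, not part of the original article or of the EDPB text): the exporter applies keyed pseudonymisation before transfer and keeps the key and the lookup table in the EU, so the importer can analyse the data but cannot re-identify the people behind it. The records and the key are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample records; the people and values are invented for this example.
RECORDS = [
    {"email": "anna@example.com", "age": 34, "diagnosis": "A10"},
    {"email": "bert@example.com", "age": 51, "diagnosis": "B22"},
    {"email": "anna@example.com", "age": 34, "diagnosis": "C07"},
]
DIRECT_IDENTIFIERS = ("email",)

# Constructed secret held only by the data exporter inside the EU; never exported.
EXPORTER_KEY = b"constructed-exporter-secret-rotate-me"


def pseudonymise(records: list[dict], key: bytes) -> tuple[list[dict], dict[str, str]]:
    """Return (export_set, lookup_table).

    The export set replaces the direct identifier with a keyed pseudonym
    (HMAC-SHA256), so one person keeps one subject_id across records and the
    importer can still analyse the data. The lookup table and the key are the
    'additional information' that stays with the exporter in the EU.
    """
    export, lookup = [], {}
    for rec in records:
        ident = rec["email"]
        pseudonym = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()
        lookup[pseudonym] = ident
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_id"] = pseudonym
        export.append(out)
    return export, lookup


def reidentify(row: dict, lookup: dict[str, str]) -> str:
    """Exporter-side step: map a pseudonym back to the identifier it retained."""
    return lookup[row["subject_id"]]


def confirm_candidate(candidate: str, pseudonym: str, key: bytes) -> bool:
    """Test whether a guessed identifier produces a pseudonym; needs the key.

    With a bare hash (no key) anyone holding a list of plausible identifiers
    could run this same check, which is why unkeyed hashing alone is not
    enough for GDPR-compliant pseudonymisation.
    """
    guess = hmac.new(key, candidate.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(guess, pseudonym)
```

The exported rows keep the attributes needed for analysis and a stable subject_id, while re-identification is only possible on the exporter side, where the key and lookup table remain.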
Why does this matter so much?
Following the EDPB guidelines and meeting the Schrems II requirements could be critical for many organizations. Many people know that the Schrems II case overturned the Privacy Shield, the successor to the Safe Harbor agreement between the EU and the US. While this may seem like just another court ruling pointing out America’s “shortcomings” in protecting the personal data of EU citizens, several factors in the Schrems II case matter much more than you might think.
First, the Schrems II case took a new step in terms of compliance and enforcement, and fundamentally changed the burden of proof for organizations. Rather than taking a sanctions-based approach, the court chose to rely on injunctions and the suspension of data flows as the remedy. This means that organizations can no longer simply budget for fines and treat compliance as an exercise in regulatory arbitrage; instead, they must reckon with a complete halt of their data flows. Non-compliance could be devastating for companies in the post-COVID recovery.
Additionally, the Schrems II ruling held that policy and contractual approaches to protecting data must now be supported by technical measures. Words alone are no longer enough, and courts and regulators no longer consider them adequate in our new world of Big Data. Technical approaches prevent misuse of data, and protections must be applied at every step along the data flow chain – in transit, in use, and in storage. Encryption for in-storage and in-transit protection has long been established as a credible approach, but with rapidly expanding data sets, new approaches to applying it are now needed. Additionally, since analytics processes, machine learning, and artificial intelligence require large amounts of data to be processed and analyzed, protections such as pseudonymisation of data in use are now necessary. Organizations that have not understood these changes and have not moved to comply may face increased enforcement action, data flow disruptions, and a loss of competitive advantage at a time when economic growth is already difficult.
An additional factor at play is that collective action is increasingly common in the EU. A key example is the European Center for Digital Rights, also known as “none of your business” (noyb). The dual dangers of class actions and injunctions mean that enforcement actions are even more likely, and organizations must move beyond preparedness toward actual action and compliance.
How can companies comply with the new cross-border transfer laws?
There are two main trends likely to emerge in the coming year that can tell organizations how they should act to comply. First, the Schrems II decision, followed by the EDPB guidelines and the European Commission’s standard contractual clauses (SCCs), are the first signs of a wave of changes in data protection approaches. There will be a major shift from policy-based approaches to requiring the use of technical controls to protect data in transit, in storage and in use. Second, enforcement mechanisms will shift towards approaches that stop data flows or impose injunctions, rather than fines. Fines can be deferred and paid later while data flows continue; injunctions stop the data flows and prevent companies from continuing to undermine data subject protections. In addition, stopping data flows prevents the business from operating, which means that having adequate compliance measures and protections for data has become absolutely critical. These changes mean that the sooner you meet the Schrems II requirements, the further ahead you will be.
To move forward, your organization must have made reasonable and good-faith efforts to comply with the provisions of Schrems II and the EDPB guidelines. Technical measures such as strong encryption and pseudonymisation can be applied, and solutions are readily available. Organizations must take steps to implement these technologies in their daily business, at all levels. Time is of the essence, and with rapid implementation, organizations may even gain a competitive advantage.