Personal data transfers: between uncertainties and new requirements


The effects of the Schrems II judgment

In July 2020, the Court of Justice of the European Union (“CJEU”) invalidated the European Commission’s adequacy decision on the Privacy Shield relating to the transfer of data to the United States (Case C-311/18) with immediate effect; but it does not end there. In fact, the CJEU went beyond the invalidation of the Privacy Shield, putting into question the validity of transfers that make use of standard contractual clauses (“SCCs”), binding corporate rules (“BCRs”), or other safeguards provided by Art. 46 GDPR. As to the transfer to third countries without an adequacy decision, the CJEU called for the use of such other instruments only together with the use of supplementary measures, which guarantee an adequate level of protection – at least equivalent to that of the Union – of the rights and freedoms of individuals whose data are transferred outside the European Economic Area.

This is therefore a very different scenario from that of 2015, when the Schrems I judgment (Case C-362/14) was dealt with by the ‘simple’ replacement of the Safe Harbor data transfer mechanism with the Privacy Shield.

While waiting for the adoption of the new SCCs (see the draft implementing act), the European Data Protection Board (“EDPB”) in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data has provided some examples of the above-mentioned supplementary measures that can be applied.


What to do

Following the EDPB’s guidance, you should:

      1. Identify transfers of personal data abroad, starting with the record of processing activities. Interviews should be carried out with the functions involved;
      2. Identify a new legal basis for the transfer of data outside of the EEA in accordance with Articles 46-49 GDPR in place of Privacy Shield;
      3. Carry out a TIA (Transfer Impact Assessment) to assess the level of adequacy of the third country of destination and verify the need to adopt additional legal, organisational and technical measures (and which ones). Alternatively, verify the existence of possible derogations to the prohibition of transfer under Art. 49 GDPR;
      4. Amend privacy documentation in use (DPAs, record of processing activities, clauses in service contracts, audit checklists, notices);
      5. Monitor legislation and the activities of the Control Authorities in order to promptly adapt to regulatory developments in this area.


What ICTLC has done to assist its clients

      1. Transfer Impact Assessment (TIA): We developed a methodology for carrying out TIAs, which includes, for example:

– Processes for identifying transfers of personal data outside the EEA;

– Processes for identifying and analysing any local regulations in the country of the data importer that apply to suppliers, to assess possible “interference” and risks to the rights and freedoms of data subjects; and

– Processes for assessing, identifying and testing the adequacy and feasibility of the application of supplementary measures.

      2. Representations/Warranties: We prepared a document to be submitted to all suppliers involved in extra-EEA transfers in order to obtain the necessary representations and warranties, as well as to establish their respective obligations.
      3. Workflow: Monitoring of the application of Representations/Warranties, with specific focus on the continued adequacy of supplementary measures over time.


Paolo Balboni and Luca Bolognini

Founding Partners – ICT Legal Consulting (ICTLC)

Roadmap: Applying the principle of accountability to data transfers in practice, by @EDPB