Schrems II recommendations
After Schrems II and along with it the end of the EU-US Privacy Shield (July 2020) it became for many international companies very difficult to remain compliant under the GDPR while transferring personal data outside the European Economic Area (EEA). It was clear that the standard contractual clauses (SCC’S) in itself may be used, but the extra safeguards and measures to be taken and the reviewing of the third country legal and surveillance environment created uncertainty. The German DPA Baden-Württemberg was the first DPA to acknowledge this, and therefore gave some recommendations on how to approach this situation. The recommendations (November 10, 2020) of the EDPB, yet to be commented, are now very helpful for the complex task of assessing third countries and identifying appropriate supplementary measures where needed. The recommendations provide us with a series of steps to follow of which the way most companies already (should) operate. Steps include mapping all transfers first, verifying the transfer tool your transfer relies on, assessing the law of practice of the third country, and so on. The recommendations are suggesting various ideas for extra measures that could be taken.
The new SCC’s (draft) describe additional measurements as well. The processors and controllers have much more possibilities to select the module(s) applicable to their situation, which makes it possible to tailor their obligations under the SCC’s. In addition, the new clauses provide in more appropriate safeguards to afford a level of protection essentially equivalent to that guaranteed within the EU.
Furthermore, the EDPB have outlined the interesting phenomenon of the “ Warrant Canary” whereby the data importer commits to regularly publish (e.g. at least every 24 hours) a cryptographically signed message informing the data exporter that as of a certain date and time it has received no order to disclose personal data or the like. The absence of an update of this notification will indicate to the exporter that the importer may have received an order.
The EDPB recommendations and the new SCC’s are a very welcome and useful addition for the practice in privacy land. For data importers in third counties being compliant under the GDPR seems to be no longer hardly impossible.
Article provided by: Bob Cordemeyer and Wouter Huisman (Cordemeyer & Slager Advocaten, The Netherlands)
Dr. Tobias Höllwarth (Managing Director INPLP)