One of the most complex problems in the current data landscape is sharing data between organizations and government bodies and exporting data to foreign countries. The GDPR imposes restrictions on sharing personal data with countries outside of the European Economic Area, which are unlikely to enforce globally accepted norms and best data privacy and security practices.
However, the European Commission has assessed very few countries to ascertain these standards. Consequently, in most cases, the onus is on the party exporting the data to find and utilize an appropriate compliance mechanism to ensure no breach of the GDPR.
The Standard Contractual Clauses (SCCs) become relevant in this context. These contract clauses elicit commitments to protect data from both importer and exporter and have the approval of the European Commission. The data community now faces concerns over the impact on SCCs of the recent ruling in the Schrems II case, issued by the Court of Justice of the European Union (CJEU).
The main question for concerned parties remains whether they can still facilitate overseas data exports using SCCs without falling foul of possible new strictures placed on the mechanism in light of the Schrems II ruling. Let us take a closer look.
The Ruling and the Role of DPAs
Understanding the current situation requires the concession that the Data Protection Authorities (DPAs) of the European Union are nowhere near a consensus regarding privacy standards and the role of SCCs, especially in the wake of Schrems II. The CJEU ruling on Schrems II upheld that SCCs can be considered an acceptable means of sharing data overseas, contingent on the implementation of “adequate safeguards.”
Due to the divergence of opinion among individual DPAs, the phrase “adequate safeguards”, instead of becoming a uniform policy for the entire EU, now seems to be open to interpretation. However, certain aspects of the ruling have led to the establishment of concrete points regarding the future of SCCs and the impact Schrems II might have on them.
1. Confirmation of Legal Validity
The DPAs have been relatively unanimous in confirming that SCCs remain a valid and legal mechanism for exchanging data. Apart from the acknowledgments from DPAs of several European countries regarding their validity, the European Data Protection Board (EDPB) has also observed that the CJEU ruling allows the use of SCCs for data transfer going forward. This confirmation effectively negates any fear organizations might have regarding the possibility of SCCs getting invalidated after Schrems II.
2. Questions Regarding Transactions with the United States
There are many open questions when it comes to using SCCs to facilitate data transactions between the EU and the United States. The DPAs stand conflicted on this matter, with some finding the practice risky and some deeming its legality questionable. Some DPAs have advocated vetting each data transfer for validity on a per-case basis. However, these DPAs have stopped short of proclaiming SCC transfers to the United States as illegal. As matters evolve, this might become a potential roadblock for data transactions to the United States.
3. Dissent Regarding Legality
The most concerning fallout of Schrems II has been dissent from certain DPAs about the outright legality of SCCs. These DPAs believe that data transfer to the United States using SCCs lies outside the gamut of legitimacy. They have suggested that organizations keep their data inside the EU or send it to another country, if needed, with a per-case determination of adequate safeguards.
While there is some good news, the future of SCCs remains under a cloud of uncertainty.
Keeping the current state of things in mind, organizations might need to review their data export policies going forward to ensure continued compliance with the GDPR as the SCC landscape changes. It is essential to take a balanced look at data transfer requirements, how much they impact the businesses, and the possible compliance risks.
Businesses would need to analyze data flows to outside countries properly, take a look at the transfer mechanisms in use, determine the importance of the transaction for the business, and investigate the impact of having to go without such transfers. For crucial transactions, organizations must look for alternatives and workarounds like derogations or BCRs.
Additionally, stakeholders and management need a proper briefing regarding the situation and its implications going forward. Businesses sending data to third-party providers would have to communicate with them regarding contingency plans and possible sensible measures, taking precedent into account.
In the near future, organizations will likely lobby regulatory bodies to keep legal and compliant mechanisms in place to ensure data transactions to overseas countries. Businesses would also expect different DPAs to deliberate and arrive at a consensus regarding SCCs and even simplify their structure. The implications of Schrems II look likely to unfold further over time.