The following “5 Stages of Additional Safeguards Under Schrems II” were derived from the top questions and comments submitted by over 4,000 participants in recent Schrems II webinars, including General Counsels, Chief Privacy Officers and Data Protection Officers from leading global data-driven companies.
STAGE ONE - AWARENESS
Companies learned on 16 July 2020 that they could no longer rely on the Privacy Shield for the lawful international transfer of EU personal data. This final, non-appealable ruling by the CJEU covers processing by US and other non-EU/EEA Cloud, SaaS and outsourcing providers - regardless of where the servers are located.
STAGE TWO - ACCEPTANCE
Under Schrems II, Standard Contractual Clauses (SCCs) can still be used, but only if augmented by “Additional Measures” that provide more than contractual promises to protect against breaches of fundamental rights, including surveillance by foreign governments. Data Protection by Design and by Default imposes obligations on data controllers under the GDPR to balance the fundamental personal rights to data protection against the societal benefits from data processing. This means that if the desired processing results can be achieved using de-identified, non-identifiable data, it is the responsibility of the data controller (not of the processor or the vendor) to do so. If portions of the desired processing cannot be achieved using de-identified, non-identifiable data, those portions must be processed within the EU, unless another exception enables lawful data transfer in compliance with Schrems II.
STAGE THREE - UNDERSTANDING
These potential Additional Safeguards have been identified to date:
- Encryption - protects data when in transit and at rest but not when in actual use.
- Anonymisation - The GDPR standard for Anonymisation is very difficult and often impossible to achieve in today’s big data world without deleting important value from the data ecosystem for all time, significantly diminishing the value and potential innovation available from the data.
- Pseudonymisation - The requirements necessary to satisfy the GDPR definition of Pseudonymisation are different from the pre-GDPR “casual” understanding of the term – you must now satisfy significantly heightened requirements. Only a very small subset of what might previously have been considered “pseudonymised” data will satisfy the new definitional standard under Article 4(5). The GDPR definition now requires that:
- The processing of personal data must be accomplished in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information;
- Such additional information must be kept separately; and
- Technical and organisational measures must ensure that the personal data cannot be attributed to identifiable persons without requiring access to the separately and securely stored “additional information.”
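The three Article 4(5) requirements above can be made concrete in code. The following is an added illustration, not code from the original article or from any vendor: a “casual” unkeyed hash is contrasted with a scheme where the secret key and the token-to-identity mapping (the “additional information”) live in a separate object that the released dataset never carries. The sample records and all names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (hypothetical; not from any real system).
RECORDS = [
    {"email": "alice@example.com", "purchase": 42.0},
    {"email": "bob@example.com", "purchase": 17.5},
    {"email": "alice@example.com", "purchase": 8.0},
]


def casual_pseudonym(identifier: str) -> str:
    """Pre-GDPR 'casual' pseudonym: an unkeyed hash. Anyone who can guess the
    identifier can recompute it, so nothing is actually kept separately."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


class AdditionalInformation:
    """The separately stored 'additional information' of Article 4(5): a secret
    key plus the token -> identifier mapping. Re-attribution requires this
    object, which is held (and access-controlled) apart from the dataset."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # never leaves this store
        self._mapping = {}                    # token -> original identifier

    def pseudonym_for(self, identifier: str) -> str:
        # Keyed hash: without _key the token cannot be recomputed from a guess.
        token = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self._mapping[token] = identifier
        return token

    def reidentify(self, token: str) -> str:
        return self._mapping[token]


def pseudonymise(records: list, store: AdditionalInformation) -> list:
    """Replace the direct identifier with a token. The released dataset keeps
    linkability (same person -> same token) but carries no identifier."""
    return [{"subject": store.pseudonym_for(r["email"]), "purchase": r["purchase"]}
            for r in records]
```

The released list can be analysed per subject, while re-attribution is only possible for whoever holds the `AdditionalInformation` store; a second store with its own key cannot reproduce the tokens.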
STAGE FOUR - EVALUATING
Companies need to consider what combination of SCCs, Additional Safeguards, localised processing and Data Protection by Design and by Default will enable them to properly balance the fundamental personal rights to data protection and the societal benefits from data processing. The Data Embassy Principles are a combination of Additional Safeguards, localised processing and Data Protection by Design and by Default currently under consideration by the EDPB.
STAGE FIVE - DEFENSIBLE BUSINESS POSITION
The Schrems II decision, as reinforced by the FAQs published by the EDPB, does not provide for any grace period for compliance. In addition, the ruling emphasises that unlawful data transfers and processing must be stopped, rather than penalised. The resulting loss of access to necessary data can have a material adverse effect on a company.
It is critically important to commence the Stage Four evaluation now, so that when a regulator “knocks on your door” your company has a defensible position: it can show that it has begun evaluating the proper combination of SCCs, Additional Safeguards, localised processing and Data Protection by Design and by Default, in order to avoid unnecessary disruption of data flows and ensure continuity of business operations.
As noted by Anna Buchta, Head of EDPS Policy & Consultation, in one of our webinars:
“From the point of view of the regulators, we at EDPS and others have said many times already, given the fundamental constitutional importance of this ruling, there has to be a before and after Schrems II. There will have to be consequences and that, unfortunately, may mean that certain transfers will not be able to continue with the available legal instruments without Additional Safeguards to ensure equivalent protection as under the GDPR, and that it might, unfortunately, impact certain jurisdictions and certain types of transfers, in particular.”