Do Boards of Directors and stockholders need to be made aware of Schrems II? What about financial auditors and vertical industry regulators? Due to potential material adverse impacts of Schrems II non-compliance, consult with legal counsel regarding your obligation to disclose facts to internal and external stakeholders to avoid potential liability.
The CJEU ruling in Schrems II emphasizes the requirement that unlawful data transfers and processing must be stopped, rather than fined. The resulting lack of access to necessary data processing could have a material adverse effect on organisations. As a result, you should consult with legal counsel as well as the heads of the departments involved in international transfers regarding your obligation to brief internal and external stakeholders on this risk, until you can put in place measures to prevent non-compliance and the subsequent halting of data transfers. A high-level overview of the perspectives of different stakeholders follows:
- Boards of Directors – There is a global trend toward directors being held personally liable for wrongdoing resulting from legislative changes and increased enforcement activity. This means it may be critical to brief your Board of Directors regarding their own individual liability risk, not just risks to the organisation. A Financier Worldwide article[1] notes that this risk is exacerbated by the burdens imposed on companies under the GDPR, which would include Schrems II obligations. See also the discussion below regarding the obligation of financial auditors to disclose non-compliance to Boards of Directors.
- Stockholders – Material adverse financial results could arise if companies are unable to process data as desired to achieve business objectives due to failure to comply with Schrems II requirements. In addition, inaccurate, misleading or incomplete information about a company’s efforts to comply with Schrems II in publicly-filed documents could be relied upon by investors in making investment decisions to their detriment. This could give rise to potential claims by stockholders or regulatory consequences for misleading investment documents.
- Financial Auditors – External auditors retained by companies to conduct financial audits have the obligation to ensure that issued reports accurately represent the financial viability of the companies. If auditing firms do not properly represent the Schrems II preparedness of clients in an audit, they could potentially be liable for failing to adequately audit financial statements.[2] These auditors include the “Big 4” – Deloitte, KPMG, E&Y and PwC – as well as the many other accounting firms that also perform audits and issue annual reports on companies.

  The International Ethics Standards Board for Accountants (IESBA) Non-compliance with Laws and Regulations (NOCLAR)[3] rules are international ethics standards for auditors and professional accountants. They prescribe requirements for actions that must be taken by auditors when they become aware of non-compliance with laws and regulations, including non-compliance with data protection obligations. As an example, chartered accountants in the Netherlands are obligated to: (i) assess whether it is necessary to report suspected or established non-compliance with data protection obligations to a competent authority to prevent or limit loss/damage to an audit client or others; and (ii) discuss non-compliance with an audit client’s board.[4]
- Vertical Industry Regulators – Vertical industry regulators (e.g. banking, insurance, telecommunications) may require companies under their jurisdiction to represent and warrant that they are not at risk of liability under the GDPR (including Schrems II), given the magnitude of potential financial exposure. For example, central banks (e.g. the European Central Bank (ECB), which administers monetary policy for the Eurozone, and the Bank of England (BoE), the central bank of the United Kingdom) can require banks under their jurisdiction to certify that they are in compliance with the GDPR (including Schrems II requirements) due to the potential material adverse impact on the banks if they were found to be non-compliant.
The Schrems II Webinar – Lawful Data Transfer – with NOYB, EDPS and industry experts was held on 8 October 2020. Over 2,300 people registered and submitted over 900 questions. These 900+ questions were distilled down to the top 25 Frequently Asked Questions (FAQs). These FAQs are being posted to the LinkedIn Schrems II group for comments by the community. If you are not already a member of the Schrems II LinkedIn group, we encourage you to join to learn and participate in the discussion. A summary, transcript and replay of the webinar can be viewed at SchremsII.com/learn.