Corporate Compliance Insights
Schrems II May Change Everything

What Companies Should Be Doing to Prepare

by Paul Breitbarth
October 5, 2020
in Data Privacy, Featured

The recent Schrems II decision by the Court of Justice of the European Union found that the EU-U.S. Privacy Shield is invalid. TrustArc’s Paul Breitbarth offers guidance for companies on how to maintain compliance going forward.

Thousands of businesses regularly transfer personal data between EU countries and the U.S. The Privacy Shield agreement governed those transfers, but in July, the Court of Justice of the European Union (CJEU) invalidated the agreement in what is colloquially known as the Schrems II case. Schrems II also forced the court to examine standard contractual clauses (SCCs), another mechanism for transferring personal data between the U.S. and the EU. Organizations are now left with more questions than answers when it comes to the international transfer of personal data.

What is Schrems II and why does it matter?

In the context of commercial data privacy, the invalidation of Privacy Shield is important in its own right. However, that invalidation was collateral damage from the two legal cases that bear privacy advocate Maximilian Schrems’ name. The Schrems cases were about data transfers, specifically from EU member states to the U.S., by a large technology organization.

The latest ruling reflects the Irish Data Protection Commissioner’s (DPC) mandate that the organization cease data transfers from the EU to the U.S. For technology companies whose business models depend on selling advertising space based on customer data, the ruling is a potential blow to their operations.

That’s a fact that seems to have escaped many businesses as they prepared to comply with data privacy regulations, namely GDPR. The monetary penalty that befalls a company may not be the worst consequence of noncompliance. In fact, as the Schrems II ruling shows, regulators may even halt businesses from exporting data from Europe altogether.

Be Prepared for Sudden Changes to Data Transfer Laws

Schrems II made clear that, unless U.S. surveillance laws change, a decision restricting continuous data flows to the U.S. will eventually follow. Technology companies (and others that leverage customer data as part of their business model) should by now be working on a backup plan for potential restrictions.

The bad news is threefold:

  • As part of the Schrems II decision, it is up to the data protection authorities in each country to enforce the law, as the Irish DPC is expected to do.
  • The data transfer workarounds companies attempt to implement are going to be clunkier than they would like: there is no one-size-fits-all solution at the moment.
  • Some of these workarounds may even be invalid themselves.

Understand Mechanisms for Compliance

The best approach companies can take is to understand the data transfer mechanisms that may be in play and how to use them. Without an agreement such as Privacy Shield in place, there is no adequacy decision that validates data transfers between companies in the EU and those in the U.S. Instead, organizations must turn to other options, including SCCs and/or binding corporate rules (BCRs).

It’s important to remember that while the focus of Schrems II analysis has been on data transfers between the EU and U.S., companies must also address data transfers from the EU to the rest of the world. Ninety-two countries have international data transfer requirements, many of which differ from one another. Furthermore, there are 168 countries that are not members of the EU. Some of these countries have strong privacy laws and limited surveillance laws, and some have adequacy decisions, but most do not.

In effect, companies that wish to transfer data from an EU member state to another country must assess the regulations and adequacy decisions of each country and whether SCCs, BCRs or other mechanisms are still sufficient.

Binding corporate rules govern an entity or group of entities. They apply to data transfers within one entity or group of entities; BCRs do not apply to data transfers between two different entities. These rules would not necessarily protect against government interference, and companies may still have to implement additional safeguards depending on the country in question.

Standard contractual clauses operate on a per-contract basis. Every time an organization enters into an agreement to transfer data to another organization, it must fill out an SCC and the adjoining annex. An SCC annex describes the data the organizations will send to one another. The typical problem with SCCs is that many organizations do not read the entire contract or fill out the annexes. If these annexes are not filled out, neither company is compliant.

Furthermore, following the Schrems II case, an additional annex will need to be prepared, spelling out extra safeguards of an operational, technical and legal nature that will help to protect transferred data against the risk of government interference. What these safeguards could be also depends on the volume and nature of the data. Specific regulator guidance on this point is expected in the coming weeks and months.

Take a Proactive Approach to Changing Privacy Regulations

Ideally, the European Data Protection Board (EDPB) would assess the most relevant economies for international data transfers and recommend what safeguards could be put in place for those transfers. As long as such assessments have not been published, the privacy industry must take it upon itself to devise mechanisms for valid data transfers so that some standardization exists. Without EDPB-recommended safeguards or an industry standard in place, it will be nearly impossible for companies without the adequate resources to make assessments of every country’s data privacy laws.

In the meantime, organizations can help themselves prepare for the eventual decision by:

  • Reviewing their international data flows and starting the case-by-case assessment of what additional measures might be needed to protect the data against government interference.
  • Reviewing their data-processing agreements and ensuring that, where relevant, SCCs are attached, filled out and signed.
  • Reviewing the revised draft SCCs once they become available (likely early October) and taking part in the stakeholder consultation. Once the European Commission finalizes and approves these new SCCs, organizations must work with the updated clauses as is.
  • Reviewing the European Data Protection Board’s data controller/processor guidelines. These guidelines are still open for feedback until October 19.
  • Finding technology that can automate privacy law assessments. No matter what the European court decides, organizations must be responsible for understanding their data privacy risks and how those risks pertain to different international laws.

Tags: data governance, Privacy Shield

Paul Breitbarth

Paul Breitbarth is a privacy lawyer from the Netherlands. In 2016, he joined the Canadian privacy software and research company Nymity, which became part of TrustArc in November 2019. He currently serves as Director, EU Policy and Strategy and is based at TrustArc’s office in The Hague, the Netherlands. As part of the Privacy Intelligence team, Paul contributes to the company’s content development and thought leadership, via papers, webinars, podcasts and public speaking opportunities on a variety of topics, including accountability, the demonstration of compliance and dealing with multiple data protection laws with one single privacy program. Paul also maintains regulator contacts across the EU and beyond. Paul is Senior Visiting Fellow and member of the Advisory Board at Maastricht University’s European Centre on Privacy and Cybersecurity. Before joining Nymity, Paul served as senior international officer at the Dutch Data Protection Authority. He was an active member of various Article 29 Working Party subgroups, co-authoring opinions on the data protection reform, surveillance, the Privacy Shield and others. In 2015, he organized the International Privacy Conference in Amsterdam. Paul holds a Master of Laws from Maastricht University in the Netherlands.

© 2021 Corporate Compliance Insights