GDPR governs data privacy in the EU, and organizations on both sides of the Atlantic are grappling with its intricacies.
However, understanding the ins and outs of GDPR, particularly its provisions around international data transfers, can take time and effort. To further complicate matters, the Schrems II decision invalidated the EU-US Privacy Shield Framework and prompted an ongoing reassessment of some of these transfer mechanisms.
In this article, we will delve into the GDPR’s data transfer mechanisms and discuss the implications of the Schrems II decision.
What Are Data Transfer Requirements Under GDPR?
GDPR puts several critical security requirements in place to meet the demands of its overall mission of protecting consumer privacy. In a modern, digital, and international world, however, it’s challenging to manage those protections when companies exist under multiple jurisdictions.
To protect against potential threats to data privacy, GDPR includes well-defined requirements that apply to the transfer of private data from the EU to other jurisdictions that may not meet minimum GDPR standards.
The general principles behind principles of data transference are as follows:
This is the most common way to transfer data outside the EU. The European Commission can determine that a particular non-EU country has adequate data protection. This means the country’s domestic laws or international commitments ensure a level of protection equivalent to that in the EU.
If there’s no adequacy decision for a particular country, data can still be transferred if the data controller or processor has provided appropriate safeguards. These can take several forms, including:
- Binding corporate rules adopted by multinational groups of companies (and approved by GDPR auditors and authorities) for transfers of personal data within the group.
- Standard data protection clauses running in accordance with GDPR examination procedures.
- A binding commitment between controllers and processors in both jurisdictions, following a code of conduct pursuant to GDPR Article 40.
These safeguards should be provided via contractual clauses between controllers and processors and data recipients or as part of administrative arrangements between public organizations.
Derogations provide certain specific situations under which organizations can transfer data outside the EEA, even if the recipient country still needs to implement regulations that meet the standards or GDPR.
These specific derogations include:
- Explicit Consent: The data subject (the individual whose data is being processed) has explicitly consented to the proposed transfer. This requirement includes the caveat that the data subject has been fully informed about the absence of adequacy.
- Performance of a Contract: The transfer a requirement to execute a contractual relationship between the data subject and the data controller or to implement pre-contractual measures.
- Contractual Necessity: The transfer is necessary for the performance or conclusion of a contract between an individual and a controller or another person.
- Legal Claims: The transfer is necessary to establish, exercise, or defend legal claims
- Vital Interests: If the data subject cannot provide consent, the transfer is still necessary to protect the interests of the data subject.
- Public Interest: The transfer is in the interest of public safety, security, or well-being.
- Public Register: The transfer relates to data from a register which, according to EU or member state law, is intended to provide information to the public and is open for consultation by the public in general or any person demonstrating a legitimate interest
- Legitimate Interests: As a last resort, when the transfer could not be based on any of the other derogations, a transfer to a third country may take place if it is limited in scope and contains a compelling reason for the controller to execute it.
Please note that reliance on a derogation should be the exception rather than the norm. They are meant to be used in exceptional cases where other lawful transfer mechanisms (like adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules) are not feasible.
Remember to always consult with a legal professional or a relevant authority for the most current and accurate advice since this area of law is complex and subject to change.
Privacy Shield and the Schrems II Decision
While we’ve discussed several options for transferring data outside of EU jurisdiction, it’s common practice to follow regulations when moving information in and out of Europe. That means companies and other organizations should meet these minimum requirements when storing or processing information.
And the governing bodies behind GDPR are serious about this requirement. Consider the Schrems II decision (often simply called “Schrems II”).
What Was the Privacy Shield Framework?
The Privacy Shield Framework was a program developed by the Department of Commerce, the European Commission, and other relevant stakeholders. Its purpose was to establish a framework for organizations moving data between these jurisdictions and included several baseline requirements for how security and privacy controls would be regulated in line with stringent EU regulations.
US companies complying with Privacy Shield were usually those intending to do some business in Europe and required that they self-report regulatory compliance regarding data storage, privacy, transfer, and processing.
In July 2020, however, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield, saying it did not adequately protect EU citizens’ data. This decision came about due to concerns over US surveillance practices and EU citizens’ lack of judicial redress.
After this, the Privacy Shield could no longer be used as a lawful mechanism for transferring data from the EU to the US.
What Is the Schrems II Decision?
The case against Privacy Shield was named after Maximilian Schrems, an Austrian privacy advocate, and it’s the second significant CJEU judgment involving him. To kick off the case, Schrems filed a complaint with the Irish Data Protection Commissioner regarding Facebook’s transfer of his data from the EU to servers located in the United States.
In this decision, the court made two key rulings:
- Invalidation of the Privacy Shield Framework: The court invalidated the Privacy Shield Framework. The court held that the Privacy Shield did not sufficiently protect EU citizens’ data because of the potential for US government surveillance (as made public by whistleblowers like Edward Snowden).
- Validity of Standard Contractual Clauses (SCCs): On a more positive note for many businesses, the court upheld the validity of Standard Contractual Clauses as a mechanism for transferring personal data outside the EEA. However, the court emphasized that companies must verify whether the law in the recipient country ensures adequate protection of the data transferred under SCCs, in line with EU data protection requirements.
Suppose the data exporter or importer cannot ensure such protection. In that case, they must suspend the data transfer or potentially face action from their local data protection authority. This aspect of the ruling has created uncertainty and potential risk for organizations relying on SCCs, particularly for data transfers to countries like the US, where government surveillance may occur.
The invalidation of the Privacy Shield has significant implications for thousands of businesses that rely on it for data transfers. It means that US businesses operating in the EU (or serving EU citizens) must meet minimum GDPR requirements when handling and moving private data.
Manage Privacy Controls and Data Transfer Flow with Continuum GRC
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.