Each week OneTrust hosts industry experts to discuss the latest privacy, security, data governance, and compliance updates, trends, and developments in the world via LinkedIn Live. In this session, Kabir Barday, CEO of OneTrust, was joined by Alexis Kateifides, Privacy Counsel at OneTrust, and Eduardo Ustaran, Partner at Hogan Lovells, to discuss the latest Schrems II impact, including recommendations from the EDPB on data transfers and the European Commission on Standard Contractual Clauses (SCCs). 

Watch the discussion now: Schrems II: EDPB and SCC Updates

Schrems II Impact: The Latest Data Transfer and SCC Developments

The privacy landscape continues to change, shaped significantly by landmark rulings such as the Schrems II decision. Following this, we continue to see significant updates to guidelines on the handling of international data transfers, notably the recommendations released by the EDPB. The EDPB published its ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’ and also issued its ‘Recommendations 02/2020 on the European Essential Guarantees for surveillance measures’. Only one day later, the European Commission released a draft of its revised SCCs.

With both the EDPB’s data transfer recommendations and the European Commission’s SCC revisions in draft stages, what changes can we expect to see before they are finalized?

Alexis highlights that there are not often huge overhauls: “usually it’s clarifications, sometimes some interesting new definitions, new sentences or rephrasing to be aware of, as the devil is always in the detail with these things.” The Schrems II impact is a considerable focus around the world, and the results of the consultations will be keenly awaited.

EDPB’s Recommendations for Supplementary Measures

When asked what supplementary measures organizations should be implementing, above and beyond what they were doing before, to get data transferred to them from the EU, Eduardo highlights how helpful the data protection authorities have been in sharing their views as regulators and providing a range of options. “They are giving us a very large menu of options that we can use in practice to take things forward,” said Eduardo.

Kabir notes that these measures fall into three different categories:

  • Technical Measures: Leveraging technology to reduce the risk of unjustified access. These could include anonymization, pseudonymization, and encryption.
  • Contractual Measures: An agreement between the importer and the exporter that outlines certain steps to, again, minimize the risk of unjustified access to the data.
  • Organizational Measures: Internal actions, such as data disclosure policies or transparency reports.

Eduardo adds, “What all three categories of measures have in common is the aim to reduce the potential level of access in the absence of controls in the local jurisdiction.”

SCCs should be considered to provide a baseline of protection; additional measures should then be added on top of this baseline depending on an organization’s assessment of what is necessary. “This puts a lot more overhead on the data controller to make sure that where the data is going and where they are sending that data is appropriate and has the right measures. The controller needs to know every time there are data transfers, ‘What is the impact in that country on the sensitivity of the data?’… They need to do a unique, specific assessment on every one of those flows to know what types of measures are adequate,” explained Kabir.

Eduardo also shares that this increased workload is the direction that data protection is going, “The GDPR is all about accountability, it’s all about taking responsibility for what you are doing.”

How to Continue Using Standard Contractual Clauses

The Schrems II impact was felt not only by those who used Privacy Shield, but also by organizations that relied on SCCs. The ruling did not invalidate SCCs as a transfer mechanism but did require them to be considered on a case-by-case basis. Following this, the European Commission has released a draft revision of their guidance around SCCs.

When considering the changes to the European Commission’s SCC recommendations, Alexis notes that you can see the Schrems II impact, “there are direct citations in the SCCs back to, not just the CJEU decision, but also pre-referencing EDPB guidance as well.”

Eduardo explains that SCCs should be looked at as a tool, removing the need for companies to draft their own contracts to legitimize their data transfers. The European Commission shoulders the burden of this contract drafting with a pre-approved contract, taking you 80% of the way there and leaving room to add additional safeguards. 

“I think the draft agreement is very good, and the modular approach makes it very clear, the fact that it follows the principles that you see in the GDPR makes it easy to understand,” said Eduardo.   

Over the remainder of the consultation periods there will, of course, be changes that need to be closely watched, but these important recommendations and updates are sure to be notable results of the Schrems II impact.

Watch the discussion now: Schrems II: EDPB and SCC Updates, and follow OneTrust on LinkedIn to receive notifications for upcoming LinkedIn Live events. For more information and resources to help you understand the Schrems II decision further, visit the OneTrust Schrems II Solutions page.
