It’s been a busy few years of mapping data flows, assessing third-country laws and practices, repapering contractual clauses, and implementing technical and organisational measures as private and public organisations undertook to meet a 2022 hard deadline for ensuring that transfers of personal data of individuals in the European Union (EU) complied with the 2016/679 General Data Protection Regulation (GDPR) and European Court of Justice Case C-311/18 (the Schrems II ruling) and to address the impacts of a March 2024 compliance deadline for transfers of UK personal data.
This article provides a refresher on controller obligations for both private and public organisations when it comes to handling individuals’ personal data.
Quick Hits
- Schrems II, a framework traditionally focused on companies and organisations that are subject to the GDPR, is now being applied to supervisory authorities challenging institutions and bodies subject to other data protection laws, such as Regulation (EU) 2018/1725—the EU’s data protection standard for EU institutions, bodies, offices, and agencies.
- Failure to comply with data protection laws can attract corrective measures, including orders to cease transfers of personal data and significant financial penalties. Noncompliance with the EU GDPR and UK GDPR can attract regulatory fines of up to 4 percent of an organisation’s global annual turnover.
- Entities affected by international personal data transfer laws will likely want to complete a data mapping exercise to identify all exports of personal data outside the European Economic Area (EEA), identify the most appropriate transfer mechanism for a transfer, and implement appropriate contractual, technical, and organisational measures to safeguard personal data.
Schrems II Recap
Most people are now familiar with the Schrems II requirements to “know your transfers” and to protect personal data when such information is subject to processing (including remote access, from a country outside the EEA, to personal data located within the EEA) in a country that does not provide a level of data protection essentially equivalent to that offered within the European Union. These requirements have introduced additional administrative burdens for organisations around the globe. Organisations are now obligated to assess, on a case-by-case basis, all transfers of personal data to third countries (i.e., countries outside the EEA that do not benefit from a European Commission adequacy decision). This is done by undertaking a Transfer Impact Assessment (TIA) to identify whether supplementary measures, such as technical measures, are necessary to protect personal data and whether those measures would be effective in providing an essentially equivalent level of protection, principally against the unlawful disclosure of personal data to governmental authorities.
EU-U.S. Data Privacy Framework 2023
In 2023, there was welcome news with the European Commission’s adoption of an adequacy decision for the EU-U.S. Data Privacy Framework and the Information Commissioner’s Office (ICO, the UK’s data protection regulator) adoption of the UK Extension to the EU-U.S. Data Privacy Framework (DPF). With this came renewed hope that transfers of personal data to the United States would take place more easily, as the DPF restored a legal basis for transfers of EU and UK personal data to organisations in the United States certified to the DPF, without the need to implement further safeguards.
The DPF is limited in its application and is most effective when the processing is, in fact, covered by it. DPF-certified organisations that opt to rely on U.S. affiliates and sub-processors not certified to the DPF—or on organisations in countries that do not benefit from a European Commission adequacy decision—must carry out assessments for these onward transfers to satisfy the legal requirements of the GDPR and Schrems II.
In any event, the European Commission’s adequacy decision was based on an assessment of changes to U.S. domestic legal practices (although there was no reform of surveillance laws) brought about by way of Executive Order (EO) 14086. These changes are considered by the European Commission to offer protections to personal data that are “essentially equivalent” to those under EU law and therefore remove the need for additional measures to safeguard personal data. Changes applicable to all data transfers to the United States include additional safeguards, oversight of the collection of personal data by U.S. signals intelligence (SIGINT) agencies, and a redress mechanism for non-U.S. individuals. EO 14086 may also facilitate a more straightforward TIA with regard to transfers of personal data to the United States, even if the DPF itself is not the appropriate transfer mechanism for a particular transfer.
Regulatory Scrutiny 2024
While the application of Schrems II has traditionally been focused on companies and organisations that are subject to the GDPR, we are now seeing its application with regard to supervisory authorities challenging institutions and bodies subject to other data protection laws (e.g., Regulation (EU) 2018/1725, the European Union’s data protection law for EU institutions, bodies, offices, and agencies). For example, the European Data Protection Supervisor has investigated the European Commission and found it to have breached data protection law requirements when transferring personal data to a cloud-based services provider.
The emphasis remains on “know your transfers,” and where there are transfers of personal data, ensuring that there are appropriate technical and organisational measures in place to provide protection essentially equivalent to that offered within the European Union. Organisations subject to Regulation (EU) 2018/1725 must comply with strict requirements, many of which align with the GDPR and the ruling in Schrems II, but further requirements are placed on controllers here. These requirements include ensuring that third-party processing is strictly necessary for a public-interest task and limiting personal data based on a specific purpose in the public interest.
Failure to comply with data protection laws can attract corrective measures, including orders to cease transfers of personal data and significant financial penalties. Noncompliance with the EU GDPR and UK GDPR can attract regulatory fines of up to 4 percent of an organisation’s global annual turnover.
Practical Steps for Personal Data Transfer Compliance
- “Know your transfers.” Organisations may want to complete a data mapping exercise to identify all exports of personal data outside the EEA (e.g., types of personal data, whose personal data, purpose of processing, any special categories of personal data or data that might result in a higher risk to an individual, where the processing takes place (including onward transfers), parties involved in the processing, and the current measures in place to safeguard personal data).
- Transfer mechanisms. Organisations may want to identify the most appropriate transfer mechanism for the transfer. Data mapping will help identify if any part of the proposed transfer is covered by an adequacy decision (e.g., the DPF) and if there is a need to identify and put another valid transfer mechanism in place. Some organisations may find it necessary to put in place contractual clauses such as the EU Standard Contractual Clauses and the UK Addendum (SCCs). Organisations that choose to rely on an adequacy decision are not required to undertake any further assessment but may want to ensure that the adequacy status remains in place.
- TIA. Following Schrems II, an organisation relying on SCCs as a transfer mechanism must undertake a case-by-case assessment of the transfer and the laws and practices of the country where the personal data will be processed. Assessments will, among other things, identify whether there is a need to put in place measures to safeguard personal data—in particular, against the risk of unlawful access by a governmental authority. If any part of a transfer is not covered by an adequacy decision, an organisation will want to conduct an assessment to ensure that an appropriate transfer mechanism is in place (e.g., processor-to-processor SCCs between the processor and its sub-processors) and that measures are identified to safeguard personal data.
- Appropriate safeguards. Consider identifying and implementing appropriate contractual, technical, and organisational measures to safeguard personal data and ensure the measures will be effective regarding the transfer and the laws and practices of the relevant country.