Earlier this month, TrustArc held its third Privacy Risk Summit with over 40 thought-provoking speakers and more than 20 sessions covering numerous privacy topics. The first regulatory session of the summit, “International Data Flows post Schrems-II: What to Expect and What to Forget,” focused on the consequences of the Schrems-II decision from the EU Court of Justice. Session panelists included Peter Blenkinsop (Partner, Faegre Drinker Biddle & Reath), Ignacio Gomez Navarro (Legal Officer, European Data Protection Board), Travis LeBlanc (Board Member, Privacy and Civil Liberties Oversight Board) and moderator Paul Breitbarth (Director, EU Policy & Strategy, TrustArc). The following is a recap of the session highlights.
Peter Blenkinsop discussed what companies should assess if they want to continue to transfer personal data from the European Union to the United States. He explained that companies must at all times meet the requirements of chapter V of the EU General Data Protection Regulation. The main point of concern right now is how to provide appropriate safeguards under article 46: companies will need to select a transfer tool, whether standard contractual clauses, binding corporate rules, certifications and codes of conduct, or more ad hoc solutions. Since the Schrems-II judgment, they will also need to make a case-by-case assessment to find out whether the laws and practices of the third country actually make it possible to execute the agreed appropriate safeguards. To do so, companies will need to map their data flows, both the initial transfers and any subsequent onward transfers. Furthermore, these assessments should take particular account of any national security legislation in the third country, following the four European Essential Guarantees. Peter also made clear that this is a largely untested area of law – many national security agencies are not interested in accessing data from everyone, but it is unclear to what extent the reality of data access may be taken into account in the assessments.
Ignacio Gomez Navarro subsequently explained the recommendations the Board is preparing on the supplementary measures that can be taken to ensure data originating from the EU is well protected. Any supplementary measures will always need to be specific to each third country, both in terms of its legislation and the practice of government access. Measures can be organisational in nature, but also contractual or technical, depending on the type of data being transferred. The recommendations provided so far are all examples of what can and cannot be done. The responsibility to implement the supplementary measures lies clearly with the data controller. Ignacio also explained that there is no agreed definition of what constitutes a data transfer – the legislator chose not to include one in the GDPR, despite calls to do so. It is a complex issue, not least because of continuous technological developments. In the end, what matters is whether the protections required by the GDPR are met. It could be that the GDPR applies directly, because goods and services are offered to people in the EU, or that personal data is indeed transferred, but in all situations the data recipient will need to ensure compliance with GDPR standards.
The final introduction was given by Travis LeBlanc. He gave his perspectives on the ongoing negotiations for a possible successor to the Privacy Shield. The European surveillance concerns have been around for a while, and the U.S. has made serious efforts to address them, including by increasing transparency on existing surveillance programs during the joint reviews of the Privacy Shield mechanism. Since the Schrems-II decision, the U.S. has been eager to get the conversation going on a new transatlantic data transfer mechanism, given its importance for both economies. It seems, however, that there is still a long way to go. Earlier in the week, EU Commissioner Reynders stated that he expects a decision to take years. It seems the EU is expecting a lot more in terms of privacy legislation from the U.S., even though it remains unclear whether new state-level legislation can even be taken into account. Travis also explained that a new U.S. adequacy decision may not be top of mind for Europe at the moment, given the many other international data protection discussions taking place: UK adequacy, the Irish enforcement cases against Facebook and others, and more.
Watch the session “International Data Flows Post Schrems-II: What to Expect and What to Forget” in its entirety here.