The Schrems-II decision of the Court of Justice of the European Union is by now almost a year old. A permanent solution – a replacement for the annulled Privacy Shield – is not yet in sight. New standard contractual clauses (SCCs) do seem to be on the horizon, but they will not be as foolproof as they were in the past, given that for many destinations supplementary safeguards may need to be agreed upon. In the meantime, the data protection authorities in Europe have received quite a number of complaints (the exact number has not been released) regarding international data transfers. The first cases have now come to a conclusion. What are some of the lessons learned so far?
The main decisions on post-Schrems-II international data transfers to date have been issued by the data protection authorities in Bavaria (Germany), France and Portugal. In Bavaria, the case revolved around a company using a U.S. email newsletter platform. The German company had put in place SCCs with the newsletter platform, but had neither assessed the risks involved in the data transfer nor agreed upon supplementary measures. The Bavarian DPA considered that the newsletter platform should be seen as an electronic communication service provider subject to FISA Section 702, and therefore suspended the data transfer.
In France, both the CNIL and the Conseil d’État, the supreme administrative court, voiced concerns about the use of Microsoft Azure for the new government Health Data Hub. The HDH is a platform that would allow for the collection and exchange of health data of French citizens, to be used for research purposes. Especially given the sensitive nature of the data involved, the use of a U.S. based hosting provider, subject to both surveillance laws and the U.S. CLOUD Act, was considered inappropriate. The French government agreed to ensure a new European hosting platform would be in place in the 12-18 months after an agreement was reached with the CNIL.
The final major case to date relates to the Portuguese census. The national bureau of statistics (INE) was investigated for non-compliance with data protection requirements. The DPA found that the INE had failed to complete a data protection impact assessment, even though one is deemed mandatory for a census, given the large-scale collection of sensitive data. Furthermore, INE used a platform hosted in the United States, and had not considered any supplementary safeguards to ensure the census data would enjoy a level of data protection essentially equivalent to that in the EU. For these reasons, the Portuguese DPA has suspended any international transfer of personal data to the United States or to other third countries without an adequate level of protection.
It is clear that these three cross-border transfer cases are not the only ones being dealt with by the data protection authorities in the EU. In any case, there are still the 101 complaints filed by noyb, the NGO set up by Max Schrems, and other cases have been mentioned by authorities during public conversations as well. To what extent enforcement will change in the near future cannot be predicted. However, based on the investigations concluded so far, it is clear that the main focus is still on EU-U.S. data transfers. Furthermore, the assessments of the DPAs seem to be based on three checks:
- What kind of personal data is transferred to a third country, with a focus on special categories of personal data;
- Whether a data transfer risk assessment has been completed; and
- Whether, when using a contractual safeguard like SCCs, supplementary measures have been considered and put in place.
Organisations that wish to ensure their data flows are in order should in any case continue to complete and document their data transfer risk assessment and, where possible, put in place supplementary measures like those recommended by the European Data Protection Board. Our earlier blog gives more detail on how to complete a data transfer risk assessment and what supplementary measures could be considered.
The three cases mentioned above were also discussed in a recent TrustArc webinar on the broader state of play regarding international data transfers. The webinar also covered developments regarding adequacy decisions and new contractual clauses, among other things. The recording of the webinar is available via this link.