International Transfers of Personal Data After Schrems II: Practical Compliance Steps
Quick Hits
Schrems II Recap
Most people are now familiar with the Schrems II requirements to “know your transfers” and to protect personal data when such information is subject to processing (including remote access to personal data located within the EEA from a country outside the EEA) in a country that does not provide a level of data protection essentially equivalent to that offered within the European Union. These requirements have introduced additional administrative burdens for organisations around the globe. Organisations are now obligated to assess, on a case-by-case basis, all transfers of personal data to third countries (i.e., countries outside the EEA that do not benefit from a European Commission adequacy decision) by undertaking a Transfer Impact Assessment (TIA). The TIA identifies whether supplementary measures, such as technical measures, are necessary to protect personal data and whether these measures would be effective in providing an essentially equivalent level of protection, principally against the unlawful disclosure of personal data to governmental authorities.
EU-U.S. Data Privacy Framework 2023
In 2023, there was welcome news with the European Commission’s adoption of an adequacy decision for the EU-U.S. Data Privacy Framework and the Information Commissioner’s Office (ICO, the UK’s data protection regulator) adoption of the UK Extension to the EU-U.S. Data Privacy Framework (DPF). With this came renewed hope that transfers of personal data to the United States would take place more easily, as the DPF restored a legal basis for transfers of EU and UK personal data to organisations in the United States certified to the DPF, without the need to implement further safeguards.
The DPF is limited in its application and is most effective when the processing is, in fact, covered by it. DPF-certified organisations that opt to rely on U.S. affiliates and sub-processors not certified to the DPF—or on organisations in countries that do not benefit from a European Commission adequacy decision—must carry out assessments for these onward transfers to satisfy the legal requirements of the GDPR and Schrems II.
In any event, the European Commission’s adequacy decision was based on an assessment of changes to U.S. domestic legal practices (although there was no reform of surveillance laws) brought about by Executive Order (EO) 14086. The European Commission considers these changes to offer protections to personal data that are “essentially equivalent” to those under EU law and therefore to remove the need for additional measures to safeguard personal data. Changes applicable to all data transfers to the United States include additional safeguards, oversight of the collection of personal data through U.S. signals intelligence (SIGINT) activities, and a redress mechanism for non-U.S. individuals. EO 14086 may also facilitate a more straightforward TIA for transfers of personal data to the United States, even where the DPF itself is not the appropriate transfer mechanism for a particular transfer.
Regulatory Scrutiny 2024
While the application of Schrems II has traditionally been focused on companies and organisations that are subject to the GDPR, supervisory authorities are now also applying it when challenging institutions and bodies subject to other data protection laws (e.g., Regulation (EU) 2018/1725, the European Union’s data protection law for EU institutions, bodies, offices, and agencies). For example, the European Data Protection Supervisor has investigated the European Commission and found it to have breached data protection law requirements when transferring personal data to a cloud-based services provider.
The emphasis remains on “know your transfers” and, where there are transfers of personal data, on ensuring that appropriate technical and organisational measures are in place to provide protection essentially equivalent to that offered within the European Union. Organisations subject to Regulation (EU) 2018/1725 must comply with strict requirements, many of which align with the GDPR and the ruling in Schrems II, but that regulation places further requirements on controllers. These include ensuring that third-party processing is strictly necessary for a public-interest task and limiting the personal data processed to that required for a specific purpose in the public interest.
Failure to comply with data protection laws can attract corrective measures, including orders to cease transfers of personal data and significant financial penalties. Noncompliance with the EU GDPR and UK GDPR can attract regulatory fines of up to 4 percent of an organisation’s global annual turnover.
Practical Steps for Personal Data Transfer Compliance