The importance of Cross Border Data Transfers (“CBDTs”) for organisations should not be underestimated in the digital era, as organisations rely on transfers of personal data to third countries (i.e. countries located outside the EU/EEA) to provide competitive prices. That said, precautionary measures must be taken because, typically, importers of personal data in non-EU/EEA countries do not offer a level of protection equivalent to that within the EU. As a counterbalance, the General Data Protection Regulation (“GDPR”) imposes several obligations on controllers and processors involved in such transfers.
Generally, data transfers to third countries are prohibited unless the receiving country has received an adequacy decision from the European Commission (“EC”). In the absence of such a decision, outward transfers may only be conducted if the receiving jurisdiction proves that it has implemented appropriate safeguards that guarantee data subjects’ rights and effective legal remedies. These safeguards are set out in Chapter V of the GDPR, the most common being the Standard Contractual Clauses (“SCCs”) published by the EC, as recently updated on 4th June 2021.
Following Case C-311/18 (more commonly known as Schrems II), companies engaging in particular with US-based organisations must take stock of their data processing activities and ensure that transfer safeguards (such as the execution of SCCs) are implemented. The decision in Schrems II also cast doubt upon the validity of the SCCs now that the GDPR is in force. While the SCCs were not invalidated per se, organisations will now have to undertake a Transfer Adequacy Risk Assessment (“TARA”) over and above the execution of SCCs. In a TARA, organisations assess whether the data importer offers a level of protection which is essentially equivalent to that found within the EU.
Therefore, the data exporter and importer must jointly create a data map of all transfers and assess the effectiveness of their transfer tools (such as the SCCs) in light of the European Essential Guarantees (“EEGs”). In essence, the EEGs require that processing is based on clear, precise and accessible rules, is necessary and proportionate to the legitimate aims pursued, and that the data importer’s jurisdiction guarantees an independent oversight mechanism. Additionally, where such transfers take place, the data subjects involved must have access to an effective remedy to exercise their rights under the GDPR. If the above-mentioned evaluation proves to be negative, the data importer must identify and implement effective supplementary measures, which may be technical, organisational or contractual. Lastly, there must be documented processes in place to ensure the ongoing re-evaluation of the above at appropriate intervals.
More recently, in March 2022, the EU and EC committed to a new Trans-Atlantic Data Privacy Framework, which should (in theory) address the concerns raised by the Court of Justice of the European Union in the Schrems II judgement. The US appears to have shown commitment to implement new safeguards to ensure that data surveillance activities are necessary and proportionate in the pursuit of defined national security objectives. Such initiatives would be in line with EU personal data law requirements and would create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by US intelligence activities.
Article provided by INPLP member: Gege Gatt (Malta IT Law Association, Malta)
Dr. Tobias Höllwarth (Managing Director INPLP)