In the era of digital technologies, fintech and the fourth industrial revolution, data play a key role in a company’s success. This necessitates not only data, but also their availability across locations. In this context, data transfers need to be not just efficient, but also compliant. Schrems II is a pivotal moment in this regard.
Why is Schrems II highly relevant for your organisation?
To begin with, Schrems II concluded that each data transfer needs to be reviewed separately. In the past, specific frameworks (initially the Safe Harbor and later the Privacy Shield) governed data transfers from EU (European Union) countries to the USA. The Schrems II ruling effectively invalidated the Privacy Shield. From now on, there will be no panacea which can be applied to all data transfers. In fact, as every data transfer is different, each one of them needs to be reviewed separately in order to ensure the equivalent level of data protection is provided as required under the General Data Protection Regulation (GDPR).
In addition, Schrems II requires that all transfers to all third countries are protected. Indeed, the Privacy Shield was a framework for data transfers between EU companies and the USA. Nevertheless, the Schrems II ruling and the subsequent clarifications from the European Data Protection Board (EDPB) were clear that the core principles of the judgment as well as its implications extend to all transfers to all third countries.
Furthermore, Schrems II comes at a key moment because it is vital that your organisation incorporates its developments while building both your workforce of the future and your digital capabilities. Today, all industries are facing a digital transformation in the way we work. The workforce is becoming increasingly global in terms of location. These elements are shaping and further accelerating the digital workforce of the future. On top of that, the technological developments in cloud and blockchain computing are increasing the need for cross-border collaboration. Therefore, data is transferred and accessed across the globe, in a fast, efficient and secure way.
The six-step approach: how to ensure full compliance for your data transfers
Following Schrems II, the CJEU (Court of Justice of the European Union) upholds the validity of Standard Contractual Clauses (SCCs) as a transfer tool that may serve to ensure contractually an essentially equivalent level of protection for data transferred to third countries. However, it was pointed out that controllers or processors are responsible for verifying, on a case-by-case basis and where appropriate in collaboration with the importer in the third country, whether and which supplementary measures need to be implemented in order to fill potential gaps in the protection and bring it up to the level required by EU law.
To assist data exporters with this task of assessing third countries and identifying appropriate supplementary measures where needed, the EDPB has adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. These recommendations contain a roadmap of six steps which data exporters must take to find out if they need to put in place supplementary measures and help them identify those that could be effective.
These six steps are explained in detail in our paper:
- Step: know your transfers;
- Step: identify your transfer tools;
- Step: assess the sufficiency of your transfer tools;
- Step: adopt supplementary measures;
- Step: procedural steps for implementing the supplementary measures;
- Step: re-evaluate at appropriate intervals.
Which are the essential guarantees for surveillance measures?
The EDPB underscored that the fundamental rights regarding respect for private and family life, including communications, as well as the protection of personal data, apply to everyone. Consequently, the EDPB adopted recommendations for the European Essential Guarantees for surveillance measures.
The European Essential Guarantees recommendations provide data exporters with elements to determine if the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as justifiable interference with respect to the right to privacy and protection of personal data. And therefore, whether surveillance in third countries impinges on the commitments that GDPR enforces regarding transfer tools which data exporters can rely on.
These four guarantees are explained in detail in our paper:
- Guarantee A: processing should be based on clear, precise and accessible rules;
- Guarantee B: necessity and proportionality with regard to the legitimate objectives;
- Guarantee C: an independent oversight mechanism should exist;
- Guarantee D: effective remedies need to be available to the individual.
How can PwC help?
The global regulatory landscape of data protection is continuously evolving, hand in hand with the advancements of digital technologies and the global economy. At PwC, we offer a wide spectrum of services aimed at helping your organisation stay on top of all the developments in data protection and beyond, and more specifically on how to incorporate data protection into your various digital, organisational and resilience transformation activities. PwC can become your trusted partner and strategic advisor across your compliance, legal, implementation, post review and quality assurance efforts.
Ensuring full compliance for your data transfers
If you are interested to learn more about the significance of Schrems II and the detailed roadmap to ensure full compliance for your data transfers, read our latest publication.