The Schrems II judgment continues to be one of the most talked-about developments in data protection policy. My blog on 30 April covered what Schrems II is and why it matters, so check that out if you are looking for the full background and context.
This blog covers two new developments this month relating to Schrems II and international data transfers: the European Commission adopted new Standard Contractual Clauses (SCCs) and the European Data Protection Board (EDPB) finalized their recommendations on supplementary transfer tools.
The new SCCs came into force on 27 June 2021. The European Commission envisages a transition period: organizations will have until 27 December 2022 to migrate existing contracts to the new SCCs. The new SCCs aim to address the specific concerns around government access to data described in Schrems II.
Crucially, the new SCCs allow the parties to the contract to consider the real-world situation with respect to government requests for access to data. The European Commission notes that the parties should take account of the “existence or absence of requests in the same sector” and the “documented practical experience of the data exporter and/or data importer.” In other words, the legal challenge in Schrems II turned on the possibility of government access, whereas the assessment required under the new SCCs is grounded in documented practice.
The new SCCs also require the data exporter to use “reasonable efforts” to determine whether the data importer is able to meet their obligations under the SCCs. The European Commission explains that the parties should take account of the specific circumstances of the transfer (e.g. type of data, purposes of processing, and so on), the laws in the recipient country, and supplementary measures in place.
The final EDPB recommendations retain the option for transferring pseudonymized data, if the pseudonymization process meets four requirements. The three technical requirements are unchanged, but the fourth, procedural requirement has been updated. In summary, the four requirements are:
The fourth requirement now allows the parties to consider what information the public authorities “may be expected” to use, rather than the broader “may possess” wording in the previous draft. This brings the EDPB guidance closer to the existing GDPR standard for assessing identifiability (Recital 26), which is based on the “means reasonably likely to be used.”
Taken together, the new SCCs and EDPB guidance suggest that organizations can take existing practice into account when assessing whether data access by a government agency is likely.
Many SaaS and cloud providers publish statistics on government requests for access to information, usually broken down into requests for content (e.g. the text of an email) and requests for metadata (e.g. the time a user accessed their account); examples include Google’s Transparency Report and Amazon’s Information Request Report.
We may see organizations using this data to argue that requests for access to personal data by public authorities are relatively unlikely. Microsoft’s published statistics on government requests illustrate the point.
Privitar’s Data Privacy Platform can produce data meeting the EDPB’s technical requirements. Organizations will need to assess whether they can meet the procedural requirement in each case. Our experts can help you to understand the factors contributing to contextual risk, and how to manage them.
Our team of data privacy experts is here to answer your questions and discuss how data privacy can fuel your business.