The Schrems II judgment significantly changed the rules for data transfers from the EU or the UK to the US. The European Data Protection Board (EDPB) has published new draft guidelines on the supplementary measures such transfers now require. Organizations can use Privitar’s Data Privacy Platform to de-identify data in line with the EDPB requirements for international transfers. However, this is not a general solution: it will only be appropriate for some use cases and some types of data. This blog post explains what has changed and when de-identification can help.
The GDPR restricts international data transfers. International transfers are only GDPR-compliant if the organization seeking to transfer data to a third country uses one of the specified legal mechanisms. In practice, most organizations rely on either an adequacy decision or on one of the legal tools in Article 46 of the GDPR, which include standard contractual clauses and binding corporate rules.
Prior to the Schrems II judgment, US businesses could benefit from a special type of adequacy decision called Privacy Shield. EU businesses were able to transfer data to any US business certified under the Privacy Shield program. Thousands of EU businesses relied on Privacy Shield to underpin their data transfers to the US.
In July 2020, the Court of Justice of the European Union invalidated Privacy Shield. The Court found that the level of protection for individuals under US law was not “essentially equivalent to the safeguards required under EU law.” The Court’s decision aims to protect individuals’ fundamental rights. It noted that US law allows US public authorities (including surveillance agencies) to access data relating to EU data subjects without giving those individuals an effective right of redress.
However, the Court also recognized that EU – US data transfers are hugely important to businesses. It therefore allowed transfers to continue so long as the transferring organization could (1) rely on an alternative Article 46 transfer mechanism and (2) implement supplementary measures that make access to the transferred data by public authorities “impossible or ineffective.”
The decision in Schrems II is hugely significant for day-to-day business operations. It affects any business using common US based software-as-a-service (SaaS) platforms. For example, the Bavarian data protection authority concluded that a German business’s use of Mailchimp to send newsletters was unlawful, because subscriber email addresses were transferred to the US without an assessment of supplementary measures. Similar concerns apply to a European organization using applications hosted with any of the major US cloud providers.
The EDPB published draft guidance on supplementary measures shortly after the Court’s decision. The consultation closed in December 2020, after collecting more than a hundred responses. These highlighted some of the practical challenges in implementing the guidance, and the impact of a strict approach to data transfers (for example, for organizations relying on SaaS products).
The draft guidance sets out a six-step roadmap to international data transfers. Perhaps the most challenging steps are:
For many organizations, the US is their most significant destination for international data transfers. The Schrems II ruling requires supplementary measures for every transfer to the US: the Court has already found that, given the circumstances of US law, an Article 46 transfer mechanism such as standard contractual clauses is not effective on its own.
Organizations will need to assess whether supplementary measures exist which, when combined with safeguards already contained in the Article 46 transfer mechanism, can “ensure that the transferred data is afforded in the third country a level of protection essentially equivalent to that guaranteed within the EU.” This includes considering the purpose of the transfer and the nature of the data.
The EDPB explicitly states that in some scenarios no effective supplementary measures exist. Two examples it gives are a transfer to a service provider that needs access to the data in the clear to perform its service, and a transfer where the service provider (rather than the data exporter) holds the encryption keys. Both are common for SaaS applications: if the provider can decrypt the data, so can a public authority that compels the provider.
The EDPB allows pseudonymous data to be transferred, provided that four conditions are met:
Privitar’s Data Privacy Platform can produce data meeting the above outlined criteria. Used alongside an organization’s robust approach for handling quasi-identifiers and for selecting use cases for which de-identified data is appropriate, Privitar provides the technical part of a compliant transfer. Organizations will need to:
Although pseudonymization offers an option for transferring data to the US, it is not a general solution and will only be appropriate in some use cases (for example, analytics or research). Some utility loss is unavoidable, and generalization is not suitable for some types of data such as location traces, transaction histories and other datasets recording multiple events over time relating to the same individual. In such datasets the pseudonym links all of an individual’s events together, and the resulting sequence of events is usually unique to that individual even after each field has been generalized, so it remains a quasi-identifier.
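The following added example (not code from Privitar’s platform, and not a reproduction of the EDPB conditions) illustrates the two points above with constructed sample data: a keyed pseudonym whose key stays with the exporter, combined with generalization of the quasi-identifiers, gives a snapshot in which every individual is indistinguishable from at least one other; but an event-level export keyed by the same pseudonym is unique per individual even though its fields are generalized. The HMAC construction, the field names and the key are assumptions for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data for illustration only (not real customers or events).
CUSTOMERS = [
    {"customer_id": "C001", "age": 34, "postcode": "SW1A 1AA"},
    {"customer_id": "C002", "age": 37, "postcode": "SW1A 2BB"},
    {"customer_id": "C003", "age": 52, "postcode": "EC2N 1AA"},
    {"customer_id": "C004", "age": 58, "postcode": "EC2N 4CC"},
]
# (customer_id, date, postcode area) - one row per event, several per individual.
EVENTS = [
    ("C001", "2020-11-02", "SW1A"), ("C001", "2020-11-03", "EC2N"),
    ("C002", "2020-11-02", "SW1A"), ("C002", "2020-11-05", "W1A"),
    ("C003", "2020-11-02", "EC2N"), ("C003", "2020-11-03", "EC2N"),
    ("C004", "2020-11-04", "EC2N"),
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, assumed construction).

    The key is the "additional information": it never leaves the exporter,
    so the importer cannot recompute or reverse the mapping.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def generalize(record: dict) -> dict:
    """Coarsen quasi-identifiers: exact age -> decade band, full postcode -> area."""
    decade = record["age"] // 10 * 10
    return {
        "age_band": f"{decade}-{decade + 9}",
        "postcode_area": record["postcode"].split()[0],
    }


def build_export(customers, events, key):
    """Produce the snapshot and event tables that would be transferred."""
    snapshot = [
        {"pseudonym": pseudonymize(c["customer_id"], key), **generalize(c)}
        for c in customers
    ]
    export_events = [
        {"pseudonym": pseudonymize(cid, key), "date": date, "area": area}
        for cid, date, area in events
    ]
    return snapshot, export_events


def k_anonymity(rows, quasi_identifiers):
    """Smallest group size sharing the same quasi-identifier values (k)."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return min(counts.values())


def trace_k_anonymity(export_events):
    """k for whole event traces: treat each pseudonym's event sequence as one record."""
    traces = {}
    for e in export_events:
        traces.setdefault(e["pseudonym"], []).append((e["date"], e["area"]))
    counts = Counter(tuple(sorted(t)) for t in traces.values())
    return min(counts.values())


def relink(pseudonym: str, customers, key: bytes):
    """Only the key holder (the exporter) can map a pseudonym back to a customer."""
    for c in customers:
        if pseudonymize(c["customer_id"], key) == pseudonym:
            return c["customer_id"]
    return None


if __name__ == "__main__":
    key = b"exporter-secret-held-in-the-eea"  # assumed; keep out of the export
    snapshot, export_events = build_export(CUSTOMERS, EVENTS, key)
    print("snapshot k =", k_anonymity(snapshot, ("age_band", "postcode_area")))
    print("trace k    =", trace_k_anonymity(export_events))
```

The snapshot reaches k = 2 on (age band, postcode area), so no row singles out an individual; the event table reaches only k = 1, because every pseudonym’s trace of dates and areas is unique. Generalizing the fields further would not change that without destroying the time series, which is why such datasets usually need a different approach than the snapshot case.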
Finally, organizations should be prepared for the EDPB guidance to evolve. The public consultation highlighted significant concerns, and policy makers are acutely aware of the challenges.
Our team of data privacy experts is here to answer your questions and discuss how data privacy can fuel your business.