News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Confusion about the meaning of 'Schrems II' impedes global data flows Related reading: Dispatch from Brussels: Some clarification for EU data transfers on the horizon

rss_feed

""

There is a difference between assessing the adequacy of a third country’s laws and assessing impediments in a third country to enforce contracts. The European Commission is assessing whether a third country’s laws are essentially equivalent to the EU General Data Protection Regulation when making adequacy decisions under Article 45 of the GDPR (Article 45 Assessment). 

Data exporters using standard contractual clauses to transfer personal data to a third country are required by Article 46 of the GDPR to assess whether there are legal impediments where the data importer is located to that data importer fulfilling the requirements of the SCCs (Article 46 Assessment). Commentary about "Schrems II" has led to confusion about the differences between the Article 45 and Article 46 Assessments, and that confusion has impacted the free flow of personal data from the European Economic Area. 

When the Court of Justice of the European Union issued its "Schrems II" opinion in July 2020, conventional wisdom was that it required the data exporter and its attorney to make an adequacy decision in order for a transfer to be made from the EEA to a third country when the appropriate safeguard was SCCs. This is an incorrect reading of "Schrems II." The Article 46 Assessment conducted by the data exporter (with the help of the data importer) is very different from the Article 45 Assessment conducted by the European Commission:

  • The Article 45 Assessment assesses whether a third country’s laws essentially are equivalent to those in the EU. This assessment compares the laws in the third country to those in the EU to determine whether the third country in fact ensures, by reason of its domestic law, a level of protection of fundamental rights and freedoms that essentially is equivalent to that guaranteed within the EU.
  • The Article 46 Assessment assesses: (1) the provisions of the appropriate safeguards, the SCCs, and (2) the enforceability of data subject rights and effectiveness of legal remedies set forth in the SCCs in the third country. When SCCs are the appropriate safeguard, effectiveness of legal remedies is assessed by looking at the relevant aspects of the legal system of the third country to determine whether public authorities of the third country can access the personal data transferred. What comprises the relevant aspects of the third country’s legal system is set out in a non-exhaustive manner in Article 45(2) of the GDPR. Finally, whether there is anything in the law or practices of the third country that may impinge on the effectiveness of the appropriate safeguard, the SCCs, is assessed.

A review of the Article 29 Working Party’s Adequacy Referential and the SCCs shows that this distinction is correct.

The referential provides guidance to the European Commission for the assessment of the level of protection in third countries by establishing core data protection principles that have to be present in a third country legal framework in order to obtain an adequacy decision: lawful, fair, and legitimate purpose; purpose limitation; data quality and proportionality; data retention; security and confidentiality; and transparency. 

It also requires the rights of access, rectification, erasure and objection, and restrictions on onward transfers. Finally, the procedural and enforcement mechanisms must include competent independent supervisory authorities, a data protection system that ensures a good level of compliance, a data protection framework that requires accountability, and a data protection system that provides support and help to individual data subjects in the exercise of their individual rights and appropriate redress mechanisms.

On the other hand, when assessing the SCCs issued by the European Commission in June 2021, the provisions of the SCCs themselves are examined to determine the enforceability of data subject rights in the third country and the effectiveness of legal remedies in the third country. Section II, Obligation of the Parties, contains a Third-party Beneficiary Clause pursuant to which data subjects may invoke and enforce the SCCs, as third-party beneficiaries, against the data exporter and/or the data importer. Under Section III, Local Laws and Obligation in Case of Access by Public Authorities:

  • The parties to the SCCs warrant that they have no reason to believe the laws and practices in the third country prevent the data importer from fulfilling its obligations under the SCCs and declare they have assessed the specific circumstances of the transfer, the laws and practices of the third country, and any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under the SCCs.
  • The data importer warrants that, in carrying out the assessment, it has made its best efforts to provide the data exporter with relevant information; agrees to notify the data exporter if it has reason to believe it is subject to laws or practices not in line with its warranty; in case of access by public authorities, agrees to notify the data exporter and, where possible, the data subject if it receives a legally binding request from a public authority for the disclosure of personal data transferred pursuant to the SCCs, and/or becomes aware of any direct access by public authorities to personal data transferred pursuant to the SCCs; if the data importer is prohibited from notifying the data exporter and/or the data subject, agrees to use its best efforts to obtain a waiver of the prohibition; agrees to review the legality of any request for disclosure and to challenge it if it concludes there are reasonable grounds to consider the request as unlawful, including seeking interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on the merits; and to provide the minimum amount of information permissible when responding to a request for disclosure.

The recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data issued in June 2021 help data exporters conduct the assessment called for by "Schrems II" and the SCCs by setting six steps to follow. The third step is to assess if there is anything in the law and/or practices in force in the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tool the data exporter is relying on. If legislation in the third country is not applied or complied with in practice, if practices in the third country are incompatible with the commitments of the transfer tool, or if the transferred data falls within the scope of third country legislation that impinges on the transfer tool’s contractual guarantees, supplementary measures must be implemented in order for the transfer to proceed. 

Thus, the provisions of the SCCs, including the assessment described in the SCCs, and the European Data Protection Board Final Recommendations support the conclusion that the scope of the Article 46 Assessment called for by "Schrems II" is the enforceability in the third country of the data subject rights set forth in the SCCs and the effectiveness in the third country of the legal remedies set forth in the SCCs.

It is important that policymakers, regulators and privacy professionals appreciate the difference between the Article 46 and Article 45 Assessments. 

There is a difference between who conducts each assessment: the European Commission conducts the Article 45 Assessment and the data exporter (with the help of the data importer) conducts the Article 46 Assessment. The scope of the Article 45 Assessments (equivalency of third country law) and Article 46 Assessments (enforceability of contracts under third country law) is different.  

If the distinctions between these two assessments are not understood, then data exporters may think they must do the more complex Article 45 Assessment, which is more expensive and time-consuming and may lead them to not transfer the data or may lead them to transfer the data without doing the assessment. If the wrong assessment is conducted, unnecessary expenses can be incurred (especially by small- and medium-sized companies), ultimately leading to reduction in data flows. If the assessment is not conducted, then the supplementary measures, if any, will not be identified and put in place. 

All this confusion adversely impacts global data flows. 

Photo by Duangphorn Wiriya on Unsplash


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Author
Headshot Lynn Goldstein, CIPP/US IAPP Member Contributor
Tags
Europe
Privacy Law
Privacy Operations Management
Privacy Opinion
Transborder Data Flow
Comments

If you want to comment on this post, you need to login.

Related Stories
Standardizing data-processing agreements globally
5
Privacy professionals around the world are feverishly working on configuring and implementing the European Union’s new standard contractual clauses. Effective Sept. 27, companies in the European Economic Area entering into new cross-border data transfer arrangements with companies outside the EEA ba...
Read More queue Save This
A year after 'Schrems II' ruling, uncertainty remains
A whole year has passed since the Court of Justice of the European Union struck down the EU-U.S. Privacy Shield and effectively shook the privacy space. Privacy professionals are still considering whether true progress been made toward a solution to stabilize and safeguard international data transfe...
Read More queue Save This
Related Stories
Tags
Europe
Privacy Law
Privacy Operations Management
Privacy Opinion
Transborder Data Flow
Recent Comments