Greetings from Brussels!
It’s been a busy week in town, primarily due to the highly anticipated release Wednesday of the European Data Protection Board's "Schrems II" guidance on supplementary measures. The guidance is geared to assist controllers and processors acting as data exporters to navigate the uncertainty around the transfer of EU personal data outside the EU to third countries. There have been volumes written on the subject since the CJEU ruling in July. On a first reading and going out on a limb here, it’s safe to say much of the detailed guidance comes as no surprise to many in the privacy field. That said, there are 43 pages on the subject in two separate guidance documents. My colleague, IAPP Research Director Caitlin Fennessy, pens a comprehensive and compact
I spoke with IAPP Country Leader for Ireland Kate Colleary on the matter. What is abundantly clear from the guidance is that in the end, the data exporters are very much in the driver's seat and both responsible and accountable for undertaking thorough risk assessments regarding transfers and destination third-country jurisdictions, as well as the adoption of legal transfer mechanisms. Lastly, identifying appropriate technical and organizational measures, such as levels of encryption and robust contracting, all play a critical role in mitigating risks.
Colleary commented the guidance is commensurate with what many outside counsels have already started advising clients since the July ruling. She added as a caveat the guidance does not provide for any easy solutions — there are no quick fixes — particularly where transfers involve U.S. service providers. The EDPB was also clear in their guidance that data exporters should know that it “may not be possible to implement sufficient supplementary measures in every case.”
It is fair to say the pressure has increased on the European Commission and its U.S. counterparts to agree on a sturdier Privacy Shield mechanism that properly guarantees the protection afforded European data under EU law. This will be no easy task. There are considerable hurdles to overcome before that can happen. The tug and pull between EU fundamental rights and U.S. surveillance law remains the hurdle of all hurdles, and while the European Commission and U.S. Department of Commerce announced late August they had started discussions for a replacement of the now-retired EU-U.S. Privacy Shield, those conclusions are a long way off. Perhaps a change in U.S. presidential administration might serve as impetus; time will tell.
The EDPB recommendations on supplementary measures will be open for a limited public consultation until 30 Nov. However, the measures are applicable as of their publication, meaning that there is no grace period and they are enforceable as of now. The competent supervisory authority has the power to suspend or end transfers of personal data to a given third country if the protection that EU law requires for the transferred data is not ensured.
To pile on, as I write these very words, the European Commission has just released its draft implementing decision on SCCs for transferring personal data to third countries. The draft will now be in a feedback period until 10 Dec.
There's no rest for the weary, and no doubt, this makes for plenty of reading ahead this weekend! One thing we are sure of with absolute certainty is that the work of the privacy pro is never done.