News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Post-‘Schrems II': Can EU regulators set aside a risk-based approach for conducting transfer impact assessments? Related reading: Dispatch from Brussels: Some clarification for EU data transfers on the horizon

rss_feed

""

The recent public statements from EU data protection authorities, including local regulators, and the European Data Protection Board, notably at the IAPP Europe Data Protection Congress in November 2021, have raised some legitimate concerns among the privacy community. Some are academic, others practical. Most are related to international transfers of personal data under the EU General Data Protection Regulation. 

From clarity to perplexity

A first concern stems from the EDPB's guidelines dated Nov. 18, 2021, on the interplay between cross-border requirements under GDPR and its territorial scope of application. Undoubtedly, additional clarity on the definition of international transfers is more than welcome post- "Schrems II." Interestingly, the EDPB confirms that any transfer within the meaning of the GDPR shall meet three cumulative prerequisites: an organization based in the EU (acting as controller or processor); a transmission from this organization to another one; the latter located outside of the EU (regardless whether it falls within the territorial scope of application of the GDPR). That makes sense. 

What may make less sense, in my opinion, is the EDPB guidelines exclude situations where a foreign controller targets the EU market, collecting personal data from EU residents. Surely this scenario falls within the "targeting" criterion under Article 3(2) of the GDPR, triggering a high level of protection. If GDPR applies, all provisions do, including Chapter V on cross-border flows. Truly, in the absence of an adequacy decision in which non-EU entities rely on the targeting criterion for collecting information from the EU, it would have been inappropriate for those entities to enter into standard contractual clauses made for organizations and data subjects. Surely not entering into SCCs does not deprive individuals of their rights and freedoms to the extent that non-EU entities fall under such circumstances into the scope of the GDPR and then must comply with its high standards of protection.

To get there, the EDPB guidelines refer to the Court of Justice of the European Union's Lindqvist ruling, which differs in some singular aspects: the latter is pre-GDPR and pertains to the possibility of accessing data from abroad made possible by an individual's website, while the former covers a company located outside the EU, whose business comprises importing personal data of EU residents. All those factors trigger Article 49 of the GDPR on individual-per-individual situations. As a reminder, this article applies when it is impossible to rely on any EU Commission's decisions confirming the adequacy with the GDPR of a third country (as a whole, per region or industry) or on appropriate safeguards (e.g., not being able to enter into SCCs with a data subject). 

In practice, Article 49 of the GDPR allows organizations, in the context of international flows, to receive personal data from individuals, for example, either on their consent or because of an agreement between the individuals and recipient of the data. It does not prescribe whether Article 49 only covers situations where such organizations are located within or outside the EU. In other words, it does not exclude per se that there could be a transfer of personal data when an individual purposefully provides data to a non-EU-based importer. Interestingly, Article 49 has not been construed as a legal ground for international transfers but as an exemption to the general prohibition for exporting such data. It clearly provides a safeguard in addition to the other general GDPR requirements that any organization shall comply with as soon as falling into its territorial scope. It seems that all organizations that do not have an EU footprint will very much welcome the EDPB guidelines.

As a precaution, organizations should not rush to rely on the full validity of the GDPR with such non-binding interpretation from the EDPB. There is a material risk that the CJEU will take a narrower view since it has always taken a constant position to ensure the highest level of protection when it comes to essential notions under EU data privacy law. In the "Schrems II" ruling, an indicative factor of such a strict interpretation can be found in paragraph 92 that states that Article 44 of the GDPR requires a high "level of protection [to be] be guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out." Arguably, a restrictive posture could extend this requirement to Article 49 exemptions, thus requiring an assessment of third countries laws compatibility with the essential EU data protection principles.

From perplexity to anxiety

Worst, perplexity gave way to some anxiety when several data protection authorities, including the France's data protection authority, the Commission nationale de l'informatique et des libertés, recently insisted at the IAPP Brussels Congress that transfer impact assessments do not rely on a risk-based approach. Such a statement is quite frustrating in light of the pathway slightly left open by the EPDB recommendations on supplementary measures and, beyond, also surprising on several levels.

Firstly, because it is difficult to articulate with the GDPR's philosophy, based on the principle of accountability, and which requires any stakeholders in the lifecycle of data to carry out an assessment of the level of risk involved. Of course, only risks for individuals and not organizations should be considered. However, the risk-based approach is the key factor for triggering the obligation to conduct impact assessments. Even if considering the GDPR as not exclusively relying on a risk-based approach but only containing risk-based approach components, how can the appropriate nature of the safeguards, enforceable rights and effective legal remedies be assessed pursuant to the "Schrems II" decision "on a case-by-case basis" without actually conducting any risk-assessment?

Secondly, because it contradicts the former Article 29 Working Party, now replaced by the EDPB, whose the first version of guidelines, but not the second which made it disappear, clearly listed international transfers as factors for conducting DPIAs. Not to mention EDPB recommendations on supplementary measures highlighting that "the categories of data transferred and their sensitiveness will be relevant to the assessment of the risk and the appropriateness of the measures," or "the risk of potential application to your importer and/or to your transferred data of laws" of surveillance measures.

At least, and despite any post-Brexit considerations, the British Information Commissioner's Office is more explicit about it. Its recent draft (still subject to public consultation) explicitly referred to the exercise as a transfer risk assessment. 

Above all, the posture of EU regulators is not all aligned with the more pragmatic approach of other institutions. The European Commission has clearly indicated the importance of taking into account not only the local practices of the third country, in particular by industry but also any "specific circumstances of the transfer (such as the content and duration of the contract, the nature of the data to be transferred, the type of recipient, the purpose of the processing)." This obviously presupposes an examination of the likelihood, for example, that local courts are likely to grant or set aside requests for access by governmental authorities to personal data coming from Europe. In practice, the EU Commission strongly recommends relying on "different elements (…) as part of an overall assessment, including reliable information on the application of the law in practice (such as case law and reports by independent oversight bodies), the existence or absence of requests in the same sector and, under strict conditions, the documented practical experience of the data exporter and/or data importer." Clearly, this is not an exact science but merely a risk assessment, done as accurately as possible.

That is actually what France's administrative supreme court, the Conseil d'Etat, did when reviewing whether the supplementary measures implemented by Doctolib for the management of its anti-COVID-19 vaccination platform hosted by AWS met "Schrems II" standards. To do this, it assessed the sensitivity of the processed information, the level of security measures and the organizational mechanism in place by the hosting company. The Conseil d'Etat concluded that, in the absence of medical information (although such qualification for appointments for anti-COVID-19 vaccination could be challenged with a more inclusive definition of health data under the GDPR), the level of third-party encryption measures implemented by Doctolib to manage the platform and the existence of an internal procedure at AWS to review and challenge any access request by U.S. governmental authorities was not insufficient with regard to potential risks of violating GDPR. Actually, the Conseil d’Etat confirmed its previsions ruling. It indeed adopted the same risk-based approach in the Health Data Hub case, where it ruled that the actual risk of a U.S. court/authority requesting an access to this database appeared to be low, because health data are not likely to be useful for criminal/anti-terrorism purposes, and even less likely where data are pseudonymized, without the identity of the individuals.

Of course, there should be no confusion. Transfer impact assessments shall not inappropriately justify excessive transfers of personal data outside of the EU. They are not only about asserting that transmitted data is unlikely to be accessed by government authorities. Conversely, the purpose of the third country law assessments, as contemplated by the CJEU, is to identify the key characteristics of any transfer in order to assess what supplementary measures should be implemented to leave outside the perimeter of bulk surveillance program personal data that are not likely to present even indirect link with national security and public safety considerations. Rather than excluding any risk-based approach, is it perhaps more realistic, if not more supportive, for the countless entities (including the EU and non-EU) that have no other choice but to exchange personal data on a daily basis with actors located outside the EU to clarify what risk-based components exporters can rely on for securing their cross border data flows?

Photo by Christian Lue on Unsplash


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Author
Headshot Romain Perray IAPP Member Contributor
Tags
Europe
Enforcement
Privacy Law
Privacy Opinion
Transborder Data Flow
1 Comment

If you want to comment on this post, you need to login.

  • comment R. Jason Cronk • Feb 11, 2022 
    Romain, in general I like this article and found it helpful. But one thing is bothering me and I'm not sure if I'm reading you right. I think it's clear that all of Chapter V and the concept of transfers, especially in light of the EDPB guidelines on the interplay, governs transfers between entities. Article 49 is no different. Though it does cover more individualistic rather than holistic approach to the data being transferred (i.e. having to look at each data subject situation), it still only governs transfers between entities. A non-EU based entity receiving data from EU person without an intervening entity (controller or processor) does not a transfer make. There is a cross border transmission, for sure, but not a "transfer" because a transfer, as a legal term of art in GDPR, is the legal transfer of data between controllers and processors. [Note for clarity: an individual, who is not the data subject, can be a controller or processor.]
Related Stories
Sorting through EDPB's data transfer guidance
With recent guidance on the interplay between data transfers and territorial scope in the EU General Data Protection Regulation, the European Data Protection Board addressed the uncertainty around what constitutes an international data transfer. But was there truly a debate to begin with? Join the I...
Read More queue Save This
Related Stories
Tags
Europe
Enforcement
Privacy Law
Privacy Opinion
Transborder Data Flow
Recent Comments