At last count, 132 out of 194 countries worldwide have data protection or privacy regulations. But not all regulatory regimes give protections “essentially equivalent” to those of all of those countries and, in particular, to those under the EU General Data Protection Regulation.

To assist with cross-border data transfers, countries and regions have implemented safe harbors, shields, cross-border protection rules and frameworks to seek to “ensure” that the transfer of personal data from one country (or region, e.g. the EU) to another has the equivalent level of data protection. 

Two of the mechanisms used to enable GDPR equivalency requirements were the EU-U.S. Privacy Shield (if you are a U.S. company) and standard contractual clauses (SCCs). In a recent decision, the Court of Justice of the European Union ruled on the legality of these mechanisms in the case of C-311/18: Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems.

During recent global pandemic efforts to enact public health measures for our personal safety, we often heard “we are all in this together.” However, when it comes to equivalent privacy protections for cross-border personal data transfers following “Schrems II,” we are clearly not “all in this together.” While “Schrems II” relates to Privacy Shield arrangements between the U.S. and the EU and will primarily impact the transfers of personal data from the EU to the U.S., this ruling also affects the ability of other countries, such as Australia, to prove equivalence with the GDPR—even where SCCs are used.

The ‘Schrems II’ decision

For international business and data flows involving EU personal data, it needs to be shown that the recipient country and company have an approved/acceptable level of data protection guaranteed by the GDPR, which is where certification under the EU-U.S. Privacy Shield came into play for U.S. companies. Privacy Shield was a framework that allowed certified U.S. companies to lawfully receive personal data from the EU without many of the usual requirements under the GDPR.

On July 16, the CJEU ruled Privacy Shield invalid due to U.S. “surveillance laws” (such as the Foreign Intelligence Surveillance Act) which allow the U.S. government access to EU personal data without sufficient judicial review or oversight, and limited data subject remedies for any improper collection/use of such data. This lack of judicial review and limited data subject remedies resulted in the court finding U.S. law was not equivalent to the data protections of the GDPR, even for certified U.S. companies, and the ruling effectively struck down Privacy Shield.

In general, the CJEU upheld the use of SCCs for data exports as a valid mechanism and adequate safeguard when transferring personal data from the EU to a receiving party outside of the EU. However, and some might argue unnecessarily, the CJEU imposed new conditions on the use of SCCs depending on the privacy protections and “surveillance laws” in the receiving party’s country. In other words, while SCCs are still a valid mechanism they do not (and cannot) by themselves overcome any fundamental overarching local law impacts (e.g. surveillance law) on the equivalency of local privacy protections. According to the CJEU, a comprehensive case-by-case assessment is now required prior to any data transfer by the EU data exporter, even where SCCs are in place.

The CJEU ruling also requires EU supervisory authorities to assess and monitor compliance with the SCCs and, potentially, prohibit any data transfer from the EU to a non-compliant receiving country (i.e. based on its surveillance laws). In particular, the prohibition action will be triggered when the data exporter itself has not suspended the data transfer (for non-compliance) or engaged additional safeguards to address any perceived shortcomings.

State surveillance

In its ruling, the CJEU calls for close scrutiny of personal data transfers under SCCs (or other cross-border mechanisms) to any country without an adequacy decision and with surveillance laws that relate to national security interests of the country in which the recipient resides, such as in Australia with its Assistance and Access Act 2018 (Cth) and Australia’s involvement in the Five Eyes Intelligence Oversight and Review Council. However, unhelpfully, it remains unclear exactly what level (if any) of national security surveillance is compatible with the GDPR, how this will affect future adequacy decisions, and how it will affect the determination as to whether a country outside the EU affords data subjects an equivalent level of protection to the GDPR when SCCs are imposed.

Standard contractual clauses

Australia does not have adequacy recognition under the GDPR or an intergovernmental “shield” to evidence our equivalency. Australian businesses must therefore rely on SCCs (or binding corporate rules for group entities) to lawfully transfer personal data from the EU to Australia. However, use of SCCs for EU-Australian data transfers will now be subject to the EU data exporter’s organization taking additional proactive steps to assess the laws of Australia to determine if there is an “adequate level” of protection for personal data.

In practice, this will require EU organizations that use SCCs to undertake a comprehensive assessment of each and every organization — and the country in which they are based — in the data transfer flow, their data handling practices and the country’s privacy and surveillance laws. These significant additional assessment requirements will be challenging, and a real burden on both the parties and the EU supervisory authorities.

Unfortunately, based on the ruling, we suspect that our surveillance laws — like those in the U.S. — and the Five Eyes Intelligence alliance will prevent SCCs alone from creating equivalency to the GDPR protections.

The role for ISO 27701

Whether using SCCs or a state-agreed mechanism (e.g. similar to Privacy Shield or Cross-Border Privacy Rules System), businesses post-“Schrems II” must now assess the overarching adequacy of data protection arrangements in both the recipient company and the country in which it is based.

One way an organization could seek to do this more efficiently (and reduce some of its burden) is to use independent certification against a global standard such as ISO/IEC 27701 to determine if there is an equivalent level of protection in those organizations/countries it wishes to transfer personal data to. This will be especially so if ISO 27701 is recognized as a “certification mechanism” under the GDPR.

ISO 27701 provides a global, independently certified framework for assisting organizations to demonstrate personal data protection and privacy compliance with different privacy laws, including the GDPR. This, in turn, makes the consideration of whether one can safely send personal data to an organization outside of one’s own country/the EU a lot easier. Of course, based on “Schrems II” for export from the EU, one will still need to be satisfied as to how any problematic local surveillance laws have been neutralized or sufficiently addressed. Conveniently, however, this can also be addressed — and certified — under a “privacy information management system” such as ISO 27701.

Requiring ISO 27701 certification is an efficient and comprehensive tool for organizations to assess, inform and determine the “equivalence” of those (in the countries in which they are based) to which they wish to transfer personal data. This could include meeting the “Schrems II” requirements and will assist the EU supervisory authorities with their post-“Schrems II” role.

SCCs could be used in conjunction with ISO 27701 certification to fully satisfy the GDPR obligations to implement an appropriate safeguard for data transfers outside the EU. Also, if it works (i.e. is approved) for the GDPR then, in all probability, it will also work for all regional privacy/data protection laws.   

Conclusion

Our global economy demands the cross-border transfer of personal data and innovative ways to adequately protect the transfer of personal data among the sea of privacy regulatory regimes. “Schrems II” has again shown the fragility of country-to-country bilateral or multilateral solutions, highlighted the impact of local privacy and surveillance laws and thus, the practical challenges ahead in evidencing equivalence.

An international standard PIMS with independent certification, such as ISO 27701, can greatly assist the post-“Schrems II” challenge to determine, inform and certify that a recipient organization in the country in which it is based has the equivalent level of data protection to enable cross-border transfers of personal data from the EU and any other region or country.
