The world, it seems, is getting ever more complex. Ever since the "Schrems II" ruling, I’ve been thinking about how to explain the challenging issues presented by EU-U.S. data transfers in an easy-to-understand way. The best I could come up with is what I call the “distant friends” allegory:
[quote]Once upon a time there were two children, A and B, who were close friends — some would even say they had a special relationship. They lived far apart, so had to resort to texting to stay in contact. However, child B’s parents would check her phone and read her texts, which they said they did because they had concerns she was being bullied at school.
Child A’s parents did not approve of the friendship and were mistrustful of B’s parents. They were concerned that they would read A’s texts to learn gossip about A’s parents. They told A about their concerns.
A responded, “But they are good, honest people! They’re regular churchgoers and volunteer at B’s school.” A’s parents shook their heads and said, “Participating in the local church and school doesn’t guarantee they are trustworthy. Who knows what they do with your messages?”
A tried to think of ways she could placate her parents: “What if B and I agree on a secret code — some kind of cipher that only she and I know? Then my messages to her would be secret.” A’s parents simply responded, “You’re so naïve! B’s parents could simply force her to explain the cipher, then they could read all your messages and collect gossip about us!”
In desperation, A threw up her hands and said, “But what about my friends C and D’s parents? They do exactly the same!” To which her parents replied, “They’re not the issue here: We’re talking about B’s parents. Besides, C and D live in our street, so we’re sure they’re good people.”
The argument drew to an end, and A’s parents forbade her to communicate with B anymore, out of fear that B’s parents may read A’s messages. “I don’t want this, though, and B can’t force her parents to change — they’re her parents!” A said. “Do you really expect me to abandon our special relationship?”[/quote]
Some will, no doubt, say the above is a gross over-simplification, and perhaps it is. The core message, of data exporters and data importers suffering the consequences of government and regulatory behavior over which they have little to no influence, is accurate, however.
It’s important to recognize the practical consequences of law and regulations and not just the legal theory. It was with that spirit in mind that my team and I recently decided to investigate the practical impacts of the "Schrems II" ruling.
We all know the theory: that organizations should conduct case-by-case risk assessments and implement “supplemental measures,” in addition to their standard contractual clauses, to ensure “essential equivalence” for EU exported data.
But how are companies actually responding?
To investigate this, we ran a survey, posted online through our blog and LinkedIn, in which we asked participants to answer nine simple multiple-choice questions about how they are responding to "Schrems II" in practice. The survey provided us with revealing but perhaps not altogether surprising findings, including that:
- In a sign of just how disruptive and impactful the "Schrems II" ruling is, approximately 75% of respondents indicated that half or the majority of their data processors are based in the U.S. or non-European Economic Area/non-U.K. territories.
- Yet, "Schrems II" notwithstanding, only a small minority (12%) of respondents indicated that they intend to reduce their non-EEA/non-U.K. exports as a result of "Schrems II." An even smaller minority (just 5%) indicated that they plan to cease data exports altogether. A clear sign that law is, once again, diverging from the reality of modern-day data processing.
- For organizations that previously relied upon their U.S. processors’ Privacy Shield commitments, most (58%) indicated they would proactively contact their processors to put SCCs in place, although a significant minority (about 35%) said they would wait for further regulatory guidance.
- When it comes to conducting data export risk assessments, about 55% of respondents said they would conduct these, but with nearly 40% saying they would do so only for larger or more sensitive transfers. The idea that companies will do this for each and every data export as envisaged by the Court of Justice of the European Union seems, at best, a pipe dream.
- In terms of the supplementary measures that organizations expect of their non-EEA/non-U.K. data processors, there was a diversity of opinion. Two clear winners emerged, however: encryption in transit (67%) and contractual or policy commitments restricting government access to data (62%), perhaps indicating what U.S. vendors need to consider to keep their EU customers happy.
For anyone interested in reading our survey methodology and detailed findings in full, these are available on the Fieldfisher Privacy, Security and Information blog here.
Photo by Maria Teneva on Unsplash
