
Privacy Perspectives | When law diverges from reality: How are organizations responding to 'Schrems II' in practice?


The world, it seems, is getting ever more complex. Ever since the "Schrems II" ruling, I’ve been thinking about how to explain the challenging issues presented by EU-U.S. data transfers in an easy-to-understand way. The best I could come up with is what I call the “distant friends” allegory:

Once upon a time there were two children, A and B, who were close friends — some would even say they had a special relationship. They lived far apart, so had to resort to texting to stay in contact. However, child B’s parents would check her phone and read her texts, which they said they did because they had concerns she was being bullied at school.

Child A’s parents did not approve of the friendship and were mistrustful of B’s parents. They were concerned that they would read A’s texts to learn gossip about A’s parents. They told A about their concerns.

A responded, “But they are good, honest people! They’re regular churchgoers and volunteer at B’s school.” A’s parents shook their heads and said, “Participating in the local church and school doesn’t guarantee they are trustworthy. Who knows what they do with your messages?”

A tried to think of ways she could placate her parents: “What if B and I agree on a secret code — some kind of cipher that only she and I know? Then my messages to her would be secret.” A’s parents simply responded, “You’re so naïve! B’s parents could simply force her to explain the cipher, then they could read all your messages and collect gossip about us!”

In desperation, A threw up her hands and said, “But what about my friends C and D’s parents? They do exactly the same!” To which her parents replied, “They’re not the issue here: We’re talking about B’s parents. Besides, C and D live in our street, so we’re sure they’re good people.”

The argument drew to an end, and A’s parents forbade her to communicate with B anymore, out of fear that B’s parents may read A’s messages. “I don’t want this, though, and B can’t force her parents to change — they’re her parents!” A said. “Do you really expect me to abandon our special relationship?”

Some will, no doubt, say the above is a gross over-simplification, and perhaps it is. The core message is accurate, however: data exporters and data importers suffer the consequences of government and regulatory behavior over which they have little to no influence.

It’s important to recognize the practical consequences of law and regulations and not just the legal theory. It was with that spirit in mind that my team and I recently decided to investigate the practical impacts of the "Schrems II" ruling. 

We all know the theory: that organizations should conduct case-by-case risk assessments and implement “supplemental measures,” in addition to their standard contractual clauses, to ensure “essential equivalence” for EU exported data.

But how are companies actually responding?

To investigate this, we ran a survey, posted online through our blog and LinkedIn, in which we asked participants to answer nine simple multiple-choice questions about how they are responding to "Schrems II" in practice. The survey provided us with revealing but perhaps not altogether surprising findings, including that:

  • In a sign of just how disruptive and impactful the "Schrems II" ruling is, approximately 75% of respondents indicated that half or the majority of their data processors are based in the U.S. or non-European Economic Area/non-U.K. territories.
  • Yet, "Schrems II" notwithstanding, only a small minority (12%) of respondents indicated that they intend to reduce their non-EEA/non-U.K. exports as a result of "Schrems II." An even smaller minority (just 5%) indicated that they plan to cease data exports altogether. A clear sign that law is, once again, diverging from the reality of modern-day data processing.
  • For organizations that previously relied upon their U.S. processors’ Privacy Shield commitments, most (58%) indicated they would proactively contact their processors to put SCCs in place, although a significant minority (about 35%) said they would wait for further regulatory guidance.
  • When it comes to conducting data export risk assessments, about 55% of respondents said they would conduct these, but nearly 40% said they would do so only for larger or more sensitive transfers. The idea that companies will do this for each and every data export, as envisaged by the Court of Justice of the European Union, seems, at best, a pipe dream.
  • In terms of the supplementary measures that organizations expect of their non-EEA/non-U.K. data processors, there was a diversity of opinion. Two clear winners emerged, however: encryption in transit (67%) and contractual or policy commitments restricting government access to data (62%), perhaps indicating what U.S. vendors need to consider to keep their EU customers happy.

For anyone interested in reading our survey methodology and detailed findings in full, these are available on the Fieldfisher Privacy, Security and Information blog.

Photo by Maria Teneva on Unsplash



4 Comments


  • Jason Burns • Sep 11, 2020
    Thanks for the article Philip - just wondering if contractual/policy commitments to restrict government access actually means anything in reality? As in, you can stick what you like in a contract, but can it carry any weight in terms of politely refusing requests for access to data?
  • Anya Ryjkova • Sep 11, 2020
    How does Schrems II affect situations where there are co-controllers US-EU?
  • Phillip Lee • Sep 21, 2020
    Hi Jason - to your question, the reality - of course - is that if any US (or non-EU-owned) business is compelled by its own state security or local law enforcement agencies to provide access to data, it is going to do so - particularly since, at least in the case of the US, there will in most cases be legitimate reasons why those agencies need access to that data.  
    
    That being said, there does need to be a process whereby non-EU data recipients don't simply "roll over" and hand over all data to non-EU authorities - state security and law enforcement agencies need to be made to follow due process.  To my mind, that means an EU exporter can put in place contract terms with a non-EU importer to the effect that: (i) the non-EU importer (if it is a processor) will attempt to redirect the state security/law enforcement agency to approach the EU exporter/controller for the data; (ii) that it will not disclose data in response to "voluntary", non-mandatory requests for data (these are common in practice); and (iii) that, even if compelled, it will challenge any requests that are over-broad or disproportionate.  A further possibility, and something EU authorities will generally want to see, is that the data importer will commit to not knowingly participating in massive, disproportionate surveillance activities.
    
    If a data exporter and data importer can agree the above measures then, while it doesn't solve the issue per se, it certainly helps to manage the risk downwards.
  • Phillip Lee • Sep 21, 2020
    Hi Anya - if you're asking what happens in a situation where one US controller transfers data to another US controller, then strictly speaking the Standard Contractual Clauses don't work in this context - the reason being that they are designed in a way that requires at least one party (i.e. the "data exporter") to be based in the EU.  
    
    In your context, this would mean that:
    
    *  If the data was initially exported from an EU controller, then you could have both US controllers enter the SCCs with that exporting EU controller; or
    
    *  If the US controller collected the data directly in the US (e.g. an EU visitor came to its website and the controller captured the visitors' data on its US servers), then the US controller would need to show either that it is out-of-scope of the GDPR or that an Article 49 derogation applies.
    
    It gets very tricky - which is why we need a new political solution between the EU and US soon!!!