TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | When law diverges from reality: How are organizations responding to 'Schrems II' in practice? Related reading: LIBE meeting scrutinizes path forward for EU-US data transfers

rss_feed

""

""

""

The world, it seems, is getting ever more complex. Ever since the "Schrems II" ruling, I’ve been thinking about how to explain the challenging issues presented by EU-U.S. data transfers in an easy-to-understand way. The best I could come up with is what I call the “distant friends” allegory:

format_quoteOnce upon a time there were two children, A and B, who were close friends — some would even say they had a special relationship. They lived far apart, so had to resort to texting to stay in contact. However, child B’s parents would check her phone and read her texts, which they said they did because they had concerns she was being bullied at school.

Child A’s parents did not approve of the friendship and were mistrustful of B’s parents. They were concerned that they would read A’s texts to learn gossip about A’s parents. They told A about their concerns.

A responded, “But they are good, honest people! They’re regular churchgoers and volunteer at B’s school.” A’s parents shook their heads and said, “Participating in the local church and school doesn’t guarantee they are trustworthy. Who knows what they do with your messages?”

A tried to think of ways she could placate her parents: “What if B and I agree on a secret code — some kind of cipher that only she and I know? Then my messages to her would be secret.” A’s parents simply responded, “You’re so naïve! B’s parents could simply force her to explain the cipher, then they could read all your messages and collect gossip about us!”

In desperation, A threw up her hands and said, “But what about my friends C and D’s parents? They do exactly the same!” To which her parents replied, “They’re not the issue here: We’re talking about B’s parents. Besides, C and D live in our street, so we’re sure they’re good people.”

The argument drew to an end, and A’s parents forbade her to communicate with B anymore, out of fear that B’s parents may read A’s messages. “I don’t want this, though, and B can’t force her parents to change — they’re her parents!” A said. “Do you really expect me to abandon our special relationship?”

Some will, no doubt, say the above is a gross over-simplification, and perhaps it is. The core message, of data exporters and data importers suffering the consequences of government and regulatory behavior over which they have little to no influence, is accurate, however. 

It’s important to recognize the practical consequences of law and regulations and not just the legal theory. It was with that spirit in mind that my team and I recently decided to investigate the practical impacts of the "Schrems II" ruling. 

We all know the theory: that organizations should conduct case-by-case risk assessments and implement “supplemental measures,” in addition to their standard contractual clauses, to ensure “essential equivalence” for EU exported data.

But how are companies actually responding?

To investigate this, we ran a survey, posted online through our blog and LinkedIn, in which we asked participants to answer nine simple multiple-choice questions about how they are responding to "Schrems II" in practice. The survey provided us with revealing but perhaps not altogether surprising findings, including that:

  • In a sign of just how disruptive and impactful the "Schrems II" ruling is, approximately 75% of respondents indicated that half or the majority of their data processors are based in the U.S. or non-European Economic Area/non-U.K. territories.
  • Yet, "Schrems II" notwithstanding, only a small minority (12%) of respondents indicated that they intend to reduce their non-EEA/non-U.K. exports as a result of "Schrems II." An even smaller minority (just 5%) indicated that they plan to cease data exports altogether. A clear sign that law is, once again, diverging from the reality of modern-day data processing.
  • For organizations that previously relied upon their U.S. processors’ Privacy Shield commitments, most (58%) indicated they would proactively contact their processors to put SCCs in place, although a significant minority (about 35%) said they would wait for further regulatory guidance.
  • When it comes to conducting data export risk assessments, about 55% of respondents said they would conduct these, but with nearly 40% saying they would do so only for larger or more sensitive transfers. The idea that companies will do this for each and every data export as envisaged by the Court of Justice of the European Union seems, at best, a pipe dream.
  • In terms of the supplementary measures that organizations expect of their non-EEA/non-U.K. data processors, there was a diversity of opinion. Two clear winners emerged, however: encryption in transit (67%) and contractual or policy commitments restricting government access to data (62%), perhaps indicating what U.S. vendors need to consider to keep their EU customers happy.

For anyone interested in reading our survey methodology and detailed findings in full, these are available on the Fieldfisher Privacy, Security and Information blog here

Photo by Maria Teneva on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

4 Comments

If you want to comment on this post, you need to login.

  • comment Jason Burns • Sep 11, 2020
    Thanks for the article Philip - just wondering if contractual/policy commitments to restrict government access actually means anything in reality? As in, you can stick what you like in a contract, but can it carry any weight in terms of politely refusing requests for access to data?
  • comment Anya Ryjkova • Sep 11, 2020
    How does Schrems II affect situations where there are co-controllers US-EU?
  • comment Phillip Lee • Sep 21, 2020
    Hi Jason - to your question, the reality - of course - is that if any US (or non-EU-owned) business is compelled by its own state security or local law enforcement agencies to provide access to data, it is going to do so - particularly since, at least in the case of the US, there will in most cases be legitimate reasons why those agencies need access to that data.  
    
    That being said, there does need to be a process whereby non-EU data recipients don't simply "roll over" and hand over all data to non-EU authorities - state security and law enforcement agencies need to be made to follow due process.  To my mind, that means an EU exporter can put in place contract terms with a non-EU importer to the effect that: (i) the non-EU importer (if it is a processor) will attempt to redirect the state security/law enforcement agency to approach the EU exporter/controller for the data; (ii) that it will not disclose data in response to a "voluntary", non-mandatory requests for data (these are common in practice); and (iii) that, even if compelled, it will challenge any requests that are over-broad or disproportionate.  A further possibility, and something EU authorities will generally want to see, is that the data importer will commit to not knowingly participating in massive, disproportionate surveillance activities.  
    
    If a data exporter and data importer can agree the above measures then, while it doesn't solve the issue per se, it certainly helps to manage the risk downwards.
  • comment Phillip Lee • Sep 21, 2020
    Hi Anya - if you're asking what happens in a situation where one US controller transfers data to another US controller, then strictly speaking the Standard Contractual Clauses don't work in this context - the reason being that they are designed in a way that requires at least one party (i.e. the "data exporter") to be based in the EU.  
    
    In your context, this would mean that:
    
    *  If the data was initially exported from an EU controller, then you could have both US contorllers enter the SCCs with that exporting EU controller; or
    
    *  If the US controller collected the data directly in the US (e.g. an EU visitor came to its website and the controller captured the visitors' data on its US servers), then the US controller would need to show either that it is out-of-scope of the GDPR or that an Article 49 derogation applies.
    
    It gets very tricky - which is why we need a new political solution bewteen the EU and US soon!!!