Schrems-II is not a look-alike of the Austrian privacy activist Max Schrems and it’s also not the name of his child. It’s the name of his second victory early this summer at the European Court of Justice. We already wrote an article about it because the consequences of this judgment are enormous for data exports abroad. No grace period was granted, so each company that exports data to a third country immediately had to put its affairs in order. Schrems also did not allow himself a resting period, but immediately filed 101 complaints with various data protection authorities in the EU. Belgian companies have not been spared either: complaints have already been lodged against bpost.be, neckermann.be, logic-immo.be and flair.be. So this is not something that doesn’t concern you: you’re exporting data to the US before you know it. Numerous frequently used tools such as Google Analytics, Hubspot, Sharpspring, Facebook and Twitter export data to the US, so almost every Belgian company is affected.
Recently a German data protection authority (from Baden-Württemberg) was the first to issue more concrete guidelines on how life continues after the Schrems-II judgment. We have studied these guidelines thoroughly and summarised the main findings in a number of concrete steps.
Step 1: Consult your data register / set up a data register
If you already have a data register, this is an easy step for you and you can immediately go to the next step. If you are not familiar with the word ‘data register’, we will gladly provide some further explanation.
The General Data Protection Regulation (GDPR) imposes an obligation on every controller to record all processing activities that take place under its responsibility. In concrete terms, you map out a number of things in a data register for all the data you collect: the purposes, the means, the legal bases, the risks to the privacy of the data subjects, the access to that data, the transfer to third parties, … This provides an overview of all data flows within the company. It considerably simplifies possible inspections and audits.
You can use a number of qualitative questionnaires or evaluation tools for this, but of course Sirius Legal can offer you specialized assistance.
Step 2: Contact your service provider / contracting parties in the third country
We recommend that you inform all your contracting parties, service providers, etc. about the Schrems-II judgment and its consequences. Sirius Legal has created a standard letter template for this with a Data Export Impact Assessment. You can download this template for free at the bottom of this blog post.
The term ‘third country’ doesn’t mean every country other than your own, but rather every country outside the European Economic Area, which is the EU expanded with Norway, Iceland and Liechtenstein.
Step 3: Check whether there is a decision on an adequate level of protection in the third country
For some third countries, the European Commission has decided that that country offers an adequate level of protection (an ‘adequacy decision’), so you can export data to those countries based on that decision. The full list of those countries can be found on the website of the European Commission. Currently negotiations are ongoing with South Korea. We will of course follow this closely and keep you continuously informed about any changes through our blog and social media.
Step 4: Assess the legal situation of the third country
In the case of data export to a third country where there is no decision on an adequate level of protection, we arrive at the next step. In that case, the data protection authority of Baden-Württemberg recommends a thorough investigation of the legal situation of that third country. In this context, it is particularly important to check whether national security authorities can gain access to the exported data.
You can consult your national data protection authority for this (in Belgium this is the GBA, in the Netherlands the AP, in France the CNIL and in England the ICO), the European Commission, the EDPB, your national ministry of foreign affairs, …
We understand that this is a complicated and time-consuming job. Sirius Legal has an extensive network of foreign lawyers specialised in these matters. This allows us to make our own ‘adequacy assessment’ for almost every third country.
Step 5: Assess whether SCCs are sufficient
Now that you are aware of the legal situation in the third country, it is time to assess whether the Standard Contractual Clauses (SCCs) are sufficient. The SCCs have been created by the European Commission for data export to third countries. These are contracts that you can conclude with the controller or processor in that third country. If no problems were found in the step discussed above, you can use these SCCs without any problem. Keep in mind that the European Commission is reviewing the SCCs. If the SCCs do not suffice, go to the next step.
Step 6: Create additional guarantees and use customised SCCs
The Baden-Württemberg data protection authority proposes a number of additional safeguards. First, the encryption of the data on your end. In that case, make sure that you as an exporter are the only one with the ‘key’ to decrypt the data and that the encryption cannot simply be unlocked. We invite you to read the article ‘Is encryption mandatory under GDPR’ (only available in Dutch for the moment) if you want to know more about encryption.
Second, the anonymisation or pseudonymisation of the data on your end. This ensures that the recipient of the data cannot simply know who the data subject really is. Keep in mind that this process often has to start before you even enter the data or upload it somewhere.
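The two safeguards above are described at the level of principle only. The following is an added example (not from the original post or from Sirius Legal) of what exporter-side pseudonymisation looks like in practice: direct identifiers are replaced by a keyed pseudonym before anything is uploaded, the secret key and the re-identification table never leave the exporter, and a pre-upload check confirms that no name or e-mail is still present in the payload. The customer records, field names and key-handling function are all constructed for the example; the unkeyed hash is included only to show why a plain hash of an e-mail address is not a pseudonym (anyone who knows the address can recompute it).

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data: three fictitious customer records held by the exporter.
CUSTOMERS = [
    {"name": "Anna Peeters", "email": "Anna.Peeters@example.be", "plan": "pro", "country": "BE"},
    {"name": "Jan Janssens", "email": "jan.janssens@example.be", "plan": "free", "country": "BE"},
    {"name": "Marie Dubois", "email": "marie.dubois@example.fr", "plan": "pro", "country": "FR"},
]

# Fields that identify a person directly and must not leave the EEA in clear (assumed field names).
DIRECT_IDENTIFIERS = ("name", "email")


def new_exporter_key() -> bytes:
    """Generate the secret the exporter keeps to itself (a real deployment would
    load it from the exporter's own key store; this is a hypothetical stand-in)."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.
    Without `key`, the recipient cannot recompute it from a guessed e-mail address."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256, shown only as a contrast: it needs no secret, so anyone
    holding a list of e-mail addresses can reproduce and match it."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def pseudonymise(records, key):
    """Split records into an export-ready list and a re-identification table.
    Only the list is uploaded; the table stays on the exporter's own systems."""
    exported, table = [], {}
    for rec in records:
        pid = pseudonym(rec["email"], key)
        table[pid] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        exported.append({"subject_id": pid, **payload})
    return exported, table


def leaks_direct_identifiers(exported, originals) -> bool:
    """Pre-upload check: True if a direct-identifier field name or any original
    identifier value still appears anywhere in the serialised export."""
    serialised = json.dumps(exported).lower()
    for field in DIRECT_IDENTIFIERS:
        if f'"{field}"' in serialised:
            return True
    for rec in originals:
        for field in DIRECT_IDENTIFIERS:
            if rec[field].lower() in serialised:
                return True
    return False


def reidentify(subject_id: str, table: dict):
    """Exporter-side lookup, e.g. when a data subject exercises their GDPR rights.
    Returns None for an unknown pseudonym."""
    return table.get(subject_id)


if __name__ == "__main__":
    key = new_exporter_key()
    export_payload, lookup = pseudonymise(CUSTOMERS, key)
    if leaks_direct_identifiers(export_payload, CUSTOMERS):
        raise SystemExit("refusing to upload: direct identifiers still present")
    print(json.dumps(export_payload, indent=2))  # what the importer would receive
```

The point of keying the pseudonym is the first safeguard in the post applied to the second: the exporter alone holds the secret, so the importer (or anyone who obtains the export) cannot turn a known e-mail address back into a `subject_id`. Encrypting the exported file as well, with a key that likewise stays with the exporter, is a separate step that this example does not cover.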
Subsequently, the Baden-Württemberg data protection authority proposes a number of concrete adjustments and additions to the SCCs:
- An obligation for the data exporter to inform the data subject that his or her data is exported to a third country that does not provide an adequate level of protection;
- An obligation for the data importer to inform both the exporter and the data subject of any request for access to the data. If this is not possible, the obligation to notify the exporter’s national data protection authority;
- An obligation for the data importer to take legal action against any request for access and exhaust these legal measures;
- The granting of more rights to the data subject in a dispute with the data importer and the addition of a compensation clause.
Step 7: And if none of that helps …
It is possible that all of the above measures are either not possible or still do not provide sufficient guarantees. In that case, the Baden-Württemberg data protection authority states that an alternative option exists, but it emphasises that this alternative is interpreted very strictly and is therefore rarely accepted as a reason for exporting data to a third country. This includes, for example, the possibility of requesting the consent of the data subject for the data export. However, this consent must meet all the requirements of the GDPR. In other words, the consent must be free, specific, informed and unambiguous.
If all of the above did not help, it is probably safer to stop the cooperation with the partner.
A warned company counts for two
Our previous blog post about the Schrems-II judgment and this blog post should provide you with a running start. A number of recommendations and guidelines will surely be provided by other data protection authorities in the near future which will hopefully provide more clarity. We will of course continue our investigations and inform you about it on our blog and social media. For now you can already start with the following steps:
Step 1: consult your data register / set up a data register
Step 2: inform your service providers / contracting parties
Step 3: check whether a decision has been made about the appropriate level of protection
Step 4: assess the legal situation
Step 5: check whether SCCs are sufficient
Step 6: if not, create additional guarantees and conclude customised SCCs
Step 7: stop the data export / find an alternative