18 August 2020
The EU's 'Schrems 2' judgement - which ruled that the Privacy Shield Framework cannot be used for transferring personal data between the EU and US - demands 'prompt action' from UK organisations, the professional body for IT has warned.
The Court of Justice of the European Union ruling has major and immediate implications for international flows of information as it says the current Framework does not match the EU’s standards for protection of individuals’ data. It will have sustained, post-Brexit impact on any countries that are not considered by the EU to have adequate data protection, BCS, The Chartered Institute for IT states in a new policy paper.
Chiara Rustici, privacy analyst and Chair of BCS’ Law Specialist Group said: “This is a significant decision which will require prompt action for organisations that transfer personal data outside of the EU - or those service providers you trust with your personal data which do.
“The implications of the judgment are still evolving, but already the UK’s IT professional and business communities need to pay due care and attention to Schrems 2 to safeguard their businesses and operations as much as possible. It has immediate implications for any organisation doing business by exchanging data and information flows with USA organisations, and for any organisation doing business by exchanging data and information flows with organisations based in countries the EU does not recognise as having an adequate data protection regime.
“All organisations are affected, from multinational to not-for-profit, to the extent that their data and information flows include personal data.
“Organisations based in the EU and USA are not the only ones in scope: any organisation may be relying, directly or indirectly, in some part of their value chain, on personal data flows affected by this judgment.
“Do not assume that ‘management’ is already aware and has a plan: you may be the first to be aware of it. The wider impact of Schrems 2 on business and trade has yet to be grasped by the mainstream and business press. If you are UK based, do not assume the problem will go away after Brexit and do not assume there will be no enforcement.”
BCS, The Chartered Institute for IT has set out 10 actions organisations with international data interests should take to minimise the risk of being caught by the legislation:
- Assess how much of the personal data your organisation handles is strictly mission-critical and how much is expendable. Minimise your organisation's personal data. Be mindful that most business data is also personal data and that most datasets are mixed, so it may be impossible to segregate personal from non-personal data.
- Assess in which countries your personal data ends up, routinely or occasionally, directly or indirectly, via cloud services, web-based applications, cookies and other trackers, contractors, sub-contractors and suppliers. Map all the organisation's personal data flows you are responsible for against the interactive data protection map produced by CNIL. Keeping a real-time view of how your personal data ecosystem crosses national boundaries, and of how data protection requirements for data transfers change, will also be useful for upcoming changes in countries' data protection status. Consider whether your transfer counterpart is a likely target for government intelligence surveillance demands.
- Audit who has access rights to your organisation's personal data sets (databases, data streams, data repositories of any kind) and from which countries they can access it. Be mindful that, in legal terms, to access data is to transfer data. Include in this audit of permission levels: clients, business partners, employees, remote workers, freelancers, temps, interns, volunteers.
- If you have an in-house legal department, they should have reached out to the IT team by now. If you use external legal counsel, they may not have contacted you yet, so be proactive: re-read your own policies and search the terms and conditions of your suppliers, contractors and subcontractors to identify which data flows in your organisation rely, directly or indirectly, on a "Privacy Shield" clause. This is a legal basis for transferring data to the USA that is now invalid. Do the same search for Standard Contractual Clauses (SCCs). These are still valid but require additional action on your part. For example, to continue to use SCCs you will need to undertake due diligence to evaluate and document the risks associated with those transfers. In practice, you will need to identify whether the laws of the destination country cause concern in relation to the rights of data subjects (see action 2). To identify potential risks, an assessment of the third country's laws and potential international commitments is now necessary and recommended by the EDPB. You should also ensure the data importer in the destination country understands that it needs to notify you of laws and other obligations that would prevent it from complying with the SCCs, including being subject to any specific government surveillance or legal monitoring.
- Address highest risk transfers first. For example, a financial institution is likely to have high levels of risk, whereas a small online retailer is likely to have lower levels of risk of surveillance interception. Where it is possible that US governmental authorities might seek to access the personal data transferred, consider including additional protections, such as encryption or tokenization, which could render personal data meaningless to a third party, or adding suspension or termination clauses in contracts that allow the data exporter to minimise the risk of an enforcement action in the EEA and the threat of fines.
- Once you have quantified the amount and kinds of personal data transfers to the USA, servers controlled by US companies or other countries outside the European Economic Area (EEA) which do not provide adequate safeguards, escalate the matter to the highest level of risk ownership in your organisation.
- Be in the room when management works out the cost-benefit analysis of practical solutions for the parts of your business that rely directly or indirectly on Privacy Shield or SCCs. There may be several solutions. None is without consequences. Go to the meeting prepared to offer key figures of data transfers, and your assessment of IT architecture workarounds.
- Additional IT safeguards or alternative IT architecture workarounds may not be the only solutions for Privacy Shield-based data transfers to the USA or for data transfers based on SCCs:
a) Business alternatives include redesigning which types of business process are carried out by which country's business unit, or switching to cloud and other IT suppliers which are not subject to US jurisdiction.
b) Legal alternatives include replacing Privacy Shield with SCCs plus "additional safeguards" as the legal basis for transfers, relying on one or more of the specified "derogations" in Article 49 of the GDPR or, in the case of multinational organisations, considering the use of Binding Corporate Rules (BCRs).
c) IT alternatives include re-allocating personal data access privileges to staff in the EEA, arranging for the business's personal data to be processed exclusively by staff based in the EEA, adding encryption layers while ensuring the encryption keys are in your possession, and pseudonymising or anonymising personal data.
- Continue to monitor developments. The interpretation and application of Schrems 2 is rapidly changing and developing. We are expecting more guidance from authorities and other developments very soon. IT professionals should stay closely aligned with these developments and adjust their plans accordingly.
- Work with your colleagues and professional communities to influence positive change. Organisations like the BCS depend on the collective skills and knowledge of our volunteer member communities working across many disciplines to advance the cause of computing and technology for good.
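As an added example (not part of the BCS paper), here is a small Python triage of a constructed transfer inventory that applies the mapping, Privacy Shield/SCC identification, highest-risk-first ordering and quantification steps above. The EEA and adequacy country sets are illustrative subsets for the example only and must be replaced with the Commission's current adequacy decisions.

```python
from dataclasses import dataclass

# Constructed subsets for the example; take the real lists from the
# Commission's adequacy decisions and the CNIL map referenced above.
EEA = {"DE", "FR", "IE", "NL", "IT", "ES", "NO", "IS", "LI"}
ADEQUATE = {"CH", "JP", "CA", "NZ"}

@dataclass
class Flow:
    system: str       # e.g. a SaaS CRM, a payroll database
    country: str      # where data is stored or, since access is transfer, accessed from
    basis: str        # "privacy_shield", "scc", "bcr" or "none"
    subjects: int     # number of data subjects involved
    high_risk: bool   # counterpart likely to face surveillance demands

def classify(flow: Flow) -> str:
    """Map one flow to its post-Schrems-2 status."""
    if flow.country in EEA or flow.country in ADEQUATE:
        return "ok"          # no transfer mechanism required
    if flow.basis == "privacy_shield":
        return "invalid"     # basis struck down; must be replaced
    if flow.basis in ("scc", "bcr"):
        return "review"      # still valid, needs documented assessment and safeguards
    return "unlawful"        # no recognised basis at all

ACTION = {
    "ok": "none",
    "invalid": "replace basis: SCCs with safeguards, Art. 49 derogation, BCRs, or relocate",
    "review": "document destination-law assessment; add encryption/tokenisation with EEA-held keys",
    "unlawful": "suspend transfer or move processing to EEA staff and systems",
}

def priority(flow: Flow) -> int:
    """Higher means fix sooner: status severity, then surveillance risk, then volume."""
    severity = {"ok": 0, "review": 1, "invalid": 2, "unlawful": 3}[classify(flow)]
    return severity * 1_000_000 + (500_000 if flow.high_risk else 0) + min(flow.subjects, 499_999)

def triage(flows: list[Flow]) -> list[tuple[str, str, str]]:
    """(system, status, action) tuples, highest-risk transfer first."""
    return [(f.system, classify(f), ACTION[classify(f)])
            for f in sorted(flows, key=priority, reverse=True)]

def quantify(flows: list[Flow]) -> dict[str, int]:
    """Data subjects per status: the key figures to bring to the management meeting."""
    totals: dict[str, int] = {}
    for f in flows:
        totals[classify(f)] = totals.get(classify(f), 0) + f.subjects
    return totals

INVENTORY = [  # constructed inventory
    Flow("crm-saas", "US", "privacy_shield", 120_000, True),
    Flow("payroll-db", "IE", "none", 800, False),
    Flow("support-desk", "IN", "scc", 5_000, False),
    Flow("analytics-cdn", "US", "none", 300_000, True),
    Flow("backup-vault", "CH", "scc", 50_000, False),
]
```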