Unpacking Schrems II: Analysis, Updates & Next Steps

Slide Note
Embed
Share

Explore the implications of the Schrems II decision on transatlantic data transfers. Understand the impact on GDPR, Privacy Shield, and Standard Contractual Clauses. Learn about best practices moving forward in light of regulatory updates from European and US authorities.

raighan
raighan Follow

Uploaded on Sep 16, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Unpacking Schrems II: Analysis, Updates & Next Steps Sara DePaul Associate General Counsel & Senior Director, Technology Policy sdepaul@siia.net

  2. Roadmap for today Transatlantic Data Transfers and How We Got to Schrems II Analysis of the Schrems II Decision Updates from European & US Regulators Best Practices for Moving Forward

  3. But first, why do you need to know this? Personal Data Subject to GDPR Transferring of Data Outside the EU Need to Know Schrems II Web Scraping

  4. GDPR and Data Transfers to Third Countries Chapter 5 governs transfers, with Art. 44 stating the Chapter is to be applied in order to ensure that the level of protection of natural persons guaranteed by [the GDPR] is not undermined. Article 46 Transfers Subject to Appropriate Safeguards: Standard Contractual Clauses (Valid, but subject to Schrems II holding) Article 45 Transfers Based on Adequacy Decisions: Privacy Shield (now invalidated) Article 49 Derogations for Specific Situations: Generally not available for transfer of large sets of data

  5. How did we get here? CJEU invalidates Safe Harbor with Schrems I decision; Max Schrems Files Amended Complaint October 2015 Edward Snowden Disclosures, followed by Schrems I Complaint June 2013 CJEU releases Schrems II decision July 2020 EU Data Protection Directive October 1995 Privacy Shield is adopted July 2016 EU-US Safe Harbor Framework July 2000 Schrems I referred to CJEU June 2014 GDPR is adopted April 2016 Schrems II referred to CJEU October 2017

  6. What did the CJEU decide in Schrems II? The Privacy Shield was an adequacy decision by the European Commission under GDPR, Art. 45 Any company using this as a transfer mechanism must find a new transfer mechanism immediately Privacy Shield is INVALID The CJEU found that while SCCs are valid in general, they do not automatically ensure the adequacy required by the GDPR Instead, the adequacy of the SCCs must be determined on a case-by-case basis prior to transfer Standard Contractual Clauses are Valid, BUT .

  7. What are the US and EU Officials Saying About Privacy Shield? U.S. U.S. Federal Trade Commission European Data Protection Board Department of Commerce Continues to expect companies to comply with their ongoing Privacy Shield obligations Committed to working with the EU No grace period for the Privacy Shield Will continue to administer the Privacy Shield program, including submissions for certification and re- certification Companies should continue to follow robust privacy principles and review their privacy policies to ensure they are described accurately Participants are not relieved of their obligations to comply with the Privacy Shield Participants may withdraw but must meet ongoing obligations with respect to data collected under Privacy Shield

  8. What about SCCs? Irish DPC: questioned the validity of SCCs for transatlantic transfers in light of the CJEU ruling Berlin DPA: called for data controllers storing data in the US to transfer data back to the EU, saying data cannot be transferred to the US until the legal framework at issue is changed French DPA: carrying out an analysis to determine the consequences of transfers from the EU to US

  9. But the most important statements came from the EDPB FAQs If you are using SCCs with a data importer in the U.S., the EDPB notes: that the CJEU found that U.S. law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not you can transfer personal data on the basis of SCCs will depend on: the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you can put in place. [t]he supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data.

  10. What did the EDPB say about other transfer mechanisms? For BCRs, the CJEU s assessment that the Privacy Shield is invalid due to insufficiency of U.S. law to provide adequate protection applies in the context of BCRs as well because U.S. law will also have primacy over this tool. Thus, like with SCCs, whether you can transfer data using BCRs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you can put in place. These supplementary measures, along with BCRs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. Law does not impinge on the adequate level of protection they guarantee. The EDPB is assessing the impact on other Article 46 transfer mechanisms The EDPB notes that it is still possible to transfer data from the EEA to the U.S. on the basis of derogations foreseen in Article 49 GDPR provided the conditions set forth in the Article apply.

  11. What is missing from all of this? Any Guidance on What Constitutes A Supplementary Measure that Can Safeguard the Data

  12. Begin by assessing your transfers If you are using Privacy Shield, you must stop and find a new transfer mechanism. (But remember, be mindful of statements from U.S. regulators that you have ongoing obligations with data received under the Privacy Shield Framework) If you are using or switching to SCCs, be mindful that this is going to be a changing landscape. Some early actions you can take, including: Assessing and memorializing the risk that data you receive via this mechanism would be subject to the law enforcement access at issue in Schrems II (Sec. 702 FISA & EO 12333). For many companies the risk will be minimal to nonexistent. Consider if there are supplementary measures you can take while waiting for clear guidance, such as encryption (both when data is at rest and in transfer) or data minimization? If you are using or switching to BCRs, you may want to take the same steps as for SCCs in light of the EDPB FAQ. If you are switching to derogations, be mindful of prior EDPB guidance on these mechanisms. Consent, for instance, means consent under the GDPR (explicit, informed, and voluntary)

  13. Remember, this is about evaluating risk Without clear guidance on supplementary measures for SCCs and BCRs (or even a potentially wider impact on other transfer mechanisms), the only risk free solution is to store your data in the EU But this is not a workable solution for the vast majority of businesses As a result and until more guidance is forthcoming, your best course of action is to evaluate risk and make business decisions that mitigate the risk to the extent you can

  14. Thank you! Thank you!

Related


Importance of Unpacking Standards for Effective Learning

Importance of Unpacking Standards for Effective Learning

peridot
Safe Handling of Hazardous Drugs: Training and Protocols

Safe Handling of Hazardous Drugs: Training and Protocols

cal_g
Unpacking Poetry: Four Easy Steps

Unpacking Poetry: Four Easy Steps

zak_mei
Unpacking the Associative Property of Multiplication in Elementary Classrooms

Unpacking the Associative Property of Multiplication in Elementary Classrooms

torben
Challenges and Solutions in Cross-Border Data Transfers: A Privacy Perspective

Challenges and Solutions in Cross-Border Data Transfers: A Privacy Perspective

casimir
Yuba Community College District Town Hall Updates

Yuba Community College District Town Hall Updates

emmajea
Enhancing Children's Learning Through Involvement in Planning

Enhancing Children's Learning Through Involvement in Planning

kamiyah
Extension Connections and Updates at UMaine - September 2021

Extension Connections and Updates at UMaine - September 2021

vela_l
Bimonthly Volunteer Webinar Agenda and Updates - May 2018

Bimonthly Volunteer Webinar Agenda and Updates - May 2018

eibh_598
CSI School Leaders Regional Gathering Updates April 2023

CSI School Leaders Regional Gathering Updates April 2023

mmyl
Humanitarian Shelter & WASH Group Meeting Updates

Humanitarian Shelter & WASH Group Meeting Updates

maa_wh
Competitive Event Preview 2019-2020 Updates and Guidelines

Competitive Event Preview 2019-2020 Updates and Guidelines

paidynst
Updates and Reminders for P2P Super User Group

Updates and Reminders for P2P Super User Group

myer_ize
Bonneville Power Administration Workshop Update

Bonneville Power Administration Workshop Update

ashub
Shifting Political Sentiment in Gauteng: Analysis & Insights

Shifting Political Sentiment in Gauteng: Analysis & Insights

hasan
Unpacking Problem-Driven Political Economy Analysis at The World Bank

Unpacking Problem-Driven Political Economy Analysis at The World Bank

joyl_976
Upper Thames Hydro Project Updates and Next Steps

Upper Thames Hydro Project Updates and Next Steps

seven
Unpacking the Theme of Coping with Pressure in

Unpacking the Theme of Coping with Pressure in "The Surprising Power of a Good Dumpling

zinnia
Unpacking Road Safety at a District Level: The Case of Cape Town, South Africa

Unpacking Road Safety at a District Level: The Case of Cape Town, South Africa

adelain
Market Analysis (Project Formulation)

Market Analysis (Project Formulation)

simeon
Task 4.3 Meeting Conclusions and Next Steps

Task 4.3 Meeting Conclusions and Next Steps

pemberton_g
2023-2024 Child Find Program Updates

2023-2024 Child Find Program Updates

alvi
MO HealthNet Oversight Committee Meeting

MO HealthNet Oversight Committee Meeting

saint
Texas Community Development Block Grant Program Updates for PY 2023

Texas Community Development Block Grant Program Updates for PY 2023

harry

More Related Content

Kansas Board of Nursing Updates and Contacts
Kansas Board of Nursing Updates and Contacts
Student Services Webinar: Agenda, Updates, and Contact Information
Student Services Webinar: Agenda, Updates, and Contact Information
Dyslexia Advisory Council Meeting and Professional Learning Updates
Dyslexia Advisory Council Meeting and Professional Learning Updates
Behavioral Health and Developmental Disabilities Administration Quality Improvement Council Meeting - December 1, 2021
Behavioral Health and Developmental Disabilities Administration Quality Improvement Council Meeting - December 1, 2021
IEEE 802.11-21/0262r0 Critical Updates Discussion Summary
IEEE 802.11-21/0262r0 Critical Updates Discussion Summary
PTGO General Meeting Agenda and Updates - February 8, 2024
PTGO General Meeting Agenda and Updates - February 8, 2024
FEAD Committee 5 Meeting - Updates on Legislative Matters and Consultations
FEAD Committee 5 Meeting - Updates on Legislative Matters and Consultations
Early Childhood Data System 2022-2023 Updates
Early Childhood Data System 2022-2023 Updates
Dahuk Shelter & NFI Cluster Coordination Meeting Agenda
Dahuk Shelter & NFI Cluster Coordination Meeting Agenda
NAU WordPress Unit Updates and Training Highlights - July 2019
NAU WordPress Unit Updates and Training Highlights - July 2019
Task Force Meeting @ISPO - 28th November 2023 Summary and Updates
Task Force Meeting @ISPO - 28th November 2023 Summary and Updates
Updates on Accounting and Verification Activities in HN Groups
Updates on Accounting and Verification Activities in HN Groups
Next Generation Updates and Initiatives for 2022
Next Generation Updates and Initiatives for 2022
Virtis/Opis Technical Updates and Releases Over the Years
Virtis/Opis Technical Updates and Releases Over the Years
Unpacking the Illinois Assessment of Readiness (IAR) Results for Instructional Enhancement
Unpacking the Illinois Assessment of Readiness (IAR) Results for Instructional Enhancement
Unpacking the New ELAL Curriculum for Grades 4-6
Unpacking the New ELAL Curriculum for Grades 4-6
Unpacking the Human Impact of Climate Change: Resources for 11-14-Year-Olds
Unpacking the Human Impact of Climate Change: Resources for 11-14-Year-Olds
Unpacking the Islamic Significance of Hajj Through Historical Context
Unpacking the Islamic Significance of Hajj Through Historical Context
Exceeding Righteousness: Unpacking Jesus' Teachings from Matthew 5-7
Exceeding Righteousness: Unpacking Jesus' Teachings from Matthew 5-7
Understanding Microaggressions in Everyday Interactions
Understanding Microaggressions in Everyday Interactions
Unpacking Gender Inequality and Stereotyping in Society
Unpacking Gender Inequality and Stereotyping in Society
Building Trust in Official Statistics: Key Determinants and User Engagement
Building Trust in Official Statistics: Key Determinants and User Engagement
Global Health Challenges and Opportunities in the 21st Century
Global Health Challenges and Opportunities in the 21st Century
Unpacking Translanguaging as a Rhizomatic Multiplicity
Unpacking Translanguaging as a Rhizomatic Multiplicity