Analyzing Assessments and Additional Safeguards for Cross Border Data Transfers post Schrems-II

Schedule a Demo

Products
By Use Cases By Roles
DataControls Cloud^TM
View
Learn more

Asset and Data Discovery

Discover Data Assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Discover & Classify Structured and Unstructured Streaming Data

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Protect data systems by discovering and automatically remediating misconfigurations

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog enterprise datasets

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
DataControls Cloud^TM
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Managment

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

US California CPRA

View

European Union GDPR

View

Brazil’s LGPD

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA

View

Thailand PDPA

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Videos

Solution and customer videos.

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

On-Demand Webinar

Navigating the Impact of “Schrems II” and Cross-Border Data Transfers

Michael Morgan

US Head Global Privacy & Cybersecurity Practice, McDermott Will & Emery

Srinivas Avasarala

Vice President, Product Management, Securiti

The Court of Justice of the European Union (CJEU) released a decision invalidating the US-EU Privacy Shield arrangement for transatlantic data transfers and changing obligations of data controllers when using Standard Contractual Clauses (SCCs) as a mechanism to export data. Among other things, the court held that data controllers may use SCCs to transfer data of EU citizens to a data importer based in a jurisdiction which has been deemed to have inadequate data privacy protections only after:

1. Carrying out a review of the national legislation and regulations relating to data privacy and security of the data importer and verifying whether the existing laws and regulations ensure that the contractual promises within the SCCs can be honored by the importer;

2. If the national legislations and regulations are too weak to allow the SCCs to be enforced, then the controller along with the assistance of the data importer will have to establish supplementary measures to enforce the data importer’s obligation to protect the data under the SCCs;

3. If the data controller, the data importer or the relevant Supervisory Authority believes that the contractual protections on the data as per the SCCs cannot be honored by the data importer then the data transfer between the controller and importer should be cancelled and any data already transferred under the SCCs should be deleted by the data importer.

Risk assessments

Upon a close reading of the CJEU’s judgement, it appears that the data controllers and processors should be focusing on the following factors while conducting the obligatory risk assessments under the SCCs:

1. Identity of the data importer:

Is the data importer from a regulated industry?
Who is the data importer and in which industry do they work?
Does the data importer have the capability to refuse public authorities’ requests to hand over transferred data for surveillance needs?
Whether the data importer has received surveillance requests in the past and complied with the same for similar sets of data?

The identity of the data importer matters since some data importers might be targeted more by public authorities in comparison to others due to the industry they work in. Moreover, the data importer’s history of compliance with a regulatory regime and it’s capability to challenge requests for surveillance by public authorities can also help assess the risk of exposure to the personal data being transferred.

2. Assessment of the industry-specific regulatory regime of the data importer:

What are the powers, roles and performance of the relevant local regulators?
What safeguards and redress are available for data subjects under the relevant legal and regulatory regime?

The type of safeguards and redress available to data subjects under a regulatory regime should be analyzed and evaluated in terms of scope, efficacy and enforceability of protections.

3. The nature of the data and the data transfer:

What type of data is it?
Is it sensitive personal data?
For what purpose is the data being transferred?
What is the residual risk to the data subject if the transferred data is exposed or surveilled by the public authorities of the importing country?
Has the data subject provided (enhanced) informed and free consent to have his/her personal information transferred despite the risk of it being exposed or surveilled by the public authorities of the data importer’s country?

Some data and transfers are inherently more at risk than others to be the subject of surveillance by governments due to national security concerns and/or law enforcement interests in the type of data being transferred. Similarly, the type of data being transferred also matters as sensitive personal data being exposed to surveillance is more harmful to the data subject compared to other data types.

4. The categories of data subjects:

Who are the data subjects whose data is being transferred?
Do these data subjects have access to judicial/regulatory bodies in the data importer’s country to exercise their rights and challenge the surveillance of their information?

Some data subjects might be at increased risk of surveillance by a country’s public authorities due to their employment or nationality etc. Similarly, some categories of data subjects (i.e EU citizens who have dual nationality as US citizens) will have the enhanced capability to take action to stop or redress any government action which threatens to expose their data while others might not.

5. The nature and scope of surveillance and national security laws of the data importer’s country:

Are the surveillance laws of the data importer’s country expansive or limited in their scope?
Are surveillance efforts for national security requirements curtailed by the principles of necessity and proportionality?
What is the probability that the transferred personal data will be surveilled?

Some jurisdictions have very well structured surveillance laws and the law applies to some specified industries, people, etc. but some jurisdictions have vaguely worded and overbroad surveillance laws. The risk is less if the laws (and their limitations) are well written and understood.

6. Other supplementary measures used by the data importer to protect the data:

Does the data importer employ any industry-specific protections to the transferred data?
Does the data importer apply any technical or organizational protections to the transferred data?
Are there any protections to the transferred data which are in the nature of international commitments by the data importer or the country the data importer is based in?
What supplementary measures will be used in the SCC and how effective would they be in protecting the data?

Some data importers can be subject to additional and independent supplemental measures for the protection of the transferred data that are industry-specific or international in nature (via international treaties or obligations). These can reduce the risk of the transferred data being exposed.

Additional Safeguards

The data controller after conducting a holistic assessment of the risk can choose to enact additional safeguards within the SCCs to protect the data and mitigate risk to achieve compliance with the CJEU judgment. Such additional measures may include:

technical and organizational (i.e such as heavy grade encryption of the transferred data with the data importer not having access to encryption key at all times),
data minimization (i.e reducing data flow to a data importer if they become subject to surveillance requests or the risk of them being issued a surveillance request increases),
other contractual measures that can offer some form of control over data importers by data controllers (i.e the data controller exercises total control on the data importer in relation to the imported data),
reporting obligation (the data importer is obligated to inform the data controller of data surveillance requests received on the imported data by public authorities),
data protection obligation (i.e obligation upon data importer to delete the data or transfer it forward and to challenge data surveillance requests by public authorities before domestic courts).

Conclusion

"Data controllers in the EU should immediately begin to audit their data sharing practices and prepare for the eventual compliance actions by regulators. NOYB - Max Schrems’ data rights organization - has already filed 101 complaints with various Supervisory Authorities against European companies continuing to transfer data to the US after the judgement and the European Data Protection Board has formed a task force for the implementation of the ruling. Since there is no grace period for companies to adapt to the decision, even tomorrow the Supervisory Authorities can knock on EU data exporters’ doors asking for justifications for data transfers being made to US companies."

Thus adoption and enhancement of SCCs with additional measures to mitigate the risks which arise in risk assessments is the only viable step for many companies (at least in the short term) as other solutions such as Binding Corporate Rules (BCRs) are too expensive and solutions such as enhanced consent are not sustainable or viable for systematic transfers. Until further guidance comes from the authorities or the US and EU authorities can clobber together a Privacy Shield 3.0, these steps are required to ensure the billions of dollars worth of transatlantic trade does not come to a grinding halt.

Navigating the Impact of “Schrems II” and Cross-Border Data Transfers

Michael Morgan

US Head Global Privacy & Cybersecurity Practice, McDermott Will & Emery

Srinivas Avasarala

Vice President, Product Management, Securiti

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.