How worried should you be about Schrems II?

Note: this is an opinion piece and is not intended as legal advice. Contact Datatilsynet or a lawyer for an assessment of your situation.

In a recent ruling on the EUs General Data Protection Regulation (GDPR), the European Court of Justice made it more difficult for European companies to use services which export data outside of the EU.

The case is known as Schrems II and has received widespread media coverage. In this article, I argue that the attention is exaggerated, and that most businesses have far more pressing concerns under the GDPR than the Schrems II case.

What is Schrems II about?

GDPR was introduced with the goal of harmonizing data protection rules in the European Union – so that the same high level of protection for data can be assured across borders.

In order to make sure that this protection is not made meaningless by simply transferring data outside of the EU, GDPR makes it clear that data can be transferred out of the EU only if this does not undermine protection of the people whose data is processed. The GDPR then provides a list of situations in which data transfers outside of EU are allowed.

First on this list are transfer mechanisms known as “adequacy decisions”. The European Commission can make a list of countries which have such good data protection laws and practices that transferring personal data there should, for GDPR purposes, be treated like transferring data to an EU country.

The U.S. used to be on this list under the so-called Privacy Shield Framework. Schrems II invalidated this framework, meaning that data transfers to the U.S. now must be treated in the same way as data transfers to China, Russia or Pakistan.

Transfers to such countries used to be done by simply signing a template contract called Standard Contractual Clauses, in which parties make certain promises in relation to people’s rights. Schrems II further tells us that signing this contract is no longer enough.

All organizations in EU/EEA must now assess all the laws of all the countries they are transferring the data to and determine how these laws affect their data transfers. Should any gaps be identified, a broad range of technical and legal solutions must be considered.

What should you do?

Let me start by stating the obvious: assessing the legal system of another country – including data protection and privacy, national security and anti-terrorism laws – is an incredibly complex task. Before you hire an army of lawyers ask yourself: is this truly a priority for my organization right now?

Yes, all the laws should be followed; and GDPR especially so. Privacy is a human right, and data protection is its crown. However, most organizations in Norway are not at the level of privacy maturity where Schrems II should be first priority.

My advice for most organizations dealing with GDPR compliance is to start with the basics. Any compliance effort needs to be based on strong foundations and there is no need to start with Chapter V of the GDPR if the building blocks are not in place. Here are a some very generalized things you should consider doing first:

• Always start with the data protection principles in GDPR Art. 5. Make sure you know what kind of data you are gathering and why you need it.
• Ask yourself whether you are gathering more data on your customers and employees than you need to. If you are, start deleting it.
• Do not keep the data forever; delete it when you no longer need it.
• Do not start using the data you have for entirely new purposes without thinking about how this affects the people whose data you are using.
• Make sure the personal data is secured in a way proportional to the security risk. Do not just buy security software, take a moment to reflect on the actual security risks.
• Make sure you have identified a proper legal basis for each purpose of processing. Look for the cases where contracts, other laws, or balancing of legitimate interests makes it possible for you to process data without consent. Implement special protections for special categories of data found in Art. 9, such as health data, data on religious and political opinions, sex life and sexual orientation, trade union membership etc.
• Make sure people can exercise their broad rights to be informed and get access to their data, as well as their narrow rights such as having data deleted. Gain an understanding of how your choice of legal basis (contract/legitimate interest/consent etc.) affects these rights.
• Appoint a data protection officer, if needed.
• Sign contracts with your data processors, and make sure to carry out some due diligence – can they actually deliver on the GDPR requirements? If possible, ask them questions on their security measures, arrange for audits and ask which employees get access to data.
• Make an inventory of your data processing – essentially a list documenting the previous steps. You can find more details in Art. 30.
• Carry out data protection impact assessments for high-risk processing situations.

Only once this is implemented does it make sense to start focusing on Schrems II, especially if you already have signed SCC contracts with importing organizations. If you have reached that point, your organization is quite mature compliance-wise, and any potential risk of fines has already been significantly reduced.

If you are at this stage, read the guidance documents carefully; implement encryption where you can (you should be doing that anyway!); and – ace up your sleeve – contact Datatilsynet! You have the right to ask them for consultation under Article 36, so if you are looking at the lawfulness of a particular transfer, you may as well ask for their opinion. This will certainly positively affect your risk profile.

Whatever you do, do not buy into the panic. Like with many things happening around the world at this moment, it helps to have a positive outlook. This is a global problem; and your patience will pay off.