Focus on the basics first.
Note: this is an opinion piece and is not intended as legal advice. Contact Datatilsynet or a lawyer for an assessment of your situation.
In a recent ruling on the EU's General Data Protection Regulation (GDPR), the European Court of Justice made it more difficult for European companies to use services which export data outside of the EU.
The case is known as Schrems II and has received widespread media coverage. In this article, I argue that the attention is exaggerated, and that most businesses have far more pressing concerns under the GDPR than the Schrems II case.
GDPR was introduced with the goal of harmonizing data protection rules in the European Union – so that the same high level of protection for data can be assured across borders.
In order to make sure that this protection is not made meaningless by simply transferring data outside of the EU, GDPR makes it clear that data can be transferred out of the EU only if this does not undermine the protection of the people whose data is processed. The GDPR then provides a list of situations in which data transfers outside of the EU are allowed.
First on this list are transfer mechanisms known as “adequacy decisions”. The European Commission can make a list of countries which have such good data protection laws and practices that transferring personal data there should, for GDPR purposes, be treated like transferring data to an EU country.
The U.S. used to be on this list under the so-called Privacy Shield Framework. Schrems II invalidated this framework, meaning that data transfers to the U.S. now must be treated in the same way as data transfers to China, Russia or Pakistan.
Transfers to such countries used to be done by simply signing a template contract called Standard Contractual Clauses, in which parties make certain promises in relation to people’s rights. Schrems II further tells us that signing this contract is no longer enough.
All organizations in the EU/EEA must now assess the laws of every country they are transferring data to and determine how these laws affect their data transfers. Should any gaps be identified, a broad range of technical and legal solutions must be considered.
Let me start by stating the obvious: assessing the legal system of another country – including data protection and privacy, national security and anti-terrorism laws – is an incredibly complex task. Before you hire an army of lawyers ask yourself: is this truly a priority for my organization right now?
Yes, all the laws should be followed; and GDPR especially so. Privacy is a human right, and data protection is its crown. However, most organizations in Norway are not at the level of privacy maturity where Schrems II should be first priority.
My advice for most organizations dealing with GDPR compliance is to start with the basics. Any compliance effort needs to be based on strong foundations, and there is no need to start with Chapter V of the GDPR if the building blocks are not in place. Here are some very generalized things you should consider doing first:
Only once this is implemented does it make sense to start focusing on Schrems II, especially if you have already signed SCCs with importing organizations. If you have reached that point, your organization is quite mature compliance-wise, and any potential risk of fines has already been significantly reduced.
If you are at this stage, read the guidance documents carefully; implement encryption where you can (you should be doing that anyway!), keeping in mind that encryption only counts as a safeguard for a transfer if the importer cannot access the keys; and – ace up your sleeve – contact Datatilsynet! You have the right to ask them for prior consultation under Article 36, so if you are looking at the lawfulness of a particular transfer, you may as well ask for their opinion. This will certainly positively affect your risk profile.
Whatever you do, do not buy into the panic. Like with many things happening around the world at this moment, it helps to have a positive outlook. This is a global problem; and your patience will pay off.