With respect to the European General Data Protection Regulation (GDPR), it is highly unlikely that any new Standard Contractual Clauses (SCCs) issued by the European Commission (EC) - which are by nature standard and 'one size fits all' - will be able to replace the case-by-case assessment required by the Court of Justice of the European Union (CJEU) in its 'Schrems II' decision for controllers that want to transfer EU personal data outside the EEA.
After all, the concept of privacy by design and by default, which permeates the precepts of the GDPR, is intended to create a climate of data privacy within organisations. Just as the US Department of Justice (DOJ) expects a climate of active compliance with the Foreign Corrupt Practices Act (FCPA), rather than perfunctory paper-tiger policies, the GDPR expects top-down leadership and vertical organisational buy-in to data privacy and protection.
SCCs alone will never be able to ensure that data exported outside the EEA receives protection equivalent to that offered by the GDPR, unless the organisations exporting and importing the data have a climate of active compliance with data privacy best practices embedded in their organisational cultures. In short, it requires a culture of privacy within the organisation.
While everyone seems to be waiting expectantly for a new epiphany from the EC in the form of updated SCCs and supplemental measures, organisations should focus on understanding the intent and policies behind the GDPR. Reading the GDPR recitals, the Article 29 Working Party papers and the EC guidelines is a good first step.
If organisations adhere to the intent of those principles, the assessments that must be undertaken for data-recipient countries outside the EEA will be far easier. Organisations that wish to push the limits of what is construed as acceptable under the principles underlying the GDPR will, of course, find those assessments less reliable and may expose themselves to greater liability under the GDPR. Compliance with the letter rather than the spirit of the GDPR is the grey area that can sting a non-compliant actor.
Assessment places the onus on the parties to a data export-import transaction. After all, it is not the EC's responsibility to assess the level of data protection in a non-EEA destination country. It is therefore likely that any new SCCs promulgated by the EC will contain an additional representation from the data exporter that it has verified that the law of the destination country will adequately protect the transferred data, and that the data importer shall assist the data exporter in making this determination where necessary.
Such assessments will require both data exporters and data importers to determine not only the applicable laws in a particular destination country, but also the attitudes of government bodies and enforcement officials in that jurisdiction. When we speak of compliance with the spirit of the law and not just its written words, we tend to think of the parties subject to the law. A rigorous data export assessment, however, should also consider the spirit and attitudes of those responsible for enforcing, interpreting and creating law in the destination country. This is the root of the issue in the Schrems II case: notwithstanding individual organisational certifications under the Data Privacy Shield, the US government itself could undermine the protections the Data Privacy Shield was meant to provide.
The new SCCs will not provide a silver bullet for the problems underlying Schrems II. Data-exporting organisations will need to use alternative safeguards and additional measures that comport with the fundamental intentions of the GDPR - whether through the use of unidentifiable data, encrypted data, synthetic data or whatever other method is developed to protect the data of individuals and their right to a private and family life.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.