END OF THE PRIVACY SHIELD: RECOMMENDATIONS FOR INTERNATIONAL DATA TRANSFERS

Dr. Frank Schemmel

“With its judgement in the matter of “Schrems II”, the ECJ has created a virtually unsolvable dilemma for data controllers, processors, supervisory authorities, legislators and not least, us consultants. The good news: data transfers to countries such as the USA, China or Russia continue to be possible. However, the bad news is that more time and effort will be required than previously, in order to make these compliant with data protection. No complete solution (one size fits all) can exist for this. In fact, we must make do with industry-specific approaches and partial solutions for each individual case. At DataGuard, we have developed concrete technical, organisational and contractual solutions, which have received a positive response from the supervisory authorities.”


THE CURRENT SITUATION

The judgement of the European Court of Justice (ECJ) on 16 July 2020 regarding the “Schrems II” case has also made big waves outside the data protection world, with its far-reaching implications for international data exchange. But what are the concrete consequences of the Schrems II judgement? What do companies and organisations need to pay attention to in future for data transfers to the USA, as well as to other so-called third countries? And which concrete measures should I take as a data controller?

In this detailed white paper, we address these questions without making any claim to completeness or conclusive answers. The focus is primarily on the expected practical implications, as well as practical measures for mitigating possible risks. Different interpretations of the judgement and its implications are naturally also possible – this is already evident from the differing opinions of European data protection authorities on the issue. Nevertheless, we are convinced that we are adopting a justifiable and, above all, practical middle course in this paper.

AT A GLANCE – 11-POINT PLAN FOR MITIGATING RISKS

01 Examination of possible restrictions/terminations of the third-country transfer (particularly to the USA)
02 Switch from Privacy Shield to Standard Contractual Clauses
03 Implementation of additional technical measures prior to third-country transfers (particularly to the USA)
04 Directives and requirements for all data importers (particularly processors)
05 Directives and requirements specifically for processors and sub-processors
06 Use of additional contractual clauses for processing contracts and SCC (Standard Contractual Clauses)
07 Use of the derogation rules in Art. 49 GDPR
08 Consideration of alternative providers
09 Examination and adaptation of Binding Corporate Rules (BCRs)
10 Examination and adaptation of the privacy policies (particularly on websites and apps)
11 Updating the records of processing activities