Blog post -
Schrems II Judgement: A US Perspective
It has been a few weeks since the decision was made to invalidate Privacy Shield under what is being referred to as the Schrems II Case.
As a quick reminder, Maximillian Schrems, an Austrian citizen, raised a complaint against Facebook Ireland to the Irish Data Protection Commissioner. In the complaint, Mr. Schrems claimed the transfer and processing of his personal data outside of the European Union (EU) to Facebook US didn’t maintain the same standards of security as required by the General Data Protection Regulation (GDPR). A data transfer framework between the EU and US (known as Privacy Shield) came under question.
On July 16, 2020, a decision was made by the European Court of Justice invalidating Privacy Shield. The court agreed with Mr. Schrems regarding the adequacy of the protection provided to EU citizen data being transferred to the US. Due to the surveillance nature of the US government, the privacy afforded to EU citizens under the Privacy Shield data transfer mechanism did not meet the requirements of GDPR.
In other words, supervisory authorities of the EU must suspend or prohibit transfer of data to any third country (i.e., the US) and organizations in the EU cannot rely on organizations in the US “self-certifying” to the Privacy Shield requirements.
For EU organizations wanting to transfer data to the US, they must ensure appropriate controls are in place, as may be required (and enforceable) by Standard Contractual Clauses (SCC). For US organizations offering goods and services to EU data subjects (irrespective of whether payment is required), they must now agree to SCCs along with implementing appropriate controls to protect the privacy of any data transferred to them.
Although the Privacy Shield data transfer mechanism is still being used until new guidance comes out, as of this writing, there has been no additional information regarding any replacement to Privacy Shield. Unfortunately, approved code of conducts and/or certifications for GDPR, which could allow organizations to attest to their compliance and demonstrable accountability over GDPR requirements, are still being worked on.
What can US organizations do to prepare for these changes?
NCC Group recommends the following actions in order to prepare for changes brought on by the Schrems II judgement.
- Perform a formal data asset inventory of all the data you create, receive, maintain, or transfer. Note: If you don’t know where your data is at, you can’t protect it.
- Develop or update your data flow maps. You need to understand what data is coming in (especially if it involves EU data) and where your data is going
- Perform a privacy impact assessment (PIA) or, as referred to under GDPR, a data protection impact assessment (DPIA). Although a DPIA may not be required in certain circumstances, it is a good idea to formally identify your data risks and address these risks accordingly. Note: GDPR does require a DPIA to contain certain elements, but doesn’t require a specific method to perform a DPIA. The Information Commissioner’s Office (ICO) has put out some guidance/samples of a DPIA and there is also an ISO standard available [ISO/IEC 29134 – Information Technology – Security Techniques – Guidelines for Privacy Impact Assessment].
- Once you perform a PIA or DPIA (which is similar to a risk assessment), you must determine controls to mitigate any identified risks to a reasonable/acceptable level.
- These controls should be assessed for design and effectiveness of implementation against a standard framework (or accepted certification). There are a number of frameworks or certifications regarding privacy to include:
- NIST Privacy Framework v1.0
- ISO/IEC 27701:2019 - Security Techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management (PIM)
- Asia-Pacific Economic Cooperation (APEC)Cross Border Privacy Rules (CBPR) and Privacy Rules for Processors (PRP) Certification
- Note: NCC Group is one of four Accountability Agents in the US able to certify US organizations to this voluntarily, but enforceable privacy framework.
- Don’t forget to update your contracts to include the required standard contractual clauses and ensure these requirements are being met. NCC Group can assist you with these efforts.
To learn more, visit NCC Group’s Data Protection and Privacy Services and speak with an expert today for guidance on how to align under the Schrems II Judgement.