One of the consequences of the Schrems II decision is that EU organisations need to take greater care in determining how best to protect the flows of personal data outside the EU. This means more than just considering whether Standard Contractual Clauses (SCCs) need to be incorporated in the contracts that the data exporters negotiate with the data importers. Historically, most data flows from the EU to non-adequate countries have been safeguarded through the use of SCCs.
Following the decision, life isn’t as simple as that. The CJEU has said that EU organisations relying on SCCs must also, prior to transferring personal data, evaluate whether there is an “adequate level of protection” for personal data in the importing jurisdiction, and implement additional safeguards if there is not. Data exports must cease when there are no additional safeguards that would ensure an “adequate level of protection.”
A non-exhaustive list of elements that should be taken into account by the European Commission (EC) when assessing adequacy is set out in Article 45.2 of the GDPR. Article 45.3 requires each assessment to be regularly reviewed, at least every 4 years. Presumably EU exporting organisations should also adopt this approach.
This will cause an immense amount of work for each EU exporting organisation. In reality, it is likely that only the largest organisations will have the resources to commission such work, and each organisation could well use different criteria, in addition to the non-exhaustive list of elements set out in Article 45.2, to determine what an “adequate level of protection” actually means in practice. Such work will lead to chaos and inconsistency. This is surely not what the creators of the level EU data protection playing field had in mind.
The decision also highlights the role of EU data protection supervisory authorities in assessing, and where necessary suspending or prohibiting data transfers to importing jurisdictions “where they take the view that the SCCs are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means.”
Given the role the decision requires the supervisory authorities to play, there will be intense interest in understanding precisely how the European Data Protection Board (EDPB) will encourage the supervisory authorities to adopt a consistent approach across the EU.
In particular, the EDPB may be asked to publish an opinion which categorises Non-EU countries as follows:
1. Countries that provide an adequate level of protection and where additional safeguards are not required;
2. Countries that provide an adequate level of protection when SCCs are put in place;
3. Countries that provide an adequate level of protection when SCCs and other specified safeguards are put in place;
4. Countries that do not provide an adequate level of protection even when SCCs and other specified safeguards are put in place.
There are more than 100 countries that have enacted data protection laws. But what work has been commissioned by the EC (or the EDPB or its predecessor body, the Article 29 Working Party) to determine which laws are of an ‘adequate’ standard? In the past 20 years, the EC has managed to reach adequacy decisions on a pathetically small proportion (perhaps some 15%) of the non-EU countries that have data protection laws:
2003 Argentina & Guernsey
2004 Isle of Man
2010 Andorra & the Faroe Islands
2012 New Zealand & Uruguay
Almost half of the decisions relate to tiny countries with relatively small volumes of personal data flows: Andorra (population 78,000); Faroe Islands (population 52,000); Guernsey (population 63,000); Isle of Man (population 83,000); and Jersey (population 107,000). Work on carrying out assessments of the data protection laws of many of the EC’s key trading partners does not appear to have commenced.
Such an opinion would be of immense value to EU organisations in helping them develop a consistent approach to transborder data flows, but it would be political dynamite. Which countries would the EDPB dare describe as not providing an adequate level of protection even when SCCs and other specified safeguards are put in place? Given the international trade repercussions for the EC, it would be a brave decision to put any country into that category.
But what additional safeguards are necessary to supplement SCCs, and when do they need to be put in place? Given how inflexible so many parts of the GDPR are, it would be surprising if there were not a demand from some stakeholders for new rules to be established to address the privacy risks of the countries that fell within these categories.
If it is left to the EDPB to recommend an approach and to categorise non-EU countries as I have suggested, I suspect that political considerations will result in EU organisations waiting a very long time before such an opinion would emerge.