Friday 21 August 2020

What mixture of leadership styles should a decent data protection officer display?


I was recently asked this question and found it hard to answer. It takes a lot to be a decent DPO.  So much depends on the culture of the organisation and the resources available to the DPO. Notwithstanding the specific obligations that are set out in Section 4 of the General Data Protection Regulation, I’ve known some that operate as one-man-bands, working in virtual isolation from the rest of the organisation. I’ve known others who manage small and, in some cases, larger teams. I’ve also known privacy professionals who have directed or supported short-lived GDPR privacy transformation project teams that were created purely to help the organisation comply more completely with data protection laws and requirements.


The organisational psychologist Heather Bingham has drawn my attention to a list of common leadership styles that I'll be referring to in this article.


I’ve known privacy professionals who have failed because they have displayed a toxic mixture of some of these styles. 


I’ve also known privacy professionals who have felt that they have failed because, when joining a new organisation, they had not altered what was a winning combination in a previous role to the culture that prevailed within their new organisation.



Some organisations have a very hierarchical and deferential culture. Job grade is seen as more important than actual technical knowledge, so the purpose of the DPO may be primarily to reduce quite complicated concepts to simple PowerPoint presentations for more senior people with little technical knowledge to skim read and formally approve whatever recommendations the DPO had drafted. The autocratic DPO may exist because virtually no one else in the organisation has sufficient knowledge – or interest – in data protection matters, so their decisions will be very rarely challenged. While competent DPOs may have the technical knowledge and experience to make quick decisions quickly, they can also easily be overwhelmed with requests for advice and support. It’s hard to motivate staff in privacy teams if all the decisions are going to be taken by an autocratic DPO. 



Great DPOshave vision and can influence and inspire others. This requires a mixture of technical skills and also a willingness to accept a relatively high privacy risk. What advice or action really is appropriate, given the circumstances? It is not always the best approach simply to reply on every piece of advice that is uttered by staff working for data protection supervisory authorities. Regulatory opinions are what they say they are – only opinions. Ultimately, only the courts can determine the true extent of privacy law. This approach requires DPOs to develop their own ethical approach to key issues of the day, and then sell this approach to the organisation. The late comedian Ken Dodd once remarked that he never took his audience for granted. For each performance he felt he needed to start afresh and woo them. The same approach is often adopted by charismatic DPOs. 



Some DPOs focus on outcomes. Teams must strive to work harder each year. More Subject Access Requests, for example, must be completed within the statutory time limits. Fewer privacy breaches must be identified. Records of Processing Activities must be regularly audited. A higher proportion of staff must pass the annual privacy learning programme’s knowledge test. Turnarounds for Privacy Impact Assessments must be improved, year on year. The daily grind of privacy work can be relentless, and while privacy metrics might improve, the morale of the staff at the privacy grindstone may not. 



An important way to promote accountability throughout an organisation is to educate and then devolve privacy decisions to others. This gives them an opportunity to better appreciate the privacy consequences of the decisions they take, particularly if they are then required to accept responsibility – and perhaps even apologise personally to those who have suffered as a result of their misjudgements. I’ve found that this approach also gives individuals a greater sense of pride in their daily work and in the decisions they take.  With effective supervision from the DPO, organisations can develop a strong culture of compliance that stands a good chance of being maintained when said DPO departs for pastures new.



I’ve met few privacy staff who have job profiles that are supported by comprehensive operating instructions which explain precisely how each privacy task for which they are responsible should be completed. The absence of comprehensive sets of operating instructions can lead to inconsistencies in approach within privacy teams. When Privacy Impact or Privacy Breach Assessments, for example, are carried out by different members of staff, perhaps working in different locations, a lack of clear instructions explaining how to weight particular privacy risks can result in very different sets of privacy recommendations being made. Effective DPOs will ensure that comprehensive manuals exist to safeguard against inconsistent approaches. This approach enables staff to feel more confident that they are doing the right thing when they carry out their privacy tasks. 



Many DPOs find the time to coach their colleagues and direct reports, which is often the only way that they are eventually able to offload some their privacy work to anyone else within the organisation. Nurturing these supportive relationships takes considerable effort, though. It often takes some time for the privacy message to sink in. Some elements of privacy law, including a good few of the technical requirements that are set out in the GDPR, are not easy to comprehend.  DPOs many also find great value in engaging with support networks created by organisations such as the Data Protection Forum, NADPO and the IAPP KnowledgeNets. There is safety in numbers – or at least safety in appreciating that a DPO’s approach to a particular privacy issue is very similar to that adopted by their professional colleagues. 



Some DPOs prefer an inclusive approach, where all the key decisions are taken by committees.A weakness with this approach is that key decisions can be delayed until the issues have been considered by the committee members. There is also a risk that other corporate stakeholders, if their personalities are sufficiently strong, can override the reasoned assessments that DPOs make when forming their recommendations. DPOs must always know when to accept that their advice will be ignored. But so long as this has been properly documented, and the advice had correctly interpreted the law, the organisation can’t then lay all the blame on the DPO should a data protection supervisory authority decide to take enforcement action for a privacy transgression that results from the organisation’s failure to act in accordance with the advice.



I’ve also met privacy professionals who are just too tired to care too much about how they perform their day job. The demands placed upon them by their employers, and by virtue of the GDPR, have in some cases been overwhelming. Burnout certainly exists within the privacy profession.  


Wednesday 19 August 2020

International data transfers: an opinion the EDPB (probably) won’t publish

One of the consequences of the Scherms II decision is that EU organisations need to take greater care in determining how best to protect the flows of personal data outside the EU. This means more than just considering whether Standard Contractual Clauses (SCCs) need to be incorporated in the contracts that the data exporters negotiate with the data importers. Historically, most data flows from the EU to non-adequate countries have been safeguarded though the use of SCCs. 


Following the decision, life isn’t as simple as that. The CJEU has said that EU organisations relying on SCCs must also, prior to transferring personal data, evaluate whether there is a an “adequate level of protection” for personal data in the importing jurisdiction, and implement additional safeguards if there is not.  Data exports must cease when there are no additional safeguards that would ensure an “adequate level of protection.” 


A non-exhaustive list of elements that should be taken into account by the European Commission (EC) when assessing adequacy is set out in Article 45.2 of the GDPR. Article 45.3 requires each assessment to be regularly reviewed, at least every 4 years. Presumably EU exporting organisations should also adopt this approach.


This will cause an immense amount of work for each EU exporting organisation. In reality, it is likely that only the largest organisations will have the resources to commission such work, and each organisation could well use different criteria, in addition to the non-exhaustive list of elements set out in Article 45.2,  to determine what an “adequate level of protection” actually means in practice. Such work will lead to chaos and inconsistency. This is surely not what the creators of the level EU data protection field had in mind. 


The decision also highlights the role of EU data protection supervisory authorities in assessing, and where necessary suspending or prohibiting data transfers to importing jurisdictions “where they take the view that the SCCs are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means.”


Given the role the decision requires the supervisory authorities to play, there will be intense interest in understanding precisely how the European Data Protection Board (EDPB) will encourage the supervisory authorities to adopt a consistent approach across the EU.  


In particular, the EDPB may be asked to publish an opinion which categorises Non-EU countries as follows:


1.    Countries that provide an adequate level of protection and where additional safeguards are not required;

2.    Countries that that provide an adequate level of protection when SCCs are put in place;

3.    Countries that that provide an adequate level of protection when SCCs and other specified safeguards are put in place;

4.    Countries that do not have provide an adequate level of protection even when SCCs and other specified safeguards are put in place.


There are more than 100 countries that have enacted data protection laws. But what work has been commissioned by the EC (or the EDPB or its predecessor body, the Article 29 Working Party) to determine which laws are of an ‘adequate’ standard? In the past 20 years, the EC has managed to reach adequacy decisions on a pathetically small proportion (perhaps some 15%) of the non-EU countries that have data protection laws: 


            2000    Switzerland

            2001    Canada

            2003    Argentina & Guernsey

            2004    Isle of Man

            2008    Jersey

            2010    Andorra & the Faroe Islands 

            2011    Israel 

            2012    New Zealand & Uruguay

            2019      Japan 


Almost half of the decisions relate to tiny countries with relatively small volumes of personal data flows: Andorra (population 78,000); Faroe Islands (population 52,000); Guernsey (population 63k); Isle of Man (population 83,000); and Jersey (population 107,000). Work on carrying out assessments of the data protection laws of many of the EC’s key trading partners does not appear to have commenced.


Such an opinion would be of immense value to EU organisations in helping them develop a consistent approach to transborder data flows, but it would be political dynamite. Which countries would the EDPB dare describe as not providing an adequate level of protection even when SCCs and other specified safeguards are put in place? Given the international trade repercussions for the EC, it would be a brave decision to put any country into that category. 


But what additional safeguards are necessary to supplement SCCs and when need they be put in place? Given how inflexible so many parts of the GDPR are, it would be surprising that there was not a demand from some stakeholders for new rules to be established to address the privacy risks of the countries that fell within these categories.


If it is left to the EDPB to recommend an approach and to categorise non-EU countries as I have suggested, I suspect that political considerations will result in EU organisations waiting a very long time before such an opinion would emerge. 




[Image credit: thanks to the CNIL for their helpful guide to data protection laws around the world. Other organisations, such as DLAPiper, have great on-line resources, too] 


Monday 17 August 2020

Data Protection: Where’s the Brexit Privacy Dividend?

One of the Government's core objectives throughout the Brexit negotiations has been to respect data protection rights, slash Brussels' red tape and allow the United Kingdom to be a competitive safe haven for businesses all over the world. With that in mind, how could the Government reduce its ties to the EU's 'data protection level playing field' while continuing to maintain a robust and effective data protection regime? 


If the EU’s ‘level data protection playing field’ means continuing to fully implement all aspects of European data protection law, including all aspects of the two-year-old General Data Protection Regulation (GDPR), then what was the point of Brexit? Is it really necessary for the UK to commit to continue to observe unnecessarily complex rules that so many organisations have struggled with, when so few benefits have been realised? 


The GDPR is meant to be a ‘living instrument’ – so committing to harmonising to GDPR standards would mean adopting European Data Protection Board (EDPB) decisions (over which the UK will have no say) and EU jurisprudence (ditto) going forward. This is a process that would never end.


Some UK organisations will inevitably have to follow all the EU’s data protection rules because they will continue to process the personal data of individuals in the EU. But these organisations are likely to form a small minority of the 738,769 data controllers that registered to pay data protection fees to the Information Commissioner’s Office (ICO) as at 31 March 2020. 


Removing the UK from the decision-making structures of the EDPB and its associated consistency mechanisms should result in the ICO (a) being able to better protect the UK public by reacting much faster to privacy breaches that affect people in the UK as well as those in the EU, and (b) quickly publishing appropriate guidance on matters of public concern. No longer might UK privacy pros feel obliged to wait for the publication of weirdly worded EDPB opinions. 


Removing the UK from the decision-making structures of the EU should also result in the UK Government feeling able to update other privacy legislation, such as the outdated Privacy & Electronic Communications Regulations, without having to delay for years and years until  EU countries managed to reach a political consensus on the way ahead.    


The GDPR has had a profound impact on many organisations. Enormous amounts of money have been spent in a belated acknowledgement of, in many cases, decades of under investment on privacy issues. Whether all this money has been spent wisely by the GDPR implementation programmes is quite another matter.


Money spent on improving information security controls is always appropriate – and such expenditure should have been made, regardless of the GDPR. But organisations have also, for example, been required to create unknown numbers of ‘Records of Processing,’ many of which are totally useless in terms of providing an organisation with information that is actually relevant to its day-to-day business operations. 


Organisations have also spent many hours working out what legal basis each business process should rely on when personal data is processed. Who would have thought it likely that a supervisory authority would so quickly issue a €150k fine for using a privacy statement that referred to the wrong legal basis?  But this has already happened - in Greece. Was such a fine really appropriate?  I’ve never met anyone outside the privacy community who thought that privacy statements should include such details in the first place. It isn't easy to explain the concept that the exercise of a particular information right depends on the precise legal basis the organisation relies upon to process personal data. I’m mystified as to why the GDPR deliberately created such a complex web of rights. 


As Lee Bygrave, Professor of Law, Director of the Norwegian Research Centre for Computers and Law, University of Oslo, recently commented:“EU data protection law has taken a byzantine turn … All up, the EU data protection system has become a huge sprawling structure – a Kafkaesque castle full of semantic mazes, winding procedural alleys, subterranean cross-passages and conceptual echo chambers.”    


Brexit provides the UK with an amazing opportunity to review its current privacy laws and create standards that provide individuals and organisations with robust but simpler, more meaningful, data protection standards. 


Many European data protection opinion formers consider any UK divergence from the strict GDPR regime to be heresy. 


I think it’s worth the effort, though.


With the departure of the UK from the EU, the Government should exercise its own margin of appreciation about the extent to which it promotes and protects the ‘fundamental right’ of data protection. Should all aspects of data protection remain a fundamental right? Who, for example, ever thought that data portability should be a fundamental right until it appeared in a GDPR draft?


The UK should not feel obliged to embrace the entire EU privacy acquis when, on reflection, parts of some laws do not work as intended, or when some legal interpretations have perverse implications that unnecessarily paint everyone into a corner. 


Consider, for example, the mayhem that has just been caused by the Schrems II decision. The Court of Justice of the European Union took 7 months to review the Advocate General’s non-binding opinion. Yet, its final decision failed to provide sufficient practical guidance on precisely what controls are appropriate when personal data is exported from the EU to countries other than the 11 countries that apparently have ‘adequate’ privacy laws. A cursory glance at the immediate reactions published by EU data protection supervisory authorities indicates that, collectively, they haven't yet got a clue as to what to do. Some consulting firms have taken this opportunity to offer their own (untested) solutions to this almighty problem. 


The organisations that export personal data from the EU remain in a legal limbo. As do the organisations in the USA - and elsewhere - that import the personal data. Evidently, it is their responsibility to assess whether non-EU countries have adequate laws that guarantee appropriate data protection standards. If they don't, additional measures to enhance the protections provided by the EC’s Standard Contractual Clauses (SCCs) must be implemented. But what these are, and whether they would be sufficient: well, nobody knows.


Who in their right mind would want transborder data flows to be such a difficult issue for so many organisations to deal with? Notwithstanding the decision, which had immediate effect, I predict that almost all of European data protection supervisory authorities will exercise a large degree of regulatory forbearance about these data flows for a good few months, or at least until they are provoked by pressure groups such as noyb.  


In future, why should the UK expect UK organisations to continue to use the EC’s SCCs to safeguard transborder data flows? A UK free from the constraints of the GDPR could commend its own set of SCCs for use by UK-established organisations when data was exported from the UK. This set could comprise recommended, rather than mandatory clauses, allowing the parties a degree of flexibility over what would be agreed. 


In future, why should the UK rely on the EC to determine when or whether SCCs would be appropriate? If a test of adequacy needs to be set to determine when the UK SCCs should be used,  rather than rely on a country’s membership of the EU or an EC adequacy assessment as the determining factor, the UK could simply recognise the 11 existing adequacy assessments and, in future, allow unimpeded data flows to and from all countries that sign the Council of Europe 108+ convention[Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data].  This approach would not be too heretical, as there are currently only 36 signatories to this convention, and of the EU countries that are also members of the CoE, only Denmark has not yet signed it.


One final point. The UK’s data protection supervisory authority is undergoing the fastest expansion in its history. With such expansion should come a greater focus on ensuring that it delivers value for money. It is not an insignificant organisation. However, my twitter feed doesn’t contain many tweets that praise the ICO’s work.  UK data controllers paid registration fees totalling £48.7m to the ICO in 2018/19, a 24% increase on the previous year. Most may well have had virtually no engagement with any of the ICO’s 768 (720.3 FTE equivalent) staff. Only a decade ago, the ICO had just 282 staff and an operating income of £11.3m; its annual report illustrates how much it achieved even on that budget. 


All UK organisations will, by now, have heard of the GDPR, but how many know enough about privacy laws to be able to explain how fully they comply?


And, does it really matter if the majority of them can’t fully comply?


Rather than clinging so tightly to the privacy rules that have been embedded within the GDPR, the Government could develop an alternative approach in a post Brexit world which ensures that: 

  • people in the UK benefit from robust and effective data protection standards;
  • UK organisations can demonstrate that appropriate data protection controls are in place; and 
  • the ICO delivers regulatory value for the money it spends. 


Heresy aside, Brexit ought to be capable of providing the UK with a data protection dividend. 

Data Protection: Whither the EU’s SCCs …

It is possible that the European Commission will fail to provide the UK with a data protection adequacy assessment by the end of the year. It is also possible that, in the near future, the EU will publish revised sets of Standard Contractual Clauses to replace the existing SCCs in a bold effort to ensure that flows of personal data outside the European Union remain suitably protected.

So what?

If the UK receives an EU adequacy assessment, presumably the UK Government will simply anglicise the new EU SCCs and ask UK organisations to use the new versions for the Non-EU, UK - Rest of the World data flows.

But, if the UK does not get an EU adequacy assessment, some commentators will suggest that this is the time either to leave the existing SCCs alone, or to adopt a very different approach. 

The Conservative Party won the General Election in December 2019 on the manifesto promise that it would get Brexit done.

If the point of Brexit is for the UK to remove itself from the straightjacket  embrace of the European Union, it is surely now up to the UK to determine for itself what contractual clauses are really necessary, in today’s world, to safeguard personal data flows outside the UK. 

My experience of using SCCs over the past few decades is that few organisations take much, if any, notice of the clauses once they have been incorporated into a data processing contract. They are part of the non—negotiable legal boilerplating text that is slipped into a schedule towards the end of the contract. The very few occasions I’ve noted the processor’s lawyers raising an issue with any of the clauses have been the times when they had realised that “my side” had a right to (1) audit “their” processes, or (2) be consulted and provide prior consent to the use of sub-processors.  

What evidence is there that SCCs are of any value? I’ve never been involved in a contractual dispute with a processor that has required the parties to rely on the SCCs to address or resolve an issue. And, in the past 20 years of attending data protection conferences (with the exception of presentations on the never-ending Schrems cases) I’ve never knowingly come across anyone who has.


So, if I were to take an evidence-based approach, I would ask why it was necessary for the UK Government to change the existing SCCs, or why it was necessary to have them at all. What evidence is available to justify their existence, or at least to justify their existence in their current form? Why can’t any of the current clauses be capable of being negotiated between the parties on a risk basis? Why not give UK data controllers more flexibility?

Whatever tweaks are proposed by the European Commission will invariably require EU-based organisations to undertake an absolutely enormous repapering exercise. It could take years to complete. Many of my privacy colleagues are only now recovering from the repapering rigmarole that was required to meet the GDPR Article 28 requirements. To expect them to commission a similar exercise so soon is cruel (and costly). 

No doubt some EU-based organisations will want to ‘simplify’ their contractual arrangements by requiring contracts with all processors, regardless of whether the underlying personal data is within the scope of the GDPR, to be changed to reflect the new SCCs.

But why should the UK Government tell UK organisations to follow the EU’s approach if the EU had decided that the UK doesn’t have sufficiently adequate data protection standards in the first place?  Would the UK really want to copy a GDPR regime that did not properly respect the UK’s privacy standards? 

Isn't there a better approach?

I’m looking forward to a passionate debate. 

In praise of ... the Investigatory Powers Act 2016

A number of commentators will assume that, should the UK not receive an adequacy assessment by the European Commission with regard to its data protection standards, a key reason will be the impact of the UK’s Investigatory Powers Act (IPA) which prescribes how UK public authorities obtain personal data for national security and law enforcement purposes. 

I see the IPA as an outstanding example that Governments of all countries should adopt to ensure that public authorities act transparently and put effective mechanisms in place to ensure that human rights are appropriately respected. 

To recap, in 2016 the IPA brought together all the existing covert and overt statutory powers that were then available to enable the UK’s intelligence agencies, police and other investigatory authorities obtain intelligence and communications data. This included introducing new safeguards in the approval of the use of investigatory powers use and created a single independent Investigatory Powers Commissioner responsible for oversight.

In 2019 the Investigatory Powers Commissioner established the Office for Communications Data Authorisation. This body is responsible for safeguarding an individual’s right to privacy under the Human Rights Act 1998. It makes independent decisions on whether to grant or refuse communications data requests, ensuring that all requests are lawful, necessary and proportionate.

In terms of transparency, a great deal of information about how the IPA has worked in practice is available from the annual reports that have been published by the Investigatory Powers Commissioner. The first annual report, published in January 2019, was organised into chapters which reflected each of the powers the Commissioner oversaw and (its 129 pages) contained a significant level of detail as to how each of these powers were used. 

The second annual report, published in March 2020, has a different structure, with chapters on each of the types of organisations that are inspected and (its 138 pages) focused on the key findings from the inspections. This gives a clear sense of the range of issues that impact the different bodies. 

Many people will never be satisfied with the way the UK’s intelligence and investigative communities operate. But they should be reassured to some extent by appreciating the great care that is taken by the Commissioner and his staff, including the Judicial Commissioners, to authorise warrants using the ‘double-lock’ method (so decisions made initially by politicians and senior public officials must also be authorised by a judge before the warrant is effected); to conduct regular inspections of the agencies that have been authorised to use investigatory powers; and, when errors are reported, to carry out ad-hoc investigations into to determine the root causes. 

Additionally, some people may also be reassured through the work that is carried out by the Commissioner’s communications and policy staff, who engage with a wide range of opinion formers to enhance public confidence in the use of investigatory powers and improve understanding of the Commissioner’s independent oversight. 

Before the coming into force of the IPA, the Home Office and the UK's intelligence agencies spent much less time engaging with representatives of civil society and other opinion formers. Important lessons were learnt following the failure of the IPA’s predecessor, the Communications Data Bill, to reach the Statute Book and replace the Regulation of Investigatory Powers Act 2000. It was realised that, actually, the Government had a good story to tell about the care it took to respect human rights in the context of exercising powers to obtain communications data. Engagement with stakeholders outside the closed investigative world was something that should not be feared but embraced. Where opinion formers had concerns, these issues should be addressed. With more transparency, and more resources devoted to explaining how transparent the new processes were, the Government would have an even greater story to tell.  

In my experience, no UK intelligence, police or investigations officer has ever wanted to have had their reputations traduced by being unfairly accused of trampling over human rights. The Investigatory Powers Act has set out what behaviours are acceptable, and the Commissioner’s annual reports have evidenced compliance with these behaviours. 

As a specialist advisor to the Joint Parliamentary Committees that reviewed both the ill-fated Communications Data Bill in 2012, and the Investigatory Powers Bill in 2016, I’m honoured to have played a small part developing legislation and promoting investigative practices that ought to be the envy of the world.

The Schrems II decision – some EU data exporters will face a huge task to work out whether SCCs are sufficient

Many privacy professionals will be shocked to learn that, in terms of safeguarding personal data flows from an EU to a non-EU country, in the absence of an adequacy decision, more is required than simply slipping the right set of SCCs into a vendor contract. 

The CEJU has clarifiedthat one of the key tasks facing data exporters, when considering whether SCCs are appropriate, is to consider whether there is a conflict between the protections afforded by the SCCs and other local laws, particularly those laws that enable public authorities to access the data. If a conflict is discovered, data exporters will need to do something about it. 

The key paragraphs in the decision are: 

Although there are situations in which, depending on the law and practices in force in the third country concerned, the recipient of such a transfer is in a position to guarantee the necessary protection of the data solely on the basis of standard data protection clauses, there are others in which the content of those standard clauses might not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned. That is the case, in particular, where the law of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates. [para 126]

In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available…Those safeguards may be provided by standard data protection clauses drawn up by the Commission. However, those [GDPR] provisions do not state that all safeguards must necessarily be provided for in a Commission decision such as the SCC Decision.  [para 127]

In the absence of a Commission adequacy decision, it is for the controller or processor established in the European Union to provide, inter alia, appropriate safeguards. Recitals 108 and 114 of the GDPR confirm that, where the Commission has not adopted a decision on the adequacy of the level of data protection in a third country, the controller or, where relevant, the processor ‘should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject’ and that ‘those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies ... in the Union or in a third country’. [para 131]

The contractual mechanism provided for in … the GDPR is based on the responsibility of the controller or his or her subcontractor established in the European Union and, in the alternative, of the competent supervisory authority. It is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses. [para 134]

Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned. That is the case, in particular, where the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data. [para 135]

I recommend 6 steps that privacy officers should take to assure stakeholders that the CJEU’s decision is being respected:

  1. Document the data flows so it is clear what data is exported to what country.
  2. Identity the relevant laws and practices, including national security laws and practices, that permit local law enforcement authorities and other regulators to access the personal data that is processed in those countries.
  3. Consider how the GDPR rights of in-scope individuals may be adversely impacted by these laws and practices.
  4. Identify what additional contractual measures would be necessary to achieve a level of adequacy with GDPR rights.
  5. Discuss and agree the additional contractual measures with the data importer.
  6. Return to step 2 at regular intervals to check whether the laws or practices have changed.

From a practical perspective however, the problems start at step 2. It can be hard, when a large number of data importers are engaged, to maintain a list of the relevant laws and practices, including national security laws and practices, that permit local law enforcement authorities and other regulators to access the personal data that is processed in non-EU countries. Will it always be possible to rely on the explanations and assurances provided by third parties, including the data importer, who might possibly have a vested interest in ensuring the correct spin is placed on any explanations they provide about local practices?

Let’s be clear. The CEJU’s decision does not only affect EU - US data flows. Personal data flows from the EU to just about every other country on the planet. And the majority of these countries will have their own national security and other regulatory laws. Official or unofficial English translations of these laws will have to be read and understood.

Unfortunately, life doesn’t get any easier after that.

Turning to step 3, it may well be challenging to document a comprehensive statement which explains how the GDPR rights of in-scope individuals may be adversely impacted by each of these laws and practices. As many organisations may lack the capacity to complete this task themselves, perhaps it could be carried out on their behalf by their trade associations.

With step 4, it may be even more challenging to identify what additional contractual measures would be necessary to achieve a level of adequacy with GDPR rights. Given that even the European Commission’s decisions on what contractual measures are appropriate have been quashed, twice, by the CEJU in the context of the US Safe Harbor & the Privacy Shield data transfer mechanisms, what hope is there for a significantly less-well resourced data controller to successfully identify all the right measures? Is this a task that even individual members of the European Data Protection Board are capable of completing?

The difficulty is compounded by the tight timescales that apply to many commercial contract negotiations. Assessments on the impact of the relevant laws in a particular country can’t take months, or years, to compete. If an organisation’s data protection team is unable to provide their contract negotiators with appropriate information and support within a matter of days or weeks, there’s a real risk that any advice from the data protection team will be ignored. 

On the matter of reaching agreement on any additional controls that should be applied to the data importer, where do you start? Given the poor understanding by many organisations of the context within which SCCs are currently used, it would be a brave commentator to forecast that it would be easy, or even practicable, to agree any additional contractual measures. This may particularly be the case when the data importer had not yet found it necessary to accept any new clauses to supplement the SCCS in contracts that importer had signed with other EU data exporters.

Alternatively, organisations might revisit their rationale for relying on SCCs in the first place, rather than any of the other complex data transfer mechanisms that are set out in Chapter 5 of the GDPR.

However, we are where we are. European data protection standards are high – and for a good reason. European politicians demanded a gold standard and that is what exists. In theory, anyway. 

The CEJU’s decision has moved a large number of contracts into a data protection wilderness. Precisely how many are there? Which can be remediated? If so, how? By when? And how active will the supervisory authorities be in requiring organisations to address this issue?

The peak summer holiday season has started. Even so, I hope that European data protection supervisory authorities will soon reach a common agreement on what the decision means, and explain how they expect, or will help, organisations to address privacy gaps that many thought the SCCs alone existed to fill.