International data transfers have dominated the scene in 2021. Since the Court of Justice of the EU issued the so-called ‘Schrems II’ decision in July 2020, companies have been grappling to understand how they can continue to transfer personal data outside the EU without increasing their legal risk. Easier said than done. Following the invalidation of the Privacy Shield, companies were first kept in a state of limbo before two important developments in June 2021 provided some clarity. First, the European Commission unveiled its much-anticipated revamped Standard Contractual Clauses (SCC), giving companies until December 2022 to start using them. Second, the European Data Protection Board (EDPB) adopted its final recommendations on “supplementary measures”, explaining when these are required for transfers of personal data on the basis of “appropriate safeguards” (art. 46 GDPR).
Despite these developments, data transfers continue to be a complex issue, not least because so much legal uncertainty still remains. Data transfers have become a highly political issue (Privacy Shield, Brexit, EU digital agenda) and are often at the epicentre of entrenched cultural, societal and philosophical views between countries. More importantly, regardless of the Schrems II ruling, companies don’t appear to want to reduce their transfers of data. Quite the contrary. Covid may still be looming over us, but markets are optimistic and economies are picking up again. Technology is developing fast and promises to transform our world (Metaverse). Inevitably, the world is becoming more global and more interconnected. And let’s face it, data residency is simply not an option.
So what can we expect in 2022? What will be the key areas of focus for organizations on international data transfers? And how is the legal landscape for data transfers going to evolve in 2022?
Transfer impact assessments (TIA)
In 2022, TIAs will become more commoditized and easier to carry out. As organizations gain better knowledge of their data flows, they will be able to develop more sophisticated TIAs that are more tailored to their business. Organizations are beginning to realize that a ‘one size fits all’ approach simply does not work. Each organization must fine-tune the analysis of its global data flows and, as a result, must tailor its TIAs to match the types of transfers that it is carrying out. That said, the case-by-case approach put forward by the EDPB in its recommendations (i.e. each data transfer must be analysed separately) is both inefficient and vain. While such an approach may work for small companies with limited transfers of data, it becomes hugely burdensome for large multinational organizations that are transferring massive amounts of data globally. Consequently, such organizations are likely to limit their TIAs to “high risk” countries only. Eventually, organizations may focus less on assessing the “problematic” laws of third countries and more on building robust data security and minimization solutions into their data flows. Indeed, from an EU standpoint, virtually every third country outside the EU has “problematic legislation”. Thus, assessing the laws of every third country seems a costly and mostly vain exercise. For this reason, TIAs are likely to evolve into a data transfer toolbox as opposed to a list of “problematic” legislations. Organizations should also accept that ‘Schrems II’ has changed the rules. Inevitably, transferring data entails some risk.
The European Commission will continue to assess the laws of third countries that apply for adequacy status. By far, adequacy decisions are the most effective data transfer regime because they do not require organizations to put in place any specific measures. The downside is that the EU Commission adopts adequacy decisions at a snail’s pace (with the exception of the U.K.) and only a handful of third countries are currently recognized as “adequate”. Often, adequacy decisions are adopted alongside international trade agreements concluded between the EU and third countries. For this reason, the EU Commission’s cautious and surgical approach to adequacy decisions will prevail. Nonetheless, third countries that have recently amended their data protection laws to be more in line with the GDPR (e.g. Brazil) can hope to obtain ‘adequacy’ status one day. On a similar note, should the EU Commission be willing to grant adequacy status to regions (e.g. California) as opposed to countries (as permitted by the GDPR), this could also go a long way to re-shaping the global landscape for data transfers.
Recent events have shown us that law and politics are often interrelated, as Brexit illustrated. While the United Kingdom was able to obtain its adequacy status in a short period of time, this was largely due to the exceptional circumstances caused by Brexit. Some believe that the U.K. should never have been granted adequacy status. For others, it is just a matter of time before the U.K. loses its adequacy status. Throughout 2021, the UK Government has shown signs that it wants to cut free from the GDPR and to introduce a more liberal data protection regime. This raises the question whether the UK can maintain its adequacy status. No one really knows, as this is a highly volatile and unpredictable area of the law. What is certain, though, is that Brexit is not over and will continue to keep us busy in 2022. Thus, organisations may need to be prepared to implement Standard Contractual Clauses or other mechanisms for transfers to the UK.
Privacy Shield seems like a never-ending story and is certainly causing a lot of fatigue on both sides of the Atlantic. The question on everyone’s lips is whether a Privacy Shield 2.0 will see the light in 2022. Recent declarations made by EU and US officials at the end of 2021 are reasons to hope that the adoption of a new Privacy Shield is imminent. However, until the ink on the paper has dried, organizations will remain cautiously optimistic at best. In fact, the question is not whether the EU and US will reach an agreement, but whether such an agreement will stand the test of time. European DPAs are likely to view Privacy Shield 2.0 with scepticism, while privacy activists will want to shoot it down from day one. Not to mention that if the validity of Privacy Shield 2.0 is challenged before the EU Court of Justice, there is no guarantee that the Court will deem it to be adequate. For this reason, organizations are unlikely to adhere massively to Privacy Shield 2.0 in the same way they did to Safe Harbor and the first Privacy Shield, simply because they will find it difficult to trust a framework that carries so much legal uncertainty.
Many people in Europe are hopeful the US will adopt a federal privacy law. For several reasons it would be a mistake to think that US federal privacy legislation will solve the trans-Atlantic dilemma. First, it seems unlikely such legislation will be adopted any time soon, if at all. Second, even if the US does adopt federal privacy legislation, it is unlikely to mirror the GDPR. And third, supposing the US does adopt federal privacy legislation, it would then have to apply to the EU Commission in order to be granted adequacy status, which could take years, if it happens at all. Realistically, it seems that the EU – US transfer issue will continue to be problematic not just in 2022, but for many years to come.
Binding Corporate Rules (BCR)
When BCR were introduced in the GDPR, they were presented as the ‘gold standard’ for data transfers. Many multinational organizations viewed BCR as the future of data transfers. The strongest selling point was that organizations could draft a single group policy which (once approved) would apply to all entities and employees across the board. This was without anticipating the painfully long and bureaucratic process that organizations must undergo to get their BCR approved in the EU. Prior to the GDPR, companies could expect to have their BCR approved within 12 to 18 months of their submission to the Lead DPA. Nowadays, they must wait 3 to 4 years, sometimes without any clear indication of when the finishing line will be reached. The failure to streamline the process and the lack of resources and sound expertise within the DPAs are also keenly felt. As a result, data protection officers are finding it more challenging nowadays to convince their board members to go down the BCR route compared to pre-GDPR years. Similar criticisms have been voiced regarding codes of conduct that are adopted at an industry level. As a result, fewer organizations are applying for BCR and codes of conduct than expected. For all these reasons, organizations are more likely to be drawn to the new SCC.
Standard Contractual Clauses (SCC)
SCC are like the ugly duckling who transforms into a beautiful swan. In the past, the SCC were criticized for being too rigid, impractical and ill adapted to the reality of data transfers. The European Commission heard these criticisms and adopted a revamped version of the SCC in June 2021, which enables companies to choose between different modules and thus provides them with a more comprehensive and flexible tool for transferring data. Most of the criticisms of the past (including the impracticality of having to sign a separate set of SCC for each transfer) have now been addressed (e.g. the docking clause). Organizations that were already relying on the SCC in the past can easily transition from the old SCC to the new SCC without too much pain. Of course, the new SCC are far from perfect and, like any legal document, there is always room for improvement. However, they are a significant improvement on the old SCC, and organizations seem to be adopting them well. Furthermore, since the GDPR came into force, organizations can use the SCC without having to seek any regulatory approval, unlike BCR and codes of conduct. For all these reasons, the SCC will be the preferred method for transferring personal data in the future.
Schrems II has changed the rules. Tensions between countries are palpable and organizations are more aware of the risks of transferring personal data outside the EU. That said, no one expects a world without data flows. Building a digital fortress around the EU where all our data gets stored is wishful thinking. Europe’s economy is heavily dependent on the US tech industry and, for this reason, companies will continue to transfer personal data to the US. Europe must continue to work with its economic partners around the globe to find practical and future-proof solutions that enable European organizations to share data outside the EU. Regulators must also improve their review process for BCR and codes of conduct to make these more streamlined and less burdensome.
Organizations must also accept that the rules have changed and, as painful as this may seem, they must adapt to these changes. Data transfers will continue to be one of the hot topics in 2022!