SCHREMS II and Privacy Shield a major headache for Supervisory Authorities

Nope... I am not going to explain what the Privacy Shield was and why it was already dead before this final blow from the European Court of Justice, nor offer any thoughts on Mr. Schrems and his "Greta Thunberg" role within the Personal Data Protection context.

Following a legal action brought by Mr. Schrems, the European Court of Justice ended up deciding (last week, on the 16th) that the EU-U.S. (and Switzerland) Privacy Shield was not a valid "tool" to ensure the Protection and Security of Personal Data transferred from the EU to 3rd countries (those that the EU does not recognize as having Personal Data Protection legislation and mechanisms on a par with what the EU has).

The Elephant in the Room

In the case of the U.S., one very important factor is that national security agencies can and do "sniff around" data communications under the legal argument that doing so ensures / fosters National Security.

Let's imagine a U.S.-established company that hosts the Personal Data in the EU, yet the U.S.-based Technical and/or Operational Team has access to that Personal Data... the "issue" remains, because they can and will be monitored.

The Standard Contractual Clauses (SCC) also end up not addressing this "issue" and, in fact, raise a new one from the U.S. standpoint. The SCCs require (under Appendix 2) that the "Importer" demonstrates compliance, without requiring the "Exporter" to demonstrate anything. So, from a U.S. standpoint, no longer having the Privacy Shield but just the SCCs means that U.S.-established companies are the only ones that have to demonstrate compliance in terms of Security and Confidentiality assurance over Personal Data Processing Activities.

It is a Political "issue" and it must be addressed in the first instance by "politicians", not by Privacy Professionals.

Why this is now a Problem for the Supervisory Authorities

Nevertheless, the GDPR states that:

  • Recital 83 - "... In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. ..."
  • Recital 84 - "... Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing ..."
  • Recital 94 - "... Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory authority should be consulted prior to the start of processing activities ..."
  • Article 32, Security of Processing - (1) "... Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk ..."

So, if I were the DPO of an EU/EEA-established company whose Core Business strongly depends on having Personal Data hosted in the U.S. under the Privacy Shield (and even with SCCs in place), I would be reaching out to the local Supervisory Authority asking for guidance...

Supervisory Authorities across the EU are already becoming overwhelmed by requests and complaints from Data Subjects, and now the risk is that they will also start receiving growing numbers of requests from companies...

Elaine Comyn

Go To Market Manager | Marketing Operations Manager | Customer Onboarding at Scale | Data Protection Consultant (CIPP- E) | Qualified Adult Trainer

4 years

On top of under-resourced DPAs and national governments with little incentive to 'make trouble' for big tech.

Gail C.

Data Protection Officer DPO specialising in championing GDPR compliance

4 years

Rui Serrano, we are waiting here in Ireland to hear what guidance the DPC will issue.
