Schrems II – now what?

So, you’ve read through the Schrems II FAQs and you know you need to do something…but perhaps you’re not quite sure exactly what that ‘something’ should look like. Luckily for you, we at Protecture have been giving this a lot of hard thought and we’ve produced this decision-making guide to help you work out your overall approach and next steps.

Does this affect my organisation (and if so; what should we do about it)?

  1. The first step is to work out whether your processing involves any transfer of personal data to the US (either by you, fellow Joint Controllers, your Processors or their sub-Processors). If you’ve already mapped your dataflows and populated your ROPA, this information should be ready and waiting for you – if not; then you should seriously consider moving this work up the priority list.
  2. Once you have a clear picture of your US dataflows, you should investigate whether the ‘importers’ (the US organisations receiving personal data that you’re the Controller for) may be affected by FISA-702

These will be:

  • Remote and cloud computing service providers,
  • Electronic communication service providers,
  • Telecommunications carriers,
  • Any other kind of communication service provider whose staff, agents or contractors have access to wire or electronic communications as they are transmitted or stored.

(NB: hosting data on servers located within the EU does not provide protection from FISA-702, if a US-owned- or US-based company is involved in the hosting or processing of the data. It may be possible for these companies to put practical restrictions in place to keep the data out of the US’s intelligence agencies’ hands, but you’ll need to ask for the specifics of how this is/can be achieved.)

  1. Identify whether you are relying on Privacy Shield or SCCs for (any of) these data transfers to the US. If so, something will need to be done, because these conditions are officially invalid and your processing is therefore unlawful. It’s time to look at your options…
    1. Is it possible to obtain informed, freely-given, specific and unambiguous consent from the data subject for the transfer of their data to the US? Can the data be retrieved and barred from further transfer if consent is withdrawn? If the answers are all ‘yes’, then you may be able to use consent as the condition for transfer. However, you should approach this with caution as consent is highly unlikely to be appropriate in most cases, and misuse or misapplication of consent is considered as serious as a security breach in the GDPR.
    2. Is there a contract between you, the Controller, and the data subject that cannot be fulfilled unless the data is transferred to the US? (Examples would include, booking a flight to the US, ordering goods to be shipped from the US, transferring personnel between the US and the EU parts of a global business)
      1. Does justification for the transfer stem from your organisation’s choice of a US provider, on the grounds of price, convenience or available features? If so, the necessity test is not met, and the contract won’t be a suitable condition for transfer.
    3. If your organisation is a public body, is transferring data to the US for the purposes of exercising or defending legal claims, or has a legally-binding international agreement, then you may be able to rely on these – but you need to consult experts in these areas, and may need legal advice.
  2. If you are unable to identify any suitable alternative to Privacy Shield or SCCs for your US data transfers, then these transfers amount to unlawful processing of personal data and will prevent you from being ‘compliant’ with the GDPR. However, you’re in the same boat as a lot of other organisations and probably not in immediate danger of getting into trouble – what you do about this will depend on the degree of risk your business is willing to accept.

Data protection risks of unlawful transfers

Caveat: these are generalisations that don’t factor in specifics of industry or circumstance

  • Regulatory risk: MODERATE.

Enforcement against unlawful transfers will be a long time coming in the UK, and is likely to be focused against large or high-profile organisations first. If your organisation is subject to regulation by EU Data Protection Authorities, then you may face an increased risk of enforcement, and civil action by data subjects remains a possibility. Unlawful transfers are likely to be an exacerbating factor in breaches or other non-compliance incidents.

  • Commercial risk: HIGH.

Customers and corporate supply chains will be seeking assurances that you won’t put their data at risk or expose them to liability for non-compliance, especially if you operate in highly-sensitive or regulated areas (healthcare, finance, politics, etc).

  • Operational risk: MODERATE.

If you don’t already have suitable data protection checks and procedures in place for procurement, new projects and programmes that involve the processing of personal data; you’re likely to be building up ‘compliance debt’ which will be more disruptive to fix, the longer it carries on.

  • Ethical risk: HIGH.

Considering the current political climate in the US, there are several categories of people for whom covert access to their data by US intelligence services could be viewed as a serious problem. Organisations which claim a strong ethical stance should think carefully about the potential impact to the rights and freedoms of their staff (including volunteers and contractors), customers or service users, and supporters; even if that impact is not visible or traceable.

You shouldn’t try to apply a one-size-fits-all approach to addressing the problem of unlawful transfers – you should look at the dataflows individually, and consider:

  • What purpose(s) the dataflow serves, and whether it is business-critical
  • The solidity of the lawful basis on which the dataflow is based – for example, an unlawful transfer will undermine the applicability of the basis of a legitimate interest to the processing.
  • The practical and technical feasibilities of making changes

Whatever actions you decide to take, you must document your decision-making process and be able to show evidence of your implementation.

When dealing with unlawful transfers, you have 3 options:

  1. Terminate – stop doing the thing that incurs the risk

Suspend processing activities which rely on unlawful transfers. This is only going to be realistic for non-critical dataflows for non-critical business operations, or where there is a suitable and safe alternative already in place ready to go. It’s the ‘nuclear option’ and will likely have a significant operational and commercial impact.

  1. Treat – reduce the likelihood or the impact of the risks turning into issues

Examples of ways to treat this risk are:

  • Find an alternate provider in a destination country within the EU, or with a finding of adequacy.
  • Seek legally-binding assurances from the provider that in practical (‘factual’) terms, the personal data is protected against being accessed or obtained by any US-based supplier parent, subsidiary, department or sister entity.
  • Reduce the dataset which is being transferred to the bare business-critical minimum.
  • Improve your organisation’s data protection overall, to reduce the chance of an incident that could turn the risks into issues.
  • Allow data subjects to opt-out of features or services that rely on transfer of their personal data to the US, provide the necessary tools and procedures for their data to be excluded.
  1. Tolerate – do nothing and hope the risk doesn’t turn into an issue

This is obviously the low-cost and low-effort course of action, and it may be appropriate for a limited time, but is unlikely to be sustainable in the long-term. While there may be more urgent or important things to think about right now, you should at least document a timescale, or triggers, for revisiting this decision.


Contact Protecture on 01743 636 562 or log a ticket if you have any privacy shield questions or queries.