Conducting the Schrems II Assessment of Supplementary Measures

The recent decision by the Court of Justice of the European Union to invalidate the Privacy Shield’s adequacy is getting a lot of attention for its geopolitical ramifications. While the Court let the other legal mechanisms for legitimizing the cross-border transfer of personal data stand, its judgment, as well as FAQs published by the European Data Protection Board (EDPB), require an assessment by both exporters and importers of existing and future transfers to third countries.

There are Two Aspects to the Assessment

The first is of the legal environment of each of the third countries used for processing in comparison to the privacy rights granted by the General Data Protection Regulation (GDPR). If the third country’s legal environment does not provide the appropriate safeguards, as is the case with the US, a second assessment should be conducted of the supplementary measures that can be applied by the exporter or the importer to sufficiently improve the current safeguards (see paragraphs 131, 133 of the Court’s judgment, and the EDPB FAQ #5, 6, 9).

If the exporter or the importer determines that the supplementary measures (whether legal, technical or organizational) do not sufficiently bring the level of data protection to that of the European Economic Area (EEA) countries, the transfer of the data must be suspended (FAQ #10).
In this post, I’ll focus on what these supplementary measures may be, and what is required to put them in place.

Examples of Supplementary Measures

Since the EDPB has not indicated when it will provide additional guidance on what those supplementary measures could be, this post opens the operational side of the discussion, based on commonly available technical capabilities.

Here are examples of supplementary measures that may be sufficient to compensate for the lacking legal environment in a third country:

  • Exporter to replace identifiers with a unique ID for each data subject prior to sharing with the importer. The importer will not have access to the key to those IDs.
  • Exporter to use format-preserving techniques to replace the personal data with fake identities while maintaining the look and feel of the original data. The importer does not need to be aware of if and when this approach is used.
  • Exporter to keep the data hosted in the EEA and allow the importer read-only access from devices that do not allow for making copies or printing the data (“thin clients”).
  • Exporter to minimize the personal data prior to sharing with the importer to include only publicly available contact information.
  • Importer to process the personal data upon receipt and immediately delete the data upon completion of the processing activity.
  • Exporter to divide different steps of a processing activity between different importers to reduce the exposure risk with each importer.
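The first two measures above (per-subject pseudonymous IDs whose key stays with the exporter, and a minimised payload for the importer) can be combined in one exporter-side step. The following is an added illustration, not code from the original post; the records, field names and key are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample export batch (hypothetical data subjects, not real people).
SAMPLE_RECORDS = [
    {"email": "anna@example.eu", "name": "Anna Example", "order_total": 120.50, "country": "DE"},
    {"email": "bo@example.eu", "name": "Bo Example", "order_total": 35.00, "country": "FR"},
    {"email": "anna@example.eu", "name": "Anna Example", "order_total": 15.25, "country": "DE"},
]

DIRECT_IDENTIFIERS = ("email", "name")            # never leave the exporter
FIELDS_FOR_IMPORTER = ("order_total", "country")  # minimised payload only


def derive_subject_id(secret_key: bytes, email: str) -> str:
    """Keyed pseudonym computed by the exporter: the same data subject always
    gets the same ID (so the importer can still group records), but without
    secret_key the importer can neither recompute nor reverse it."""
    normalised = email.strip().lower().encode()
    return hmac.new(secret_key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise_for_export(records, secret_key: bytes):
    """Returns (payload sent to the importer, re-identification table the
    exporter keeps inside the EEA). Direct identifiers are stripped from
    the payload; only the subject ID and minimised fields are shared."""
    payload, key_table = [], {}
    for rec in records:
        subject_id = derive_subject_id(secret_key, rec["email"])
        key_table[subject_id] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        payload.append({"subject_id": subject_id, **{k: rec[k] for k in FIELDS_FOR_IMPORTER}})
    return payload, key_table


def reidentify(payload_row, key_table):
    """Exporter-side only: join a returned row back to the data subject."""
    return {**key_table[payload_row["subject_id"]], **payload_row}
```

If the importer has no need to link records of the same subject, a random ID per record (with the mapping still held by the exporter) removes even the linkability that the keyed approach keeps.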

Problematic Inherent Assumptions

The EDPB’s FAQs call for a “case-by-case analysis of the circumstances surrounding the transfer” before considering the use of supplementary measures. In other words, the EDPB expects that you know:

  1. … which of your processors receives EEA personal data;
  2. … what categories of EEA personal data your processors receive, including from different departments of your company;
  3. … which of your processors is processing EEA personal data outside of the EU (i.e., your processor is an importer); and,
  4. … who are your processors’ sub-processors, and whether they are in third countries.

The problem is that very few companies have the answers to these four points, even though they are not new. These requirements were in the 1995 Data Protection Directive, they are part of the Standard Contractual Clauses (SCC), they are in the GDPR, and they are challenging to meet. Obtaining such a degree of granularity regarding the company’s data and its processors is still thought of as a leading business practice rather than a common one. This gap must be closed before companies can conduct their transfer assessments.

Be Proactive

The geo-political changes that are taking place this year – US-China relationships, COVID-19 contact tracing, the invalidation of Privacy Shield – are pointing companies towards a need to control personal data at a new level of granularity. It’s not a quick process, but it has a clear starting point – find the data, find its users, and minimize the personal data those users process.

On the bright side, at least you know where to start!

About the author:

Sagi Leizerov, Ph.D., SVP Enterprise Privacy Solutions at Dataguise

Sagi is a Certified Information Privacy Professional (CIPP/US) with over 20 years of privacy and data governance experience. You can check out his full bio here.