4

Data Processing

In the previous chapter, we looked at privacy, why it is important, the main modern privacy bills, and the rights of the data subject.

We will continue from there, specifically talking about accountability, tools, instruments, measures, and Schrems (Max Schrems is an Austrian lawyer; we’ll get into the details later in this chapter). Getting a bit more specific, we will be going deep into data processing. Although somewhat complex, these topics help us to decipher the weak points of GDPR and the ongoing discussions on how to improve it. I’d like to point out that this discussion isn’t merely academic; since it involves people, goods, and companies, it is something that we have to deal with.

The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance. When processing data, it is necessary to produce, update, and keep adequate documentation. But before that, we should introduce some definitions to better understand the matter.

In this chapter, we will cover the following topics:

  • The data controller
  • The data processor
  • Accountability
  • EU–US Privacy Shield

The data controller

The data controller has the greatest duty under GDPR and other privacy regulations for preserving the privacy and rights of the data subject, such as a website user. Simply expressed, the data controller is in charge of data utilization methods and objectives.

In brief, the data controller is responsible for dictating how and why the business will utilize data.

A data controller may use its own methods to process gathered data. In some circumstances, however, a data controller must collaborate with a third party or external service in order to process the collected data.

The data controller will not cede custody of the data to the third-party provider, even in this circumstance. The data controller will maintain authority by dictating how the data will be used and processed by the external service.

The data processor

The data processor processes any data provided by the data controller. The data processor is usually the third-party organization selected by the data controller to utilize and process the data.

The third-party data processor neither owns nor controls the data that it processes. This means that the data processor will be unable to alter the data’s purpose and method of use. Moreover, data processors must adhere to the directives provided by the data controller.

For instance, The Daily Bugle’s website gathers information on the pages its visitors see. This includes the page they entered the site on, the subsequent sites they viewed, and the amount of time they spent on each page. In this example, The Daily Bugle is the data controller since they choose how and why this information will be used and processed.

Google Analytics is used by The Daily Bugle to determine which pages on their website are the most popular and which pages cause visitors to quit. This enables businesses to better design their content by revealing the precise amount of time each visitor spends on each page. In addition to knowing which themes to write about, The Daily Bugle also discovers new topics that may be of interest to their clients. Additionally, it helps them enhance the existing material.

To get the desired insights from Google Analytics, The Daily Bugle must provide Google with the data they collect. Google Analytics is the data processor in this instance.

Accountability

The GDPR establishes the general level of responsibility that data controllers, such as entities and public administrations, have for any processing of personal data that they carry out directly, or that others have carried out on their behalf.

In particular, the data controllers are not only required to put adequate and effective measures in place but must also be able to demonstrate the compliance of their processing activities with the GDPR itself.

In practice, in the application of the principle of subsidiarity, each owner is called to set, within their organization, the rules (both technical and organizational) to integrate the general principles of the GDPR into business processes. For example, they must adopt internal processing policies and demonstrate the implementation of these policies.

Both entities and PAs (public administrations) perform this delicate function through the people who naturally exercise the function of the owner, that is, through the C-level executives or senior public managers to whom the decision-making power is attributed as regards the purposes and means of the processing of personal data.

These people, with the constant support of the Data Protection Officer (DPO), starting from the full awareness of the importance of this sector, must build a vision to be transformed into a mission that is expressed in the aforementioned processing policies.

In concrete terms, this mission must be transfused into a Privacy Management System (PMS), that is, a system of documents, rules, training, and control procedures that is homogeneous, integrated, and harmonious. A PMS should be constantly updated in relation to the evolution of the context, while guaranteeing the effectiveness and efficiency of company processes.

In any event, all personal data processing actions must be shown via the creation, maintenance, and preservation of suitable documentation, beginning with the design phase.

First, it should be noted that by document, we mean any graphic, computerized, photographic, electromagnetic, or other type of representation of the content of legally relevant deeds, facts, or data. This also includes internal or external documents relating to a specific business process, policy and/or administrative procedure.

Recommended documents

It’s important to evaluate which documentation should be available in public and private entities, identifying who should generate it, how it should be updated, and how it should be preserved. We will also indicate which documents are mandated by the GDPR and which are suggested as valuable governance tools.

The privacy dashboard

This is a document that is not required by the GDPR, despite the fact that its utility makes it highly recommended. Many refer to it as the privacy manual, but I’ve dubbed it the privacy dashboard to convey the nature and purpose of this document, which is a true control instrument and an operational dashboard accessible to C-Levels and senior public managers who exercise the tasks of the owner.

It is a synoptic document that provides a comprehensive perspective of who must do what with the protection of personal data inside an entity.

Consequently, this document must report the privacy organization chart with a general description of the tasks, sub-divided between company functions/homogeneous organizational areas, and with the indication of only the managers/officers who direct them, including their primary tasks.

The designated managers must take care to produce, maintain, and update the privacy function charts (i.e., the documents that correctly outline the roles and duties of all the entities, such as the people who make up the different organizational units, under their management authority). All acts of designation of appointees/authorized persons issued by the person holding the powers of the owner, and all documents pertaining to the training of appointees, may be linked to the function chart.

Thus, the so-called waterfall model is created, which makes the correct implementation of the organizational model prescribed by the GDPR easily demonstrable. At the same time, this document upholds the principle that any activity that takes place within an organization must be traced back to the sphere of responsibility of a specific subject (i.e., an identifiable person).

Still on the privacy dashboard, beyond the organization chart scope, the document is required to provide proper monitoring of the company’s data processing (such as documents relating to training, information, forms for the exercise of rights, plans, treatment registers, and specific procedures).

Important clarification

The manager/official who is responsible for monitoring the stated activity must be identified alongside each document shown on the privacy dashboard.

Now, let’s analyze in detail the privacy dashboard part that each company and function within the organizational chart is responsible for generating.

Training materials

Training is the first and most essential organizational measure since it fosters general knowledge and sensitivity and ensures the system’s stability. It is specified in both Article 29 and Article 32, Section 4, of the GDPR, which, unsurprisingly, addresses the security of processing. Any technological or organizational measure is doomed to fail in the absence of sufficient training for the operational staff.

Training is vital in the strictest meaning of the word: training activities form the basis of the data protection system.

The privacy dashboard must identify the physical person responsible for training. The DPO must devote the highest care and attention to training, which must be taken seriously (i.e., it must be assessed and quantifiable). Therefore, assessments must be administered at the conclusion of training activities to determine whether, and to what degree, the training message has been received.

The aforementioned training manager is obliged to keep all paperwork that is created.

Mandatory documents

Now, we will consider all the relevant documentation for data processing.

Information and legal bases

Each time personal data is processed, there is information that must be given to the interested party to implement the principle of correctness and transparency.

For this reason, it is the duty of each company process manager, administrative procedure manager, or so-called process owner to prepare specific information and adapt it to the concrete processing activities, taking care to insert the minimum contents prescribed by Article 13 and Article 14 of the GDPR. The information must contain a description of the life cycle of the data, and therefore also any recipients or categories of recipients, the owner’s intention to transfer the collected data to a third country or an international organization, and the existence or absence of a Commission adequacy decision. In the absence of an adequacy decision, the appropriate or suitable guarantees, the means of obtaining a copy of such guarantees, or the place where they have been made available must always be specified. It is also essential to always specify the data retention period. If this is not possible, then you should use another criterion. For instance, in some EU countries, if there’s no mandatory retention period, this has been set to two years. In other countries, the same period for which other documentation must be kept (tax receipts or similar documentation) is used de facto.

The legal bases that justify the processing must also be indicated. In particular, if the processing is based on consent or legitimate interest, it is mandatory to prepare further specific documentation. In fact, Article 7, paragraph 1 of the GDPR prescribes that if the processing is based on consent, the data controller must be able to demonstrate that the data subject has given their consent to the processing of their personal data.

Therefore, the process owner will have to design a procedure to collect the consent of the data subject and keep their related records stored in a secure way.

In order to base the processing on legitimate interest, however, the same process owner will need to prepare a specific procedure to carry out the so-called balancing test or a comparative test between the legitimate interest of the owner, and the interests or fundamental rights and freedoms of the data subjects. Very useful in this regard is this guide, to which you are referred: https://www.hldataprotection.com/2013/04/articles/international-eu-privacy/article-29-working-party-gives-new-guidance-on-purpose-limitation/.

Procedure and forms for the exercise of rights

The data controller must facilitate the exercising of the rights of the data subjects regarding the protection of personal data and carry out specific procedural obligations within the time constraints established by Article 12 of the GDPR.

It is, therefore, necessary to define a specific procedure, while at the same time setting up individually written designations/authorizations for each entity called upon to apply the identified procedure or appropriate forms.

Documentation relating to data processors

According to Article 28 of the GDPR, the following is required:

  • The treatments carried out by a data processor (the manager) must be governed by a contract, or other legal act, that binds the manager to the owner
  • The data processor must make available to the owner all the information necessary to guarantee compliance with the GDPR, and allow the same owner to perform audits to verify the correct execution of the instructions

Therefore, during the implementation of these provisions, the person exercising the functions of the owner must prepare and keep the contract and all the documents drawn up during the contractual relationship with the manager.

Treatment register

The register, prescribed by Article 30 of the GDPR, is a mandatory document for business owners and managers. The treatment register is one of the most important accountability tools, as it is a precious information resource for the privacy authority during the control phase. Moreover, if the owner does not equip themselves with general system governance tools, such as the aforementioned privacy dashboard, the register becomes an essential monitoring tool for the owner/manager.

The register must contain a census of all the treatments performed. It may happen that the manager does not adopt it, so, to be safe, the owner should always require the manager to send them a copy.

Preparation and management of the register is a task assigned to the owner, who can also delegate this task to a manager/official of the organization. However, it is important that they have the awareness that the responsibility for this task remains anchored to their sphere of competence.

The register must make it possible to identify the subjects involved in the processing of data and their purposes, the categories of data subjects and the data processed, who can access the data, to whom the data is communicated, how long it is kept, and how safe it is.

Although not required by the GDPR, I suggest inserting other items to indicate the information of each treatment, such as the legal bases and the level of risk for the fundamental rights and freedoms of the data subjects. In this way, it is possible to highlight the high-risk treatments on which the impact assessment (or data protection impact assessment) will be carried out.

It should be noted that the register should not be seen as a merely bureaucratic task but as a real operational tool, similar to the mandatory warehouse registers of medium-sized and large companies. This is the reason for the register’s usefulness in carrying out internal audits and inspections by the control authority.
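As an added example (not from the book), the following Python sketch treats the treatment register as the operational tool the chapter describes: it checks each treatment for the Article 30 items listed above plus the author's two recommended extras (legal basis and risk level), flags high-risk treatments for a DPIA, and lists the further records the legal basis triggers (consent records, balancing test). All field names and the sample register for the fictional Daily Bugle are assumptions constructed for the example.

```python
"""Treatment register (record of processing activities) completeness check.

Added example; field names mirror the items the chapter lists for the
Article 30 register and are assumptions, not the GDPR's own wording.
"""
from dataclasses import dataclass, field

# Items the chapter says the register must make identifiable (Article 30).
MANDATORY_FIELDS = (
    "owner", "purpose", "data_subject_categories", "data_categories",
    "authorized_access", "recipients", "retention", "security_measures",
)
# Extra items the author recommends recording (not required by the GDPR).
RECOMMENDED_FIELDS = ("legal_basis", "risk_level")


@dataclass
class Treatment:
    """One row of the register; an empty string or list means 'not documented'."""
    name: str
    owner: str = ""
    purpose: str = ""
    data_subject_categories: list = field(default_factory=list)
    data_categories: list = field(default_factory=list)
    authorized_access: list = field(default_factory=list)
    recipients: list = field(default_factory=list)
    retention: str = ""
    security_measures: list = field(default_factory=list)
    legal_basis: str = ""   # e.g. "consent", "legitimate_interest", "contract"
    risk_level: str = ""    # "low", "medium" or "high" (owner's assessment)


def missing_fields(t: Treatment, include_recommended: bool = True) -> list:
    """Names of register items that are still empty for this treatment."""
    names = MANDATORY_FIELDS + (RECOMMENDED_FIELDS if include_recommended else ())
    return [n for n in names if not getattr(t, n)]


def needs_dpia(t: Treatment) -> bool:
    """High-risk treatments are the ones on which the impact assessment is carried out."""
    return t.risk_level.lower() == "high"


def extra_documentation(t: Treatment) -> list:
    """Further records the chapter says the legal basis requires (Art. 7 / balancing test)."""
    basis = t.legal_basis.lower()
    if basis == "consent":
        return ["consent collection procedure and stored consent records"]
    if basis == "legitimate_interest":
        return ["balancing test between the owner's interest and data subjects' rights"]
    return []


def register_report(treatments) -> dict:
    """Summarise what the owner still has to produce or demonstrate."""
    report = {"incomplete": {}, "dpia_required": [], "extra_documentation": {}}
    for t in treatments:
        missing = missing_fields(t)
        if missing:
            report["incomplete"][t.name] = missing
        if needs_dpia(t):
            report["dpia_required"].append(t.name)
        extra = extra_documentation(t)
        if extra:
            report["extra_documentation"][t.name] = extra
    return report


# Constructed sample register for the chapter's fictional newspaper.
SAMPLE_REGISTER = [
    Treatment(name="website analytics", owner="The Daily Bugle (controller)",
              purpose="measure page popularity and exit pages",
              data_subject_categories=["website visitors"],
              data_categories=["entry page", "pages viewed", "time on page"],
              authorized_access=["marketing manager"],
              recipients=["Google Analytics (processor)"], retention="26 months",
              security_measures=["pseudonymised identifiers", "TLS in transit"],
              legal_basis="legitimate_interest", risk_level="low"),
    Treatment(name="newsletter", owner="The Daily Bugle (controller)",
              purpose="send the weekly newsletter",
              data_subject_categories=["subscribers"], data_categories=["email address"],
              authorized_access=["editorial staff"],
              recipients=["mailing provider (processor)"],
              retention="",  # not yet documented: the check must flag this
              security_measures=["role-based access control"],
              legal_basis="consent", risk_level="low"),
    Treatment(name="newsroom facial recognition access control",
              owner="The Daily Bugle (controller)",
              purpose="building access using biometric templates",
              data_subject_categories=["employees"],
              data_categories=["facial biometric template"],
              authorized_access=["security officer"], recipients=["none (internal only)"],
              retention="duration of employment",
              security_measures=["encrypted template store"],
              legal_basis="legitimate_interest", risk_level="high"),
]

if __name__ == "__main__":
    for section, content in register_report(SAMPLE_REGISTER).items():
        print(section, content)
```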

Documentation regarding security measures

The measures that ensure data security within the organization are divided into two categories: organizational measures and technical measures. The latter must be identified while taking into account the state of the art and the costs of implementation, as well as the nature, object, context, and purposes of the processing. Article 32 of the GDPR recommends pseudonymization and data encryption as minimum technical measures.

The concerns about demonstrability in this area mainly relate to both physical and logical organizational measures. These are aimed at permanently ensuring the confidentiality, integrity, availability, and resilience of the processing systems and services. They are also used to promptly restore the availability of, and access to, personal data in the event of a physical or technical incident.

To achieve this purpose, the head of the IT function must prepare an IT security policy, which is an organic set of formal rules that define the methods for managing the IT tools and data of the company or body in question. The components of the policy are the following:

  • Authentication
  • Internal and external data integrity
  • Data backup
  • Host security
  • Network security
  • Physical security
  • The safety of operations
  • Configuration management (minimum security profile)
  • Alert mechanisms activated on systems (SIEM and similar)
  • The operating procedures for changing the policy in the event of unforeseen external events

Tip

Similar requirements are set out by ISO 27001. Therefore, you can keep all of the documentation in one place.

To apply the security policy to the entities, each process owner must, on the basis of a specific delegation issued by the owner on the privacy dashboard, make personal designations in writing.

These designations must reflect the main contents of the individual tasks assigned to each collaborator.

They should strictly regulate, at least, the matters referred to in paragraph 3 of Article 28 of the GDPR, that is, those on which the designated/authorized person must provide sufficient guarantees, such as the nature, purpose, duration, and methods of processing.

The process owner should administer and verify the acts of designation at the beginning of the activities, and periodically (at least once a year), the designations are subject to a process of analysis and possible revision.

The system administrator must be designated by an individually written document, containing an analytical list of the areas of operation allowed on the basis of the assigned authorization profile. The identification details of the persons designated as system administrators, with a list of the functions assigned to them, must be reported in an internal document to be kept updated and available in the event of an investigation by the privacy authority.

If the activity of system administrators also indirectly concerns services or systems that process, or allow the processing of, the personal information of workers, public and private owners are required to make the identity of the system administrators known within their organizations, according to the characteristics of the company or service and in relation to the various IT services for which they are responsible, making use of the information provided to the interested parties pursuant to Article 13 of the GDPR.

After implementing the organizational security measures, to meet Article 32, paragraph 1, letter d) of the GDPR, the operator of the functions of the owner or a suitable delegate must prepare a procedure to test, verify, and regularly evaluate the effectiveness of technical and organizational measures in order to guarantee the security of the processing.

This is the well-known penetration test (or pen test) performed by white hat hackers to analyze and evaluate the robustness of a computer system.

Data Protection Impact Assessment (DPIA)

While, as we have seen, security assessments must be performed on all treatments, impact assessments should only be carried out when the treatment involves the use of new technologies and can present a high risk to the rights and freedoms of individuals.

Therefore, the owner, or a suitable delegate specifically indicated on the privacy dashboard, will have to execute and document the process developed, following the WP 248 rev.01 guidelines adopted by WP29 on October 4, 2017.

Documents concerning the management of any data breach

The security measures described previously, however accurate they may be, can never eliminate the likelihood of a data or security breach.

When a data breach occurs, the owner must do the following:

  • Notify the authority within 72 hours, pursuant to Article 33 of the GDPR, of the violation if it presents a risk to the rights and freedoms of individuals
  • Communicate the violation to the interested parties when it is likely to present a high risk to the rights and freedoms of individuals
  • Document any violations of personal data (even those not notified to the guarantor and not communicated to the interested parties), including the circumstances relating to it, its consequences, and the measures taken to remedy it

Therefore, the owner is obliged to keep a register of security breaches, which must be kept up to date.
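As an added example (not from the book), the following Python sketch models the register of security breaches the chapter calls for: each entry records the circumstances, consequences, and remedies, the three obligations above are derived from the owner's risk assessment, and the 72-hour Article 33 window is tracked so that overdue notifications stand out. The risk labels, field names, and sample breaches are assumptions constructed for the example.

```python
"""Register of personal data breaches with notification tracking (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)  # Article 33 deadline stated in the chapter
DOCUMENTATION_FIELDS = ("circumstances", "consequences", "remedies")


@dataclass
class Breach:
    """One entry of the breach register (kept even when no notification is due)."""
    description: str
    detected_at: datetime            # timezone-aware
    risk_to_individuals: str         # "none", "risk" or "high" (owner's assessment)
    circumstances: str = ""
    consequences: str = ""
    remedies: str = ""
    notified_authority_at: Optional[datetime] = None
    communicated_subjects_at: Optional[datetime] = None


def required_actions(b: Breach) -> dict:
    """Map the owner's risk assessment onto the three obligations listed in the chapter."""
    return {
        "notify_authority": b.risk_to_individuals in ("risk", "high"),
        "communicate_subjects": b.risk_to_individuals == "high",
        "document": True,  # every breach is recorded, notified or not
    }


def notification_deadline(b: Breach) -> datetime:
    return b.detected_at + NOTIFICATION_WINDOW


def hours_overdue(b: Breach, now: datetime) -> float:
    """Hours past the 72-hour window; 0 if still inside it or already notified."""
    if b.notified_authority_at is not None:
        return 0.0
    late = now - notification_deadline(b)
    return max(late.total_seconds() / 3600, 0.0)


def missing_documentation(b: Breach) -> list:
    return [name for name in DOCUMENTATION_FIELDS if not getattr(b, name)]


def open_items(b: Breach, now: datetime) -> list:
    """What the owner still has to do for this entry, as of `now`."""
    items = []
    actions = required_actions(b)
    if actions["notify_authority"] and b.notified_authority_at is None:
        h = hours_overdue(b, now)
        items.append("notify authority" + (f" (overdue by {h:.0f} h)" if h else ""))
    if actions["communicate_subjects"] and b.communicated_subjects_at is None:
        items.append("communicate to data subjects")
    items.extend(f"document {name}" for name in missing_documentation(b))
    return items


def review_register(breaches, now: datetime) -> dict:
    return {b.description: open_items(b, now) for b in breaches}


# Constructed sample register, reviewed at a fixed point in time.
NOW = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)
SAMPLE_BREACHES = [
    Breach("stolen laptop with unencrypted HR export",
           datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc), "high",
           circumstances="laptop taken from a car", consequences="employee data exposed",
           remedies="remote wipe requested; encryption enforced"),
    Breach("misdirected internal memo with no personal data",
           datetime(2024, 3, 2, 10, 0, tzinfo=timezone.utc), "none",
           circumstances="email sent to the wrong department",
           consequences="none", remedies="recalled; recipient confirmed deletion"),
    Breach("subscriber list briefly readable on a shared drive",
           datetime(2024, 3, 3, 8, 0, tzinfo=timezone.utc), "risk",
           circumstances="permissions misconfigured during migration",
           remedies="permissions corrected; access logs reviewed",
           notified_authority_at=datetime(2024, 3, 3, 18, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for description, todo in review_register(SAMPLE_BREACHES, NOW).items():
        print(description, "->", todo or "nothing outstanding")
```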

Furthermore, since it is necessary to react to the data breach in a timely, structured, and effective manner, it seems appropriate to prepare a procedure for managing the violation by identifying the entities involved in the particular process and entrusting them with specific tasks in writing.

For this task, it is suggested to follow the Guide to Personal Data Breach Management and Notification published in May 2018 by the Spanish Authority (AEPD).

The data controller must ensure that the DPO is promptly and adequately involved in all matters concerning the protection of personal data, in order to allow them to carry out the tasks of advising the data controller and monitoring the compliance of the treatments, which are attributed to the DPO by the GDPR. In case of doubt, please remember that the data controller controls how data is collected from data subjects, ensuring that the required consent is obtained from the users. In addition, they appoint a DPO to ensure that all information remains confidential as governed by the GDPR. In short, the DPO and the data controller are not the same function.

It is important to specify that the owner, in cases in which they decide not to follow the indications offered by the DPO, must draw up and keep the document in which they indicate the reasons why they intended to make a decision that differed from the indications and suggestions received.

Likewise, the communication of data to third parties and the export of data outside the EEA must be adequately documented, perhaps even by structuring specific procedures in which the conditions, contexts, and methods of communicating with third parties and exporting data are specified. As mentioned, this type of documentation must be reflected in the information provided to the interested parties pursuant to Articles 13 and 14 of the GDPR.

Data protection – the last warning

All of the requirements discussed so far represent a difficult organizational burden that must be met to effectively defend the basic rights and freedoms of people and to foster the confidence essential for the free flow of personal data and corresponding economic growth.

Consider the probability of harsh and dissuasive sanctions in the case of noncompliance if these lofty goals do not provide adequate incentives for the owners.

As a warning, consider the financial sanction of 300,000 Euros that was imposed on a significant public body at the beginning of 2021, after the authority found insufficient documentation to demonstrate which decision-making levels were involved, the assessments made, and the reasons underlying the decisions made.

The public body also failed to provide adequate documentation of the measures adopted in relation to their processing of personal data.

Moreover, the DPO was not promptly involved even though according to the regulation, the DPO should have been quickly and properly engaged in all data protection-related problems.

EU–US Privacy Shield

One of the most controversial topics related to the GDPR is the so-called Privacy Shield, which followed the Safe Harbor and has since been invalidated by the Schrems II judgment.

Brief summary

Following Edward Snowden’s 2013 revelations of Facebook and other US service providers’ participation in the US government’s PRISM mass surveillance program, Austrian activist Maximilian Schrems filed a complaint with the Irish Data Protection Commissioner (the complaint was filed in Ireland because it is Facebook’s European headquarters) alleging the unlawful processing of his personal data, which had been transferred to the United States and subjected to the massive control of the US government authorities, along with the data of millions of other individuals. This had been eased by the 2000 EU Commission-approved Safe Harbor agreement, which permitted the unfettered flow of personal data between the EU and the US, under specific circumstances.

After the matter was referred to the Court of Justice of the European Union, it accepted Schrems’ complaints with judgment C-362/14 of October 6, 2015 (the Schrems I judgment), invalidating Decision 2000/520/EC, in which the EU Commission had deemed the level of protection provided by the Safe Harbor Privacy Principles to be adequate, and referred the matter to the Irish Guarantor for a new ruling.

In the meantime, also at the invitation of the Working Party pursuant to Article 29 (today known as the European Data Protection Board (EDPB)), which brings together all the privacy authorities of the Member States, the EU Commission and the US Department of Commerce reached an agreement called the Privacy Shield in February 2016. This was intended to resolve the inadequacy concerns raised by the Court of Justice in relation to the Safe Harbor agreement. The Privacy Shield, which was approved by the EU Commission with Decision 2016/1250 on July 16, 2016, stipulated stricter obligations for US companies that import the personal data of European citizens, including the periodic monitoring of compliance with these obligations, the application of sanctions, and the provision of guarantees and transparency obligations for the access of the US government and public authorities to the personal data transferred for law enforcement purposes.

Following the advent of Regulation (EU) No. 679/16 (the GDPR, which replaced Directive 95/46/EC and all local transposition regulations), it was inevitable that the referral proceedings pending before the Irish Data Protection Commissioner would necessitate a new assessment of the adequacy of the protection provided by the Privacy Shield and, more generally, of the so-called standard contractual clauses (SCCs).

In May 2018, the Irish High Court, which had jurisdiction over the case, referred a number of questions to the European Court of Justice concerning the legality of the SCCs and the Privacy Shield’s data transfers, highlighting the potential violation of Articles 7, 8, 47, and 52 of the EU Charter of Fundamental Rights.

Schrems II ruling

With the judgment of July 16, 2020 (the Schrems II ruling), the Court of Justice found the 2016/1250 Decision by which the EU Commission approved the Privacy Shield’s adequate protection of personal data for EU-US data transfers, to be incorrect.

To be more precise, the Court of Justice of the European Union (CJEU) investigated the EU-US Privacy Shield’s legality in light of the GDPR’s requirements during the proceedings. The CJEU determined that there were restrictions on the protection of personal data because of domestic law in the US as well as the access to and use of personal data obtained from the EU by US public bodies. It was decided that US legal provisions do not satisfy standards that are almost identical to those set forth by EU law.

The CJEU noted the following in its ruling:

  • The proportionality principle did not place limitations on how the US governmental authorities used or had access to EU data
  • The Ombudsperson mechanism does not give data subjects any recourse before a body that provides guarantees substantially equivalent to those demanded by EU legislation

In contrast, the ruling does not directly affect the validity of the SCCs approved by the EU Commission for the transfer of data to non-EU countries. However, the Court has clarified that, unless the EU Commission has adopted a valid adequacy decision on the privacy law of the data importer’s country, the supervisory authority of each Member State is required to suspend or prohibit a transfer of personal data to a non-EU country when it believes, in light of the specific circumstances, that the protection of the transferred data cannot be guaranteed by other means.

Nonetheless, several supervisory authorities, such as the Irish one, intervened with an official remark on the Schrems II judgment, questioning the validity of transfers made on the basis of SCCs to the United States and urging the other authorities to adopt a unified stance on the issue. The Italian Authority for Data Protection did not comment on this issue.

The frequently asked questions issued by the EDPB

In response to a request from the Irish Supervisor, the EDPB prepared a Frequently Asked Questions (FAQs), where, in essence, the EDPB emphasizes that parties, meaning EU exporters and extra-EU importers of personal data, are required to conduct their own assessments of existing transfers within the SCCs (the FAQs document also includes the Binding Corporate Rules (BCRs) that typically regulate intra-group transfers) in light of the Court’s concerns.

The FAQs mean that the ability to transfer personal data on the basis of the SCCs would rely on the outcome of the data exporter’s assessment of the assurances supplied in the importing nation (namely the United States) in terms of adequate protection. The evaluation must take into consideration the circumstances surrounding the transfer and any further contractual steps taken to alleviate the Court’s concerns. These procedures should guarantee that the transfer of personal data outside of the EU does not compromise the degree of protection required by the GDPR and relevant European laws.

In addition to the comments on individual assessments, the most important comment is related to the validity of SCCs and BCRs.

The FAQs specifically recognize that the SCCs and BCRs may still be regarded as appropriate instruments if additional measures are introduced that are capable of addressing the Court of Justice’s concerns. Specifically, after reiterating that the parties are responsible for evaluating the transfers, they stated: The EDPB is currently analyzing the Court’s ruling to determine the type of additional measures that could be provided in addition to the SCCs and BCRs, such as legal, technical, or organizational measures, in order to transfer data to third countries where the SCCs or BCRs alone do not provide an adequate level of protection. The EDPB is studying further what these new steps could entail and will offer further direction. In this context, informal talks with various European authorities show that the EDPB is contemplating potential measures, and some proposals involving technological precautions, such as encryption, have already surfaced. In reality, technicians and engineers are expected to analyze the technological consequences and alternative solutions.

What occurs next? Vade mecum for entities

The EDPB has not formally declared a moratorium on inquiries into the legality of personal data transfers to countries outside the EU, particularly the United States. Despite what transpired following the first judgment of the Court of Justice in the Schrems case, which deemed Safe Harbor illegal, avoiding a moratorium seems to be the course chosen. In fact, it is impossible to take action against corporations that have commenced renegotiation of their contracts based on the Court of Justice’s ruling. In the FAQs, the data protection authorities urge enterprises to take urgent steps to comply with the ruling, including mapping their data transfers abroad and initiating an adequacy evaluation of the SCCs.

These are, in short, the recommendation from EDPB:

  • To avoid potential sanctions and, above all, to avoid orders from the supervisory authority blocking the transfer of personal data, companies should take appropriate measures to demonstrate that data transfers outside the EU comply with the GDPR and take into account the concerns expressed by the Court of Justice in the Schrems II decision. To this end, enterprises exporting personal data should adopt specific good practices that the regulatory authorities would look on favorably. For instance, where the Privacy Shield has been used as the legal basis for the transfer of personal data to the United States, they should assess whether it is permissible to change the legal basis of the transfer, considering, for instance, the derogations in Article 49 of the GDPR, such as the following. Note that the Article 49 derogations are exceptions for specific situations; the EDPB reads them restrictively, and they are not a suitable basis for systematic, repeated transfers.
    • Consent of the interested person (considering the preceding EDPB standards about the validity of consent).
    • Transfer (essential) for the performance of a contract between the data subject and the data controller or for the performance of pre-contractual measures at the request of the data subject.
    • Transfer required for the conclusion or performance of a contract between the data controller and another natural or legal person in the interest of the data subject (such as a contract in favor of a third party).
    • Transfer required for important reasons of public interest. This exception has a wide scope. Typically, the public interest is determined by statute or administrative regulation and not by the data subject’s own judgment. However, the existence of the public interest must be reassessed periodically.
    • Transfer required to establish, exercise, or defend a legal claim. This is the case in which the European controller must defend itself or assert its own rights before the courts of a third country, so that the transfer of personal data (possibly to a consultant, to counsel, and then to the judicial authority of the third country) is required to allow the defense to be conducted. In any event, the proportionality limitation applies both to the content of the transferred data and to the duration of its storage.
    • Transfer required to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent. The standard case is a patient receiving medical care abroad.
  • If none of the preceding derogations can be adopted as a valid legal basis for the transfer, it is necessary to first check the decisions of the EU Commission on the adequacy of the personal data protection laws of certain third countries. More importantly, it is necessary to check any statements by the EDPB on the legality of data transfers to certain countries on the basis of the SCCs, with specific attention to data transfers to the United States. In fact, it is conceivable (and probably desirable) that the supervisory authorities will issue a vade mecum or recommendations on the use of SCCs and any other contractual protections applicable to certain countries. Moreover, it is likely that the EU Commission will pre-empt any such EDPB position.
  • In the near term, however, where no alternative legal basis is available (for example, the SCCs have already been executed between the parties), it is preferable to discuss with the data importer the inclusion of additional safeguards alongside the SCCs, strengthening the assurances for the parties involved in the transfer in the manner indicated by the European Court of Justice in the Schrems II decision. This action must be preceded by due diligence on the legal guarantees available in the importing country:
    • Identify the flows of personal data transferred and the degree of risk for the persons concerned in the event of onward disclosure to the public authorities of the third country.
    • Analyze the local laws of the recipient country and the obligations they impose to hand over data to public authorities. In this regard, for data transfers to the United States, it will be especially pertinent to determine the extent to which the recipient of the data is subject to Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333.
  • Draft and negotiate with the data importer, based on the findings of that verification, a set of supplementary measures to be attached to the SCCs in order to improve the assurances for the data subjects whose personal data is transferred. Until the EDPB publishes recommendations or provides clarifications on the most appropriate supplementary measures for protecting the rights of data subjects when personal data is transferred under the SCCs, there are a number of technical and organizational measures to consider:
    • Prior examination of which data actually needs to be sent, based on the proportionality and privacy by design principles
    • Application of cryptographic methods, with the keys held solely by the exporter (encryption that the importer can undo offers no protection against a compelled disclosure on the importer’s side)
    • Data pseudonymization, with the re-identification information kept by the exporter
    • Modification of access methods: instead of handing the data to the importer, give a restricted set of importer personnel remote-access credentials to the exporter’s systems and databases, so the data never leaves the exporter’s control
    • Logging and documentation of every access
    • Additional clauses mandating the exporter’s prior notice and authorization in the case of a disclosure request by a foreign public body, or giving the exporter the power to suspend the flow of data and effectively prohibit further transfer
    • Provisions for cooperation between exporter and importer that enable the data subject, in addition to transparency about onward transfers of their data, to use, without incurring economic or legal costs, the procedural tools and rights of action provided by the legislation of the importing country to oppose the disclosure
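As an added illustration of the data-minimization and pseudonymization measures listed above (example code written for this chapter, not taken from the EDPB, the Commission or any vendor), the following Python script prepares a constructed set of customer records for transfer: fields the importer does not need are dropped entirely, direct identifiers are replaced by keyed HMAC-SHA256 pseudonyms that remain linkable within the dataset, and the key and the re-identification table stay with the exporter. The records, the field names and the assumed processing purpose (usage analytics by the importer) are all invented for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records held by the EU exporter (fictitious people and IBANs).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "anna@example.com",
     "iban": "DE89370400440532013000", "country": "DE", "plan": "pro"},
    {"customer_id": "C-1002", "email": "bruno@example.com",
     "iban": "FR7630006000011234567890189", "country": "FR", "plan": "free"},
    {"customer_id": "C-1003", "email": "anna@example.com",
     "iban": "DE89370400440532013000", "country": "DE", "plan": "free"},
]

# Assumed purpose: usage analytics. Only these fields are needed in clear text.
FIELDS_NEEDED = frozenset({"country", "plan"})
# Direct identifiers the importer may see only as pseudonyms (it still needs to
# link records belonging to the same customer).
IDENTIFIERS = frozenset({"customer_id", "email"})
# Every other field (here: iban) is never transferred at all.


def pseudonym(field: str, value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: same field/value -> same token, but only
    the key holder (the exporter) can recompute it or map it back."""
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def prepare_export(records, key, needed=FIELDS_NEEDED, identifiers=IDENTIFIERS):
    """Return (records_for_importer, reidentification_table).

    The table maps token -> (field, original value) and, like the key,
    stays with the exporter; neither is sent to the importer."""
    exported = []
    reid = {}
    for rec in records:
        out = {}
        for field, value in rec.items():
            if field in identifiers:
                token = pseudonym(field, value, key)
                out[field] = token
                reid[token] = (field, value)
            elif field in needed:
                out[field] = value
            # anything else is dropped (data minimisation / proportionality)
        exported.append(out)
    return exported, reid


def reidentify(token: str, reid: dict):
    """Exporter-side reversal of a token; returns (field, value) or None."""
    return reid.get(token)


def leaked_values(exported, records, identifiers=IDENTIFIERS, needed=FIELDS_NEEDED):
    """Pre-transfer check: any original identifier value, or any value of a
    field that should have been dropped, appearing verbatim in the export is a
    leak. Returns the list of (field, value) leaks; empty means clean."""
    must_not_appear = set()
    for rec in records:
        for field, value in rec.items():
            if field in identifiers or field not in needed:
                must_not_appear.add(str(value))
    leaks = []
    for out in exported:
        for field, value in out.items():
            if str(value) in must_not_appear:
                leaks.append((field, value))
    return leaks


if __name__ == "__main__":
    exporter_key = secrets.token_bytes(32)  # generated and retained by the exporter
    export, reid_table = prepare_export(SAMPLE_RECORDS, exporter_key)
    if leaked_values(export, SAMPLE_RECORDS):
        raise SystemExit("export contains identifying data; transfer blocked")
    for row in export:
        print(row)
```

The importer receives only country, plan and two opaque tokens per record; the same customer appearing twice yields the same token, so the importer can still do its analytics. Because the pseudonyms are keyed, a disclosure demand served on the importer reveals neither the identities nor the IBANs, which never left the exporter.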

Conclusions

Beyond the proposed solutions, there is a serious danger of creating de facto blacklists of non-EU governments that do not guarantee the protection of the privacy of European residents, with obvious implications for international commerce and geopolitics. The review of the “countries at risk” might have significant effects on international transactions and the worldwide supply of services, including cloud computing, banking, and insurance. The majority of transactions and commerce rely on the transfer of data to non-EU countries, including the United Kingdom. If it is true that personal data is the new black gold, and that the accumulation of enormous masses of data (so-called big data), and its analysis and use for commercial and market purposes, is the foundation of the fortunes of the big players (online service providers, cloud computing, social media, big tech), then it is also true that most (if not all) of them are located in the United States or in other non-EU countries such as China and South Korea.

One therefore wonders whether the judgment is not the result of a political will to redesign future relations, in the context of a European neo-sovereignism, vis-à-vis the excessive power of non-EU suppliers. If the aim is to keep data within European borders by making it harder to transfer data outside the EU, so as to entice stakeholders to choose European suppliers over US operations, then Europe needs to build an entire technological ecosystem, starting with cloud operations; otherwise, the technological gap will only widen.

Moreover, the large players themselves may be compelled by this decision to pursue a Europeanization of their services, bringing them inside the EU, as many of them had already done before the Schrems II ruling, thereby resolving the issue of the transfer of personal data upstream.

In a sense, the principle affirmed by the European Court of Justice is unavoidable: going forward, the effective sovereignty of European citizens over their data must always be safeguarded against mass data collection by foreign government authorities under the guise of security surveillance. Could this be the end of Orwell’s 1984?

Summary

In this chapter, I have tried to help you understand the laws around data protection and to show that, even though the GDPR is a good piece of legislation, it is quite far from perfect. Always remember that bills, laws, frameworks, and so on are made by humans and, therefore, are not perfect. But there is time to bring them closer to perfection. We have now finished exploring data protection. In the next chapter, we will dive into risk management.
