Panellists will give their own case studies and advise on best practice and what organisations should do to ensure they are compliant with data sharing across jurisdictions.

Response to Schrems II Global Case Studies Responding to the ECJ Decision

 Transcript 

The transcript has been edited for gramatical purposes: 

Dan Raywood: [00:00:00] And, we’re going race straight off into our next session. Once again, I’d like to thank our headline sponsors for today. They are Microsoft and OneTrust. The next session then is we’re going to be handing over to Victoria Guilloit I’m sorry I pronounced that pretty terribly, who is a partner at Privacy Culture.

[00:00:16] And along with her panel, she’s going to be looking at the response to Schrems II Global Case Studies, responding to the ECJ Decision. Obviously one of the big stories of last year. So Victoria, I’ll hand over to you.

[00:00:27] Victoria Guilloit: Welcome everybody to this session on the response to Schrems II Global Case Studies, responding to the ECJ Decision. Now I’ll bring my panelists in before we give you a bit of an overview. So the first panelist is Nora Bensaid, Nora is the Data Protection Officer from ING. We also have Christopher Schmidt, who is an associate from Jones Day Cyber Security.

Welcome to Nora and Christopher. And finally we have Helen Woollett and Helen is Privacy Council and Data Protection Officer for Natura & Co. So a bit of background for you before we head into the questions. So, it was right back in July in 2020 that the court of justice for the European Union upheld a complaint by Max Schrems of NOYB That once again, expose the tension between the Protection of Public Privacy and International Governments need to access personal data in order to perform specific tasks.

So think about law enforcement, public health management, and national security. All of which are necessary, but causes all concern that the government is snooping and the access could therefore be disproportionate in the Schrems II decision the CJEU upheld that US laws regulating US public authorities accessed personal data transferred from the EU for national security purposes is not efficient.

As it stands, it doesn’t satisfy the requirements of the EU law because the rights of the performance in courts do not apply to data subjects. And further, this situation doesn’t apply to government authorities. In a nutshell, the Schrems II decision invalidated the data transfer mechanism, the privacy shield, between the EU and the US, and actually the UK estimates that data transfers between the UK and the EU is worth £87 billion alone.

[00:02:36] And that transfers between UK and USA are worth four times this. So Nora, I’m going to start with you. So with all this in mind, what does this decision by the European court of justice actually mean for an organization?

[00:02:51] Nora Bensaid: Thank you, Victoria. I think a lot of things, but at least I think any organization has to make kind of reassessment of the cross border, personal data from EU to modify the contractual documentation in order to comply with the new measures. And finally, I think more responsibilities for the exporters and importers, even on topics they can’t control like third countries, legal environment, that’s very difficult to have all the information and to assess these kinds of topics. That’s my first list.

[00:03:36] Victoria Guilloit: Yeah. And it’s already a big list as you say, I’m lot going on right now. So Helen, in terms of the list, before we get into the, “how do you prepare ?”, is there anything else that you would add to Nora’s list of things that you need to think about in this situation?

[00:03:53] Helen Woollett: Thanks Victoria. Yeah, sure. There’s a very long list. I think, as a result of the EDP EDP be supplemental guidance as well, but I think what really helps is knowing your, IT and digital contracting environment. So if you have major IT and digital contracts that your business is dependent on, and those contracts are with particular countries, then understanding those contracts is a really good start.

[00:04:21] Also really understanding the nature of your data flows and where your Head Office or your data centers might be, because particularly as a result of Brexit and the changes in the way in which SCCs work and so forth and so forth it’s really helpful to understand your contracting environment and your data center environment. I will leave it at that as a start.

[00:04:47] Victoria Guilloit: Brilliant. Thanks so much, Helen. So perhaps Christopher, we can, we can just dig in a little bit more in terms of the steps in an organization can take to get adequately prepared because it just feels like there is so much to do. There are so many other priorities for a business, so there’s probably a lot that an organization needs to do, or in particular, those in roles such as yourselves, to make sure that this is the right place on the agenda.

[00:05:16] Christopher Schmidt: Yeah, absolutely. That’s true. And I think if there’s a short phrase it’s to be, be prepared, so be aware of what’s going on. Don’t sit and wait, even if we are nine months post Schrems II.

[00:05:27] So some time has passed, but DPA’s for example, but also in organizations in the production sector are not silent, are not just sitting and waiting as well.

So you better be prepared and watch out for them, what they’re going to do. We’ve seen that for Spain, if it just may add that as a starting point, we had one of the first fines under article 44 for article 44 for the Spanish entity of, I guess it’s a mobile phone provider. We will not disclose any name, but it was a partial fine, still 2 million Euro for not having transfer saveguards in place.

So this topic, which was long regard as, yeah, SCCs. It’s interesting, but it’s complicated but now it starts to get some teeth, so to say, so we need to be aware of what’s what’s going on.

[00:06:12] I recommend everyone data controllers as little or as complex as the business may be to start using and relying on the roadmap proposed by the EPB. We have this six step plan in the guidelines. Zero one 2020 proposing six rather detailed steps of how to conduct their internal assessments and how to get prepared in terms of Schrems II.

First and the most important point, we still seeing that since May, 2018 so for more than almost three years by now, is that businesses don’t really know where the data resides. So where they’re processing actually and if there’s contractors, sub-contractors or sub-sub-contractors.

[00:06:51] We’re processing something in a third country. “Oh, well, we didn’t know that. That’s interesting”. Well, you should have known that. That’s interesting too, to know for you and for your customers without subjects.

So do the whole assessment thing as it is asked from you conduct prior checks, get into preparing your records of processing activities in a fair manner, be transparent about what you’re doing, and then follow the further steps in assessing if such transfers out of the EU or the EEA can still take place. Which means you need to look at that country legislation in a very, very detailed manner.

[00:07:24]We have some tools online, even the essential guarantees guide that I created some times ago, so I’m trying to get some input from feedback for that, but you still need to look into that for the US you have lots of guidance, you have the CG judgment, you have reports from the congressional reports research service some days ago I think so there’s lots of on the U S laws, but on other jurisdictions, you may just lack that, but so you need to get into looking into further details of such third country laws. And then as a last step, look if there’s any supplementary measures you need to adopt.

That could be, as it is like in the talks at the moment, encryption, quantum safe encryption if such thing exists at the moment, but at least some fair encryption machines.

Take a look, not only at, okay, we got it encrypted, but what’s the cyber suite, like how is it encrypted? Is it encrypted in transit and at rest, and all these steps need to be looked at. And that takes absolutely that’s I think that’s fair to say the expertise of not just save experts, but have IT, forensic, counsel, et cetera. The whole bunch of experts to be, to be prepared and know what you can do and what it’s still legitimate and lawful.

[00:08:35] Victoria Guilloit: A lot of really, really good stuff in there and as just say I think the one really important point I heard at the end is it’s not just your responsibility.

[00:08:42] There were other people in the organization that can help you. And you know, back to your original point. Businesses should have been ideally doing this anyway. Because this isn’t anything new and it’s, it’s about actually knowing, you know, where data transfers exist, where your data actually resides in the first place.

[00:08:59] But, but nevertheless, it’s still quite a long list. And I can imagine that there are. Potentially members in our audience that are wearing more than one hats and have actually potentially you’re going to struggle to get this to the top of the agenda in their organization. Helen, can I kind of move to you around that in terms of, you know, can we, is there any way to simplify the, the preparation stage.

[00:09:25] Helen Woollett: Look, that’s a really, really hard question, I think because I think the, the trouble is that there’s no easy answer. There’s no simple answer or a silver bullet, as the EDPP said, the measures could be technical.

Contractual or organizational. So depending on the nature of the organization and the relationships that has with it, providers, you might decide that technical measures are going to really do the trick.

[00:09:53] And there’s an, a lot of emphasis on encryption and sending in the guidance. But I think the trouble is the guidance does oversimplify what the options might be. And a lot of organizations have a great array of options open to them. You know, you could do something really interesting in terms of access controls.

[00:10:14] You could do much more in the contract. I think one way as a simple approach is to really look at what your IT service providers are doing because some service providers are providing some very interesting solutions already, right? If you look out there in the market in terms of what they offer by way of technical solutions already for organizations, I think that’s a start, but it’s not the only answer.

[00:10:43] So organizations need to be sophisticated in their approach. They need to look at the issue in the round. I think the temptation with all of this is to sort of leap to a very simplistic. Approach and I think organizations have to be careful about that. The other thing I would say is I think like Christopher was inferring.

[00:11:06] That is very, very important to get your SCCs in place, because if you don’t have them in place, you’re not going to benefit from the new regime when it comes out on SCC’s where you’re given one year to update them. So if you don’t have anything in place, that’s much worse than having something based on the old model.

[00:11:26] And then once the new model comes in, you’ve got a year to update your SCC’s so I think it’s very important to get your SCC’s in place. Otherwise that’s about as simple as it gets.

[00:11:37] Victoria Guilloit: Thanks Helen, that’s great advice. And Nora, can we quickly hear from you in terms of, of how you’ve managed that. What does the preparation process look like for you?

[00:11:47] Nora Bensaid: Actually let’s just say, the earlier to be aware about our current contracts and DPIA’s in place, that’s very important to know how what kind of personal data transfer you, you made in your organization. That’s very important. Also identify safeguards already implemented. So in some cases it could be enough and you don’t have to implement additional measures I think. You have to identify two third countries involved in your data transfer depends your business.

So you have to, to be aware about that too. And I agree. We have to made in place our SCC’s that’s very important because if you don’t have anything, you have a lot of work to do to regularize the topics so that could be very difficult for an organization. And finally, I think we have to draft a kind of template to assess the suppliers, so importance, a transfer data or transfer impact assessment.

Yeah, I think it could be very, very interesting to have these kinds of templates because that’s a kind of documentation that focuses on the topic. So you have to know your transfer like say the decisions, so I think that that kind of documentation could be very helpful for us as DPOs of IT, security teams, legal teams that collaborative kind of tasks. So that’s my input.

[00:13:30] Victoria Guilloit: Excellent. Thanks, Nora. So I’ll just come back to you, Christopher, actually, because potentially is the TIA something that you thought about in terms of what does that document actually look like and what would that process actually entail?

[00:13:45] Christopher Schmidt: Well, yes. I might even be as bold as saying that we’ve been approached by creating such templates and clients asking for readiness in that regard.

So what kind of information to put in there? What level of detail of granularity to use in those documents. And what’s the deeper purpose or the real purpose of central documentation, because sure, it will help you identify where the lot is flooding, what type of a person’s data is being transferred as an order just to refer to. But it will also maybe help you to defend yourself and to get a sound defense strategy in terms of any finding procedure or court procedure that might see the day for any allegedly unlawful data transfer to third countries.

[00:14:31] So I think that’s the most important point that you need to put in there. We have some templates even freely available on the, on the internet, the CPL, for example, right. The posts, some approaches, you will find some bits and bytes, not much of detail, but some ideas, some stimulii in the PB guidelines from last year as well.

[00:14:49] So if you put these factors together, you assess the third country, you says your safeguards that you have in place, you try to weigh that in, into all the other aspects that may be. You try to look at the use cases, I think they are useful, even if that was a bit simplistic. I fully agree. I think Helen has a key point here that the guidelines are not the end of the story, but they need to start somewhere and craft something out of nowhere.

[00:15:12] So that’s where we’re standing right now. And I think it will develop in the following months as well. And if you, I think that’s the most, well, the most common cases are the use cases six and seven, which are the unlawful use cases from the guidelines. So the trends, certain cloud service providers requiring access to data in the clear and the seven is the remote access to data for business purposes.

[00:15:34] And if you can transform those unlawful use cases into something rather lawful, which could be use case number two, working with pseudonymized instead of clear personal data, that could be something, for example, at the end.

Not talking about technical safeguards, multi-party computation, homomorphic encryption, even if it’s still something very new and something that we’ll see, maybe in some months or years even. But that’s, I think are the most important steps to conduct and you put into your TIA, there is no specific form and I think the most important thing is to have something in place to be able to show that to a data protection authority, because having worked for such an authority myself, they will need to prove that the country you’re transfigured to is actually really a third country, which is not essentially equivalent in terms of data protection with the EU and EEA.

[00:16:22] That might be rather easy for some countries without specifying any such country right now. But I think there are countries where it becomes a bit more difficult and they will need to invest some power.

So the real risk of getting a fine, it’s getting hit on your fingers is not that high. If you take the steps and follow the flow as these questions and all these measures of just about to develop, you see the approaches and the new SCC’s that Helen referred to, we still don’t know how this behaves with article three, second paragraph, if these direct transfers still need SCC’s or other transfer mechanisms.

So there’s lots of legal questions still uncertain at the moment. We need to be clear about that, I think as well. So it’s a situation of regulatory upheaval, but I think people will get them the right direction if they don’t just sit and wait and say, okay, nothing will happen. I’ll just, I just wait, it’s not too important for me, I won’t be considered.

Just interestingly, last point, maybe we’ve got some companies in Germany who receive questionnaires on the issue of Schrems II, so questionnaires from data collection, authorities asking very precise and specific questions on what measures did you implement?

[00:17:29] What’s the data flows? Please provide a copy of your register, or your records of processing activities under article 30 GDPR. So get me the full bunch of documentation, show me what you did. And well, some companies just say, well, we, we look at the court’s decision we said, well, not really, not really relevant for us.

[00:17:45] I think that’s not just credible. So if you are a bit honest I think people need to see that you’re doing something and those questionnaires will be used, that’s for certain, the EDB and some DPA’s to my, well, I don’t know, I don’t understand their position, are reluctant on providing those questionnaires, but they will be used on a European level.

[00:18:06] So you will be prepared and you will know that one day, even your organization, no matter where you are in the EU or EA may receive such a questionnaire. In that case, I can only advise, be prepared, as I said.

[00:18:21] Victoria Guilloit: Now we’ve got a number of questions coming in and I was just, as you were talking about TIA’s I was thinking, oh, in the future, I wonder how that’s going to fit in with the DPRA, and I am sure , there’s a process integration piece coming. But there’s a lot coming in. So I am going to start and feel free to jump in, or I might ask one of you if that’s okay. So the first question is the key question for me for this session.

[00:18:46] Surely most of the time transfers are not restricted? IE article three applies. So SCC’s, do not add anything to the legislation. For example, no further safeguards are required. Does somebody want to pick that one up?

[00:19:02]Helen Woollett: [00:19:02] If I can start and then maybe the others will get onto this. So in relation to third party transfers outside Europe, the SCCs are required.

[00:19:13] So it’s not a question of whether they add anything or not to the law they’re required under the law. There also needs to be a legal basis for collection and transfer. So I think what’s important to note is that the SSC’s required in certain settings. Under the new SCCs, which are in the draft proposed by the commission, they certainly do add to the law.

[00:19:36] So I think it’s important to bear in mind that they add requirements and they’re significant requirements, not to be ignored. However, we don’t know how far those details on the requirements of going and in particular, in relation to liability, I think they reinforce the provisions of what is rememory article 82 in terms of ensuring that organizations take responsibility and accountability for their, their failings on data protection controls.

[00:20:07] So I’ll let the others also answer the question. Cause I think it’s a very involved question really.

[00:20:15] Christopher Schmidt: Oh, that’s just keep it short. I think it’s reasonable minds differ as the saying goes where the article three two requires at the moment, some transfer safeguards under articles, 44, et cetera, et cetera. The EU commission draft new SCCs would, I think, indicate that it is not the case, but we have the comments from the EDPB and the ED best.

[00:20:36] We hope, rather than direction, it’s not really clear, they use their kind of specific language instead of saying, Hey, it’s, it’s that way we decided it and we interpret the law in that sense. So the most thing I can say from my personal view at the moment and the guidance I’ve read, it is an open question, but in case of doubt, try to implement it where it is.

[00:20:55] The technical legal question that we have at this stage is the notion of processing under article four paragraph two, while you have the collection at one stage and the transfer at another. And if you say no, it’s a case of direct collection that wouldn’t be a legal basis some kind of transfer is it’s just a direct collection, but you can have, and just be perfectly entitled to hold the, the contrary view.

[00:21:19] So that’s just open at the moment.

[00:21:23] Victoria Guilloit: Thanks Christopher. I will move on if that’s okay to the next question, because we have so many, so I want to try and get through as many as possible. Okay. The next question is, how does precedent work in the EU? Will the decision of the French court be binding? Nora, would you like to join?

[00:21:39]Nora Bensaid: Yes. Sure. I think it’s about the decision of last week of their high in jurisdiction of France. I think the information, the important information from this decision, is that the French courts rule that both legal and technical measures were enough. In this use case. And I think it’s very interesting because I think we have to be, you know, pragmatic on this topic because the decision talked about yeah, additional measures are also supplementary measures, but we have to assess our transference so it could be okay.

It could be already okay. So we don’t have to implement a lot of additional measures. I think it could be not relevant and this decision, it’s very interesting because the completion with legal and technical that’s okay for this use case, but we can just extend to other use cases.

[00:22:43] Victoria Guilloit: So that’s my point. Thank you, Nora, Christopher,

[00:22:47] Christopher Schmidt: Just, just a short note that that was, I think if I’m not mistaken was a summary proceeding, so it’s not a finally bending decision. We don’t have precedent in the EU. I think that’s fair to say. It’s a very rather a principle, not belonging to our continental laws fair that we’re having in here.

[00:23:02]So case law is not binding. It may serve as a, as a kind of example, but it will not bind everyone with legally binding summary proceedings. And I was astonished to the level of detail, they looked into the transfer, they looked into the technical safeguards. So it’s up there to saying, okay, it’s US so it must be illegal, but they took a rather detailed view in summary proceedings.

So that’s, I think necessitates, you need to be able to provide that level of information to the court, to any DPA or in any proceeding. So that’s just underlining what we said before.

[00:23:40] Nora Bensaid: Yeah. The point is to say that’s yes, that’s just a decision.

[00:23:43] That’s just a French decision, but that’s very important for our expertise to have this kind of example where the safeguards are already implemented, are enough in this use case.

[00:23:56] So that’s it.

[00:23:59] Victoria Guilloit: Thank you both. And perhaps this one for you, Helen can you give some examples of supplementary measures please?

[00:24:07] Helen Woollett: Well, the EDPB does speak a lot about encryption but that is a technical measure. So supplemental measures can be either technical organizations, contract or contractual, as I’ve said before. And I think a very good supplemental measure is, you know, really good access controls. So the thing, I think that’s labored in the EDPB guidance is this emphasis on encryption and where the keys are stored and so forth.

[00:24:38] But there are many other supplemental measures that are technical, that could be applied, which are in some respects, more effective. So are, there are many, many different kinds of technical controls that organizations can apply. And then the other area that’s definitely worth examining is looking really closely at the contract to determine the scope of work of the services, because the services will dictate the kind of contractual measures that might be put in place.

[00:25:10] And certainly there are various contractual measures that can be put in place such as reviews or audits, controls in a more sort of managerial organizational sense that could be done as well.

[00:25:26] Victoria Guilloit: Excellent. Thanks so much, Helen. That was really good and really helpful. I think there’s a comprehensive answer.

[00:25:33] So I’m going to move on to question four, if that’s okay with everyone, because we’ve still got quite a number. So how can an SME building a multi-region footprint know what impact Schrems will have on GDPR and whatever the privacy shield.

[00:25:48] Ultimately be. I see you nodding Christopher. So I’m going to ask you.

[00:25:53] Christopher Schmidt: Oh, that’s a massive one, right?

[00:25:54] I mean, it’s up to SME’s and even the global players, having their massive legal, technical IT whatever teams are struggling with that. So sit back, not relaxed, but sit back, take a deep breath and then start working. Because you’ve got no other choice, basically. So to say, so the multi region footprint, so to start, I think, is to identify the data flows that are business critical start by these because you need these just to get on working and get the economics flow especially in these times of an ongoing pandemic.

[00:26:26] So you still need to look at the economic impacts of, of such decisions, just cutting the cables. But yes, you will need to look at those jurisdictions and maybe you get some inspiration from either tools. I mentioned the essential guarantees guide that I’m hosting, but I think there are other resources as well.

[00:26:39] And try to look where you may have some problems where you may require further help and assistance, and which other transfers you may do. And even try to look, if you can take some things back into Europe, if that’s possible. I mean, some solutions can be self hosted.

So why we go to anything that is in a cloud on I don’t know, a third country basis, which can be done as well is perfectly good in Europe as well. So that I think is important on the privacy shield I wouldn’t allow myself to just defer to, I think it’s Thursday, so the 25th, we have a panel on here as well on 3:45 GMT on the US privacy shield talks and future. So well tune in on Thursday, I might to say.

[00:27:21] Victoria Guilloit: That’s really helpful, Christopher, thank you. Okay. Perhaps this one, but to Nora, how likely is it that the EU will determine that the UK doesn’t provide adequate data protection? Some thoughts on that?

[00:27:39] Helen Woollett: I can do that if you want it. So the UK government has negotiated a draft agreement with EU Commission and that draft agreement needs to go through the common tology process. It’s hard to tell or judge the likelihood, I haven’t read any pronouncements on the likelihood of it being agreed through that process. But I think we would be surprised if there wasn’t commitment at a political level to get it agreed.

We have about six months for that process to occur. And to just go back to the original comment I was making about SCCs in response to Christopher’s comments. The point I’m making about SCCs and it relates to the previous question, is that SCCs are a common form of transfer mechanism.

[00:28:30] It’s one of the main tools that organizations use. So everybody has to realize that now, one of the only solutions is SCC’s, unless you, in a small number of cases, have adequacy. Organizations can’t rely on the privacy shield and they’re therefore under schrems II they have to use SCC’s plus adopt these additional measures.

[00:28:56] You can’t really, as an organization, rely on one-off transfers or some of the other provisions in the GDPR EU and UK GDPR. So what we’re faced with here, and I think this is the important thing for everybody to bear in mind is we’re all faced as organizations with a very limited number of options. Those being SSC’s and the repapering of those SCC’s.

[00:29:18] When it’s clear what they’re going to look like, both from a UK perspective and a EU perspective. So what we’re all doing is waiting to see whether the SCCs will take a different format. If we’re all based in Europe and the UK. And then once that becomes more apparent, I think organizations will take more steps to reinforce the environment they have to protect data transfers. Thanks

[00:29:46] Victoria Guilloit: Helen. Yeah, absolutely. I think that’s, that’s key here. And we’ve got a question for Christopher specifically next actually. It says Christopher, similar to GDPR, where can we find the six steps that you referred to? I think that was earlier on preparation.

[00:30:03] Christopher Schmidt: I think that’s just an easy one, a short one, if you https://edpb.europa.eu/our-work-tools we’re guidelines zero one 2020, and will find that I think on the first couple of pages, you have the six step roadmap from the EDPB. So, use that. And they do as, as we have the done with statement from the CGU as well, the 49 exceptions.

We don’t know yet if those derrogations will be applicable and to what extent, but he had some very, a fabulous comment saying, well, I wouldn’t see that narrow. I wouldn’t say that those transfers contact plays. We had that last paragraph in Schrems II it might still be possible. No one really knows what that means has been discussions on going over the last weeks. But it’s interesting to see in that system, we are in a situation where things change from one week to another.

[00:30:47] And as long as I think, organizations are willing to, to keep that on the agenda and say, okay, we will watch that issue. And not just say it’s, it’s complicated. We’ll never, it will never work, but say, Hey, we’ll, we’ll follow the information flow and then try to be upfront with it. I think they’re good to go.

[00:31:05] Victoria Guilloit: Excellent. Thanks very much, Christopher. And I think this, this is an opinion really, and I think all of you might want to comment on this one. So do you see international data sharing, reduced as a result of Schrems II and restrictions across the world. Does somebody want to take that?

[00:31:22] Nora Bensaid: Yeah, I can take that. From my point of view, no, I think that’s the occasion to focus on maybe security measures to extend the enforcement of GDPR all over the world. And maybe about you know, the get fam businesses to be more interested on privacy, on security and yeah, that’s a lot of monitoring topics with this decision.

[00:31:53] But from my side, I don’t think that could be reduced, the data sharing because data sharing is already in place. All over the world the data transfer are ongoing. So it’s very difficult to stop this kind of activities, but I think that’s a really location to focus on security and privacy.

[00:32:17] Victoria Guilloit: Excellent. Thanks Nora. Helen or Christopher, did you have an opinion on that one before we move on?

[00:32:21]Helen Woollett: Just to say, I think that the IT industry as a whole is very dynamic in how it answers some of these regulatory conundrums. And I think that. We’re learning as you know, in various industries to adapt to the changing circumstances much more quickly than we would have previously.

[00:32:44] So I think gradually we’re becoming more adaptable, and that means that it may not necessarily instances data flows, you know?

[00:32:56] Victoria Guilloit: Excellent. Thanks very much. Both of you, Nora and Helen for that one. Next question. In what instances would you suggest that SCCs are not used please? Christopher, maybe you’d like to try response to that one?

[00:33:09] Christopher Schmidt: In cases where it’s either not necessary or unlawful, easy question, easy answer. No, well I think idea of it is a bit more difficult, but well, if you have VCRs for example binding corporate rules, if you already tried to get a certification, which can be as a mechanism as well under 46 GDPR, for example, if you think that your transfer is limited to just one or two occasions, and there is a vital interest in doing so.

[00:33:34] In the, one of the derogations and 49 GDPR. Well, that might still work. There’s no need to refer to the SCCs. And when referring to the SCC you’ll need to have your transfer impact assessment, ready to say, well, we looked into that because as the courts, they are still valid, you can still refer to them or make use of them to accompany the transfer of personal chair, third country.

[00:33:54] But you need to look at the consequences if there’s guarantees on it, circumvented by domestic law in any third country.

[00:34:01] Victoria Guilloit: Okay. So some fairly substantial SaaS providers in the UK with a US base or sub-processes make it very difficult or unclear about their UK, US transfers in light of the ruling. They also provide SCCs of their own DPA’s, neither of which are robust enough. Apologies. It’s a long question. How do you legislate for providers not helping this situation?

[00:34:27] It’s a good question. Would anybody like to try and picking that one up, Helen?

[00:34:31]Helen Woollett: I think that the, so it is a very interesting question, I think you’ve always got a choice to go to a different provider. So the first thing I would say is nobody’s stuck these days with limited choice on providers.

[00:34:45] And also the other important point to make is that you must ask your providers more questions about their service provision and if they don’t answer or they can’t satisfy you then I think that speaks for itself. So it’s very, very important to do your due diligence on the provider and make an assessment for yourself as an organization, whether that satisfies the controls that you require of your providers.

[00:35:14] Victoria Guilloit: Yeah, great response Helen thank you. And we’ve got to, we’ve got a few questions due in about five minutes, so hopefully we can get through three or four more. When can we expect the alternative instruments for international transfers of personal data or the review of the existing standard contractual clauses?

[00:35:31]Christopher, would you like to pick that one up?

[00:35:34] Christopher Schmidt: Well, yeah, I think the, the EU commission is still, is still in the process of reviewing all of these instruments and there’s something else in the pipeline, but not yet seeing the day. It’s hard to say what we will see what actually we’ve got the one year timeframe or the one year kind of shifting period from the old SCC’S to new ones.

[00:35:51]For the privacy shield, they were much more pessimistic. I think it was, I’m not sure, was it somebody from the commission just saying it will take several years. If nothing changes on the US side, if ever we have something going on and, and align us to put up a new kind of privacy shield. So I wouldn’t once again, sit and wait for those new transfer instruments, because it is fairly complicated.

[00:36:14] So everyone needs to stop at itself and look at the possibilities that are presenting in the respect situation. And not just wait for the year commission. I think providing a timeline, we’re not the right audience to do so, I think Brussels may know that, but I think even they are not 100% sure when something will see the day, because things are generally change and you will see that in the press as well.

[00:36:37] So we’re waiting for it as well, but there’s still something to do at the moment.

[00:36:42] Victoria Guilloit: Great. Thanks, Christopher. On this one to you, Nora, do you agree with those that say that the use of us owned cloud hosting platforms is not compliant with the GDPR in light of Shrems II? Even if the data is hosted within the EU?

[00:36:58]Nora Bensaid: I don’t think we can just say it’s a cloud hosting, so that’s not compliant with Schrems II, and if the data is hosted within EU I think you have to assess this provider to see what is hosted, what is in cloud, what is in EU. And also we have to, to know if there is effective data transfer between EU and US, and the decision from French was about this because that’s the provider was located in the US and but there is no personal data transfers.

[00:37:40] So that’s not a question. So my answer is to assess all the cycle of the data, where all the data were all located. If there is. Any transfer effectively. But not just say, ah, that’s US so that’s not you know, comply with Schrems II. We have to to make some you know, deeply assessment on the use case.

[00:38:05] Helen Woollett: Yeah, sorry. I was just gonna say Victoria on that point, I think per se, just because it’s a cloud provision, it doesn’t mean it’s non-compliant. I think this idea that seems to be floating around in the cloud, is that cloud service provision is inherently risky. And I don’t, I don’t necessarily agree with that from a personal perspective.

[00:38:26] But I think it also means that you need to understand, like go back to the original point that I think we’re all making. You just need to understand your service provision model, understand what it means from a risk and control perspective, and then make some really informed decisions about how you do your IT service provision.

[00:38:43]There is nothing inherently wrong or risky with cloud. It’s just a question of how you, you know, how you manage your risk and control.

[00:38:55] Victoria Guilloit: Excellent. Thanks. Thanks very much, Helen. I think we’ve got time for just one last question before a few sort of closing remarks from you. So the last question, I think I’m going to ask this to Christopher.

[00:39:05] Can you be sued retrospectively for non-compliance?

[00:39:09] Christopher Schmidt: Okay. Well, there are some cases, in some case law, rather recent case law, even in Germany, we had that case and a very interesting situation still going on at the regional court of Berlin and the Berlin DPA trying to sue. It was an attempt because it was obvious that it would not work.

[00:39:26] And I’m a bit astonished about the level of noncompliance, so to say, from the DPA in Berlin, they’re facing much criticism at these days, but it’s totally justified I’d say, because they try to do just that they try to retroactively or retrospectively say you did something wrong. It was before the full applicability of the GDPR.

[00:39:45] But still it’s some kind of ongoing violation. So you get some hefty fine and well, it didn’t work out. So I think that will not work. And I think we need to, even if I invoke the term fine it’s like the, the, the buzzword for the GPR fine. Right. Okay. Everyone’s on. But I think maybe DPA’s was a bit more reasonable in that case.

Would not already take the incident of a five would rather look into it. If you can get the transfer in a compliant manner, or if that doesn’t work at all or to you to stop or to limit, to put a ban on a transfer, which is also rather cruel instrument for some controllers.

So being sued retrospectively for non-compliance, it depends much on the use of the case when it’s happened, if that’s an ongoing infraction or something. So in general terms, there are limitations to that concept and I would not necessarily already refer to the fines. And in that case, if there are some problematic, so to say, I might say, just seek the help of a lawyer that might help.

[00:40:42] Victoria Guilloit: Excellent. Thank you so much, Christopher. And I’m sorry, but we’re out of time and there were some great questions, so I’m sorry if we didn’t get to yours, but our panelists has been absolutely fantastic with a wealth of great information and we’ve got some really good questions coming through. You know, for me, the summary, there is, there is a lot of advice and guidance out there.

[00:41:01] Yes, there’s a lot to do, but everyone needs to be prepared to some degree. Pragmatism is key. And it’s a holistic approach. It’s not just about technology. It’s also about organization. There’s a lot to do with your contracts, but ultimately organizations need to understand what is happening in regards to data transfers regardless of this decision.

[00:41:22] So, yeah, just be prepared. And I’d like to say thank you again to our panelists. That was a really great session.

[00:41:33] Christopher Schmidt: Thank you Victoria, thank you for hosting.

[00:41:34] Nora Bensaid: Thank you.

[00:41:34] Helen Woollett: Thank you.

[00:41:34] Victoria Guilloit: My pleasure. And I believe we’re going back to Dan

[00:41:45] Dan Raywood: Yep. Thank you very much. Thanks very much to Victoria for the panel and for the panelists. Just a reminder you can visit the GRC world forum page by the left-hand menu and register your interest for their new initiatives, which includes the GRC red flag series with Michael Rasmuson.

This is a monthly 90 minute digital event that identify and debate the current and future critical risks, and regulatory changes that can impact businesses. So for those of you interested in compliance, obviously what we’ve just been learning about hopefully that is of interest to you. I, I’m about to call time on my chairing this morning.

[00:42:16] Just a quick reminder again, to thank our headline sponsors who are one trust and Microsoft, and I’m delighted to be handing over for the afternoon now to Steve Wright, who is partner at privacy culture, who will be anchoring for the rest of the day.

[00:42:28] So Steve, best of luck. Thanks everybody for watching this morning and enjoy the rest of your day.