
Schrems II: SCCs plus… what?

The recent Schrems II decision on Standard Contractual Clauses found that, in some situations, data exporters and importers might need to agree additional measures beyond just relying on SCCs. While we’re waiting for the Information Commissioner and EDPB to give more detailed advice on which situations and which measures, here are some themes I’ve spotted in articles and webinars:

  • Those additional measures can’t be contractual in nature, because the problem identified in Schrems II was that the US Government was not bound by any contract that a US organisation might enter into;
  • The concern still seems to be with personal data that is physically moved to the US, not merely put within the technical reach of US companies. The laws quoted in paragraphs 60-63 of the judgment as giving the US Government power to access data despite contractual protection appear to be limited to particular physical locations;
  • Additional measures could be in the form of laws of the foreign state, since these could bind that state’s Governmental authorities. Interestingly the judgment mentions GDPR Article 45(2)(a), which covers “both general and sectoral” laws as something that should be taken into account in an adequacy decision or, now, what I’m thinking of as an SCCplus discussion. Since the US does have a sectoral privacy law covering educational institutions – the Family Educational Rights and Privacy Act (FERPA) – this might be something to discuss with the recipient if you are exporting to a US university or college;
  • Additional measures could be technological, if they protect against the foreign Government’s legal powers. Encryption has been mentioned as an option. This clearly works best if the exporting organisation controls the encryption throughout, for example if storing encrypted backups on an IaaS cloud server;
  • But, as far as I can see, there’s no requirement for a single measure to cover the whole transfer of data. So, for example, you might argue sufficient protection was provided by a hybrid solution that used encryption to technically protect data as it flowed over public networks into (and back from) an enclave that was protected by law.

I’ll update this post as and when there’s any more detailed guidance from regulators.

[UPDATE: not from Regulators, but Chris Pounder has posted a helpful summary of how we used to think about transfers under the 1998 Act. This may be relevant once again]

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
