A fascinating panel at the PrivSec Global conference looked at how individual courts and regulators have responded to the Schrems II decision on international transfers of personal data. That decision, and the subsequent guidance from the European Data Protection Board, aimed to establish a consistent regime for transferring personal data from the EEA to external countries. However, individual regulators now seem to be applying the case in ways that reflect particular local circumstances, such as the existence of functionally equivalent alternatives or the sentiment of local populations towards transfers (in particular to the US). That may be good for avoiding a complete breakdown in personal data flows, but such divergence doesn’t help organisations trying to work out what they need to do, either as exporters or importers.
Although Schrems II stressed that exports might be possible, based on an assessment of risk, the EDPB guidance sets a very high standard. In effect it permits only exports for encrypted storage and technically arcane forms of processing. Exports to most normal data handling services are essentially prohibited. Individual regulators do, however, seem to be returning to the risk-based idea: asking what the risk to data subjects is of transferring that data to that organisation for that purpose. As a per-instance assessment, this is still onerous: perhaps something that large corporate law teams can do, but unlikely to be feasible for a start-up. Even the corporates may be pointing out that this is the third export regime in a decade with, at least in the case of exports to the UK, every possibility of another one within four years. Worryingly, they may be tempted to consider corporate risk – will we get caught and how much will it cost – rather than the risk to data subjects.
This is made worse by the fact that the main risk that Schrems II focused on – compelled access by foreign security services – may be unknowable, certainly to foreign exporters, and quite possibly to local importers as well. Until or unless regulators start providing, at least, baseline per-country or per-sector opinions, the best option seems to be for exporters and importers to collaborate to make a reasoned assessment. This should include not only differences in law (exports to a bank may well have more legal protection than those to a technology company) but also in practice (a dating site may have a different level of law enforcement interest to one dedicated to professional networking). The good news is that, as far as the panel were aware, regulators’ actions have not yet gone beyond warnings and – admittedly short notice – orders to cease transfers. In a world where even regulators seem uncertain, exporters and importers who do their best to assess the risks and document their decisions may hope they will not suffer worse than these.