Everything you need to know about third country data transfers

For any business dealing with data transfers outside of the EEA, July 16th, 2020, is a significant and undoubtedly problematic date.

Without the right tools, knowledge, and practices in place, keeping large volumes of potentially sensitive data safe and compliant under GDPR can already be an undeniably complex process. However, after the infamous July 2020 “Schrems II” ruling by the Court of Justice of the EU (CJEU), this process became even trickier for any organization with personal data operations in ‘third countries’ – such as the US. 

Despite the release of post-Schrems II statements and guidelines, many in the US, EU, and the UK are struggling to put the far-reaching implications of the CJEU’s judgment into practice, leading to a high level of confusion and potentially risky interpretations.  

Whether you’ve never heard of Max Schrems before or are looking for tips to better protect your organization’s data, in our below guide, we run through everything you need to know about third country data transfers in 2021, including:

  • What exactly is Schrems II? A brief overview.
  • What are some examples of third-country data transfers?
  • Why are some businesses finding third-country transfers problematic?
  • What steps should businesses take to improve third country data transfers?

What exactly in Schrems II? A brief overview.

Schrems II all started with a business that is no stranger to making global headlines concerning data: Facebook. 

In 2013, privacy activist Max Schrems filed a complaint with the Irish Data Protection Commissioner, arguing the transfer of his personal data from Facebook’s legal premises in Ireland to Facebook Inc. in the US breached the EU-US Safe Harbour

The Safe Harbour had previously enabled free data flow between the EU and the US. However, Schrems took issue with the fact that under the US Foreign Intelligence Surveillance Act (FISA), the US National Security Agency has the right to access any data entering the country, including information belonging to non-US citizens.  

Schrems won his legal case, and in October 2015, the CJEU declared the Safe Harbour invalid. In response, Facebook challenged the ruling, citing their reliance on EU’s Standard Contract Clauses for best practice data protection. After the Irish DPC rejected Facebook’s latest case, Facebook invoked the infamous EU-USA Privacy Shield

Replacing the defunct Safe Harbour, The Privacy Shield (designed by the US Department of Commerce and the European Commission and Swiss Administration) once again legalized personal data transfers across the Atlantic. The Privacy Shield quickly became a common framework for any company transferring data to any third country. 

That was until Schrems round two, when the CJEU ruled the Privacy Shield invalid on July 16th, 2020. Under GDPR set out in Chapter V (Articles 44 to 50), personal data transfers from the EU to a third country (aka any country other than an EU member state and the three EEA countries -Norway, Iceland, and Liechtenstein) were now illegal if they used the Privacy Shield or solely relied on SCCs for compliance. 

Companies were now ordered to apply an ‘adequate level of protection’ and take additional steps to guarantee data is as safe and compliant in a third country as it is in the EU. With most major tech and communication companies based in the US, Schrems II has had major implications for thousands of businesses in the US, EU and UK (which has only recently been spared potential further disruption by a new EDPB official opinion).

What are some examples of third-country data transfers?

The Schrems II ruling sent such big shockwaves through the GDPR world due to the wide spectrum of data scenarios now considered third country data transfers. Essentially, irrelevant of size or sensitivity, any data transfer from the EU to a third country is affected by the July law. 

Here are a few examples of what is considered a third country data transfer:

  • An EU sales division uses a CRM service based in the United States. The EU company sends data to the CRM provider, who can then view and process data, such as client contact details, the status of a sales pipeline, and records of recent conversations with prospects.
  • An EU business uses the company’s centralized human resources provider in its Australian office. For a new round of hires, the company sends information about candidates and the interview process to the Australian service.
  • An EU marketing company uses a US-based email marketing vendor to distribute company newsletters to their employees or customer database. The organization sends on personal data such as names, email addresses, and demographics to the service to create, segment, and distribute its newsletters.

In all these scenarios, data is leaving the EU to be processed or used in a third country, meaning post-Schrems II data measures need to be applied.

It is important to note that the ICO raises the point that “a transfer is not the same as a transit.” According to the ICO,  if personal data is routed through a non-EU country, but that information is sent from one EU business to another (with no interference from a third country), you do not have to implement additional transfer protocols.

Why are some businesses finding third-country transfers problematic?

Despite the release of a series of guidelines from EU institutions concerning how new ‘adequate levels of protection’ can be achieved, for many businesses, there is still much confusion around the July 2020 ruling. 

Complyon’s GDPR and Compliance specialist, Alexandra Sigursteinsdóttir, explains further:

“Under Schrems II, there are all these different points that a company needs to be able to live up to, and some are much harder to demonstrate than others. One major example is that a third country cannot put your information at a larger risk than if it were under the EU’s protection.
In reality, this concept of equal protection is almost impossible if you’re talking about data transfers to the US. American authorities are entitled to view that data in line with anti-terrorism policies, and therefore, data is automatically categorized as more at risk.

But with so many companies based in the US, particularly in marketing and communications such as Hubspot, Google, Mailchimp, and Salesforce, European businesses can’t simply stop working with them, especially if they have no viable EU alternative.”

As Alexandra points out, the fact that EU-US personal data transfers are technically forbidden isn’t the only issue facing many European businesses:

“Most people have got the theoretical part right. So, step one, assess the country you’re going to be sending data to. Step two, assess the actual data transfer (for example, what kinds of data is it and who are you sending it to?). Step three, ask yourself if you can do anything additional to ensure that people’s data is safe such as data minimization, pseudonymization, and anonymization. They also know to follow issued guidelines from the EDPB on transfer tools and to take any supplementary measures if required.

However, applying this theory is much more complex. Within the market, a lot of people have read the rules and realize if they have to apply these additional measures to every single data transfer their company does, it’s an incredible amount of work. 

Imagine you’re buying a service that requires you to send data outside of the EU, such as sending out emails or daily newsletters via a US vendor; you’d spend all of your time simply assessing data scenarios and implementing data protection policies rather than getting on with your workload.

As it’s impractical, and in most cases impossible, to make a data assessment for every single data transfer, many people are essentially at a stage where they’re defending their data practices by making regular rather than individual assessments. 

But one company’s definition of a regular assessment will differ from another’s – for some, a regular basis is once a week; for others, it’s a month or every half year. Then, there’s the question around frequency and the nature of data being transferred. Does the frequency of assessments change with data that’s more sensitive or voluminous? 

What’s becoming clear is that Schrems II has led to a huge variation of processes and opinions, with no clear understanding of the best way to put theory into practice.”

What steps should businesses take to improve third country data transfers?

While the confusion surrounding how to safely and legally transfer information to third countries may sound daunting, it’s helpful to remember that a business is yet to be penalized for third country data activity. Most companies might not be getting it right, but they’re also not being punished for doing so.

This said, a lack of GDPR fines around third country data isn’t a free pass to treat data as you would under the Privacy Shield. As the situation evolves, there is no doubt that firmer regulations will come into play, and businesses with solid foundations and processes will find it much easier to transition to new compliance measures. 

If you’re looking to start improving or implementing best practice policies around third country data transfers, Alexandra shares her top four tips below:

1. Assess your third country’s data laws thoroughly and regularly.

“Start by assessing the country you intend to transfer your data to, so you have a very good overview of the laws and regulations in place around data protection. Then you can make a call on how safe your transfer is and the protection measures you need to take.

Make assessing the third country’s data laws and regulations a constant process. If a new law comes along, you don’t want to be asleep in class and miss out on a ruling that finds you in breach of an important clause.”

2. Get data mapping

“After you assess the country you’re transferring to, you need to assess the specific transfer itself. To do this, you need to have a robust data mapping process in place to give you a full picture of the data you’re dealing with. This oversight allows for more effective data minimization, helping you work out if you can scale down a transfer, reducing compliance issues.

Data mapping also helps you work out if you’re dealing with any particularly sensitive data and identify if additional steps are necessary to protect that data in its transfer.”

3. Apply additional security measures

“Where sensitive data has been detected, apply the appropriate level of supplementary security measures – whether that’s encryption, pseudonymization, or anonymization.

In the case that there is a breach or interception, you want to make it as hard as possible for someone to detect the person behind your data. Can you give your data subjects an ID number instead of a name, for instance, or double encrypt your dataset, so the recipient needs an encryption key to access your information?”

4. If in doubt, onboard a GDPR consult

“GDPR can be complex and requires businesses to be completely up-to-date with the latest rules and regulations in third countries and the EU. Having a specialist to hand also gives you peace of mind that you’re always compliant with the latest industry ruling.

An external GDPR consultant can help you work out the best approach for your business. For example, I often see companies over-investing in unnecessary risk assessments when they simply need to have a more structured data mapping process in place that would save them time and money.

I’ve heard many people describe it as though they feel like they’re drowning in data, rules, and processes sometimes, which is never good. A GDPR consultant can help take away that stress by streamlining your operations while optimising compliance.”

If you’d like to learn more about how Complyon’s expert GDPR consultants can assist your team or would like to discuss the benefits of our data mapping software, we’d love to talk. Simply contact us here, and we’ll be in touch.