Schrems II in Proteus® NextGen Data Privacy™
Proteus® NextGen Data Privacy™ is able to make this task easy for you. Automated workflow ensures that case-by-case TIAs are conducted and the associated risks are assessed. Suitable SCCs are then produced for electronic (or manual if you prefer) signoff. This solution is available as a stand-alone capability for organisations whose existing data privacy system is unable to address the new requirements brought about be the Schrems II ruling. Existing users of Proteus® NextGen Data Privacy™ have this new capability included with immediate effect at no additional cost.
Implications of the judgement
As a result of The Court of Justice of the European Union decision on 16th July 2020 (case C-311/18), the previously much relied on EU-U.S. Privacy Shield is no longer a valid adequacy instrument to enable personal data transfers from the EU to the U.S. because U.S. state surveillance powers are excessive. Relationships where third parties export personal data should be reviewed on a case-by-case basis by undertaking Transfer Impact Assessments (TIAs) and then additional measures, likely to include revised Standard Contractual Clauses (SSCs), should be introduced.
There are some practical points that arise from this judgement:
- The EU-U.S. Privacy Shield may no longer be relied upon as the basis for transfer of personal data from the EU to the US. New solutions are required, which will likely include putting SCCs in place.
- SCCs remain valid; however, the underlying transfer must be assessed on a case-by-case basis to determine whether the personal data will be adequately protected (e.g. from potential access by law enforcement or national security agencies). This assessment is becoming known as a Transfer Impact Assessment (TIA) and, unless automated, will be burdensome for small organisations and large ones making hundreds/thousands of transfers.
- The EU Commission is expected to issue updated SCCs to incorporate the TIAs. These will be incorporated into Proteus NextGen as soon as they are available ensuring the earliest possible compliance for organisations that have completed the TIAs.
- The UK’s position following the Brexit transition period will potentially become more complex as the adequacy findings may result in EU businesses having to consider the effect of the UK government’s surveillance powers (e.g. Investigatory Powers Act 2016). Note all Proteus NextGen data is hosted on servers based in the EU.
The TIA should cover:
- The data exporter must verify “on a case-by-case basis” what protections apply
- What personal data is being transferred? How sensitive is it? How much is in the public domain?
- Where did that personal data originate?
- What technical measures are used to protect that data? For example, where customer managed encryption keys are used, the ability of third country authorities to access that data will necessarily be limited.
- What national laws apply in that jurisdiction? How are they exercised in practice? How likely are they to be exercised in relation to the particular personal data transfer?
Automatic Schrems II contracts
Transfer Impact Assessments (TIAs)
How Proteus® NextGen can help automate Schrems II
Proteus NextGen is enterprise software that already audits third parties for everything required by the new TIAs, thereby providing the case-by-case assessment required by the Schrems II ruling.
Hosted in the EU as a SaaS platform, systems can be provisioned within half a day if required. Import your third-party vendor list. Issue the preconfigured surveys which incorporate a full TIA. These are automatically risk assessed to enable easy prioritization of activity. Produce new SCC contracts automatically including appropriate standard clauses, relevant country clauses, adequacy statements and sdetails of processing activity. Automated sign off completes the process. Easy ongoing review in subsequent years. It couldn't be easier!