On May 22, 2023, the Irish Data Protection Commission (DPC) announced that it had issued a decision to fine a social media company €1.2 billion for violations of the GDPR’s Article 46(1) – providing appropriate safeguards in the absence of an EU adequacy decision when transferring personal data to a third country or international organization – and giving them six months to cease unlawfully processing and transferring the personal data of its EU/EEA users in the US.
The decision is the latest chapter in the ongoing data transfer issue that stems back to the Snowden Revelations in 2013 and more recently the CJEU’s decision in the Schrems II case. In this instance, the social media company made transfers of personal data from its EU headquarters to its US-based counterpart on the basis of a processing agreement that included the European Commission’s revised Standard Contractual Clauses (SCCs) and a Transfer Impact Assessment (TIA). However, the DPC deemed that the SCCs and supplementary measures implemented were insufficient to bring the level of data protection afforded to affected EU individuals to an essentially equivalent level to that found in the EU, given obligations under the Foreign Intelligence Surveillance Act (FISA), and other US surveillance laws.
Owing to the ubiquity of the use of the Commission’s revised SCCs to make trans-Atlantic data transfers post-Schrems II and the lack of an adequate transfer framework, the DPC’s decision leaves several unanswered questions around the lawfulness of EU-US transfers moving forward and how organizations can approach their ongoing transfers in light of this decision.
Practical steps for tackling data transfers post-DPC ruling
The Schrems II decision and subsequent fallout made EU-US data transfers a complicated space for organizations to navigate, and now the DPC’s recent ruling has cast fresh doubt over the effectiveness of the Commission’s revised SCCs in practice – a mechanism that most organizations will have been relying on since the invalidation of the Privacy Shield. While it is still unclear how the practical application of the DPC’s decision will impact organizations beyond those implicated in the case, there are several steps you can take in light of this uncertainty to ensure you are putting yourself in the best possible position for ongoing international data transfers and that you are ensuring the greatest possible protection of personal data when it is moved across borders.
Map your data transfers and understand their risks
Data mapping is an essential foundation for any privacy program, but if you are yet to undertake a data mapping exercise or your data map is outdated, now is the time to develop a greater understanding of your processing activities and keep this information up to date and evergreen so you can confidently rely on it. Specifically, through the lens of understanding your data transfers, you should pay particular attention to mapping where your personal data is hosted, how it flows to and from which countries, and what safeguards you currently have in place. Having a holistic and well-rounded understanding of your data transfers will allow you to scrutinize them further by prioritizing the areas of high risk and taking appropriate action to mitigate them.
When evaluating what the areas for high risk associated with your data transfers are, you should consider:
- The volume and sensitivity of personal data
- Is it a large volume of data?
- Does it include special category data?
- What countries are involved?
- Is there an EU adequacy decision in place?
- Are you relying on other safeguards (such as international treaties)?
- Do you have a clear understanding of how data is used throughout the supply chain?
- Are there any technical controls in place for the transfer protection?
The majority of risks highlighted in the DPC’s decision can be identified through conducting a thorough TIA and assessing the legal system in the third-country destination. Once you properly identify what risks actually make the transfer 'risky', you can focus on mitigating those risks which can be managed through technical measures, governance, and access controls. While a risk-based approach to data transfers won’t necessarily fully address US surveillance risk or satisfy EU regulators, understanding high-risk processes is a first step toward implementing additional measures that better protects the personal data of individuals in the EU from foreign government access.
Audit data transfers that are reliant on SCCs.
One of the most potentially impactful outcomes of this decision is the uncertainty over the viability of SCCs as an effective transfer measure considering the applicability of US surveillance laws and government access in other third countries. This is likely to affect most organizations, even if they are relying on the Commission's revised SCCs, meaning that data transfers that are reliant upon SCCs should be fully audited to understand the extent to which they offer appropriate levels of protection to the personal data concerned. Looking back at your data map should give you visibility into the data flows at play from which you can establish the scenarios where SCCs are being used and, using the result from your TIA, understand their effectiveness given the practical application of surveillance and access laws in third countries.
Given the outcome of the DPC’s recent decision, it is likely you will also need to conduct a thorough review of the supplementary measures listed within the SCCs and whether they are sufficient in the content of the data transfer. It is equally important to determine whether they have been effectively implemented downstream and whether vendors and subprocessors are actually meeting the commitments set out within the SCCs.
Identify opportunities to limit exposure to data transfer risk
Engaging different process owners from across your organization is another step you can take to identify and limit the potential risks associated with your data transfers. For instance, governance teams can help to develop and implement data localization policies to mitigate the risks posed by third countries. Alternatively, Privacy Enhancing Technologies such as anonymization, encryption, or pseudonymization, and other privacy strategies such as access controls or data minimization can be effective in reducing the scope of data being transferred. In short, if a US-based business cannot access the personal elements of the data being transferred, it would likely make the transfer more secure.
Some measures for limiting risk exposure to your personal data that should be considered include:
- End-to-end or Bring Your Own Key (BYOK) encryption
- Data localization policies
- Practicing data minimization
- Differential privacy
- Transparency reports
- Data obfuscation and various pseudonymization strategies
Be proactive to engender trust in your data transfers
As mentioned throughout, the viability of effective data transfer safeguards in light of FISA and US surveillance programs is currently uncertain in the wake of the DPC’s decision. While the measures outlined above can get you well-positioned for ongoing data transfers and make you agile for future change as more certainty around transfers comes to light, the fallout of this decision presents a perfect opportunity to project transparency relating to transfers as a way towards building trust with your key stakeholders.
In addition to finding, evaluating, and mitigating data transfer risk, there are additional steps you can take to tackle the current data transfer landscape and generate trust in your data transfer practices. You should consider publishing documents such as whitepapers or transparency reports on your transfer practices and government access requests to nurture trust with your vendors, consumers, and regulators.
How OneTrust helps you to approach the data transfer dilemma
OneTrust offers one platform for privacy, security, and marketing teams to holistically manage data transfers and data sharing requirements while providing consumers with transparency and choice.
For data exporters, OneTrust helps to document transfers, perform TIAs, research and conduct third-country assessments, evaluate the effectiveness of supplementary measures, and enforce consumer opt-out of the sale/share of personal data. For importers, OneTrust helps operationalize holistic privacy and security programs, ensuring proper operational processes, technical controls, and compliance mechanisms have been implemented across the organization.
With a thorough map of your IT assets, processing activities, vendors, the relationships between them, and how personal data is processed within each, OneTrust surfaces regulatory guidance and provides workflows out of the box to track and mitigate transfer-related risks to drive privacy compliance and automated data governance.
Recent enhancements to data mapping provide improved functionality for managing data transfers. Users can achieve visibility across the entire transfer lifecycle thanks to an improved cross-border map to visualize transfers, a new data graph visualization, and the ability to directly assess transfer records for risk. This enables organizations to ensure that the appropriate measures have been taken, such as delivering appropriate notice to consumers, conducting transfer impact assessments, and implementing safeguards.
As regulatory developments evolve, OneTrust delivers same day regulatory updates via DataGuidance and out of the box templates and workflows powered by regulatory intelligence to support ongoing changes to regulatory obligations
Request a demo to learn more about how OneTrust can help you assess your data transfers or register for the webinar to learn more about the DPC’s ruling and its impact.
