If there is one thing that we can say for certain in the world of data protection it is that it is an ever-changing landscape and the recent Schrems II decision just goes to prove the rule.
Austrian lawyer Max Schrems has long been an advocate of citizens’ rights when it comes to data protection and he came to worldwide prominence in the 2015 Schrems Vs Facebook case.
This centred on Facebook transferring the data of EU citizens into the US and using the Safe Harbour law as a shield. The 2015 ruling meant that this protection ultimately failed.
Max Schrems argued that in light of the Snowden revelations about the NSA’s data collection programme (PRISM), US law and practice did not offer adequate protection to EU citizens that are required by EU law.
Schrems II
In 2020, Schrems resubmitted a complaint to the Irish data Commissioner stating that Facebook continued to transfer data to the US but this time using the shield of Standard Contractual Clauses (SCCs).
In the subsequent case (Data Protection Commissioner v. Facebook Ireland Limited), the commissioners found that the protection of personal data had limitations due to domestic law in the United States as well as the access and use by US public authorities of personal data transferred from the EU. It was ruled that the provisions of US laws do not satisfy requirements that are essentially equivalent to those required under EU law.
In the decision The Commission noted;
- US public authorities do not restrict the use and access of EU data according to the principle of proportionality; and
- the Ombudsperson mechanism does not provide data subjects with any cause of action before a body that offers guarantees which are substantially equivalent to those required by EU law.
In other words, once the data is transferred the citizen loses the right to have their data treated in the same way as it is in the EU and US public authorities have much wider latitude when it comes to reasons for accessing data.
In relation to SCCs, the CJEU highlighted that the assessment of the afforded level of protection must take into consideration:
What does this mean for you?
There are two points that every data exporter needs to be aware of.
Firstly, you must ensure that the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country are suitable and compliant.
And secondly, the relevant aspects of the legal system of a third country in relation to any access by public authorities of the third country need to be borne in mind.
Essentially, data controllers and processors need to make sure that any third country they transfer data to has at least equivalent protection for the data owner and that their SCCs cover the use of the data.
Next steps
The first thing to do is to review your use of data and the places it goes to.
In some cases, an adequacy decision has been made meaning that the third country has data protection legislation and standards that are at least equal to or better than the EU.
The current list of countries with adequacy decisions is;
- Andorra
- Argentina
- Canada (commercial organizations)
- Faroe Islands
- Guernsey
- Israel
- Isle of Man
- Japan
- Jersey
- New Zealand
- Republic of Korea
- Switzerland
- Uruguay
- United Kingdom
If you only transfer data between EU nations or third countries that are in this list then you are compliant in respect of Schrems II.
The second step is to review the European Commission’s revised SCCs to ensure that your documents comply. These are seen as a bare minimum and there is nothing to stop any company from going further to ensure that the Data Owner’s information is kept safe.
Keeping your data safe
At Checkback we take data protection incredibly seriously to the extent that it drives many of the operational decisions we make.
We never compromise on data safety, often going above and beyond what is mandated by GDPR and other relevant legislation.
If you are looking for a company that will process your pre-employment checks swiftly and correctly and at the same time a partner that will minimise the risk of a data breach then you’ve come to the right place.
Call us now and let’s talk about how we can help.
