Businesses Urge EU to Take Risk-Based Approach to Data Transfers

January 27, 2021 | Alerts

The comments to the EDPB Guidelines on the Schrems II Supplemental Measures are in. After reviewing comments from the "third country" contributors (U.S., UK, Singapore) a key, strong, repeated theme appears:

Bring. Back. The. Risk. Based. Approach ... 

... and do away with the complete ban on U.S.-based cloud providers and intercompany transfers (use cases #6 and #7).

Below are the 10 key comments, listed in order of how frequently they appeared and of their importance:

  1. Bring back the risk-based approach to analyze transfers. It should not be an "all or nothing." If U.S. authorities haven't and aren't looking into certain data transfers, that should count as part of the risk assessment.
  2. Avoid the suggestion that cloud computing and remote access to data in the clear as well as intercompany transfers (e.g. HR) are always prohibited (use cases #6 and #7).
  3. Ease the burden of each controller doing its own analysis (e.g. by establishing a resource center on the “law and practice” of third countries and providing a template for their assessment).
  4. Amend the requirements for technological measures so that they are workable for real-life situations and don't prioritize them over organizational and contractual measures.
  5. Set appropriate encryption and pseudonymization standards.
  6. Enforcement accommodations: Advocate prosecutorial discretion by the Data Protection Authorities (refraining from significant fines) for companies that assess their obligations in good faith and make a good faith effort to implement them; provide a grace period for enforcement; or institute a period of notice and cure.
  7. Clarify that the obligations do not apply (1) if the transferee is subject to the General Data Protection Regulation (GDPR) under Article 3(2) and (2) to direct transfers (EU resident - Non EU controller).
  8. Apply increased flexibility regarding the use of Article 49 derogations.
  9. Apply a flexible interpretation of “essential equivalence” absent an adequacy finding by the Commission.
  10. Provide some allowance/guidance for Small-to-Medium-sized Enterprises (SMEs).

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. For questions about this alert or assistance with GDPR compliance issues, contact Odia at [email protected] or 215.444.7313.