Meeting the High Bar of Schrems II Compliance
Published by Jessica Weisman-Pitts
Posted on August 10, 2021

By Animesh Kumar
The UK has historically been a key player in digital markets due to its geographical location and position in global business. In fact, until recent years when Brexit was still in progress, over 40% of all large EU digital companies originated in the UK and 75% of the UK’s cross-border data flows were with EU countries. The fact that the UK has been an epicenter for so many European deals made it critical for the country to maintain its adequacy status after Brexit. ‘Adequacy’ is a term the EU uses to describe countries, territories, sectors or organisations it deems to have an “essentially equivalent” level of data protection to the EU.
In June 2021, UK businesses were given a reprieve as the UK is now deemed an ‘adequate’ jurisdiction for receipt of personal data from the EU/EEA (European Economic Area) by the European Commission, with a ‘sunset clause’ that limits this to four years. However, despite this stay of execution, several regulatory requirements are still currently bearing down on UK corporates.
After GDPR (General Data Protection Regulation) came into force in 2018, UK corporates received a further barrage of additional diverse, dynamic regulatory and legislative changes including Brexit, Schrems II and LIBOR. These have made 2020-2021 particularly demanding for UK-based financial organisations, prompting them to increase investment in strategic regulatory response efforts to repaper and renegotiate thousands, if not millions, of legacy contracts and other documents to remain compliant.
Schrems II – High Stakes Rules Governing Personal Data Transfers
From a personal data standpoint, one of the most impactful regulatory changes in the 2020-21 timeframe has been the Schrems II decision. In July 2020, the Court of Justice of the European Union (CJEU) confirmed that the EU Standard Contractual Clauses (“SCCs”) were valid to govern transfers of personal data to processors outside the EU/EEA. This decision resulted from Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”). However, by confirming that EU SCCs were valid, the Schrems II decision effectively invalidated the EU–U.S. Privacy Shield.
In fact, Schrems II ruled that transfer of personal data based on the Privacy Shield framework is now illegal and constitutes a breach of the provisions of GDPR Article 83(5)(c). Organisations that had previously used the EU-U.S. Privacy Shield Frameworks designed by the U.S. Department of Commerce and the European Commission to transfer data to U.S.-based processors now need to shift to the new EU SCCs. In response, organizations are now developing internal policies and processes aligned with these new developments. This entails creating an agile data privacy framework to accommodate any later changes while minimizing disruption to ongoing business.
Risks of Not Complying with Schrems II
Non-compliance with Schrems II risks a penalty of €20 million or 4% of the company’s global turnover. Furthermore, EU primary law considers data protection to be a fundamental right (though not absolute, because it can be challenged). Therefore, the recommendations with respect to GDPR require Controllers or Processors to comply with this right actively by implementing legal, technical, and organizational measures to ensure effectiveness.
EDPB Recently Finalized Schrems II Recommendations
In June 2021, the European Data Protection Board (EDPB) adopted a final version of the Schrems II Recommendations. The Recommendations identify supplementary measures to apply when transferring data to a third country in order to meet a level of protection equivalent to the EU’s.
The point of the EDPB Schrems II Recommendations is to ensure that local laws and practices of the third country (importer’s jurisdiction) do not obstruct effective application of SCCs. The modifications require the exporters to consider additional aspects in the ‘transfer impact assessment’ that the exporter must conduct on the importing jurisdiction.
These additional considerations may include evaluation of the ‘practices’ exercised by the public authorities of the third country regarding access to the imported data. If these practices are in conflict with GDPR requirements, adequate supplementary measures should be put in place to enable transfer to that jurisdiction. Documented practical experience of the importer dealing with prior access requests from public authorities in the third country must also be considered for countries where the legal framework allows importers to provide information requested by public authorities.
“The Impact of Schrems II Cannot Be Underestimated”
EDPB Chair Andrea Jelinek said: “The impact of Schrems II cannot be underestimated: already international data flows are subject to much closer scrutiny from the supervisory authorities who are conducting investigations at their respective levels.” The rollout of the June 2021 Recommendations proves that the EDPB is cognizant of the ambiguity fueled by these privacy protection changes.
The EDPB Schrems II Recommendations aid companies by providing a comprehensive understanding of the recently published SCCs. The Recommendations identify triggers warranting invocation of supplementary measures. The EDPB is working towards safeguarding the interests of the data subjects as well as providing clarity and guidance to exporters on lawful data transfer mechanisms.
Projected Future Impact of Schrems II
While the relief of 4 more years of adequate status for the UK certainly makes transfer of data between the EU/EEA and the UK less complicated for now, it also limits the UK’s autonomy to negotiate terms with non-EU countries, particularly the U.S. It will be interesting to see how the Information Commissioner’s Office (ICO) strikes this balance for the UK since the current ‘adequate’ status is only conferred for a period of four years and is then subject to re-evaluation.
Whether the ICO will establish its own set of standard contractual clauses to regulate transfer of personal data from the UK to third countries remains to be seen. However, these clauses will probably not be drastically different from the European Commission’s SCCs. In the meantime, companies must anticipate that UK-specific provisions will eventually be added in, and this will undoubtedly create additional paperwork and revisions of existing documentation.
Qualified ALSPs Assist with Schrems II Compliance
Schrems II presents an optimal opportunity for specialized alternative legal services providers (ALSPs) like Integreon to assist corporates and their law firms with compliance efforts. The evolving data privacy regime detailed for Schrems II is just one example. Integreon’s clientele includes large multi-national organizations which must comply with global/cross-geography regulatory requirements such as Schrems II, LIBOR, Brexit, IM5, and US legislation such as the California Consumer Privacy Act (CCPA) and other emerging US laws.
Integreon works closely with clients and is able to ramp up quickly to support high-volume drafting, reviewing and negotiation of commercial agreements (including privacy) with the use of cost-effective, bespoke technology-based solutions and expert resources. The company has worked with clients on Schrems II and GDPR remediation projects and processed contracts and other related documents, leveraging specialized technology made for handling large volumes of data.
Particularly for data privacy, Integreon’s internal team of subject matter experts has deep knowledge and expertise and is able to assess, design, and implement a comprehensive approach that includes best-fit technology, resource needs, and efficiency-gaining process and change management. Integreon ensures its clients are well-placed to meet their contractual/compliance requirements and can also reduce administrative overload by managing and triaging privacy emails concerning data subject rights and complaints.
Integreon’s delivery platform focuses on three pillars:
1) People – subject matter experts who develop customized solutions
2) Process – a defined set of matrices informed by Six Sigma and Lean Six Sigma principles to ensure all changes across the documents/contracts are uniform and efficient
3) Technology – leveraging best-in-breed technology solutions to make the process accurate, efficient, and repeatable, and to reduce human effort spent on tedious, repetitive and time-consuming tasks
As regulatory compliance issues like Schrems II continue to evolve and new ones arise, Integreon is following these developments closely on a global scale. Once a regulation becomes clearly defined, Integreon immediately establishes an internal task force to evaluate the potential long-term needs and adapts its capabilities to serve corporate and legal clients affected by the new rules.
For more information about Integreon’s Contracts, Compliance and Commercial Services, visit www.integreon.com.
About the Author
Animesh Kumar is Interim Head and Vice President of Contracts, Compliance and Commercial Services at Integreon, a global ALSP. Mr. Kumar’s core competency lies in transformation of legal operations by leveraging AI and CLM platforms and automation. He holds an LL.B. in Law from University of Delhi’s Campus Law Centre, and Bachelor of Arts and Master’s degrees from St. Stephens’ College at University of Delhi.
This is a Sponsored Feature.