Challenges set by ‘Schrems 2’ personal data ruling ‘won’t go away’ after Brexit, Institute for IT warns
The EU's 'Schrems 2' judgment, which ruled that the Privacy Shield Framework cannot be used for transferring personal data between the EU and US, demands 'prompt action' from UK organisations, the professional body for IT has warned.
The Court of Justice of the European Union's ruling has major and immediate implications for international flows of information, as it finds that the current Framework does not meet the EU's standards for protecting individuals' data. It will have a sustained, post-Brexit impact on any country that the EU does not consider to have adequate data protection, BCS, The Chartered Institute for IT, states in a new policy paper.
Chiara Rustici, privacy analyst and Chair of BCS’ Law Specialist Group said: “This is a significant decision which will require prompt action for organisations that transfer personal data outside of the EU - or those service providers you trust with your personal data which do.
“The implications of the judgment are still evolving, but already the UK’s IT professional and business communities need to pay due care and attention to Schrems 2 to safeguard their businesses and operations as much as possible. It has immediate implications for any organisation doing business by exchanging data and information flows with USA organisations, and for any organisation doing business by exchanging data and information flows with organisations based in countries the EU does not recognise as having an adequate data protection regime.
“All organisations are affected, from multinational to not-for-profit, to the extent that their data and information flows include personal data.
“Organisations based in the EU and USA are not the only ones in scope: any organisation may be relying, directly or indirectly, in some part of their value chain, on personal data flows affected by this judgment.
“Do not assume that ‘management’ is already aware and has a plan: you may be the first to be aware of it. The wider impact of Schrems 2 on business and trade has yet to be grasped by the mainstream and business press. If you are UK based, do not assume the problem will go away after Brexit and do not assume there will be no enforcement.”
BCS, The Chartered Institute for IT, has set out 10 actions that organisations with international data interests should take to minimise the risk of being caught out by the ruling:
- Assess how much of the personal data your organisation handles is strictly mission-critical and how much is expendable. Minimise your organisation's personal data. Be mindful that most business data is also personal data, that most datasets are mixed, and that it may be impossible to segregate personal from non-personal data.
- Assess in which countries your personal data ends up routinely or occasionally, directly, or indirectly, via cloud services, web-based applications, cookies and other trackers, contractors, sub-contractors and suppliers. Map all the organisation's personal data flows you are responsible for against the interactive data protection map produced by CNIL. Keeping a real-time visual of how your personal data ecosystem crosses national boundaries and of how data protection requirements for data transfers change will be useful also for upcoming changes in countries' data protection status. Consider whether your transfer counterpart is a likely target for government intelligence surveillance demands.
- Audit who has access rights to your organisation's personal data sets (databases, data streams, data repositories of any kind) and from which countries they can access it. Be mindful that, in legal terms, to access data is to transfer data. Include in this audit of permission levels: clients, business partners, employees, remote workers, freelancers, temps, interns, volunteers.
- If you have an in-house legal department, they should have reached out to the IT team by now. If you use external legal counsel, they may not have contacted you yet, so be proactive: re-read your own policies and search the terms and conditions of your suppliers, contractors and subcontractors to identify which data flows in your organisation rely, directly or indirectly, on a "Privacy Shield" clause. This is a legal basis for transferring data to the USA that is now invalid. Do the same search for Standard Contractual Clauses (SCCs). These are still valid but require additional action on your part. For example, to continue to use SCCs you will need to undertake due diligence to evaluate and document the risks associated with those transfers. In practice, you will need to identify whether the laws of the destination country cause concern in relation to the rights of data subjects (see action 2). To identify potential risks, an assessment of the third country's laws and international commitments is now necessary and is recommended by the EDPB. You should also ensure the data importer in the destination country understands that it needs to notify you of laws and other obligations that would prevent it from complying with the SCCs, including being subject to any specific government surveillance or legal monitoring.
- Address highest risk transfers first. For example, a financial institution is likely to have high levels of risk, whereas a small online retailer is likely to have lower levels of risk of surveillance interception. Where it is possible that US governmental authorities might seek to access the personal data transferred, consider including additional protections, such as encryption or tokenization, which could render personal data meaningless to a third party, or adding suspension or termination clauses in contracts that allow the data exporter to minimise the risk of an enforcement action in the EEA and the threat of fines.
- Once you have quantified the amount and kinds of personal data transfers to the USA, servers controlled by US companies or other countries outside the European Economic Area (EEA) which do not provide adequate safeguards, escalate the matter to the highest level of risk ownership in your organisation.
- Be in the room when management works out the cost-benefit analysis of practical solutions for the parts of your business that rely directly or indirectly on Privacy Shield or SCCs. There may be several solutions. None is without consequences. Go to the meeting prepared to offer key figures of data transfers, and your assessment of IT architecture workarounds.
- Additional IT safeguards or alternative IT architecture workarounds are not the only solutions for data transfers to the USA that rest on Privacy Shield, or for transfers based on SCCs:
a) Business alternatives include redesigning which types of business process are carried out by which country's business unit, or switching to cloud and other IT suppliers that are not subject to US jurisdiction.
b) Legal alternatives include replacing Privacy Shield with SCCs plus "additional safeguards" as the legal basis for transfers, relying on one or more of the specified "derogations" in Article 49 of the GDPR or, in the case of multinational organisations, considering the use of Binding Corporate Rules (BCRs).
c) IT alternatives include re-allocating personal data access privileges to staff in the EEA, arranging for the business's personal data to be processed exclusively by staff based in the EEA, adding encryption layers and ensuring the encryption keys remain in your possession, and pseudonymising or anonymising personal data.
- Continue to monitor developments. The interpretation and application of Schrems 2 is rapidly changing and developing. We are expecting more guidance from authorities and other developments very soon. IT professionals should stay closely aligned with these developments and adjust their plans accordingly.
- Work with your colleagues and professional communities to influence positive change. Organisations like BCS depend on the collective skills and knowledge of their volunteer member communities, working across many disciplines, to advance the cause of computing and technology for good. More information about becoming a BCS member is available from BCS.
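Actions 5 and 8(c) above name tokenisation, encryption and pseudonymisation, with the keys kept by the exporter, as IT safeguards that can render transferred personal data meaningless to a third party. The following is an added Python example, not code from the BCS paper, showing one shape this can take: direct identifiers are replaced by random tokens whose lookup table (the "vault") never leaves the EEA-based exporter, while a join key the importer still needs is replaced by an HMAC pseudonym under an exporter-held key. The field names, the sample records and the key are all constructed for illustration.

```python
"""Tokenisation and keyed pseudonymisation with secrets held by the data exporter.

Added example: the vault and the HMAC key stay with the EEA-based exporter; the
importer only ever receives the output of export_dataset().
"""
import hashlib
import hmac
import secrets

# Hypothetical field names. Direct identifiers never leave the exporter in clear.
DIRECT_IDENTIFIERS = {"name", "email", "phone"}
# Field the importer still needs as a stable key to join records; pseudonymised.
JOIN_KEY = "customer_id"

# Constructed sample data, not real people.
SOURCE_RECORDS = [
    {"customer_id": "C-1001", "name": "Anna Example", "email": "anna@example.eu",
     "phone": "+33 1 00 00 00 00", "order_total": 129.0},
    {"customer_id": "C-1001", "name": "Anna Example", "email": "anna@example.eu",
     "phone": "+33 1 00 00 00 00", "order_total": 40.0},
    {"customer_id": "C-2002", "name": "Bram Voorbeeld", "email": "bram@example.nl",
     "phone": "+31 20 000 0000", "order_total": 75.5},
]


class TokenVault:
    """Value <-> token mapping held only by the exporter (in practice an EEA-hosted store)."""

    def __init__(self) -> None:
        self._value_to_token: dict[str, str] = {}
        self._token_to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = self._value_to_token.get(value)
        if token is None:
            # Random token: nothing about it can be derived from the value itself.
            token = "tok_" + secrets.token_hex(16)
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def pseudonymise(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256).

    A plain hash of a short identifier could be brute-forced by whoever holds the
    export; with a secret key only the key holder can recompute or confirm a mapping.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def export_record(record: dict, vault: TokenVault, key: bytes) -> dict:
    """Produce the version of one record that may be sent to the importer."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = vault.tokenize(value)
        elif field == JOIN_KEY:
            out[field] = pseudonymise(value, key)
        else:
            out[field] = value  # non-identifying business data passes through
    return out


def export_dataset(records: list, vault: TokenVault, key: bytes) -> list:
    return [export_record(r, vault, key) for r in records]


def reidentify(exported: dict, vault: TokenVault) -> dict:
    """Restore direct identifiers. Only the exporter, holding the vault, can do this;
    the HMAC join key is intentionally not reversible from the export."""
    return {f: (vault.detokenize(v) if f in DIRECT_IDENTIFIERS else v)
            for f, v in exported.items()}


def leaks_identifiers(exported_records: list, source_records: list) -> bool:
    """True if any direct identifier or join key appears verbatim in the export."""
    sensitive = {r[f] for r in source_records
                 for f in DIRECT_IDENTIFIERS | {JOIN_KEY} if f in r}
    return any(str(v) in sensitive for r in exported_records for v in r.values())


if __name__ == "__main__":
    vault = TokenVault()                 # stays with the exporter
    key = b"exporter-held-key-example"   # constructed; in practice from a key store
    exported = export_dataset(SOURCE_RECORDS, vault, key)
    for row in exported:
        print(row)
    print("leaks identifiers:", leaks_identifiers(exported, SOURCE_RECORDS))
    print("exporter re-identifies:", reidentify(exported[0], vault)["email"])
```

The check that matters before signing off a transfer is `leaks_identifiers`: if it returns True, some identifying field is still travelling in clear. Note that the HMAC pseudonym is deliberately stable, so the importer can still link two orders from the same customer; if that linkability is itself a risk for the transfer in question, tokenise the join key through the vault instead of keying it.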