Doing business remotely continues to gain in popularity, both allowing work to continue (often from home) when pandemic conditions require it and actually increasing many individuals’ overall productivity in certain industries. Despite its advantages, however, the data implications of remote working have recently become more complex.
Dora Petranyi, CEE Managing Director at CMS, Olga Belyakova, CEE Co-head of CMS’s Technology, Media and Communications group, and Marton Domokos, coordinator of CMS’s CEE Data Protection practice, insist that companies need to take a number of things into consideration in this new era of remote working.
“Perhaps one of the most important issues,” Petranyi begins, “is data security during video calls.” She notes that the Berlin Data Protection Commissioner published a “position paper” in April, “ruling that certain video-calling software – for example, Zoom, Google Meet and Cisco WebEx – are problematic.”
This ruling questions the security of data transfers during video calls made through video conferencing services operated by providers outside the EU, and specifically by providers in the US. From its statement, it appears that the Berlin data protection authority already considered the level of data protection under the EU/US Privacy Shield to be inadequate and also found certain defects in the standard contractual clauses in use. The questions around both instruments center on the potential for unauthorized monitoring and recording of call content, and on the exploitation of that content in the US. Despite service providers’ assurances that the personal data of Germans would be stored in Germany, the Berlin Data Protection Commissioner nevertheless concluded that there was a significant risk that this commitment would not be honored.
However, in July the issue took another turn with the “Schrems II” case. According to Olga Belyakova, “Schrems II rejected the European Commission’s Decision on the adequacy of the protection provided by the EU/US Privacy Shield and ruled the Shield invalid, immediately, and without a transition period. Until then, over 5,000 US businesses had relied on this for the proper transfer of personal data from the EEA to the US. Schrems II followed on from Schrems I, which back in 2015 ended the Safe Harbour framework (a mechanism that lawfully allowed the transfer of personal data from the EU to the US). But what lies at the heart of this case is a clash between US national surveillance laws and EU data protection standards.”
Although the Court of Justice of the European Union (CJEU) ruled that the EU/US Privacy Shield was invalid, standard contractual clauses (SCCs) can continue to be used as a safeguard for transferring personal data outside the EEA. However, the CJEU ruled that additional steps will need to be taken by exporters, importers, and data protection authorities to ensure compliance with the clauses and that transfers are suspended when required. According to Belyakova, “when the abrupt cessation of the Privacy Shield hobbled businesses, the SCCs they switched to were – and are – not a watertight solution. If personal data can’t be adequately protected in the data importer’s country despite an SCC being in place, then the data exporter must stop those data transfers. If the exporter fails to do so, then the relevant supervisory authority may order the transfer suspended or stopped. This concerns data transfers to all third countries outside the EEA, not only the US.”
In addition to SCCs, organizations also rely on “binding corporate rules” to transfer data internationally. Marton Domokos says: “BCRs don’t differ a great deal from SCCs. The issue here is that each organization is responsible for assessing how the governmental authorities in the destination country are permitted to interfere with the exported personal data.” He goes on to stress: “It’s important to note also that all organizations in the supply chain (controller, processor, sub-processor) are affected. So, if your company processes EU personal data in a third country that has been deemed inadequate (including the US), it must be able to address any controller/exporter concerns and ensure that its own onward transfers to sub-processors provide adequate safeguards, even though the primary responsibility is on the controller and exporter of personal data to make the assessments before allowing any personal data to be transferred out of the EEA. Processors should address this issue now so that they are prepared when an EU controller reconsiders using service providers in inadequate countries as a result of the Schrems II decision and the questions around the SCCs.”
So what can companies expect in the near future? “On the upside,” Domokos says, “some of the large tech players are opening subsidiaries in the EU – in Ireland in particular – to conform with EU law and guarantee that the personal data of EU citizens doesn’t leave Europe, and the US Department of Commerce and the European Commission recently announced that they were working together to draw up a new agreement as a replacement for the Privacy Shield.” Of course, there are problems as well. “On the downside,” he adds, “Schrems II has led to hundreds of complaints being filed which will be stuck in a legal bottleneck for a while yet. These could take years to be resolved.”
However, Belyakova offers useful advice. “The best route is, if possible, to ensure the personal data of your employees and clients doesn’t leave the EEA. If that’s not possible, then it’s important to realize that the time for ‘wait and see’ is definitely over. Recently, the data protection authority in Baden-Württemberg in Germany issued guidelines on how companies should approach their data transfer analysis in the post-Schrems II environment. Pursuant to those guidelines, first, standard contractual clauses on their own do not provide a good enough basis for data transfer. Using supports, such as encryption and anonymization, is paramount in ensuring that individual data is protected when it is transferred. Second, make sure your service providers know about the Schrems II decision; ask them what their legal basis for the data transfer is. Third, you might want to revisit every data transfer with your service providers and ensure they are still legally justifiable. Finally, it is a good idea to take another look at contracts and make sure they are appropriate for the data transfers that take place.”
“This issue is unlikely to be resolved soon,” Petranyi concludes. “I would expect that a number of other data protection authorities in the EU will also issue guidance for data controllers and data processors. In the meantime, if you have any doubts, you should of course consult your legal advisers and have the comfort of expert help.”