Irish businesses seek greater clarity on international data transfers
Uncertainty and ambiguity shroud the implications of the CJEU’s decision in the Schrems II ruling for Irish businesses. This is according to a survey from the Association of Compliance Officers of Ireland (ACOI) of 100 data protection specialists from tech and other organisations throughout the country.
Approximately 65% of those surveyed said the greatest challenge presented by the July 2020 ruling thus far is the lack of clarity from regulatory bodies, while over half of businesses surveyed said the ruling will negatively impact their business data transfers.
Highlights from the ACOI Schrems II Impact Survey include:
- The lack of clarity around implementation was cited by the majority (65%) as the biggest challenge facing their business on the back of this ruling, followed by the limits it puts on businesses when it comes to transferring data (21%), and the costs involved with implementation (14%)
- Four in 10 say it will affect their ability to do business in the US, while more firms think its impact on their ability to do business with the UK will be greater (60%)
- A total of 59% say an unsuccessful Brexit outcome will restrict their transfer of data to the UK in 2021
- Even if Brexit negotiations are concluded with any degree of success, most firms (75%) believe there will still be issues which may limit their potential to transfer data to the UK
“All sectors of business have or will be affected by the Schrems II ruling on international data transfers and, in an already challenging business environment, this is an obstacle which is going to be very difficult for many to overcome,” said Michael Kavanagh, CEO of ACOI. “The message from businesses is that the most pressing and immediate concern is the lack of clarity on how the ruling should be applied.
“The Data Protection Commission (DPC) commented in July that: “…the DPC acknowledges the central role that it, together with its fellow supervisory authorities across the EU, must play in this area. In that regard, we look forward to developing a common position with our European colleagues to give meaningful and practical effect to today’s judgment”. This has left firms in a difficult position until that EU-level guidance is published, particularly smaller businesses that are already under severe pressure due to Covid-19 related restrictions.”
Last week, a draft EU Commission decision and related new draft SCCs were published with period for feedback running until 10 December 2020. The ACOI have welcomed the development, citing it as the commencement of the guidance that ACOI members are calling for. However, they have cautioned that, given deadline for submissions, it actually gives little, if any, time for companies to prepare for Brexit.
“There’s no doubt that businesses want to be compliant, but they are unsure how to be,” continued Kavanagh. “For instance, when it comes to Standard Contractual Clauses (SCCs) how do they provide the necessary checks? This will be very onerous for smaller businesses. And with the Privacy Shield invalid with immediate effect – what can they use in the interim?”
In lieu of any concrete instruction from the DPC and the European Data Protection Board (EDPB), Kavanagh said businesses believe there is a real need for government intervention. “The vast majority (71%) are calling on the government to step in and assist and support them, such as by providing a temporary grace period whilst Irish and EU supervisory authorities provide clarity. The ruling wasn’t black and white and so it will take some time before the issues are ironed out and definitive guidance can be given. But we can’t leave firms in limbo until then. The powers that be need to address this and give these businesses a way to proceed with their daily business activities when it comes to data transfer.”
The ACOI said the requirement in particular for companies to put in place additional supplementary measures where SCCs do not provide sufficient privacy guarantees, will be onerous for the SME sector.
The survey also shed some light on the impact Schrems II will have on organisations’ business opportunities in the US and UK. While 60% of businesses said it will affect their firm’s current or future ability to do business with the UK, Kavanagh said 61% have yet to “take steps to restrict/cease personal data transfers to the UK in light of Schrems II and Brexit – most likely, because they don’t know what action to take, such is the vagueness of the guidance and the uncertainty surrounding Brexit.
“Forty percent of those surveyed said it will affect their firms current or future ability to do business with the US, which is notable considering comments last week from US secretary of Commerce, Wilbur Ross, which were highly critical of the Schrems II ruling. Mr Ross stated that the decision would have ‘severe consequences’ on transatlantic trade and undermine economic ties between the US and Europe.”
Kavanagh noted that “While the Trump administration was vocal in its intent to address this ruling, it’s uncertain as of yet whether the US will continue with this position once the new administration comes into power. However, it’s clear that the Irish government should take a leading position within European efforts to negotiate an alternative to the current Privacy Shield with the US, in order to protect Irish business.
“This ruling affects a range of industries, not just those directly involved in the digital sector. It’s critical that we address the significance of this ruling for Irish businesses, and that the Government work to acknowledge the complexity of the impact it will have. Businesses urgently need guidance and clarity to help them operate compliantly in the interim, while an alternative arrangement is being negotiated.”