Under a very recent study conducted by the Association of Compliance Officers in Ireland (ACOI), released on January 28th, 76% of Irish businesses believe the data protection landscape is more uncertainty now than it was 12 months ago, due to 3 main reasons: Brexit, the increase in remote working and the impact of the Schrems II ruling.
As to such last reason, in July, the Court of Justice of the European Union (CJEU) issued a landmark ruling in the Schrems II case, when invalidating the EU-US Privacy Shield arrangement and raising questions over the level of data protection offered for those relying on Standard Contract Clauses (SCCs) when transferring data from the European Economic Area (EEA) to a third country.
Companies from all over the world are now concerned whether the existing mechanisms in place allowing for cross-border transfers outside the EEA (such as to entities pertaining to the same corporate group located in other countries) remain valid.
Due to additional factors, businesses in all countries are disoriented when it comes to the applicable mechanisms to transfer personal data overseas. In Brazil, for instance, we have a brand new Data Protection Law (the LGPD) — now finally in force and effect — that sets forth rigid instruments to allow for cross border data transfers, analogous to the ones provided by the GDPR, without a fully operational Data Protection Authority that should take actions to enable such instruments.
Certain cross-border mechanisms can be considered onerous and unworkable and the companies should evaluate the adequate procedure to be adopted. We should also not lose sight of the fact that maintaining a strong data protection culture within the corporate group is a key factor for compliance with the applicable data protection rules, including the ones covering cross-border data transfers.