With a lack of true guidance from the European Commission and/or the EDPB on how to make the assessment required to ensure Art. 46 is effective in practice following Schrems II for countries without Adequacy Decisions, there is a wider industry concern that leaving it up to companies will lead to a clear difference in the assessments, which is counter to the original objectives of the GDPR. That said, from a company perspective, how are people managing it? Do you get legal advice for each location? Or an alternative? The required scope for the assessments isn’t feasible for smaller companies, so I’m looking to understand how it is being managed. Not making the transfers is not a business option.
Even if you don’t feel you can make the best-informed assessment of risk, you must make an assessment. One of the points that the BayLDA made regarding the use of MailChimp was that the data controller had not assessed the risks or the additional measures that could be put in place. https://gdprhub.eu/index.php?title=BayLDA_-_LDA-1085.1-12159/20-IDV
There are some really good resources to help you assess the risks, which may help you understand foreign privacy law and surveillance frameworks – they will give you a springboard if nothing else.
DLA Piper – https://www.dlapiperdataprotection.com/
Citizen Lab (part of Toronto Uni, studying the interactions between surveillance, privacy, and technology) – https://citizenlab.ca/
EPIC – https://epic.org/
I ask a couple of questions:
Does the third country have respect for human rights (per the ECHR)?
Are there specific privacy laws? How do those laws measure up?
Does surveillance go beyond what is necessary to safeguard national security and defence?
Thanks for those resources. I am aware of the DLA Piper resource already, but it is good to know it is recommended by others as well.
My main concern is how an organisation that does not have a legal department, or the funds to engage one, can properly answer questions such as what the laws are in other countries and how they are enacted and also enforced. It seems a very high bar that could take a significantly long time just to google, and then you have to rely on the various public information being right.
It seems like a no-win situation for smaller organisations: we have to go through it, but the chances of getting it right are so low that you are penalised by spending significant resource to do it, and it offers little protection, as if it is ever challenged it will likely be picked apart quite easily.
It can seem overwhelming, knowing where to start or deciding how much resource to bake into the privacy framework. I think the feedback that Simon has provided is valuable, and if you’re able to use free resources like DLA Piper or other privacy-focussed lawyers, then that is a useful resource.
I’m not sure whether you’ve seen the resource that Max Schrems and noyb have made available, but there are steps to follow and model assessments that you can use to determine whether there are appropriate safeguards in place within a third country. Here is the link to the steps and the downloadable model assessments: https://noyb.eu/en/next-steps-eu-companies-faqs