Data protection Digital MeetUp
Digital, March 18th, 12:00 to 13:00
Data protection - Compliance and its impact on the sector
Our experts will cover the legal side, explaining the Schrems II decision and its impact on the financial sector, and will give an overview of compliance with data protection laws through three examples of our RegTech solutions.
Programme:
12:00: Introduction by Toon Vanagt
12:05: Legal presentation by Joan Carette from Simont Braun: Schrems II and its impact on the financial sector: what does it say, where are things now and what are the potential consequences on the financial sector?
12:15: Data transfer assessment: what do we do with this law and how do we put it into practice, by Laurie-Anne Bourdain from Isabel Group
12:25: Compliance with data protection laws and the role of RegTechs – presentation of solutions with Trevor Graham from Ampliphae, Frederic Lebeau from Datavillage and Magali Feys from Anonos
12:45: Q&A
13:00: Networking
INPUTS
Joan Carette, Simont Braun
1. What is this Schrems II decision? How does it impact the fintech sector?
The Schrems II decision is a decision taken by the Court of Justice of the European Union in July 2020 regarding international data transfers. It directly impacts data transfers from the EU to the US but also and more generally transfers to all other non-EU countries.
2. Which transfers are concerned?
The decision concerns all situations where an EU-based entity processing personal data communicates personal data to a non-EU entity, but also, to some extent, grants access to those data to such an entity. It potentially covers a lot of different situations, such as cloud services offered by US companies, IT services from non-EU entities, call centers located outside the EU, etc.
3. Under which conditions are those transfers in principle possible?
In the EU, under the GDPR, international transfers are only possible if the transferred data will, after the transfer, benefit from a protection equivalent to that under the GDPR. There are derogations to this principle, such as transfers based on the consent of the data subject, but those are very restrictive cases. The GDPR provides two ways to ensure that this protection is granted:
o The European Commission officially confirms that the law of the third country concerned provides an adequate level of protection of personal data. This decision from the EC is called an ‘adequacy decision’, which the EC has taken for several non-EU countries, such as Switzerland, Israel, Japan, etc., and should, if all goes well, also take for the UK. In that case, the transfer is subject to the same conditions as any data transfer inside the EU.
o In the absence of an adequacy decision, the transfer must be accompanied by specific safeguarding measures to compensate for the inadequate level of protection of the laws of the country concerned. Those measures are defined by the GDPR. The most commonly used of those measures is the conclusion of a specific data transfer contract between the transferring entity and the recipient of the data, whereby the recipient of the data basically commits to comply with the requirements of the GDPR (the standard contractual clauses). There are other types of measures, but they are less common.
4. How does Schrems II impact the data transfers to the US?
The Schrems II decision affects international transfers in two ways:
o First – and this is for the US only: before the Schrems II decision, data transfers between the EU and the US were facilitated under an adequacy decision taken by the European Commission in 2016, based on the ‘Privacy Shield’ adopted between the US and the EU. In its Schrems II decision, the ECJ considered that US laws do not provide sufficient protection to EU data subjects and invalidated that adequacy decision. As a consequence, entities transferring data to US companies relying on the adequacy decision must implement one of the additional safeguarding measures provided in the GDPR. This is already, as such, an important burden, as it implies negotiating new contracts with their US providers.
o Secondly – and this concerns all international data transfers, not only to the US: besides invalidating the adequacy decision for the US, the ECJ also stated that the mere adoption of standard contractual clauses may, as such, not be sufficient to allow the transfer, and that the transferring entity must also verify that, in practice, the laws of the third country concerned give legal effectiveness to the commitments taken by the recipient in the data transfer agreement. If, for instance, the law to which the recipient is subject does not give binding effect to those commitments, or allows authorities to overrule them in some cases, the transferring entity must either adopt supplementary measures to compensate for this or, if that is not possible, cease the transfer.
Frédéric Lebeau, Datavillage
1: Who is Datavillage and why did you start it?
Datavillage is a Belgian-based startup founded in 2019. We work on personal data. We help organizations unlock the value of personal data through their consumers, with user control, confidentiality and transparency. We started the business 2 years ago because we were convinced that there was something to be done, on the one hand, to give people back control of their personal data and privacy and, on the other hand, to let organizations, and especially local actors, use this personal data intelligently.
Much like the giants do in the way they use personal data, but with a completely different approach, meaning transparency with their consumers and what we call an open market: pushing organizations not into the race to collect more and more personal data, but to focus on their products and services.
2: A few months ago, the Flemish region announced a collaboration with Solid. What is Solid and why is it different?
Solid is what we call a personal data store. It's a kind of personal data lake that gives you the opportunity to manage your data and especially access to it. It's not the only personal data store on the market, but it's different because it's based on standard web protocols and especially in the way data are organised. It relies on linked data, making it possible to link your personal data together.
3: What is your product and what does it bring?
Datavillage is a personal data platform that allows organizations to combine and share consumers' data in order to hyper-personalise user experiences. We put users in control and ensure privacy, limiting the complexity and costs of regulation while improving reputation and transparency. A common use case in the financial industry is about scores and checks. Let me give an example in insurance, about calculating your driver profile. This is based on multiple sets of personal data, like your location data. Why should an insurer collect your location data or even get access to it? I would say no way. If I agree or consent, I can share my driver profile, but I would prefer not to share my personal data. This is what we call combining data as processing to get derived data. In our solution, your personal data are in your personal data lake and only the derived data will be shared with the insurer. In regards to GDPR, these 2 types of data are managed differently, and from a privacy perspective it's clearly different.
4: How does it work?
From a more technical point of view, we have what we call consent-driven governance. The service provider integrates a data passport into their experience, selects the data they would like to use and gets a consent token. By using this consent token, they can load data from your personal data store into a data cage. The data cage is a confidential computing environment (privacy preserving, with encryption in process). Data are processed and only derived data come out of the cage.
5: What are your next steps and what are you looking for?
So we just finished our seed round and we are accelerating with the team. Our platform is there and we do PoVs and PoCs with companies that want to explore these new opportunities.
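The consent-driven flow described in the fourth answer above (consent token, scoped data load, processing inside a cage, derived data only leaving it) can be sketched in code. The example below is an added illustration and is not Datavillage's code or API: the token format, the HMAC-signed consent token, the in-memory "personal data store", the driver-score formula and all sample data are constructed here for demonstration. It shows the data-minimisation property that matters for the GDPR argument: the insurer-side caller gets a score, never the location records.

```python
import hashlib
import hmac
import json
import time

# Constructed sample: one user's personal data store holding raw trip data
# and an e-mail address. Illustrative data only, not from any real platform.
USER_DATA_STORE = {
    "user-42": {
        "location_trips": [
            {"km": 12.0, "night": False, "hard_brakes": 0},
            {"km": 40.0, "night": True, "hard_brakes": 2},
            {"km": 8.0, "night": False, "hard_brakes": 1},
        ],
        "email": "alice@example.com",
    }
}

# Hypothetical signing key of the consent service (assumption: a managed secret).
CONSENT_KEY = b"constructed-demo-consent-key"


def _sign(payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(CONSENT_KEY, body, hashlib.sha256).hexdigest()


def issue_consent_token(user_id, categories, purpose, ttl_s=3600, now=None):
    """Issue a consent token scoped to specific data categories and a purpose.
    The payload is HMAC-signed so the cage can reject altered scopes."""
    now = time.time() if now is None else now
    payload = {"sub": user_id, "cats": sorted(categories),
               "purpose": purpose, "exp": now + ttl_s}
    return {"payload": payload, "sig": _sign(payload)}


def verify_consent_token(token, now=None):
    """Check signature and expiry; raise PermissionError on any failure."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(_sign(token["payload"]), token["sig"]):
        raise PermissionError("consent token signature invalid")
    if token["payload"]["exp"] < now:
        raise PermissionError("consent token expired")
    return token["payload"]


def load_into_cage(token, now=None):
    """Load only the consented categories from the user's store into the cage.
    Anything not in the token scope (here: the e-mail) is never read."""
    payload = verify_consent_token(token, now)
    record = USER_DATA_STORE[payload["sub"]]
    return {c: record[c] for c in payload["cats"] if c in record}


def driver_profile(caged):
    """Compute the derived data inside the cage: a 0-100 driver score.
    Formula is constructed for the example (night share and hard braking lower it)."""
    trips = caged["location_trips"]
    km = sum(t["km"] for t in trips)
    night_share = sum(t["km"] for t in trips if t["night"]) / km
    brakes_per_100km = 100 * sum(t["hard_brakes"] for t in trips) / km
    score = round(100 - 40 * night_share - 5 * brakes_per_100km)
    return {"driver_score": max(0, min(100, score)), "km_total": km}


def run_cage(token, now=None):
    """What the service provider receives: derived data only, no raw trips."""
    return driver_profile(load_into_cage(token, now))


if __name__ == "__main__":
    tok = issue_consent_token("user-42", ["location_trips"], "driver-profile")
    print(run_cage(tok))
```

A scope widened after issuance (adding "email" to `cats` without re-signing) fails signature verification, and an expired token is refused, so the cage only ever reads what the user consented to and only hands back the score.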
Laurie-Anne Bourdain, Isabel Group
Standard Contractual Clauses cannot be used blindly anymore, companies first need to perform a Transfer Impact Assessment (TIA) for new and existing transfers towards countries that do not have an adequacy decision.
The EDPB published recommendations in November 2020 (01/2020) on how to perform such TIAs. Their recommendations foresee a 6-step plan that includes:
· Identifying and mapping personal data transfers, including what they call onward transfers: transfers performed by processors and sub-processors; and identifying the transfer tool used (adequacy decision, SCC, BCR…)
· Assessing whether the transfer tool is effective, taking into account the law and general practices of the third country (data protection, surveillance, respect of individuals' rights…), the possibility for data subjects to exercise, efficiently and effectively, their rights and to obtain judicial redress, and the presence and activities of independent supervisory authorities
· Implementing supplementary measures or stopping the transfers when they cannot offer the same level of protection as in the EU.
The performance of such an assessment is particularly difficult for companies, even with a well-staffed legal department, as it requires extensive and up-to-date knowledge of the laws and practices of each country personal data may be transferred to. Only for the USA is this assessment simple (it was done by the CJEU): any company subject to the Foreign Intelligence Surveillance Act (FISA) section 702 and/or to Executive Order 12333 is at risk. This represents a big chunk of the providers we might use.
The supplementary measures mentioned by the EDPB are possible to implement to legitimise data transfers to the USA, but in practice they are extremely impractical (except for a limited set of case studies described in the EDPB recommendations):
· Strong end-to-end encryption of personal data, without the provider having access to the decryption key.
· Anonymisation or pseudonymisation (the provider should receive data that is anonymised for them) of the personal data being processed, with the certainty that the provider cannot re-identify any data subjects
Using a risk-based approach is possible, but not in the sense meant by the GDPR: the risk-based decision to transfer data to the US (or another country) is linked to accepting the risk that the company might be fined (and/or requested to stop the processing). This is not accepting a risk for data subjects or selecting the least worst solution.
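The second supplementary measure listed above (pseudonymisation such that the provider cannot re-identify data subjects) hinges on one detail: whatever maps a pseudonym back to a person must stay with the EU exporter. The example below is an added illustration, not code from Isabel Group or from the EDPB recommendations; the customer records, the secret key and the field names are constructed. It contrasts an unkeyed hash (recomputable from a guessable ID space, so not a real pseudonym) with a keyed HMAC whose key never leaves the exporter, strips direct identifiers and generalises a quasi-identifier before transfer. The first measure, end-to-end encryption with the exporter holding the key, follows the same key-custody principle but is not shown here.

```python
import hashlib
import hmac

# Constructed sample customer records held by an EU data exporter (illustrative only).
EXPORTER_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "birth_year": 1984, "balance": 1250.0},
    {"customer_id": "C-1002", "email": "bob@example.com", "birth_year": 1991, "balance": 300.5},
]
DIRECT_IDENTIFIERS = ("customer_id", "email")


def weak_pseudonym(customer_id):
    """Unkeyed hash of the identifier. Anyone who can enumerate plausible IDs
    recomputes it, so the importer could re-identify records."""
    return hashlib.sha256(customer_id.encode()).hexdigest()[:16]


def keyed_pseudonym(customer_id, key):
    """HMAC pseudonym. Recomputing it requires the exporter's secret key,
    which stays in the EU (assumption: key is kept in the exporter's KMS)."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise_for_transfer(records, key):
    """Build the dataset sent to the non-EU provider and the lookup table the
    exporter keeps. Direct identifiers are replaced by keyed pseudonyms and the
    birth year is generalised to a decade to shrink the quasi-identifier."""
    to_send, lookup = [], {}
    for rec in records:
        pseudonym = keyed_pseudonym(rec["customer_id"], key)
        lookup[pseudonym] = rec["customer_id"]
        out = {k: v for k, v in rec.items()
               if k not in DIRECT_IDENTIFIERS and k != "birth_year"}
        out["birth_decade"] = rec["birth_year"] // 10 * 10
        out["pseudonym"] = pseudonym
        to_send.append(out)
    return to_send, lookup


def reidentify(sent_record, lookup):
    """Only the exporter, holding the lookup table (or the key), maps a
    pseudonym back to the customer."""
    return lookup[sent_record["pseudonym"]]


def recover_without_key(pseudonym, id_space):
    """Pre-transfer check by the exporter: can this pseudonym be recomputed
    from a guessable ID space with no secret? Returns the matching ID or None.
    Succeeds against weak_pseudonym, fails against keyed_pseudonym."""
    for cid in id_space:
        if weak_pseudonym(cid) == pseudonym:
            return cid
    return None


if __name__ == "__main__":
    key = b"constructed-exporter-secret"
    sent, lookup = pseudonymise_for_transfer(EXPORTER_RECORDS, key)
    print(sent)
    print(reidentify(sent[0], lookup))
```

The `recover_without_key` check is the kind of evidence a TIA should record: if a pseudonym can be rebuilt from public or guessable inputs, the measure does not give the "certainty that the provider cannot re-identify any data subjects" that the EDPB requires, and the transfer should not rely on it.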
VIDEO
We are sorry: we encountered a problem during the recording and have only the networking part. Sorry for the inconvenience.