It feels slightly early in the morning to quote Queen, but due to the frenzy of people panicking about transfers outside the EU, I feel I must. So put on your best singing voice and repeat with me loud and clear: The show must go on (not to Freddie Mercury standards, I'm sure, but hey, we are a different kind of rock star).
Now that we are in a better state of mind, let's discuss what we do about this new plot twist: the unloved Privacy Shield has been shot down and the SCCs have survived judicial scrutiny.
1. If you were relying on the Privacy Shield, you have to move to another transfer mechanism (for example, Model Clauses): The bright side is that many companies did this when Safe Harbour fell, so there should be no great shock to the system in doing this.
2. Nothing has changed when you use Model Clauses/SCCs (well, not really): The fact of the matter is that the CJEU has pointed out something that was always the case - the controller needs to be satisfied that the terms of the Model Clauses can and will be complied with, i.e. make sure you know who you are transferring data to and what can happen to it.
What this means in practice: Don't just add Model Clauses to an appendix in the agreement, do your homework, make sure you're happy that the importer can process the data in that specific location and have the paperwork to prove it (i.e. Accountability). Carry out a DPIA if it makes sense to do so.
3. Know your people: Make sure you know who is in the processing chain (yes, that means finding out who all the sub-processors of the sub-processors are) and the legal disclosure requirements and policies that apply to them. Surveillance laws are (in many countries) not a blank cheque. In most cases there are grey areas and judgement calls must be made by the company. Understand what those requirements are and what criteria the players in the chain use to make judgement calls when it comes to disclosure.
4. Have a plan: Make sure you have a clear internal policy on disclosure.
5. Be transparent: Remind your users that in certain cases you may be required to disclose and that you have clear criteria for doing this. This is not always a bad thing: you may need to disclose data to find a missing person, and if the data you disclosed helps the police find someone who might otherwise have ended up as a dead body in a ditch, it is good karma and positive PR.
6. Remember - Pay peanuts and you'll get monkeys: Sometimes you have to make a judgement call and not send data to a jurisdiction that is not safe enough. It's good for your users, which means it's good for your clients and therefore good for your business. Cheaper is not always better. Invest in quality; after all, privacy is all about trust.
7. Don't panic: Keep an eye on what DPAs say and be prepared to adapt.
On with the show!