Privacy Talk with Dr. Matthias Artzt, Senior Legal Counsel at Deutsche Bank AG: What is the industrial impact of Schrems II?

By Kohei Kurihara. Published in Privacy Talk, Jan 20, 2022.

This interview covers data transfer and blockchain law.

Kohei has a great time discussing privacy regulation with Dr. Matthias Artzt.

This interview outline:

  • Introduction
  • Why did you start to work in the privacy field?
  • What is the industrial impact of Schrems II?
  • What are the requirements of the new EUSCC?

Kohei: Thank you, everybody, for coming to the Privacy Talk. I’m quite honored to be with Matthias from Germany.

He is an expert and a practitioner in the space of data protection. I’m quite honored to be with you, Dr. Matthias, at this time and to interview you at this moment. Thank you for coming this time.

Matthias: Thanks for having me.

Kohei: Thank you. So let me start to speak about his profile.

  • Introduction

Dr. Matthias Artzt is a certified lawyer and has been senior legal counsel at Deutsche Bank AG since 1999. Prior to joining Deutsche Bank he worked as a lawyer at a law firm in Stuttgart, Germany.

He has been practicing data protection law for many years and was particularly involved in the implementation of the GDPR within Deutsche Bank AG. He advises internal clients globally regarding data protection issues as well as complex international outsourcing agreements involving data privacy related matters and regulations.

He is a graduate of the University of where he obtained his Doctor of Law degree. Moreover, he is a member of the International Association of Privacy Professionals (IAPP) and since January 2018 a Certified Information Privacy Professional/Europe (CIPP/E). Since January 2020 he is also a member of the European Advisory Board of the IAPP.

Again, I’m very honored to be with you, Matthias, to talk in this interview.

Matthias: Thank you. I am very much honored to have the privacy talk with you today and to provide some insights and background in the European regulatory realm.

Kohei: Alright, so anyway, let’s start with the first topic. I’m very curious about your profile and why you started to work in the privacy field. We were on the same panel at one privacy conference, where it was great to meet you, and I was inspired by your very good expertise. So why did you start to work in the data privacy field?

  • Why did you start to work in the privacy field?

Matthias: Well, thanks for the kind introduction. Before joining the data privacy department I was covering many legal areas, for example capital investment law, credit law and all these sorts of things.

Interestingly, when acting as a Legal Risk Manager in Frankfurt and London I had to deal with some data privacy-related topics — that actually drew my attention and aroused my curiosity.

At the same point in time and by coincidence, there was a vacancy in the data protection department in Frankfurt — I took this unique opportunity to join the data protection team, a decision I have never regretted.

In the wake of the birth of the GDPR in 2018, data protection has been considered as an evolving and a growth area — as it is today.

It is worth noting that data protection law has become a stand-alone legal area; data protection is no longer an appendage to IT/IP law as it was until 2018 — this is a fairly similar development to blockchain law, which has also become an independent field of law.

In view of these new developments many law firms ramped up their teams with a clear focus on data protection. That was also an encouraging trigger for me to exclusively focus on data protection law. It goes without saying that being a privacy professional significantly strengthens your job profile internally as well as externally.

Acting as an inhouse lawyer, I have to say, that data protection is very often an issue when it comes to assessing new business cases; data protection experts are deemed as key stakeholders and the business is demanding their advice and expertise from the outset.

In a nutshell: Data protection has stepped out from its niche; it has become an emancipated field of law of utmost importance. And this was for me the motivation to heavily focus on data protection and it’s something I will do post retirement for sure.

Kohei: Awesome. I was reading some of your publications before; they were very informative and I was very inspired by them. I have been looking into information regarding Europe from Japan, and it’s very hard for Japanese people to understand how it works in Europe, and they also try to apply the baseline in Europe.

So the next question is about the transitions. I think there is a tsunami in the data privacy space right now, especially with Schrems-I and Schrems-II, over these past five or six years. There was a very big impact on all industries, especially on the banking sector, I assume. So, what is the impact of Schrems-I and Schrems-II, especially on the banking sector, so far?

  • What is the industrial impact of Schrems II?

Matthias: It’s a very good question. Schrems II does not impact the banking sector only, but also all industrial sectors which export personal data to third countries. Just to put this question in a broader context, I guess most of you may be familiar with this stuff, but it’s sometimes very beneficial to see the historical development when it comes to international transfers of personal data.

The Schrems case challenged the Irish Data Protection Commissioner’s refusal to investigate a complaint submitted by Max Schrems, who is an Austrian data protection activist and who requested the Irish data protection authority to suspend data transfers from Facebook Ireland to Facebook US.

That was due to Mr. Schrems’ concern that the Snowden revelations suggested his personal data could be accessed by U.S. intelligence authorities and his privacy rights would be at risk.

At that point in time, Facebook relied on the Safe Harbor Framework which had been put in place between the European Union and the United States as the legal basis for personal data transfers under the EU Data Protection Directive. The Irish High Court referred the case to the European Court of Justice.

In 2015, the European Court of Justice ruled that the European Commission’s adequacy determination for the Safe Harbor Framework was invalid, which led to the creation of the Privacy Shield framework between the European Union and the United States.

In a separate case, often referred to as “Schrems II”, the European Court of Justice invalidated the European Commission’s adequacy determination for the Privacy Shield. That decision was launched in July 2020. I will get back to that in a little while.

So what is the impact on the banking sector in this regard? Schrems II is clearly a landmark decision and a game changer for international data transfers for all data exporting companies in the EU.

In a nutshell: Privacy Shield is dead, but companies which export personal data to any third country data importers may rely upon the EU Standard Contractual Clauses since they still remain valid and can be used as a legitimate data transfer mechanism.

But here is the thing and the flipside: According to the new requirements data exporter and importer must closely cooperate aiming to assess the individual data transfer on a case-by-case basis and to safeguard personal data if the data may be exposed to mass surveillance activities carried out by third country intelligence services or authorities. That risk assessment is called Transfer Impact Assessment.

EU data exporting companies have to conduct such a Transfer Impact Assessment — namely prior to transmitting personal data to data importers located in a third country. This necessitates a case-by-case consideration and documentation.

Here the guidance of the European Data Protection Board issued in June 2021 comes into play: it is a great tool which helps data exporters to conduct a case-by-case risk assessment in relation to the data transfer concerned.

The overall impact on companies is that they have to build up their own governance models and to implement new processes from scratch in order to stand up to the scrutiny of the competent data protection authorities when carrying out Transfer Impact Assessments.

  • What are the requirements of the new EUSCC?

Kohei: Thank you. Yeah, it’s moving so fast, and it’s becoming highly complex, especially with the new SCC, which is also a concern for some of the global companies that try to take this choice with these new tools. I think the new SCC will be required, with the deadline some months from now.

What are the features of the new EUSCC at this moment?

Matthias: I think the most pressing issue is to implement the new standard contractual clauses when it comes to transmitting personal data from the EU to third countries without adequacy determination.

To put it in a broader context: The EU Commission issued new Standard Contractual Clauses in June 2021. It is worth noting that the EU Commission has baked in the Schrems II requirements alongside the key terms for data protection agreements according to Art. 28 of the GDPR; with that, it is fair to say that the new EUSCC are catch-all templates and must be put in place for cross-border data transfers to third country data importers.

In addition, companies must repaper and remediate their service contracts with internal and external vendors by end of this year with the purpose of replacing the old EUSCC with the new ones.

What are the quirks and features of the new EUSCC?

- The EUSCC have been split up into 4 modules: Controller to Processor and vice versa, Controller to Controller and Processor to Processor. All of them are commingled in one contract template; not easy to digest — it is much better to split it up into 4 separate contractual templates which reflect the four data transfer scenarios.

The obligations laid out in the new Standard Contractual Clauses require data exporters to permanently monitor surveillance laws and practices in the foreign country. This will enable companies to conduct a Transfer Impact Assessment thoroughly.

So the first thing is you have to assess the legal and regulatory environment and how the law is being applied in practice. The next step is to assess this individual data transfer to that third country’s data importer.

The Transfer Impact Assessment entails an overload of assessment and documentation activities; any failure to do so is heavily sanctioned.

That obligation resides with data exporters based in Europe. It is worth noting that data importers in third countries which envisage to sub-delegate services and to onward transfer personal data to any other subsidiaries or sub-contractors are not required to perform a Transfer Impact Assessment.

In order to evidence that you’ve done your job properly whenever a data protection authority wants to see what kind of assessment you have undertaken, you should definitely be ready to present the outcome of the Transfer Impact Assessment.

To wrap up what is now required: Companies must design and document criteria when assessing the permissibility of international data transfers; more importantly, they have to vet and regularly monitor foreign surveillance laws and practices.

Kohei: Thank you. Yeah, I feel it’s very complex. Even though some companies have adopted the former SCC, the new SCC is coming right now. It’s very hard for them to adapt, not just on a contractual basis; organizational and technical measures are also required for the Transfer Impact Assessment. There are very important supplementary measures.

So my next question is…

Thank you for reading, and please contact me if you want to join an interview together.

Privacy Talk is a global community with diversified experts; contact me on LinkedIn below if we can work together!
