"if a data subject can withdraw explicit consent for cross-border transfer"
This very question became a matter of vital and very real concern for me today. I'm long-term unemployed and finding it very difficult to re-enter the workplace because of a gap in my employment history brought about through a nervous breakdown and my previous employer not wanting to give me a reference. As you may know, parts of the social welfare (notably, what is called "activation" for long-term unemployed) have become privatised in recent years both in the UK and in Ireland.
I received a letter last week "inviting" me to sign up with a company called "Turas Nua", with the threat that if I did not, my jobseeker's allowance would be cut. I attended the meeting today and discovered three very disturbing points:
- there is zero privacy, since all "one-on-one" sessions are conducted in an open plan office
- this private company already had all my personal details, as supplied by the relevant government department, though I had never consented to this
- they are using the Salesforce cloud platform, a US company
At the end of the session, after I had pointed out these things, I was asked to sign a declaration and consent form. It asks me after the fact whether my details can be processed by them. These are three massive breaches of the privacy of people being sent on these schemes. If I sign, I am effectively surrendering my rights to privacy and probably subjecting myself to a year of hell, while if I refuse, I will either lose benefits or find myself in a different kind of hell: that of fighting against the civil service to assert my right to privacy, a right that they don't seem to hold in very high regard.
Before anyone complains and calls me a malingerer or whatever, I do want to get back into the workplace and I am doing what I can to make it happen. Short of lying about the period I've been unemployed or being shoved into a miserable job that I'm not suited to (both of which I've been advised to do in the past, and will no doubt be "advised" to me again by Turas Nua), I despair of being able to get back to meaningful employment.
To bring it back to the topic of "Standard Contract Clauses" (the current fig-leaf used to justify data sharing with the US), I have two things to say:
- Data shared across non-EU/non-GDPR boundaries needs to be protected to the same high level as the data subject's home country; and
- States have a massive vested interest (thanks, in my case, for example) in these protections being weakened or removed to keep the wheels of globalisation and privatisation working.
Corporate privatisation of our personal data is shaping up to be the next thing that's "too big to fail". We need many more people like Schrems if there's to be any chance of stopping this.