An Overview of Recent Developments
Concerns are mounting for companies around the world as they consider their ability to transfer data from the EU following the recent decision of the Court of Justice of the European Union in Data Protection Commissioner v. Maximillian Schrems (Schrems II), the subsequent proposed guidance on data transfer measures coming out of Europe, and the recent post-Brexit Cooperation Agreement between the EU and the UK. The following alert distills the impact of these developments and provides practical suggestions and insight into what others are doing in response.
Invalidation of Privacy Shield. In the Schrems II decision, the Court invalidated the EU-U.S. Privacy Shield, which had served as the basis for an adequacy decision covering transfers of EU personal data to the U.S. under the GDPR. Overnight, thousands of companies that participated in Privacy Shield, or whose vendors relied on it, lost the assurance that their cross-border transfers were deemed adequate.
Standard Contractual Clauses Alone May Not Be Sufficient. The Court further indicated that standard contractual clauses (“SCCs”) alone may not be sufficient for cross-border personal data transfers and that supplementary measures may be necessary to adequately protect EU personal data when it is transferred outside of the European Economic Area (“EEA”).
- Need for Supplemental Measures to Avoid U.S. Government Surveillance. The European Data Protection Board (“EDPB”) issued further guidance on data transfer practices on November 11, 2020, which elaborated on the Schrems II decision and provided additional information about the supplementary measures that may be necessary to protect EU personal data that is transferred out of the EEA to avoid access to and surveillance from the U.S. and other foreign governments.
- FISA and Executive Order 12333 Concerns. Specifically, the EDPB was concerned that non-U.S. persons lack adequate judicial redress against U.S. government surveillance activities under both Section 702 of the Foreign Intelligence Surveillance Act (“FISA”)[1] and Executive Order 12333, as both provide broad surveillance authority that may not be limited to what is strictly necessary, as EU law requires.
- EU Ability to Block Transfers Where Risk of Government Surveillance Exists. EU member state data protection authorities are empowered to suspend or ban data transfers where factual conditions are present that would render the SCCs ineffective, including the likelihood of government surveillance of, and access to, the personal data of EU data subjects.
- Adequate Protections. As described below and outlined in Annex 2 of the EDPB guidance, the EDPB identified a non-exhaustive list of supplementary measures that companies should consider and that could provide adequate protection against such surveillance (see step #2 below).
- New SCCs with Four Modules. In a draft released November 11, 2020, the European Commission proposed updated standard contractual clauses structured as four modules. The comment period for the new SCCs ended on December 21, 2020, and the final text is expected to be adopted and take effect in the first quarter of 2021. Previously, the SCCs only contemplated controller-to-controller and controller-to-processor transfers of personal data. The four modules of the new SCCs cover additional transfer scenarios:
- Controller-to-controller transfers
- Controller-to-processor transfers
- Processor-to-processor transfers
- Processor-to-controller transfers
If adopted, the new SCCs will require updates to many companies’ form agreements, but even that may not be enough to assure adequacy when transferring data from the EU to the U.S.
- Supplementary measures, such as pseudonymization and encryption, may still be necessary to ensure an adequate level of protection for EU personal data transfers.
Guidance on EU-UK Data Transfers Post-Brexit. The Cooperation Agreement between the EU and the UK contains a temporary solution which: (i) keeps personal data flowing between the EU and UK without the need for any additional adequacy mechanisms; and (ii) paves the way for a future UK adequacy decision.
- Under the Cooperation Agreement, there is a transition period of at least four (and up to six) months during which transfers to the UK are not treated as transfers to a “third country” and, as a result, personal data can flow from the EU to the UK without any additional transfer mechanism (e.g., SCCs). Accordingly, no action is required as it relates to EU-UK data transfers (for now).
- During the transition period, the European Commission will be preparing its adequacy decision for the UK. The transition period terminates automatically if a UK adequacy decision is adopted before it ends. However, many observers consider adoption within that window unlikely, and the transition period may be extended beyond six months.
Five Steps Companies Can Take Now to Keep Data Flowing from the EU
With the regulatory landscape still a moving target, what steps should organizations be taking now to best position themselves while waiting on the finalization of terms from the European Commission?
1. Identify Key Exposure Areas by Developing and Updating Data Inventory and Records of Processing. The first step in complying with the EU’s data transfer requirements is to establish and maintain an inventory of the personal data that your company processes and to document (e.g., through data mapping, records of processing, data inventory and other procedures) how that personal data is transferred to and from vendors and third parties inside and outside of the EEA. A complete inventory of your data, and an understanding of how personal data flows in and out of your organization, identifies the areas of risk that must be addressed to comply with the EU’s new requirements and will expedite the revision of the affected contracts once the new SCCs are finalized.
2. Understand Scope and Create a Risk-Based Action Plan. Companies should evaluate and update their existing form agreements and create an action plan to ensure that the new SCCs are implemented once the drafts are approved by the European Commission. Depending on the company and its regulatory risk, many companies are structuring that action plan using a risk-based approach.
- Short-Term Solutions for EEA, Swiss, and UK Data Transfers While New SCC Forms Are Being Finalized. Given that the new EU standard contractual clauses are expected to be finalized in early 2021, we are starting to insert into current DPAs language that allows our clients to amend the agreement as it relates to EEA, Swiss, and UK data transfers (including by incorporating the new SCCs by reference once finalized) by providing the counterparty with 15 days’ notice. Hopefully this will allow our clients to implement the new version of the EU SCCs easily once they are in final form, without having to agree in advance to potentially onerous requirements that may appear in the final versions.
- Priority Contracts. First, develop an immediate action plan for updating existing higher risk contracts and contracts that rely exclusively on Privacy Shield for data transfers. For example, companies should initiate amending contracts relying on Privacy Shield now.
- Contracts that Need New SCC Form. Second, if using SCCs as the transfer mechanism going forward, analyze the new versions of the SCCs and ensure that the appropriate version of the new SCCs is implemented in all applicable contracts and form agreements once the drafts are approved by the European Commission.
- Lower Risk Contracts at Renewal or Opportunistically. Third, create an action plan that prioritizes the remaining amendments on a risk basis in order to mitigate the risk that data transfers from the EU are not sufficiently protected.
- Activities to Conduct Simultaneously. Your action plan should take into account the following activities:
- Conducting Transfer Impact Assessments. Where the European Commission has not issued an adequacy decision for the destination country, the EDPB’s guidance recommends that the exporter verify that its transfer tool (e.g., standard contractual clauses, binding corporate rules) is effective in practice by assessing whether the law or practice of the country to which personal data is being sent could infringe on the rights of EU data subjects.
- Determining Whether the Receiving Jurisdiction Offers Adequate Protection. Companies should consider factors such as:
- Whether the receiving jurisdiction has laws in place that offer the same or similar protections and guarantees as the EDPB European Essential Guarantees (see discussion above regarding FISA and Executive Order 12333);
- The nature of the personal data involved in the transfer and the level of risk associated with such personal data;
- The purposes for which the personal data are being processed; and
- The security measures taken to protect the data in the receiving jurisdiction (e.g., encryption or adherence to information security frameworks such as ISO 27001).
- Identifying When Supplementary Measures Apply. Supplementary measures will need to be utilized for any personal data that is being imported to a jurisdiction where transfer mechanisms, such as SCCs, may not be sufficient to protect EU personal data (e.g., transfers of EU personal data to the U.S.).
- Identifying Types of Supplementary Measures. If the receiving jurisdiction does not provide an essentially equivalent level of protection for personal data, the transfer mechanism alone will be considered insufficient, and a case-by-case analysis is required to determine which supplementary measures are needed to bring the protection up to a level equivalent to that in the EU. Such supplementary measures may include:
- Pseudonymization of the personal data prior to the transfer;
- Strong encryption controls that ensure that the personal data cannot be accessed in the clear once transferred outside of the EEA (in the EDPB’s use cases, the decryption keys are held solely by the exporter or another entity in the EEA and are never available to the importer);
- Additional contractual measures, such as requirements to use certain types of encryption or other technical measures to protect personal data or contractual obligations to challenge the legality of any order to disclose personal data by the receiving jurisdiction; and/or
- Considering whether the derogations for specific situations under Article 49 of the GDPR may be relied upon, alone or alongside SCCs and other measures, to permit a transfer in the absence of an adequacy decision. However, the situations in which derogations apply will, in all likelihood, be limited to specific, occasional cases.
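The first two measures above only work if the importer (and anyone who can compel the importer) cannot reverse them. The following added example, written for this alert and not taken from the EDPB guidance or any client material, contrasts an unkeyed hash of an identifier, which an importer can undo by simply recomputing it for guessable values, with keyed (HMAC) pseudonymization in which the key and the re-identification table stay with the exporter in the EEA. The records, names and domains are constructed sample data; the class and function names are illustrative.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed sample input: EU employee records an exporter wants to share with
# a U.S. analytics vendor. Names and domains are invented for this example.
EU_RECORDS: List[Dict[str, str]] = [
    {"email": "anna.meyer@example.de", "country": "DE", "salary_band": "B2"},
    {"email": "luc.dubois@example.fr", "country": "FR", "salary_band": "A1"},
    {"email": "anna.meyer@example.de", "country": "DE", "salary_band": "B2"},
]

# Fields that identify a person directly and must not leave the EEA in the clear.
DIRECT_IDENTIFIERS = ("email",)


def unkeyed_pseudonym(value: str) -> str:
    """The weak pattern: a plain SHA-256 of the identifier.

    Anyone holding the export can recompute this for guessable identifiers, so it
    gives no protection against the importer or a party that compels the importer.
    """
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class EEAPseudonymizer:
    """Keyed pseudonymization; the key and lookup table stay with the exporter.

    Tokens are HMAC-SHA256 over the identifier. Without the key a token can be
    neither recomputed nor reversed; only the exporter can re-identify via its table.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}  # token -> identifier, kept in the EEA only

    def pseudonym(self, value: str) -> str:
        token = hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        self.lookup[token] = value
        return token

    def export(self, records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
        """Return copies of the records with direct identifiers replaced by tokens."""
        out = []
        for rec in records:
            exported = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            for field in DIRECT_IDENTIFIERS:
                exported[field + "_token"] = self.pseudonym(rec[field])
            out.append(exported)
        return out

    def reidentify(self, token: str) -> Optional[str]:
        return self.lookup.get(token)


def dictionary_attack(tokens: Set[str], guesses: Iterable[str],
                      token_fn: Callable[[str], str]) -> Dict[str, str]:
    """What a party without the key can do: recompute tokens for guessed identifiers."""
    return {token_fn(g): g for g in guesses if token_fn(g) in tokens}


def demo() -> Dict[str, object]:
    guesses = ["anna.meyer@example.de", "luc.dubois@example.fr", "nobody@example.com"]

    # Weak export: unkeyed hashes. The importer recovers every guessable identity.
    weak_tokens = {unkeyed_pseudonym(r["email"]) for r in EU_RECORDS}
    weak_hits = dictionary_attack(weak_tokens, guesses, unkeyed_pseudonym)

    # Keyed export: the importer sees only tokens and non-identifying attributes.
    exporter = EEAPseudonymizer()
    exported = exporter.export(EU_RECORDS)
    keyed_tokens = {r["email_token"] for r in exported}
    # Without the key, the importer can only try unkeyed recomputation or a wrong key.
    keyed_hits = dictionary_attack(keyed_tokens, guesses, unkeyed_pseudonym)
    wrong_key = EEAPseudonymizer(key=secrets.token_bytes(32))
    wrong_key_hits = dictionary_attack(keyed_tokens, guesses, wrong_key.pseudonym)

    return {
        "exported": exported,
        "weak_recovered": len(weak_hits),
        "keyed_recovered": len(keyed_hits) + len(wrong_key_hits),
        # Keyed tokens stay consistent per person, so analytics can still join records.
        "same_person_linkable": exported[0]["email_token"] == exported[2]["email_token"],
        "exporter_reidentifies": exporter.reidentify(exported[0]["email_token"]),
        "raw_identifier_leaked": any("email" in r for r in exported),
    }


if __name__ == "__main__":
    result = demo()
    print("unkeyed hash: identities recovered by importer =", result["weak_recovered"])
    print("keyed HMAC:   identities recovered by importer =", result["keyed_recovered"])
    print("exporter re-identifies first record as", result["exporter_reidentifies"])
```

Two caveats a practitioner should keep in mind. First, keyed pseudonyms are still personal data in the exporter’s hands, and the table and key must be protected and retained in the EEA for the measure to count. Second, the remaining attributes (country, salary band, and so on) can re-identify people in small populations, so the assessment in step #2 must look at the whole exported record, not just the identifier fields.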
3. Develop Approach and Pre-Prepared Answers for Responding to Third-Party Questionnaires. Companies should prepare for an increase in the number of third-party questionnaires they receive from customers, particularly if the company is exporting EU personal data to the U.S. or to other jurisdictions that do not offer an adequate level of protection. Companies may consider preparing a statement that can be issued to customers and data exporters describing the company’s approach to protecting EU personal data and dealing with law enforcement requests.
4. Train Sales Force and Other Internal Stakeholders. Internal employees and contractors who may be impacted by the changes to personal data transfer practices and contractual obligations (e.g., procurement, sales, legal) should be trained on the company’s updated approach, the implications of the EDPB’s guidance and the supplementary measures that may be utilized in cross-border data transfers. Relevant employees should also be trained on the company’s approach in responding to law enforcement requests to access personal data.
5. Streamline a Global Approach and Update Documents for Multiple Law Changes Simultaneously. For a more streamlined and consistent approach to cross-border transfers of EU personal data, companies should consider adopting a global approach to implementing supplementary measures and additional contractual obligations. For example, consider whether the scope of such supplementary measures and contractual obligations can be defined in the underlying contract so as to apply broadly to all data flows, without creating undue EU-specific obligations on the organization. While updating form agreements and existing contracts, consider whether other updates should be incorporated to comply with the California Consumer Privacy Act (CCPA) and/or other pending, new or updated privacy laws (e.g., the UK post-Brexit, Thailand, Brazil, New Zealand, Singapore, South Africa or other jurisdictions).
Privacy Shield Note. Companies should continue to adhere to their Privacy Shield obligations while they remain part of the program. Although invalidated as a transfer mechanism in the EU, Privacy Shield is still law in the U.S., and the FTC has indicated that it will enforce it. The data protection commitments made under it still apply to vendor contracts and terms of service, and could form part of a mix of arguments demonstrating adequate protection. In addition, the U.S. Department of Commerce has indicated that it is working on a revision to the Privacy Shield that may address the EU’s concerns and provide a way for companies to recertify and obtain an adequacy determination from the European Commission in the future.
To Learn More. To learn more about the impact on your company and how to implement an effective approach to supplementary measures and the new standard contractual clauses, please contact Tyler Newby or Kenia Rincon.
[1] Section 702 of FISA applies only to “electronic communication service providers” (i.e., a telecommunications carrier, a provider of electronic communication service, a provider of a remote computing service, any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored, or an officer, employee, or agent of such a company, as defined in 50 U.S.C. § 1881(b)(4)).
*Marc Loewenthal, Sr. Advisor, Privacy & Cybersecurity contributed to this article.