On July 16, 2020 the Court of Justice of the European Union (CJEU) declared the EU-US and Swiss-US Privacy Shield mechanisms invalid for the transfer of personal data to the United States (US). This means the US is no longer an ‘adequate’ country in the eyes of the European General Data Protection Regulation (GDPR). As a result, standard data protection agreements are no longer valid, and organizations have to scramble to find other transfer grounds in the GDPR. Often this results in using standard contractual clauses (SCCs) or explicit consent from the data subject. Some large organizations have binding corporate rules (BCRs) in place, but these are not often used, since they can take a long time to be approved by the competent supervisory authority.
For example, when there is an American controller (read: data importer) and an EU processor (read: data exporter), there are no applicable SCCs that can be used. When there are also no BCRs that can be used, explicit consent from the data subject can be a solution.
New SCCs are now expected, but what exactly was missing from the original SCCs? Firstly, the SCCs that are currently still valid under the GDPR were adopted in 2001, 2004 and 2010, long before the GDPR came into effect in 2018. While still valid for now, they are not ideal. Secondly, sometimes there is no fitting SCC, as with the previously mentioned American controller, or with two processors (one American and one European). Lastly, the SCCs do not fully incorporate the language required under art. 28 of the GDPR; this often has to be added in an addendum by the parties, which makes something that should be standard more complicated.
On November 12, 2020 the European Commission announced the publication of new SCCs to facilitate the transfer of personal data from the EU to third countries, i.e. countries without an adequacy decision. These new SCCs were also drafted in light of the recent Schrems II judgement, so they should be suitable for immediate use. In this article we will look at the Schrems II judgement, these new SCCs and whether these new SCCs can provide a solution to the current situation.
The Schrems II judgement invalidated the framework upon which almost 5,000 US companies relied to transfer personal data across the Atlantic. The CJEU found that, despite the agreements and rules made in the Privacy Shield framework, there cannot be effective protection of the rights and freedoms of European individuals when their data is located in the US. The reason for this is that EU citizens have no effective judicial redress in light of ongoing US surveillance. It is an open secret that the US is engaged in mass surveillance and is actively eavesdropping on EU-US internet traffic. Personal data that is stored on the servers of US organizations can in some cases be seized by intelligence authorities without any notification to the EU citizen. In those cases the EU citizen has no legal remedy for the situation, meaning there is no court to go to. To summarize, far-reaching intelligence gathering practices by the US render any agreement between parties in the EU and the US regarding the transfer of personal data null and void.
Because the existing SCCs were no longer fit for purpose in light of the Schrems II judgement, the European Commission has published new SCCs, which are currently in draft form. These new SCCs aim to address the issues that have arisen and to be applicable to more use cases.
These new SCCs sure sound great, but how do they tackle the problems identified in the Schrems II judgement?
First of all, clause 2a of the new SCCs states that the parties to the agreement must warrant that they have no reason to believe that the laws in the third country prevent the data importer from fulfilling its obligations under these clauses. [2] In order to fulfil this requirement, the parties must look at the specific circumstances of the transfer by carrying out an assessment, which will have to include the following:
Effectively, this means that a data transfer impact assessment (TIA) will have to be completed before the transfer of personal data takes place. The results of this TIA have to be made available to the competent supervisory authority upon request.
Secondly, the new SCCs state that the data importer in the third country will need to notify the data exporter in the EU about any government requests it receives, for example from a law enforcement agency. If the data importer is prohibited from notifying the data exporter for any reason, it must use its best efforts to obtain a waiver in order to notify anyway. When notifying, the data importer has to provide the greatest possible amount of information about the request to the data exporter without infringing the law of the data importer's country. If the data importer has to comply with a request and there is no way to escape this, the following actions must be taken:
Thirdly, the new SCCs provide for increased security measures, which must be listed in annex II of the document. A key measure is encryption, in order to prevent authorities from accessing the data. However, the clauses do not indicate what kind of encryption needs to be used. In addition, anonymization and pseudonymization play an important role in increasing the overall security of the processing activity. Persons authorized to process the personal data (working for the data importer) must sign confidentiality agreements. These measures must be applied, but not in a way that renders the data unreadable or inaccessible to the transfer recipient, meaning the goal of the data processing must still be achievable.
The new SCCs are now available in all the flavors an organization would want, something the old SCCs did not offer. They strive to establish a working relationship between European and American counterparts, while still acknowledging the reality of the Schrems II judgement. They rightly demand that increased technical and organizational measures be taken before personal data can be processed. A TIA before the transfer of personal data is mandatory and must be produced upon request by the supervisory authorities. The question then is: is this a true solution? This remains to be seen. From a legal perspective the TIA requirement is a solid commitment to the identification and mitigation of privacy risks, but it is a big task to fulfil for smaller organizations. The same can be said about the commitment to the GDPR and the new SCCs that an organization has to display when pressured to comply with governmental organizations in its own home country. Lastly, the new SCCs require the organization residing in the third country to have a thorough understanding of that country's law. Challenging governmental orders and, if push comes to shove, doing only the minimum that is required sounds a lot easier than it is in practice. Smaller organizations will struggle to cope with this reality.
The new SCCs are still in draft form. While the public consultation period has ended (10 December 2020), there are no final versions yet. These draft SCCs do provide insight into what is to come, as they are unlikely to change substantially. When the new SCCs are final, they will need to replace the old SCCs; it will not be permissible to keep using the old ones. This will require some work from privacy professionals, as the new SCCs require an assessment to be carried out.
Additionally, organizations in third countries will need to make a firm commitment to put their foot down when it comes to interaction with their own government and its organizations. It remains to be seen how this will play out in practice.
[1] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries
[2] Clause 2a, page 13, Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council