11 Months After Schrems II - How Are Organizations Addressing Risk?

Ankura

Organizations are closely tracking which of their vendors previously relied on Privacy Shield. Separately, they are preparing Transfer Impact Assessments (“TIAs”) to evaluate and address risks associated with personal data transfers from the European Union to the United States.

Impact of Schrems II

On July 16, 2020, the Court of Justice of the European Union ("CJEU") declared the EU-US Privacy Shield, the framework regulating transatlantic exchanges of personal data between the European Union and the United States, invalid (the "Schrems II" Decision). Although the CJEU ruled that international data flows under the General Data Protection Regulation (“GDPR”) can continue to be based on properly monitored EU Standard Contractual Clauses, this did little to quiet the alarm bells resounding in the privacy world in the wake of the Decision.

To put it mildly, the Schrems II Decision created chaos for organizations transferring personal data from the European Union to the United States, not only because of the precarious legal position it created for them, but also because of the perception that most of this transferred personal data is monitored by US national intelligence agencies. While we doubt that US national intelligence agencies care to surveil the personal and commercial data of EU citizens, our opinion does not matter. The article below outlines a path forward…for now.

EU Regulatory Action

Regulatory action from the European Data Protection Authorities is heating up. In March 2021, the Data Protection Authority of Bavaria declared the use of Mailchimp by a fashion magazine impermissible due to non-compliance with Schrems II. The Bavarian DPA noted the fashion magazine failed to assess the privacy risks and did not implement supplementary measures for the transfer of EU personal data to Mailchimp, hosted in the United States. In April 2021, the Portuguese Data Protection Authority ordered the National Institute of Statistics to stop a transfer of personal data to the United States, citing the Schrems II ruling. EU regulators are also asking organizations to outline what additional measures data controllers take for certain transfers to the United States within the context of the CJEU's decision.

Guidance from EDPB

Following the CJEU's decision, the European Data Protection Board (“EDPB”) issued guidance which outlined the following six-step plan:

  1. Know your transfers
  2. Verify the transfer tool your transfer relies on
  3. Assess the law or practice of the third country
  4. Identify and adopt supplemental measures
  5. Take formal procedural steps
  6. Re-evaluate at appropriate intervals

As with most guidance from the EDPB, organizations need to take a practical approach when implementing these steps.

  1. Know Your Transfers

Creating a data inventory of assets and processing activities and populating the inventory attributes through risk assessments enable organizations to identify cross-border data transfers. Organizations can pinpoint both the processing activities involved in cross-border data transfers and the location of assets which store personal data of European Union residents.

  2. Verify the Transfer Tool Your Transfer Relies On

Over 5,000 organizations in the United States used the Privacy Shield mechanism to comply with GDPR when transferring personal data from the European Union to the United States. Now that the Privacy Shield has been invalidated, the other legal data transfer mechanisms available in GDPR for transferring data from the European Union to the United States are Standard Data Protection Contractual Clauses (“SCCs”), Binding Corporate Rules (“BCRs”), codes of conduct, certification mechanisms, ad hoc contractual clauses, and derogations. Among these, SCCs are the most common mechanism for cross-border data transfers. Organizations must apply SCCs both 1) for intragroup transfers between the divisions and subsidiaries of an organization in Europe and the United States and 2) for data transfers to any processors or vendors.

  3. Assess the Law or Practice of the Third Country

There are different federal laws which should be assessed for cross-border data transfers.

Section 702 is a key provision of the Foreign Intelligence Surveillance Act (FISA), added by the FISA Amendments Act of 2008. It permits the US government to conduct targeted surveillance of foreign persons located outside the United States, with the compelled assistance of electronic communication service providers, to acquire foreign intelligence information.

Executive Order 12333 is a general directive under which a variety of US foreign intelligence activities are conducted, including certain electronic surveillance activities.

The U.S. Department of Commerce, in conjunction with the Department of Justice and the Office of the Director of National Intelligence, released a white paper which provides guidance on this topic. The white paper argues that a vast majority of US companies do not handle data that is of any interest to US intelligence and government agencies.

  4. Identify and Adopt Supplemental Measures

Organizations should assess the supplemental measures that are in place for the protection of personal data of European residents. These include contractual, technical, and organizational measures. Contractual measures include, for example, identifying the legal basis for processing personal data and the type of SCCs the organization is using. Technical measures include encryption, pseudonymization, and anonymization. Examples of organizational measures are access rights management, access control, and implementation of retention periods.

  5. Take Formal Procedural Steps

The formal procedural steps thus far have been two-fold.

First, we are helping organizations without a robust vendor management program compare their list of vendors to the Privacy Shield registrant list to assess if any of their vendors are Privacy Shield certified. For vendors on the Privacy Shield list, the organization will check the contract with the vendor to see if a Standard Contractual Clause was included. If not, the organization will issue a Standard Contractual Clause to the vendor.

Second, we are helping organizations execute TIAs for certain personal data transfers from the European Union to the United States in accordance with the six-step plan outlined by the EDPB. Organizations are focused on having a TIA process in place, so that when customers ask how the organization is responding to Schrems II, the organization is able to respond. Additionally, if a TIA process is in place and the organization comes under regulatory scrutiny, the organization can quickly scale the TIA process to all of its processing activities and vendors.

TIAs are simply an extension of a thoughtful data inventory or privacy impact assessment process. The TIAs we have implemented, with the help of our outside counsel partners, include the following sections:

  1. Description of Processing Details
  2. Transfer Data Mapping
  3. Nature of the Service
  4. Personal Data Categories
  5. Assessment of the Safeguards
  6. Third Country Legal System
  7. Remedies Under the Recipient's Local Law
  8. Recommendation and Approval Decision

Gaps and risks identified in the TIA process are then remediated.

  6. Re-Evaluate at Appropriate Intervals

The final step is for organizations to re-evaluate personal data transfer mechanisms and TIAs on a regular basis.

Pro Tip

Defining risk in your TIA is key. Your TIA process will inevitably identify issues that do not match up with the CJEU's decision. The key to the assessment is evaluating identified issues based on risk. The French Data Protection Authority provides helpful guidance on defining risk as a function of both Severity and Likelihood. For example, if the Severity and Likelihood are both Negligible, then your risk is low.

Be sure to frame your TIA findings in the context of a risk function.

Written by:

Ankura