Importers of EU data will need to analyze each data transfer for compliance with the new Standard Contractual Clauses; solely relying on data subjects’ consents may not be sufficient.
Since the European Court of Justice invalidated the EU-US Privacy Shield last year in its landmark Schrems II decision, importers of EU data have increasingly relied on Standard Contractual Clauses (SCCs) for international transfers of personal data from the European Economic Area to countries whose data protection is not considered adequate by the European standard. The SCCs are important in the e-data/e-discovery world, where relying on the so-called derogations (Article 49 of the EU General Data Protection Regulation (GDPR)) is often not an option, or is insufficient to ensure that European data can be lawfully transferred to the United States for litigation and investigation purposes.
The SCCs adopted by the European Commission (EC) in an Implementing Decision dated June 4, 2021 (New SCCs) offer a modular, flexible approach for a variety of data transfer scenarios. But the very detailed New SCCs, at 34 pages, also incorporate numerous Schrems II obligations, which makes their use burdensome. In particular, a detailed data transfer impact assessment (also called a risk analysis) is required. Simply signing and shelving the New SCCs, which are available immediately, is not an option.
NEW SCCS APPROACH
The previous SCCs, adopted long before the GDPR, only covered transfers from a controller to another controller or to a processor. In contrast, the New SCCs have four modules:
- Controller to controller
- Controller to processor
- Processor to processor
- Processor to controller
SCHREMS II OBLIGATIONS
The New SCCs require data exporters to use “reasonable efforts” to confirm that a data importer can satisfy its obligations under the clauses.
- Both parties warrant to conduct and document an assessment of whether the laws and practices in the data importer’s country would prevent them from fulfilling their obligations, considering the specific circumstances of the transfer.
- Following this assessment, the data importer must promptly notify the data exporter if it has reason to believe it is (or has become) subject to laws or practices that change the outcome of the assessment and require additional safeguards. The data exporter must also notify the competent supervisory authority of the circumstances of the transfer and of the new measures put in place.
- On receipt of a government access request, the data importer must notify the data exporter promptly (and where possible, the data subject) and challenge such requests if it “concludes that there are reasonable grounds to consider that the request is unlawful.”
- For all four modules, the data importer must provide data subjects with a point of contact to whom they can submit requests and complaints.
DATA TRANSFER IMPACT ASSESSMENT
The data transfer impact assessment mentioned above must be thoroughly performed and documented. The data exporter must make the full documentation available to the competent supervisory authority on request. The assessment must cover the laws of the data importer’s country (especially its provisions on surveillance and government access to data) and any practices that would prevent an EU-equivalent level of protection. In particular, the following elements must be considered according to Clause 14(b) of the New SCCs:
- The specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred.
- The laws and practices of the third country of destination (including those requiring the disclosure of data to public authorities or authorizing access by such authorities) relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards.
- Any relevant contractual, technical, or organizational safeguards put in place to supplement the safeguards under these clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
Recital 20 of the EC’s Implementing Decision also states that, regarding the impact of local laws on compliance with the SCCs, different elements must be considered as part of an overall assessment, including the following:
- Reliable information on the application of the law in practice (e.g., case law and reports by independent oversight bodies).
- The existence or absence of requests in the same sector.
- Under strict conditions, the documented practical experience of the data exporter and/or data importer. If the parties wish to rely on their “practical experience” of public authority access to data, this “needs to be supported by other relevant, objective elements.”
In probably all relevant cases, the SCCs alone will not guarantee an adequate level of protection, and supplementary safeguards will need to be implemented. There are three categories of supplementary safeguards: contractual, technical, and organizational. Some examples of technical and organizational measures listed in Annex II to the New SCCs include measures for the following:
- Pseudonymization and encryption
- Ensuring the ability to restore availability and access to personal data in a timely manner
- User identification and authorization
- Protection of data during transmission and during storage
- Ensuring physical security of personal data processing locations
- Events logging
- Ensuring system configuration, including default configuration
- Internal IT and IT security governance and management
- Certification/assurance of processes and products
The New SCCs are very significant for importers receiving personal data from the European Economic Area. Under Article 49(1)(e) of the GDPR, data transfers may take place when “the transfer is necessary for the establishment, exercise or defence of legal claims,” but this exemption (derogation) is limited. In a litigation or investigation scenario, relying (solely) on the consent of the data subjects may not work. Every scenario will require an individual compliance analysis.
While the New SCCs provide a framework for lawfully transferring data to third countries, it remains the parties’ obligation to ensure compliance with the GDPR and to document the relevant US law and practices. The EC does not provide a template for such an assessment. An incomplete or incorrect implementation of the SCCs exposes the parties to litigation risks in Europe and to potential fines under the GDPR.