The invalidation of the Privacy Shield by the Court of Justice of the European Union (CJEU) in its Schrems II decision on July 16, 2020 raised a number of questions relating to the future of transfers of personal data from the EU to the U.S. and the conditions under which companies that had previously self-certified to the now defunct Privacy Shield could continue to access EU data from the U.S. In fact, the Schrems ruling went further than simply invalidating the Shield: it brought to light the extent of the EU’s concern with the protection of EU data once in the U.S. The European Data Protection Board (EDPB), which brings together representatives of the 27 national data protection supervisory authorities, was able to give clarity and direction by publishing on November 10, 2020 a number of recommendations on measures supplementing transfer tools to ensure compliance with the EU level of personal data protection.
Following these recommendations, the European Commission issued a draft set of new standard contractual clauses (“SCC”) meant to replace the current SCCs – which were issued under the EU 95/46 Privacy Directive (the predecessor to the GDPR) – and which would align with the GDPR requirements (see my article The new SCCs – Are You Ready?).
Until the new SCCs are officially released, U.S. companies have a number of tools at their disposal in order to continue importing data from the EU in accordance with the EDPB’s recommendations. In particular, they can:
- review their existing Data Processing Agreements (DPAs) with EU data exporters with a view to strengthening them by adding to their obligations beyond what is currently required from data processors under Article 28(3) of the GDPR;
- review the physical, technical and organizational measures they have implemented around personal information and consider reinforcing these, taking into account the concerns raised by the CJEU; and
- start inventorying and documenting all U.S. laws and regulations potentially mandating the communication and disclosure of EU personal information to federal and state regulators in the process of regulatory investigations, and to courts in the context of litigation, and adopt internal processes to review and challenge any disclosure request in accordance with applicable law.
Following the release of the new version of the revised SCCs, it is indeed likely that EU data exporters will be looking for additional guarantees from U.S. data importers. The EDPB recommendations aren’t all that specific as to what those additional guarantees should be, and therefore U.S. data importers should not wait until further guidance has come from the EU but rather start taking practical improvement steps in anticipation of requests from EU data exporters.
DPAs and article 28 of the GDPR
As the existing SCCs were issued prior to the GDPR, it is common practice for parties to a third country transfer of personal data to enter into a DPA in order to address the requirements of article 28 GDPR.
The GDPR sets an obligation at article 28 for every data controller to enter into a number of data processing clauses (aka data processing agreement (or addendum)) with any party acting as a data processor on their behalf. Such obligation also applies to data processors that engage sub-processors to process the EU data of their clients on their behalf. That is to say, any person sharing personal data with a processor in order to execute a task should have such an agreement with the processor, regardless of whether it concerns an international data transfer. In the case of an international transfer, however, the DPA will be supplemented by the signature between the parties of the EU Commission’s standard contractual clauses, unless the data importer can demonstrate adherence to another mechanism deemed valid by the Commission for purposes of the international transfer of data. On this account, the European Commission made it clear that the SCCs may be included in a larger contract, with additional clauses or safeguards on the condition that they do not contradict the SCCs or prejudice the fundamental rights or freedoms of data subjects. Further, where a provision conflicts with the SCCs, the latter are deemed to prevail.
The DPA is a legally binding contract stating the obligations of each party in terms of personal data protection, hence beneficial to both, as it protects the interests of each party. Indeed, a party using a third-party processor to collect data from the users of its website would be better off knowing that said processor handles data properly by operating in compliance with the GDPR. Besides, if the said processor came to experience a data breach, or were to break compliance or mishandle data, a data processing agreement would legally protect the controller by documenting its due diligence of the processor and its internal data controls and by attesting that the processor followed proper procedures. In the absence of a DPA, the data controller would bear responsibility for using a third-party processor without implementing adequate policies and procedures.
In terms of article 28 requirements, the EDPB sets three main guidelines on the choice of processor (article 28(1)), the data processing agreements (article 28(3)), and the written authorization for use of sub-processors (article 28(2)).
Firstly, the EDPB highlights a controller’s duty to monitor its processors through a case-by-case risk assessment (article 28(1)), and to be able to prove that such processors have given serious consideration to the GDPR requirements. This usually takes the form of an exchange of documentation between the two entities, such as privacy and security questionnaires, policies and reports of external audits. This assessment should take into consideration the nature, scope, context and purposes of the processing, as well as the processors’ resources, knowledge, reliability and reputation.
Secondly, the EDPB reasserts that failure of a controller and processor to enter into a written agreement is an infringement of the GDPR, and that responsibility for ensuring the execution of such a contract rests on both of them (article 28(3)). This is where the parties can use the draft SCCs delivered by the European Commission, as a basis to include more specific, concrete information as to how the new EU requirements will be achieved, and which level of heightened security will be applied to the personal data at issue. This approach is consistent with the EDPB’s guidelines for all of article 28(3)’s requirements, which should take the form of supplementary measures to be added in Annex or in the body of the DPA.
Article 28(3)’s security supplementary measures
Article 28(3) GDPR includes an obligation for processors to assist controllers and make available all information required to demonstrate compliance with article 32 GDPR, which provides that the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Usually, standard contractual clauses meeting the requirements of article 32 of the GDPR are put in an Annex of the DPA. These security measures were often seen as insufficiently detailed, and subject to multiple interpretations concerning the level of security required. This is why the EDPB provided much needed recommendations on this topic, asserting that the data processing contract must include or reference information concerning the security measures to be adopted, an obligation resting on the processor to obtain the controller’s approval before making any changes, and a regular review of the security measures in order to ensure their appropriateness to the risks. The EDPB specifies that the level of instruction will depend on the specific circumstances at issue, and that the additional measures adopted must be specific to the situation, and not be boilerplate language.
Obligation to assess the laws of the third country
Following the Schrems II decision, data exporters must also assess whether or not the laws of the third country of destination of the data may affect the effectiveness of the safeguards of article 46 GDPR transfer tools, taking into account the specificity of the transfer. Accordingly, data importers should, where appropriate, provide data exporters with the relevant information relating to the third country’s laws.
The EDPB issued European Essential Guarantees recommendations for assessing whether the third country’s laws allowing governmental access to personal data are limited to “what is necessary and proportionate in a democratic society”. Where a data exporter finds that the third country’s laws do not meet the essentially equivalent level of protection required, it must put in place effective supplementary measures such as the ones above, or not transfer personal data at all.
In conducting such an assessment, parties should focus on whether the U.S. data importer is subject to FISA 702, in which case they will have to set up appropriate technical measures, as we discussed earlier. Indeed, section 702 of the Foreign Intelligence Surveillance Amendments Act (FISA) of 2008 authorizes the Attorney General and the Director of National Intelligence to jointly authorize the targeting of non-U.S. individuals in order to collect foreign intelligence information. It was one of the European Commission’s main arguments to invalidate the Privacy Shield, therefore making it crucial to consider adding supplementary measures to the personal data transfer agreement.
As a consequence, even if transfers of personal data between Europe and the U.S. seemed jeopardized following the Schrems II ruling, the EDPB’s recommendations anticipate legislative changes to come. By adding supplementary measures in their current DPA and by starting to document those additional steps, processors are following the EDPB recommendations and the draft new SCCs ahead of those new clauses coming into force. This strategy will go a long way towards reassuring EU data exporters that their U.S.-based processors are proactive and aware of the seriousness of the EU concerns. By taking the steps recommended above, and not waiting until the new SCCs have officially become law, U.S. data importers will also place their EU counterparts in a better position to comply with their new obligations following the Schrems II ruling and to document their compliance with the GDPR in the area of international data transfers.
—
This article was written in collaboration with Auriane Wilhelm