First things first: don't panic!
Excellent advice from Renzo Marchini, Partner in the Privacy, Security and Information Law group at law firm Fieldfisher, as the dust begins to settle following the demise of the Privacy Shield EU/US data transfer mechanism at the hands of the Court of Justice of the European Union (CJEU).
As noted in a previous article, attention will now shift to whether political self-interests can be put to one side on both sides of the Atlantic in order to have another stab at coming up with a more robust agreement to ensure the safe movement of data critical to the transatlantic digital economy. Both Brussels and Washington have made the correct noises about urgency and recognizing the importance of the task ahead, but there are equally a number of barriers in the way.
All of which leaves organizations wondering what their own immediate course of action - or inaction - ought to be. The party line is that Standard Contractual Clauses (SCCs) will suffice for the moment to keep data moving and digital services providers, such as Microsoft and Salesforce, moved quickly to reassure their customers that it is business as usual. Marchini concurs, noting:
Data flows will continue, and can continue, for the time being. It will take time for regulators and organisations to reflect on what is a very complicated judgment (misleadingly simple in its headline of "Privacy Shield invalid; Standard Contractual Clauses valid").
But there are some considerations to take into account, he advises:
If you have relied on Privacy Shield, prepare to sign SCCs with your counterparts on the relevant data flows. Think about how you may consider and document the risk of the particular transfer. Are there any additional "supplementary measures" that could be put in place? Is there scope to change the data you send – e.g. by encryption if the transfer is only for storage purposes?
And he adds:
Remember that the SCCs have not changed. To the extent that the SCCs do not offer the appropriate protection, this has always been the case since your transfer began.
Caitlin Fennessy is Research Director at the International Association of Privacy Professionals and prior to this was the Privacy Shield Director at the US International Trade Administration. She also flags up SCCs with some caveats, noting that EU Data Protection Authorities are tasked with suspending transfers on a case-by-case basis if the destination of data is not deemed compliant with EU data laws:
This is where it gets tricky, particularly in the US context. The CJEU itself assessed the sufficiency of protections with regard to US government access to data and found them lacking. The question regulators and companies now face is whether the concerns raised by the court are applicable in the context of particular transfers and can be remedied through additional protections — again, not only in the US, but also in all countries without an adequacy determination.
For privacy professionals within organizations, there’s now a responsibility to evaluate their own firm’s transatlantic and global data flows, she adds:
This is no small task. Companies relying on Privacy Shield will need to look for an alternative legal basis to enable transfers under GDPR. In doing so, they should recall that existing commitments to the Privacy Shield remain enforceable by the US Federal Trade Commission.
SCCs are one option, she agrees, as are consent and other derogations outlined under Article 49 of the GDPR, so long as attention is paid to guidance from the European Data Protection Board (EDPB) on which instances are appropriate for their use:
Companies relying on SCCs will have to begin the case-by-case assessments of their transfers to determine whether the protections in the U.S. or any country without an adequacy determination meet EU standards in the context of the specific transfer.
The new reality of SCCs is that the burden on data exporting organizations is heavy, according to Ruth Boardman and Ariane Mole, Co-Heads of Data Protection at law firm Bird & Bird:
Organizations have been used to assuming that standard contractual clauses can always be used – without more – as a means to provide adequate protection for personal data. The CJEU makes clear that this is not the case. If an organization wishes to transfer personal data to a third country, where an adequacy decision is not in place, then GDPR places the responsibility for ensuring appropriate safeguards on that organization; this includes an obligation to "take measures to compensate for the lack of data protection in a third country"; there must be "safeguards" and "enforceable data subject rights and.. effective remedies.."
SCCs are one way of achieving this, but they may not be effective by themselves: in particular, if a third country allows public authorities to access data, then more will be required. In this situation, a party wanting to rely on the SCCs must consider relevant aspects of the third country's legal system – including the factors which are relevant in an adequacy decision.
A to-do list for organizations includes:
Assess what data is being transferred outside the EU and on what basis. Look out for:
- Data transfers to organisations which participate in Privacy Shield
- Data transfers which rely on Standard Contractual Clauses – note any data transfers to US importers relying on SCCs in particular
- Data transfers which rely on Binding Corporate Rules and which involve data transfers to the US. The CJEU doesn't mention BCRs – but they are a form of "appropriate safeguard"… so the general comments about the need to assess the law of the importing country could also be applicable here.
Subject to guidance from supervisory authorities, develop an approach for due diligence when data transfers take place – either within the organization, or with suppliers. This should check:
- To which country personal data is transferred.
- Whether public authorities in that country could be entitled to access the data.
- On what basis is this authorised?
- Is it set out in law?
- Does the law limit the ability to access data?
- Is it no more than is necessary and proportionate, in a democratic society, to safeguard national security, defence, public security or the prevention and detection of criminal offences and execution of criminal penalties?
- Does the law provide effective judicial remedies for data subjects?
- Is the data encrypted or tokenised in transit (see below)?
Organizations transferring data to suppliers may need help from those suppliers to answer these questions.
Organizations transferring data to the US on the basis of the Privacy Shield, SCCs or BCRs should keep an eye out for additional guidance from supervisory authorities and may wish to consider additional safeguards, such as encryption or tokenization. Bird & Bird’s reading of the situation points out:
The [CJEU] decision also concludes that all data transfers to the US made by way of undersea cable are susceptible to access by US intelligence services – and that the law and practice surrounding this access falls short of EU legal requirements. Given this conclusion, the judgment has implications for transfers of personal data to the US more widely.
Fellow law firm Linklaters adds its own recommendations for review of data transfer arrangements as part of a Transfer Impact Assessment:
While SCCs remain valid, the underlying transfer must be assessed on a case-by-case basis to determine whether the personal data will be adequately protected (e.g. because of potential access by law enforcement or national security agencies). This is, in effect, a Transfer Impact Assessment. This will be burdensome for small organisations but also large ones making hundreds, if not thousands, of transfers.
In a briefing note compiled by various Linklaters partners, the firm explains:
[Transfer Impact Assessments] will allow a more comprehensive and flexible risk assessment rather than narrowly focusing on the third country’s laws. For example, there is a significant difference between storing your organisation’s internal telephone directory in a third country and transferring your customer’s sensitive financial or banking records.
Such assessments may include asking:
- What personal data is being transferred? How sensitive is it? How much is in the public domain?
- Where did that personal data originate from?
- What technical measures are used to protect that data? For example, where customer managed encryption keys are used, the ability of third country authorities to access that data will necessarily be limited.
- What national laws apply in that jurisdiction? How are they exercised in practice? How likely are they to be exercised in relation to the particular personal data transfer?
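Several of the comments above point at encryption or tokenisation as a possible "supplementary measure", and Linklaters notes that where the exporter keeps control of the keys, a third-country authority's ability to read the data is necessarily limited. The following is an added example written for this digest (it is not code from any of the firms quoted, nor from any real tokenisation product) showing the shape of that measure: direct identifiers are replaced with random tokens before records leave the exporter's environment, and the token vault that maps tokens back to values never travels with the data. The names `TokenVault`, `prepare_for_export`, `restore_from_import` and `leaks_identifier` are chosen here, the field list `DIRECT_IDENTIFIERS` is an assumption about which fields identify a person, and the sample records are constructed.

```python
"""
Tokenise direct identifiers before a data set leaves the EU exporter.

The importer only ever receives tokens, so its copy (and any copy obtained
from it by a public authority) contains no directly identifying values. The
vault, and the key used to index it, stay with the exporter.  Example code
written for this article; all names and sample data are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List

# Assumption for this example: which fields directly identify the data subject.
# A real Transfer Impact Assessment would decide this per data flow.
DIRECT_IDENTIFIERS = ("name", "email")


class TokenVault:
    """Exporter-side mapping between random tokens and original values.

    Tokens are random rather than derived from the value, so they cannot be
    reversed without the vault.  A keyed HMAC over the value is used only as
    a lookup index so that the same value always receives the same token
    (consistent tokenisation) without storing plaintext as a dictionary key.
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._token_by_index: Dict[str, str] = {}  # HMAC(value) -> token
        self._value_by_token: Dict[str, str] = {}  # token -> original value

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        idx = self._index(value)
        token = self._token_by_index.get(idx)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # 128 bits of randomness
            self._token_by_index[idx] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._value_by_token[token]

    def __len__(self) -> int:
        return len(self._value_by_token)


def prepare_for_export(records: List[dict], vault: TokenVault) -> List[dict]:
    """Return copies of the records with direct identifiers replaced by tokens."""
    exported = []
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in copy:
                copy[field] = vault.tokenize(copy[field])
        exported.append(copy)
    return exported


def restore_from_import(records: List[dict], vault: TokenVault) -> List[dict]:
    """Reverse the tokenisation; only possible where the vault is available."""
    restored = []
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in copy:
                copy[field] = vault.detokenize(copy[field])
        restored.append(copy)
    return restored


def leaks_identifier(records: List[dict], originals: List[dict]) -> bool:
    """True if any original identifier value still appears in the given records."""
    sensitive = {rec[f] for rec in originals for f in DIRECT_IDENTIFIERS if f in rec}
    return any(value in sensitive for rec in records for value in rec.values())


# Constructed sample data: the first and third records belong to the same person.
SAMPLE_RECORDS = [
    {"name": "Ana Lindqvist", "email": "ana@example.eu", "order_total": 120.50},
    {"name": "Tomasz Nowak", "email": "tomasz@example.eu", "order_total": 33.00},
    {"name": "Ana Lindqvist", "email": "ana@example.eu", "order_total": 18.75},
]

if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))  # key never leaves the exporter
    for_importer = prepare_for_export(SAMPLE_RECORDS, vault)
    for rec in for_importer:
        print(rec)
    print("identifiers leaked:", leaks_identifier(for_importer, SAMPLE_RECORDS))
    assert restore_from_import(for_importer, vault) == SAMPLE_RECORDS
```

The design choice worth noting is that the token carries no information about the value: a reversible scheme (encryption with a key the importer also holds, or a plain hash of the value) would not change the analysis the court asked for, because the importer or an authority with access to its systems could still recover the identifier. The measure also only covers the fields that are tokenised; the remaining fields (amounts, dates, locations) may still single out a person, which is exactly the "how sensitive is it, how much is in the public domain" question in the assessment list above.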
It’s early days and the devil will be in the detail.
The above digest of comments and suggestions is presented as a starting point for discussion and consideration of the issues. It is not intended to be used - and should not be used - to take strategic decisions. Please take your own legal advice and consult with your suppliers.
There’s a huge emphasis from all sides on case-by-case assessments particular to an organization’s specific circumstances and needs. This is an evolving situation - keep a close eye on how quickly further developments occur and adapt strategy accordingly.
And to reiterate the first piece of advice - don’t panic!