Written by Dan Goldstein, Partner and Co-Founder of Tueoris, LLC
In the aftermath of the EU Court of Justice’s Schrems II decision, multinational organizations in the US and around the world are re-evaluating their current and future strategies for transferring the personal data of EU residents to locations outside the EU. With Privacy Shield invalidated, Standard Contractual Clauses (“SCCs”) will become the immediate de facto alternative for many Privacy Shield certified organizations. However, the ruling in Schrems II should alert businesses that currently use, or plan to use, SCCs that compliance with SCC terms must be taken seriously. This is particularly the case because European Data Protection Authorities (“DPAs”) are now likely to apply a higher degree of scrutiny to transfers made under SCCs: the court has stated that DPAs must suspend or ban data transfers if the companies exporting EU personal data fail to demonstrate that they comply with the General Data Protection Regulation (“GDPR”).
While SCCs have been widely adopted and used by organizations across industries, a large percentage of the signatories to these agreements have no real understanding of what they require. Historically, there has been little enforcement of transfers made under SCCs, even in instances in which appropriate controls are not in place. DPAs appear to favor SCCs in large part because they give data subjects third-party beneficiary rights, but actions by data subjects to enforce SCCs are extremely rare. In the aftermath of the Schrems II decision, businesses making ex-EU transfers of EU resident personal data should expect this to change.
Understanding Obligations in Controller-to-Processor SCCs
As a data exporter (the data controller), the basic obligation under SCCs is relatively straightforward: the processing and transfer of personal data of EU residents must be done in accordance with applicable data protection law (in this case, GDPR). As such, before entering into SCCs, the data controller must be certain that a privacy program is in place that will support the obligations to which the organization is bound. This includes basic requirements, such as providing notice and obtaining data subject consent (where required), but should also include components such as evaluating the processing activities subject to the SCCs to determine whether, for example, Legitimate Interest Assessments or Data Protection Impact Assessments are required, and whether Privacy by Design and by Default principles have been applied.
While the importing organization (the data processor) is bound under the SCCs to provide adequate technical and organizational security for the EU resident personal data, the controller should take a proactive role in conducting pre-contract due diligence that provides appropriate assurance that the importing organization is in fact able to safeguard the personal data. In addition to the SCCs, the data controller will likely still want to include a Data Processing Agreement (GDPR Article 28) in its contractual arrangement with the processor in order to provide more specific contractual language that supports the transfer and processing of the EU personal data in accordance with the SCCs. Such additional clauses should include, for example, specific data security requirements, as well as responsibilities with regard to data confidentiality; personal data breaches; data subject requests; regulator inquiries; audit terms; and changes in subprocessors.
While the inclusion of an Article 28 compliant Data Processing Agreement does not replace SCCs, the European Data Protection Board (“EDPB”) has stated that the use of SCCs does not prevent the parties from adding additional safeguards provided they do not contradict the SCCs or prejudice the fundamental rights of the data subjects. At the same time, parties to SCCs must not modify the model clauses themselves, as modified clauses will not be recognized as valid by the Data Protection Authorities.
Finally, in its Schrems II decision, the EU Court of Justice indicates that companies must verify, on a case-by-case basis, whether the law in the recipient country ensures protection for personal data transferred under SCCs that is adequate under EU law. Where it does not, companies must provide additional safeguards. While the dust is still settling in the aftermath of Schrems II, controllers and processors should assess, prior to the transfer, the risk of access to EU personal data by government institutions (such as intelligence agencies) in the country to which the data is being transferred. Where such risk is identified, reasonable steps should be implemented to further safeguard the personal data from government access. These may include encryption of EU personal data in transit and at rest (noting that encryption at rest only limits compelled access if the decryption keys are not themselves held by, or obtainable from, the importer), or additional contractual provisions addressing the handling of government requests for access to EU personal data. If a DPA determines that the level of protection is inadequate, it can take action to remedy this, including shutting down the flow of personal data under the agreement.
For years, many organizations have entered into SCCs without truly understanding their obligations under such agreements. In the post-Schrems II world, controllers and processors should expect that transfers of EU resident personal data to non-adequate, non-EU countries will be met with a higher level of regulatory scrutiny than ever before. In order to truly comply with the requirements of SCCs, both parties to the agreement must have a GDPR-compliant privacy program in place. In addition, and adding a new layer of complexity to an already complicated environment, prior to transferring EU personal data to ex-EU countries, parties to SCCs must now identify and seek to limit the risks of surveillance or other government access to that personal data.
Particularly if your organization has been relying on Privacy Shield for EU-US or Swiss-US transfers of personal data, it is worthwhile (prior to entering into SCCs) to truly understand your SCC obligations. In the meantime, look for additional guidance in the coming weeks and months from the EDPB.