People in meeting with data background

EU data transfers: transitioning to standard contractual clauses in 2021

Privacy regulations for countries operating in the EU can quickly become complex. This article is the first part in a series that will examine how your business can prepare for these changes, for more information - read part two.

Standard contractual clauses (SCCs) have been the preferred mechanism governing personal data transfers for many organizations since the General Data Protection Regulation (GDPR) became enforceable in 2018. The GDPR, which sought to harmonize data privacy laws across Europe and set the standard for data privacy regulations around the world, required that all transfers of personal data rely upon a valid transfer mechanism. For data transfers resulting in personal data leaving the EU, these mechanisms include: an adequacy decision from the European Commission (EC), appropriate safeguards (including SCCs), binding corporate rules (BCR’s) or derogations (set forth in Article 49). Privacy Shield, a framework for regulating and protecting personal data transferred from the EU to the U.S., was an acceptable transfer mechanism through adequacy decision until the Schrems II ruling in summer 2020, which, due to concerns about U.S. government access to EU personal data residing in the U.S., was abruptly invalidated.

The Schrems II ruling, and the immediate invalidation of Privacy Shield, created an uncertain future for many EU organizations that relied upon U.S. based data processors (including cloud and other remote computing service providers). The ruling also stated that SCCs, while still a valid mechanism for transfer, would need to be revisited and that organizations could not solely rely upon them to fill the gap left by the invalidation of Privacy Shield. Organizations would not only need to formally implement SCCs with their data importers (i.e., through contracts, within records of processing documentation and privacy notices) but they would also need to determine if the SCCs could, in fact, “guarantee equivalent safeguards, as those provided to EU citizens and residents in the EU under GDPR, considering the laws and practices of the third country…. “. If organizations cannot guarantee these safeguards, then the data transfer would require “additional safeguards” be put in place to adhere to these guidelines or risk the transfer being deemed illegal.

What is meant by “additional safeguards” and how can organizations determine if “equivalent safeguards” can be provided?

After several months of speculation following the Schrems II ruling, the EC and the European Data Protection Board (EDPB) released formal guidance in November 2020 by way of newly drafted SCCs and recommendations on supplementary measures, respectively. The newly drafted SCCs, currently in final draft after the public comment period closed mid-December, included some important conceptual changes. First, they expand and formalize the need for which parties should have SCCs in place. Where the existing SCCs focused on transfers from the EU controllers to non-EU processors, the new SCCs include all interactions between controllers, processors and sub processors. This change comes with an expanded Annex I, identifying all parties involved in the transfer and onward transfer. Second, to address the lingering question of what is meant by additional safeguards, the EC has expanded Annex II, providing examples of what might constitute additional safeguards. It must be noted that what is provided are only examples. Ultimately, organizations must work together to evaluate the personal data transfers associated with each specific contract and, where necessary, document and put in place appropriate additional safeguards. The guidance to date necessitates safeguards that guarantee equivalent protection, as those provided to EU citizens and residents in the EU under GDPR, and ensure the personal data is protected in accordance with the negative impact to the individuals if the data were to be exposed.

The EDPB’s guidance recommends a six-step process to assist data exporters with assessing risks associated with transfers to third countries and, where necessary, identifying appropriate “supplementary measures”. Let’s note that while these recommendations are aimed at data exporters, organizations transferring data out of the EU, a prudent data importer might get ahead of the process by following these steps and documenting their findings as preparation for the inevitable questions that EU exporters are going to have to ask of all their U.S. importers. The EDPB’s process is as follows:

Step 1: Know your data transfers

Exporters must know with whom they share personal data and where those entities are located. They must also know the extent of the data that is transferred and verify that it is appropriate based upon the processing activity, only the minimum amount of data necessary for the activity should be shared. This should be done through data mapping and recorded in the Records or Processing Activities (RoPA) documentation.

Step 2: Identify your transfer mechanism

As previously mentioned, all personal data transferred outside of the EU must use one of the approved transfer mechanisms and that mechanism needs to be identified in the RoPA. If the transfer relies upon an adequacy decision, the exporter can stop here and simply monitor the adequacy decision to ensure it remains valid. However, if the transfer relies upon appropriate safeguards and utilizes SCCs, the exporter must proceed to the next step.

Step 3: Assess the laws of the third country

The exporter should specially focus on the laws of the country where the data is transferred to and determine if those laws could undermine the confidentiality of the data based upon potential government surveillance. Considerations should include an evaluation of the laws to determination if they are ambiguous or not publically available as well as which authorities or agencies might gain access to the data. As with all GDPR compliance efforts, this assessment and reasoning should be documented as exporters may be held accountable for their decisions.

Step 4: Identify and adopt supplementary measures

If the findings in Step 3 reveal that the laws of the importer country impinge on the identified transfer mechanism from Step 2, supplementary measures or additional safeguards may be required to bring the protections up to EU standards. This is where the data exporter and the data importer can utilize the examples in Annex 2 of the EDPB’s guidance to determine what measures are appropriate regarding the transfer. If no measures can be identified and implemented to ensure the equivalent safeguards, the transfer cannot proceed.

Step 5: Formalize procedural steps

Based upon the transfer mechanism identified and the associated supplementary measures, an organization must evaluate if formal steps need to be taken, such as consulting with their supervisory authority. While simply putting in place supplementary measures in addition to the standard clauses should not require formal consultation, modification of the standard clauses does require authorization from a supervisory authority. Further information on formalities associated with transfer mechanisms can be found within the EDPB’s guidance.

Step 6: Monitor and adjust

It is important to document this process and its outcomes, along with all GDPR compliance assumptions and reasoning. This documentation can be used to look back at the reasoning and logic for accepting or mitigating risks associated with personal data transfers, assist with the principle of accountability and could be requested by a supervisory authority, as noted in Step 3.

Start evaluating your EU personal data transfers

The new SCCs will not solve all the problems that arose from Schrems II. However, used in conjunction with the recommended EDPB assessment framework and a solid understanding of the goals of the GDPR and its approach to data privacy, U.S. based data importers should start evaluating their EU personal data transfers. The process of identifying and determining appropriate safeguards and potential implementation will be time consuming. While it is expected that a one-year grace period will be provided to organizations that need to implement the new SCCs, consider the evaluation and implementation of safeguards as well as the time associated with negotiating and signing new contracts with all controllers and processors – a year will pass before you know it.

As U.S. based organizations await the publishing of the new SCCs from the EC, navigating the protections and documentation needed to demonstrate to EU data exporters our willingness to meet their data privacy standards is a complex and continually evolving issue. We are here to help. For more information or help with data privacy at your organization, contact our team.

Read part two of this series

Mike Vanderbilt
Closeup of column capital on a government building
Next up

Additional PPP guidance, forgiveness applications released