How to handle the complexity of exporting data to third countries
In July 2020, the Court of Justice of the European Union (CJEU) declared the EU-US Privacy Shield invalid. This was on account of the invasive US surveillance programmes in place, which meant the transfer of personal data on the basis of Privacy Shield Decision was declared illegal.
At the same time the Court stipulated stricter requirements for the transfer of personal data based on Standard Contractual clauses (SCCs).
It stated both Controllers and Processors must ensure the data subject is granted a level of protection equivalent to that guaranteed by the GDPR and the EU Charter of Fundamental Rights. If this wasn’t possible the transfer of personal data should cease.
This came as quite a shock to many organisations. In particular anyone who was using software as a service (SaaS), technology solutions had a big problem.
Many of these suppliers are US based and the entreaties from Max Schrems and co to buy from EU didn’t really cut much ice. Where were the European equivalents of the most successful SaaS suppliers? Nowhere to be found!
What are SCCs?
The ICO definition is pretty snappy:
SCCs are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of GDPR.
These need to be used when you are exporting data to any third country – such as USA. You do not need to use them if a country has an adequacy agreement with EU.
What to do after the ruling?
The initial advice was to ensure that anyone who was relying on Privacy Shield should be prepared to sign SCCs. However, signing SCCs isn’t entirely plain sailing. The court didn’t automatically rule they were invalid but, instead, ruled their use needed to be assessed on a case-by-case basis and it might be necessary to put in place “supplementary measures” to protect the data subject.
What do “supplementary measures” look like?
The main challenge with the US, where the federal government has significant power, was the fear of government surveillance.
Can data be further encrypted? Can data be stored in EU data centres and kept separate from the US data centres? Are these measures sufficient?
The CNIL in France seemed to think so when they ruled that a Covid vaccination booking site (Doctolib) based in France could host its service with the US company Amazon Web Services (AWS) in Luxembourg.
AWS were deemed to have introduced sufficient “supplementary measures” to protect personal data by creating a data silo in Europe which is separate from their service in US.
The new SCCs – what do they look like?
Soon after the court ruling, the EU published their draft version of the updated SCCs which had been in the pipeline for some time.
This was a happy co-incidence although it’s likely these were rushed out once the CJEU judgement was passed down.
The old SCCs were out of date and inflexible with no provision for Processors so everyone welcomed the fact more useful SCCs were on their way.
What are the differences?
- The SCCs are now modular meaning that they can accommodate a number of different scenarios, where you can pick the pieces that relates to your particular situation.
- The SCCs cover four different transfer scenarios and including processor scenarios:
- Controller to controller
- Controller to processor
- Processor to controller
- Processor to processor
- More than two parties can accede to the SCCs, meaning additional controllers and processors can be added through the lifetime of the contract. This potentially reduces the administrative burden.
Once adopted the new SCCs need to be phased in within 12 months. For large organisations with many contracts, this may be difficult to complete on time.
What about “supplementary measures”?
At the heart of the Schrems II decision was the opinion that the US surveillance regime had excessive powers to access data and therefore presented a risk for data subjects. It was suggested companies need to consider the introduction of “supplementary measures” to protect data subjects:
- The definition of supplementary measures is covered in guidance provided by European Data Protection Board meaning you have to read those recommendations as well as the SCCs themselves.
- The draft SCCs include the need for the data exporter and the data subject to be notified if a legally binding request has been made to access personal data.
- The draft SCCs suggests a risk-based assessment of whether such data requests have been made in the past and the likelihood of them happening in the future. This does contradict the EDPB which does not believe any subjective assessment of risk should be included.
The bottom line is any data exporter should consider what additional security arrangements should be made when considering transferring data to a third country and that determining those arrangements will, to a large extent, depend on the data protection regime in the recipient country.
How does Brexit affect all of this?
Any country with an adequacy agreement in place with EU does not need to worry about SCCs. The fact the UK has been issued with a draft EU decision is extremely promising news and if adopted means any contract with an EU company does not need to be subject to the inclusion of SCCs.
However there remains the challenge of updating all SCCs for any transfers outside EU (notably US) within the 12-month period once the SCCs been adopted. (And UK based companies are of course still subject to international transfer rules under UK GDPR).
What could you do now?
Until the new SCCs and the UK adequacy decision are finalised, companies are in a state of limbo. Having said that, there is plenty that can be done to reduce the risk:
- Make sure you’ve mapped all the possible data transfers from UK to EU and other third countries
- Evaluate which data is exported and ask yourself whether it needs to be exported
- Consider which contracts already have SCCs in place and where they will they need to be updated
- Ensure your contract due diligence is in place with a detailed questionnaire for potential suppliers
- Pay particular attention to which jurisdiction data will be stored in and consider the level of risk – has your supplier created data silos
- Review whether it’s possible to introduce supplementary measures to protect data. For instance encrypting data to protect it from surveillance
- Investigate whether there are credible alternatives to US technology partners in EU
Julia Porter, April 2021
If you’d like some advice about handling your businesses international transfers, or any other data protection matter we can help. Please get in touch using our Contact Us enquiry form.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.