Monday 17 August 2020

The Schrems II decision – some EU data exporters will face a huge task to work out whether SCCs are sufficient

Many privacy professionals will be shocked to learn that, in terms of safeguarding personal data flows from an EU to a non-EU country, in the absence of an adequacy decision, more is required than simply slipping the right set of SCCs into a vendor contract. 


The CEJU has clarifiedthat one of the key tasks facing data exporters, when considering whether SCCs are appropriate, is to consider whether there is a conflict between the protections afforded by the SCCs and other local laws, particularly those laws that enable public authorities to access the data. If a conflict is discovered, data exporters will need to do something about it. 


The key paragraphs in the decision are: 


Although there are situations in which, depending on the law and practices in force in the third country concerned, the recipient of such a transfer is in a position to guarantee the necessary protection of the data solely on the basis of standard data protection clauses, there are others in which the content of those standard clauses might not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned. That is the case, in particular, where the law of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates. [para 126]


In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available…Those safeguards may be provided by standard data protection clauses drawn up by the Commission. However, those [GDPR] provisions do not state that all safeguards must necessarily be provided for in a Commission decision such as the SCC Decision.  [para 127]


In the absence of a Commission adequacy decision, it is for the controller or processor established in the European Union to provide, inter alia, appropriate safeguards. Recitals 108 and 114 of the GDPR confirm that, where the Commission has not adopted a decision on the adequacy of the level of data protection in a third country, the controller or, where relevant, the processor ‘should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject’ and that ‘those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies ... in the Union or in a third country’. [para 131]


The contractual mechanism provided for in … the GDPR is based on the responsibility of the controller or his or her subcontractor established in the European Union and, in the alternative, of the competent supervisory authority. It is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses. [para 134]


Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned. That is the case, in particular, where the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data. [para 135]


I recommend 6 steps that privacy officers should take to assure stakeholders that the CJEU’s decision is being respected:


  1. Document the data flows so it is clear what data is exported to what country.
  2. Identity the relevant laws and practices, including national security laws and practices, that permit local law enforcement authorities and other regulators to access the personal data that is processed in those countries.
  3. Consider how the GDPR rights of in-scope individuals may be adversely impacted by these laws and practices.
  4. Identify what additional contractual measures would be necessary to achieve a level of adequacy with GDPR rights.
  5. Discuss and agree the additional contractual measures with the data importer.
  6. Return to step 2 at regular intervals to check whether the laws or practices have changed.

From a practical perspective however, the problems start at step 2. It can be hard, when a large number of data importers are engaged, to maintain a list of the relevant laws and practices, including national security laws and practices, that permit local law enforcement authorities and other regulators to access the personal data that is processed in non-EU countries. Will it always be possible to rely on the explanations and assurances provided by third parties, including the data importer, who might possibly have a vested interest in ensuring the correct spin is placed on any explanations they provide about local practices?


Let’s be clear. The CEJU’s decision does not only affect EU - US data flows. Personal data flows from the EU to just about every other country on the planet. And the majority of these countries will have their own national security and other regulatory laws. Official or unofficial English translations of these laws will have to be read and understood.


Unfortunately, life doesn’t get any easier after that.


Turning to step 3, it may well be challenging to document a comprehensive statement which explains how the GDPR rights of in-scope individuals may be adversely impacted by each of these laws and practices. As many organisations may lack the capacity to complete this task themselves, perhaps it could be carried out on their behalf by their trade associations.


With step 4, it may be even more challenging to identify what additional contractual measures would be necessary to achieve a level of adequacy with GDPR rights. Given that even the European Commission’s decisions on what contractual measures are appropriate have been quashed, twice, by the CEJU in the context of the US Safe Harbor & the Privacy Shield data transfer mechanisms, what hope is there for a significantly less-well resourced data controller to successfully identify all the right measures? Is this a task that even individual members of the European Data Protection Board are capable of completing?


The difficulty is compounded by the tight timescales that apply to many commercial contract negotiations. Assessments on the impact of the relevant laws in a particular country can’t take months, or years, to compete. If an organisation’s data protection team is unable to provide their contract negotiators with appropriate information and support within a matter of days or weeks, there’s a real risk that any advice from the data protection team will be ignored. 


On the matter of reaching agreement on any additional controls that should be applied to the data importer, where do you start? Given the poor understanding by many organisations of the context within which SCCs are currently used, it would be a brave commentator to forecast that it would be easy, or even practicable, to agree any additional contractual measures. This may particularly be the case when the data importer had not yet found it necessary to accept any new clauses to supplement the SCCS in contracts that importer had signed with other EU data exporters.


Alternatively, organisations might revisit their rationale for relying on SCCs in the first place, rather than any of the other complex data transfer mechanisms that are set out in Chapter 5 of the GDPR.


However, we are where we are. European data protection standards are high – and for a good reason. European politicians demanded a gold standard and that is what exists. In theory, anyway. 


The CEJU’s decision has moved a large number of contracts into a data protection wilderness. Precisely how many are there? Which can be remediated? If so, how? By when? And how active will the supervisory authorities be in requiring organisations to address this issue?


The peak summer holiday season has started. Even so, I hope that European data protection supervisory authorities will soon reach a common agreement on what the decision means, and explain how they expect, or will help, organisations to address privacy gaps that many thought the SCCs alone existed to fill.