Monday 17 August 2020

Privacy Shield shafted – but do SCCs really deliver better privacy protections?

Here we go again.


The compulsory Sunday morning church services for all Anglicans at my boarding school served as an opportunity for The Reverend James Culross, (or Druid, as we boys affectionately called him), to churn out stuff from the Book of Common Prayer. It was stuff designed to cleanse our souls and provide us with helpful words of comfort, to prepare us for the horrors that would be inflicted upon each and every one of us during the school week ahead. 


Was I, or were my school tormentors, better Christians at the end of each service? 


I think not. But we had all heard and we had all recited the required words, and that was evidently what mattered.


A couple of years into my boarding school experience, Druid updated the format of the Sunday service. The language was slightly more modern, and (most importantly) the Sunday sermon was shortened to 10 minutes.

 

But was I, or were my school tormentors, better Christians as a result of the revised format? 


I think not. But, again, we had all heard and we had all recited the required words, and that was evidently what mattered.


So, with that in mind, what are we to do with the CEJU’s decision, published today?


Presumably, most of the companies that have used the Privacy Shield will decide to adopt the SCC approach. Then, they can wait nervously for the European Commission to tweak the texts of the SCCs, and embark on another repapering exercise. Also, they can wait, perhaps less nervously, for some European organisations (or European data protection supervisory authorities) to decide that, in data protection terms, transfers to the USA is a lost cause because the recipients can’t offer sufficient guarantees. 


But will these companies, when religiously adopting the new SCC language, really deliver better data protection protections for the individuals whose data is in scope? I think not. But they will be using all the right words in their contracts, and that, to many people, is evidently what matters.


I doubt whether a shift from the Privacy Shield to the SCCs will fundamentally change the protections that are afforded to the relevant individuals. To be honest, I’ve not dealt with many companies that have relied on the Privacy Shield. But my experience of using SCCs to address the privacy risks associated with transborder data flows over the past two decades is that, in practical terms, they do little to protect privacy standards. I’ve found that:

  1. Few organisations have staff who have much (if any) experience in knowing what SCCs are and when they should be used. 
  2. It can be challenging to reach agreement with the other party on the role they play when they use “my organisation’s” personal data. To what extent are they a processor, a controller, or are they a combination of the two? Answering this question incorrectly leads to the wrong set of SCCs being used. 
  3.  It can be challenging to determine whether there is a meaningful transfer of personal data in the first place (i.e. one that would require SCCs). The other organisation may be collecting personal data in a manner that would not trigger the requirement to use SCCs.
  4. Different views exist on whether enough personal data is in scope to trigger the requirement to use SCCs in particular cases.
  5. It can be unclear as to who is accountable should a risk-based decision be taken not to use the relevant set of SCCs.  It could be a range of people, including the person who owns the relationship with the third party, the contracts manager, the lawyer, the head of compliance or the privacy officer. 
  6.  Once the contracts have been signed and stored in a safe place, accessible to just a few key staff, most people don’t actually realise that they contain SCCs.

The outcome of today’s decision is that lots of privacy professionals will have lots to think about in the months ahead. Battalions of consultants will help organisations find the right contracts and change the words. Legal and privacy budgets will either soar or be stretched to deprioritise other privacy work. 


However, as I’ve asked before, and might well ask again, will a shift from the Privacy Shield to the SCCs result in organisations delivering better data protection protections for anyone? 


I think not. 


But, these organisations will be using all the right words in their contracts, and that, to many people, is evidently what matters.