Privacy Shield Vs Standard Contractual Clauses

The Privacy Shield framework, a transfer mechanism that organisations could use to protect data transfers between the EU and the U.S., became invalid in July 2020 when the EU deemed that it was no longer fit for purpose (Schrems II).[1]


Why is Privacy Shield no longer valid?

Privacy Shield was invalidated because of US domestic laws governing national security: EO 13768 meant that personal data belonging to EU citizens transferred out of the EU was excluded from the US Privacy Act[2] and therefore did not receive the same protection in the US as it did in the EU.

In other words, US agencies had access to the personal data transferred out of the EU, but EU citizens had no rights of access or correction, which does not align with GDPR standards. Privacy Shield was invalidated on the grounds that privacy and surveillance laws in the US did not satisfy requirements equivalent to those under EU law, nor did they give individuals rights over their personal data.

However, it was ruled that Standard Contractual Clauses (SCCs) are still allowed, but organisations looking to switch to SCCs as their transfer mechanism may find it a little more difficult than simply self-certifying with Privacy Shield.

What are the EU requirements?

Under EU law, personal data can only be transferred to a country outside the European Economic Area (EEA) if that country provides an adequate level of data protection – an adequacy decision.

Where a country has an adequacy decision then that country is deemed ‘safe’ to transfer personal data to. If the country does not have an adequacy decision, then other means to transfer must be in place.

Privacy Shield offered a framework that ensured compliance with data protection requirements for US and EU organisations when transferring personal data from the EU and Switzerland to the US.

Companies could self-certify with Privacy Shield through the Dept of Commerce; they would then publicly commit to the requirements set out in the framework.

Can SCCs fill the void?

The question to ask is - could organisations start using SCCs as the transfer mechanism?

What are SCCs?

SCCs are a set of non-negotiable, pre-written contractual clauses and conditions that must be adhered to by both the sender and the receiver of the personal data. The clauses have been approved by the European Commission and they offer data protection safeguards for the safe international transfer of personal data.

It should be noted that the clauses must not be amended from the EC wording, though the parties can include additional business-related clauses.

Can I use them to replace Privacy Shield?

If your organisation has decided to use SCCs then there are considerations that should be made. The CJEU’s decision highlighted that parties that transfer personal data using SCCs must verify the level of protection in the third country before making any transfer.

Therefore, the onus to ensure that the safeguards can be met lies with the data controller or the exporter. As the controller or exporter of the personal data you must be satisfied that the level of protection that SCCs are designed to mandate is in place. There will have to be adequate due diligence, and clear processes and procedures implemented, to ensure the desired level of protection is afforded. It could mean that there will be times when data exporters must consult their supervisory authority.


What does this mean in practice?

In practice this means a need for International Transfer Assessments to be completed to assess vendor compliance and risk. The transfer tool must ensure that the level of protection guaranteed by the GDPR is not undermined by the transfer. In other words, your transfer tool must be effective in practice.

If SCCs are being used then you must be able to prove that the vendor can put into practice what is required under those SCCs. This needs to be done within the context of the legal framework of the country: if a public authority can override the vendor and access the data, then the transfer mechanism needs to be accompanied by supplementary measures.

Supplementary Measures

If the transfer tool is not going to be completely effective and offer total safety of the data, then supplementary measures need to be put in place. These should be adopted on a case-by-case basis.

Supplementary measures fall under:

  • Organisational
  • Technical
  • Contractual


Organisational – internal policies, organisational methods, standards applied by controllers and processors, codes of conduct, training procedures, and adoption of best practice and standards, including internal policies explaining how government requests for data will be dealt with.

Technical – these are probably the most important; examples are encryption, pseudonymisation and anonymisation (though anonymisation is very difficult to achieve).

Contractual – stating that technical measures must be put in place, for example that certain data must be encrypted, whether in transit or in storage.

Clearly there is a necessity for data transfers to continue to the US. An alternative method of transfer will need to be implemented and, in most cases, SCCs will be the obvious choice.

Next steps

  • Review all contracts that include the transfer of personal data where Privacy Shield was the transfer mechanism used.
  • Carry out a Data Transfer Assessment: know your data flows and implement any additional safeguards where necessary.
  • Carry out due diligence Vendor Assessments – ensure that the processors and any sub-processors can put into practice what is necessary to adhere to the SCCs they are being asked to sign up to.
  • Clearly document all assessments that involve transfers to a third country where there is no adequacy decision in place.

Data transfers will continue, but until the necessary processes are in place it could be more complex than simple self-certification. It does, however, mean that organisations will be more aware of the data they hold and how it is being used, which in turn will lead to greater accountability and transparency, and for those that do it properly can mean an enhanced reputation and increased customer loyalty.

[1] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/07/updated-ico-statement-on-the-judgment-of-the-european-court-of-justice-in-the-schrems-ii-case/?utm_source=facebook

[2] https://www.justice.gov/opcl/overview-privacy-act-1974-2020-edition