It’s been almost a year since the Court of Justice of the European Union (“CJEU”) issued its decision in Data Protection Commissioner v. Facebook Ireland Ltd. (Schrems II) in July 2020, invalidating the EU-U.S. Privacy Shield Framework established in 2016. The Court found that US surveillance laws did not afford adequate protection under the European Union’s Charter of Fundamental Rights and the 2018 General Data Protection Regulation (“GDPR”). Accordingly, the Privacy Shield did not provide sufficient security for data transfers from the EU to the US.
The Schrems I and II decisions are named after Maximilian Schrems, who aimed to prohibit Facebook Ireland from transferring his personal data to the US first under the Safe Harbor Framework in a claim filed in 2013 and then under the Privacy Shield Framework in a follow-up claim filed in 2015.
Following the Schrems I decision, Facebook Ireland transferred data to Facebook Inc. in the US using standard contractual clauses (“SCCs”) — model contract clauses “pre-approved” by the European Commission — as permitted under the GDPR. However, the Irish Data Protection Commission took the position in Schrems II that SCCs did not prevent the US government from accessing transferred data in a way that might violate EU law.
The European Commission and the US developed the Privacy Shield Framework to alleviate these concerns. Nonetheless, given that the CJEU invalidated the framework, businesses seeking to transfer data from the EU to the US must adapt again to an evolving set of standards.
The European Commission Has Published New SCCs
On June 4, 2021, the European Commission finalized an updated version of the SCCs. The old version will be repealed within three months after the new version’s publication, after which organizations can no longer rely on the old version for new data transfers. At least one prominent commentator has indicated that we will see an increase in enforcement going forward, so businesses transferring sensitive customer data out of the European Economic Area (“EEA,” consisting of the EU, Iceland, Liechtenstein, and Norway) have a clear imperative: learn and implement the new standards ASAP.
SCCs are modular, with certain core modules applicable to all data transfers, and others that must be included based on the status of the parties involved under the GDPR. Each party is either a controller or a processor, depending on whether it decides why and how to process the data.
The CJEU has ruled that SCCs continue to be valid mechanisms for data transfers, but organizations transferring data outside the EU must monitor enforcement of GDPR standards by recipients in other regions so that the transferred data continues to receive an equivalent level of protection. That requirement raises questions regarding the content of the GDPR and some of the more ambiguous parts of the law.
Gray Areas to Watch Regarding the Use of SCCs
Earlier this year, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint opinion on the European Commission’s Implementing Decision on SCCs. The opinion took a detailed look at several clauses in the draft SCCs and made targeted recommendations to the European Commission to provide clarification and guidance. Organizations subject to the GDPR will likely want to pay close attention to these areas of ambiguity in order to remain abreast of new guidelines as they emerge. Here are just a few of the issues the EDPB and EDPS raised.
Module 1 (Controller to Controller), Clause 8.7: Onward Transfers
The opinion noted that this clause doesn’t uniformly require data importers to notify data exporters if they transfer the data to a third party, unlike the 2004 SCCs for a transfer from one controller to another controller. However, if the exporter does not know that another party has received the data, then it can’t monitor the third party’s handling of that data to ensure compliance. The joint opinion calls on the European Commission to amend this clause, but in the meantime, businesses exporting data will likely want to secure contractual promises from data importers to notify them of any onward transfers in advance.
Module 1, Clause 10(f): Data Subject Rights
This clause indicates that a data importer may refuse a data subject’s request for information regarding their personal data if the destination country’s laws permit it to refuse, and that refusal is “necessary and proportionate in a democratic society” to protect one of the objectives listed in Article 23(1) of the GDPR, ranging from national security to the enforcement of civil law claims.
The joint opinion argued that the SCCs should defer only to those local laws that “respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard” the objectives in question. Without any language to this effect added to the finalized SCCs, however, it appears that it will be up to data exporters to retain legal counsel who can help them understand how these exceptions might affect their compliance with the laws to which they are subject in other jurisdictions, including the GDPR, the California Consumer Privacy Act (“CCPA”), and any other applicable data protection regulations.
Module 2 (Controller to Processor), Clause 8.5: Duration of Processing and Erasure or Return of Data
The draft version of this clause provided that if a data importer couldn’t delete or return the data to the exporter due to local regulatory requirements, it would instead guarantee the level of protection required by the SCCs “to the extent possible.” The EDPB and the EDPS argued in response that the protections entailed by the SCCs needed to be guaranteed without exception, and the problematic phrase appears to have been deleted in the finalized SCCs. However, data exporters will presumably benefit from engaging local legal counsel that understands contradictory regulatory requirements in non-EU jurisdictions.
Are you ready to incorporate the new SCCs into your data privacy agreements?
This is far from an exhaustive list of the issues that the EDPB and EDPS raised in their joint opinion, but this sampling illustrates how much room for error remains as businesses attempt to learn and comply with the ever-changing regulations in the data privacy space. Want to learn how Evisort can help you review your contractual data privacy obligations and quickly draft new language to ensure compliance in your future business deals? Schedule a demo today!