The EU-US Privacy Shield Has Been Invalidated – Learn What This Means For Your Contracts
On July 16, 2020, the EU Court of Justice issued a judgment declaring the Privacy Shield as inadequate, thus invalidating it. Not surprisingly, this judgment has left many organizations scrambling to update their contracts to remove references to the Privacy Shield and replace them with Standard Contractual Clauses. What does this judgment mean for your contracts? Watch this on-demand webinar with Debbie Reynolds, founder and CEO of Debbie Reynolds Consulting to learn how:
Alex Su (00:00:40):
It looks like we've got some early people joining. Hey everyone. Welcome. Thanks for joining early. Looks like we've got a good group here. And I see Justin Kuzo. Hey Justin, how are you? Hope you're all doing well. We're going to try to make this interactive today, and we'll be repeating this throughout the web, but would love to get people to submit questions, chat, and so hope to hear from you soon. All right, thanks Justin. Appreciate the feedback. How's your week going, Justin?
Hey, for everyone who's joining, if you want, feel free to chat. The chat is open for you to introduce yourself, talk to us about what you're interested in. I'm going to be watching the chat to know what topics to cover or what questions to ask Debbie, who's on the line here with us. I see some folks are responding. If you select all panelists and all attendees and everyone can see what you're writing in the chat. But if you want to address it to only the panelists, you can do that as well. Just trying to get used to this Zoom software.
Let's see. I'm getting some feedback here. Kushbu, the feedback is that the presentation is cut off on the left hand side. It looks fine to me. I don't know if anybody else sees it, but if there's any issues with how the presentation looks, feel free to drop in that feedback. I don't see it, but appreciate the feedback. Other people are saying it looks good. Thank you. Thanks folks.
We're going to get started in a few minutes here, but looks like people are still trickling in. Neha, maybe while we're waiting, maybe we should launch that poll so everyone has time to fill it out. We'll let that run for maybe five or so minutes into the beginning and we'll keep it running and then that way we have a sense of who's here. So Neha, if you could just run that first poll. Folks. Looks like we've got some people trickling in right now. It's always so cool to me to see people filling in the responses-
Debbie Reynolds (00:04:01):
Yeah, [inaudible 00:04:02].
Alex Su (00:04:02):
... in real time, right Debbie? Debbie, can you see this?
Debbie Reynolds (00:04:04):
Yeah, yeah, I can see it.
Alex Su (00:04:06):
Yeah. I see more people coming in. Hey, just want a quick reminder. Welcome to Meetings of the Mind Live. We want to make this an interactive session, so feel free to drop a message in Q&A. Also in the chat, introducing yourself or describing what you want to hear about. If you select all panelists and attendees, everyone can see it. So we're hoping to make this interactive and we have some poll questions. And a lot of our conversation today will circle around a discussion as opposed to us just covering materials. Welcome everyone. We'll get started here shortly.
Debbie Reynolds (00:04:47):
Yeah, this is interesting, the poll.
Alex Su (00:04:50):
Yeah, yeah. And as people come in, they'll probably see the poll and start filling it out.
Debbie Reynolds (00:05:07):
Yeah, when I'm a panelist I always hate that I can't participate in the poll.
Alex Su (00:05:12):
Yeah, I know. I see some familiar names from our previous Meeting of the Minds Lives, so for folks who are just joining, welcome back. I see some folks here, real familiar names. We'll get started here in a second, but feel free to fill out the poll. And also, if you'd like, feel free to introduce yourself. It's always a good opportunity for people to introduce themselves and share a little bit about what they do in the chat. I know it's not like I have Zoom Meetup where you can show your face, but you can fill in some information about yourself in the chat. Feel free to drop in your LinkedIn link as well if you'd like and that way you can all connect with one another. I've mentioned this before, but our hope is that this webinar will be different in that it'll be a live conversation. It's not going to be just a speaker talking at you. We want to get your feedback and hear from you as well, which is why we designed these polls.
Debbie Reynolds (00:06:16):
Are the polls so far what you're expecting? Or no?
Alex Su (00:06:24):
That's a good question. I think so. And so for folks, I think only we can see it, Debbie.
Debbie Reynolds (00:06:31):
Alex Su (00:06:32):
Yeah. For folks, it looks like about 40% of you are corporate legal department folks. Another 33% are corporate compliance. And then the rest are a mix of law firms, service providers and other.
Debbie Reynolds (00:06:47):
A student here [inaudible 00:06:49].
Alex Su (00:06:49):
Yeah, we have one student, which is cool. Which is cool. I never did anything like this when I was a student. Never.
Debbie Reynolds (00:06:54):
No, no. Never.
Alex Su (00:06:55):
[inaudible 00:06:56] webinar. I probably should have. I probably should have, yeah.
Debbie Reynolds (00:07:01):
Right. Exactly. This is great.
Alex Su (00:07:06):
Some of us are both. Thanks Wayne. Yeah. It's funny because these polls are hard because people fall into multiple categories.
Debbie Reynolds (00:07:14):
Alex Su (00:07:14):
You do compliance and legal, right?
Debbie Reynolds (00:07:16):
Oh, totally. Yeah.
Alex Su (00:07:19):
Right, Debbie? Yeah.
Debbie Reynolds (00:07:21):
Yeah. Completely. Yeah, it's hard to divvy up the buckets, so a lot of people wear multiple hats. You're right.
Alex Su (00:07:28):
Yeah, for sure. We're at the top of the hour. We're going to get started soon here. I'm going to drop a message to everyone in the chat. And it looks like Isabelle, welcome. Also, for everyone who's joining, just keep in mind that when you're chatting, it defaults to sending messages to only panelists. So if you flip over that setting to all panelists and attendees, then everyone else can see, because Isabelle, I know you just introduced yourself, but I'm hoping that everyone else can see as well. We've got a good size group here and we're going to get started shortly. Make sure we have enough time to cover all the topics. We have so much to talk about today with Debbie.
I'm going to get kicked off here. I'm going to start it off here. We'll run the poll for another few minutes, but Neha, if you could turn off the screen share so that we can see the videos. Thank you. Welcome everyone to the Meeting of the Minds. We're excited to have Debbie Reynolds on the webinar today and on the Meeting of the Minds Live today because Debbie is a data privacy expert. And I know that there's many of you on the live session today who have been following her, who are familiar with her work. But for those of you who don't know, Debbie essentially predicted the invalidation of Privacy Shield. And today's topic is obviously Privacy Shield, its invalidation, what it means to you all. So I thought we could start first by having Debbie introduce herself to you all. And Debbie, share a little bit about your background, tell us what you do and, you know, what you'll be talking about today.
Debbie Reynolds (00:09:17):
Sure. I'm Debbie Reynolds. I'm the head of Debbie Reynolds Consulting. I have to really think about that. I am a geek technologist. I've been in technology for over 25 years. My technology life started in library science, back in the days where young people like Alex don't remember, libraries had card catalogs. I was helping them through digital transformation projects to create databases of documents and other media things. I moved on to working with evidence for multinational corporations. But early on I really developed, in the '90s, a passion for finding out about privacy, just being curious about what my own privacy rights were. And so I've followed the trends and everything that's been happening over more than 20 years. When nobody was interested in privacy, I was, so it's interesting to see that people are interested. So I'm happy to share anything that I can with the audience.
Alex Su (00:10:30):
And I know that all of us are very excited to hear from you. I'll tell you that it's funny that I'm hosting this Meeting of the Minds Live. There is so much about privacy law that I don't know, which is great because I'm going to rely on you, Debbie, to share your knowledge. And before we jump into it, I wanted to point out, we've got folks in the chat, it looks like a lot of folks are sharing with the panelists only, but we've got people who are saying hello from Los Angeles, New York, Cleveland, all over the country. So we've got a good group here. And for those of you who are just joining, we've got basically 43% of you corporate legal departments, a quarter of you are corporate compliance, about 16% are service providers, vendors, and the remainder are law firms, students and others. So we're going to try to stay topical here. We're going to try to keep things relevant for you.
And as I mentioned, if you'd like, feel free to submit questions in the Q&A part of Zoom. There's a section that lets you submit questions. Please do submit questions about things you want to hear about because we don't want to just talk at you. We want to address any questions you may have. And I'll help guide the conversation by posing them to Debbie and Debbie will be sharing her expertise. But let's go ahead and get started. And Debbie, Privacy Shield is a big topic these days. It was invalidated recently, which had a lot of impact. Could you share a little bit about what Privacy Shield is, for those of us who might be new to this space, and why it matters?
Debbie Reynolds (00:12:05):
Yeah. Privacy Shield is or was a transatlantic agreement about how companies needed to handle data if it was shared from the EU to the US. This was a specific agreement between the EU and the US because the EU has known for a long time that the US laws and the EU laws about personal privacy and also things like surveillance are very different in each country. So the purpose of this agreement was to make sure that companies could do transatlantic data transfers for business purposes as long as they followed through the mechanisms that were put in place by the State Department and agreed upon by the EU.
The Privacy Shield, like the Safe Harbor before it, which was also invalidated, created an office within the Commerce Department, which had an ombudsman. It was supposed to be a place where US citizens could make complaints or get some level of redress if they felt like their privacy rights were being mishandled by a US company or due to a data transfer. So it really was supposed to be an easier data transfer mechanism for companies that did transfers all the time. I call it more like it was a fire hose of data approach. So if you agreed to the Privacy Shield and you did everything that the Commerce Department said that you needed to do, then you could transfer data however you wanted.
Alex Su (00:14:00):
It sounds like the Privacy Shield was there to govern how data's transferred between and among companies. And so I think one question that I remember I had, and I would love to hear from you on this, is who does it impact? Is it impacting only companies that are multinational? Is it impacting companies in certain countries? Who does Privacy Shield impact and who does the invalidation of Privacy Shield impact as well? And before you answer, Neha, if you could put up the next poll so we can see where everyone's from. This will be helpful for us in addressing this question. But go ahead, Debbie.
Debbie Reynolds (00:14:37):
There are other Privacy Shields. Basically the Privacy Shield was a way for the US to have adequacy, but because the US is so different from other countries, we had our own Privacy Shield. So this invalidation impacts companies that were under the Privacy Shield certification scheme. So there were a little over 5,000 companies that were signed up under the Privacy Shield to do these transatlantic data transfers, that's data from the EU to the US. That's what got invalidated.
Alex Su (00:15:19):
Now, I'm curious because this is an area that I'm kind of fuzzy on, which is, does that mean that Privacy Shield was just something that was referenced in agreements between companies and outside parties? Is it something that's mentioned in your contracts? Or is Privacy Shield something else? How do people know if Privacy Shield applies to them? And how do they know if they need to make any changes?
Debbie Reynolds (00:15:50):
Well, the Privacy Shield, because it had a certification scheme, the companies that had achieved the certification would post on their website that we are Privacy Shield compliant. It would probably be in contracts. I've seen them in terms of service where companies say, "Oh, we follow Privacy Shield." And that just meant that these companies were following along with what the Commerce Department decided was the criteria for them to be able to actually do those data transfers. That's really where you would see it. And then also these companies and also the State Department will make clear what a person's redress rights would be under the Privacy Shield framework.
Alex Su (00:16:41):
Got it. In the time we've been talking, we've got some questions. So I wanted to pose one for you since I think these are super relevant. We've got a question, "If you're a small US company and have Privacy Shield, what's going to happen in January?"
Debbie Reynolds (00:17:00):
Well, the Privacy Shield was invalidated in July, so there's nothing that's going to happen in January.
Alex Su (00:17:11):
So it's right now, it's already happened?
Debbie Reynolds (00:17:12):
Yeah, yeah. It was invalidated immediately. Immediately they wanted companies to find alternate ways to move data. Some of those alternate ways would be repatriate the data, not send it to the US, be able to create, use standard contract clauses, which are contract clauses that are approved by the EU that have to be put into a contract as is. And then it's incumbent upon the company that's doing the contract, the controller and the data processor, to work out the terms of that agreement. And then also the data controller would have to make a judgment as to whether this data transfer or the third party they're transferring the data to has adequate protection to determine whether they should use this vendor or use someone else, maybe someone in the EU or another country that has adequacy from the EU.
Alex Su (00:18:17):
I do want to talk about the standard contract clauses that essentially is going to replace the language for Privacy Shield. But we have a couple of questions from a couple of different attendees that I wanted to pose, be very clear. We've got one question, "Is the Privacy Shield effectively defunct and useless?" And second, "A company can still certify for Privacy Shield, why is that possible?" And I thought maybe you can answer those questions?
Debbie Reynolds (00:18:45):
Yeah, this goes back to Safe Harbor really. The Safe Harbor framework was very similar to the Privacy Shield, but it was its predecessor. And the Safe Harbor framework, at the time it was invalidated, they had over 10,000 companies that were registered with it. When the Safe Harbor got invalidated, the whole program just went bye-bye. That meant that the companies that were signed up for Safe Harbor had to start over. So they didn't grandfather them into whatever the next thing was going to be. I think a lot of companies were really upset about that, and as a matter of fact, less than half of the companies that were on Safe Harbor went to Privacy Shield. I think this time, once it got invalidated, they didn't want those people to get thrown out, tossed out of the program again and have to start over. I think that they want people to continue to do Privacy Shield because they are hopeful that there'll be a deal where they don't have to start over again.
Alex Su (00:19:50):
That's very interesting. You mentioned about Safe Harbor, we got a question, "When was Safe Harbor invalidated?"
Debbie Reynolds (00:19:59):
Safe Harbor was invalidated in October of 2015. And then the Privacy Shield came on board in early 2016. That was before the US election. I think that's one reason why they did it, because the Privacy Shield and the Safe Harbor, in my mind, weren't significantly different. But I think because a new administration was coming in, it was a way to keep businesses involved in these frameworks and also keep that conversation open, the dialogue open between the EU and the US in terms of what they wanted to see. But I think that Privacy Shield really was a placeholder, in hopes that in the last four years that they would've changed it or improved upon it at some point. That really didn't happen.
Alex Su (00:20:54):
And you mentioned, it sounds like there was a Safe Harbor which then got invalidated, then it was replaced by Privacy Shield, which then got invalidated very recently. And you've predicted that this was going to happen. Maybe you could share a little bit, based on your experience in this space, what was your thinking? How did you predict that this would happen and what are some lessons that you can probably draw from all that to make some predictions about the future?
Debbie Reynolds (00:21:23):
The Privacy Shield is just one data sharing agreement that the US and the EU have. There are other agreements, and I talked about this on a video before, there are agreements called mutual litigation agreements. It's actually treaties about how evidence gets exchanged or it gets transferred from one country to the next. I'm sorry, mutual assistance treaties basically. Mutual legal assistance treaties, that's what it is, I always forget. Basically these treaties are very much like Privacy Shield where the two countries are agreeing to transfer data for some other purpose. But at the time that I knew that this Schrems case was coming up, and in January of 2020 there was a non-binding opinion about standard contract clauses, because that's really what the Schrems II case was about.
But during that time there was a case out of the EU and there was a pushback, which is very unusual, about evidence transfer from the EU to the US. These agreements are pretty stable. They go on for many years. Some of them are so old that they're written, paper documents get exchanged, they're not even electronic. So typically you don't see a lot of changes or a lot of pushback on these agreements because they've been in place for so long. But this particular case, it was a terror suspect that the US wanted evidence from the EU. They actually fulfilled the request and then I think the mother of one of the terrorists took it to court and she said the transfer was illegal because it infringed upon the privacy right of one of the people. And the judge agreed actually that this was the case and that was very eye opening. Once I saw that, I'm like, this is not good. These are more stable agreements, in my opinion, than the Privacy Shield. So if they're pushing back on these agreements, I think Privacy Shield's going to go bye-bye soon. And that's what happened.
Alex Su (00:24:00):
Let me see if I can make sure I understand. It sounds like when you took a look at the Privacy Shield provisions, they were not that restrictive. It looked like just something that was put in place temporarily. And then you looked at these other agreements and protocols and you found that they were increasingly being invalidated because there were stricter privacy regulations that were causing them to be rolled back. And so you were thinking if Privacy Shield is relatively weak, it's only a matter of time before it's going to get invalidated. And so this brings us to our next topic of discussion, which I'm seeing a lot of questions in the chat and the Q&A on, which is about, okay, Privacy Shield now is invalidated, we're going to move to standard contract clauses now. What is that and what do companies need to do with that?
Debbie Reynolds (00:24:50):
Okay. Standard contract clauses are clauses that have been pre-approved by the EU and any company that's doing a data transfer can actually use it. The point of having those clauses is to have language in there and have information in those standard contract clauses to let companies know what they have to do with data. So they're very basic and you can just copy and paste them right into a contract. But you can't edit them, you have to put them in as is.
But some companies, they've never used Privacy Shield, so they've always used standard contract clauses. But as with any contract, you have to put other stuff in the contract. But some of the additional things you need to put in the contracts need to be very specific to that data transfer and really explain everyone's responsibilities and their roles. The two standard contract clauses you can pull down are a controller to controller data transfer or controller to processor for data transfer. So you want to make sure that all parties in those agreements understand what their responsibilities are as they relate to data privacy. And then you want it to be very specific as to who's going to do what. The Privacy Shield invalidation happened during a time where they were trying to get more clarification on standard contract clause. So it's almost like, okay, let's get you a clarification on standard contract clause. And oh by the way, let's invalidate Privacy Shield. That's what happened.
Alex Su (00:26:39):
I think there's a lot of questions around how standard contract clauses can be used, especially... Here's another question, which is, you've got these standard contract clauses that have specific language to be entered into your agreements that protect you from a privacy perspective, but is there any situation where you can add or change them? And I've got a couple of questions about language like this does not preclude parties from adding clauses on business related issues as long as they don't contradict the clauses. Is it okay to have the standard contract clauses and then have other language that you insert in that complement them? Is that okay?
Debbie Reynolds (00:27:19):
Oh sure, yeah. You don't want anything to capture that contradicts those clauses. But yeah, I mean people should be, and I hope that people, especially companies that were using standard contract clauses before, I hope that this was something they were already doing. So they were already putting more meat on the bones about the details of those data transfers so that it was very clear what the roles and responsibilities to those transfers were.
Alex Su (00:27:48):
Yeah, and what I'd like to do now is, given that we've touched upon this information, Neha, if you can run the next poll about what data transfer mechanisms folks are using in their agreements. There's going to be three options. We've talked about standard contract clauses and Privacy Shield, but what's binding corporate rules, Debbie? What is that?
Debbie Reynolds (00:28:13):
Binding corporate rules, one of my favorite topics. Binding corporate rules is an approved plan. So a company has to adhere to the details the EU asks for from a company to be able to apply to the EU to use binding corporate rules. And when they're approved, it's basically a way for multinational companies to transfer data within their company and with their affiliates and different parts of their company. But it's not for third party transfer and it's not for data transfer, it's not internal. People talk about binding corporate rules a lot, but there are very few companies that have approved binding corporate rules. There are less than 100 companies that have approved binding corporate rules. eBay is one. What am I looking for? I can't remember. I just looked at the list recently because I had an interview with someone who had one of those. So we were talking about that.
Let's say you need to transfer data today and you don't have binding corporate rules, that's not going to help you. This is something that you get approved, it's something that you subscribe to, it gets reviewed on a periodic basis as well. And some companies have started down that road and withdrew because maybe something about their company changed and they couldn't uphold their part of the bargain in terms of being able to act according to the binding corporate rules. But very few companies do it.
Alex Su (00:30:03):
Yeah, and I think that that's a great explanation. So for folks, fill out the polls. And by the way, as Debbie is answering the questions, everyone, I'm trying to go through all the chat and the Q&A. There's somebody here who's saying that not all questions are being answered. And we're trying. There's just a lot of questions here and it seems like we're trying to prioritize those questions that are very common among the entire group rather than each individual person's question. And by the way, Debbie, are you available to answer any specific questions afterwards? Keep a log of all the questions?
Debbie Reynolds (00:30:38):
Oh sure. Yeah, absolutely.
Alex Su (00:30:41):
I know again, sorry if we can't address your specific question, but we're going to download all of the questions and chat and take a look at them and try to respond to those that we can. But obviously, given the constraints we have, sorry that we can't answer every single question. Now, one of the areas of priority does seem to be that a lot of people are asking about the standard contract clauses. We've had a question here, "Are standard contract clauses being revised currently?"
Debbie Reynolds (00:31:09):
Alex Su (00:31:10):
"And what should we do if you're updating to these SCCs, the new language is valid and the old language invalidated?" What should people do?
Debbie Reynolds (00:31:25):
There are new standard contract clauses that are being reviewed. They've been posted for review and revision from people. But really, until those new clauses are approved, you should use the current one. The new ones that are coming out are just for review and they have not yet been fully approved.
Alex Su (00:31:52):
I think there's also a question about what's your view on these draft SCCs or these newer SCCs? Do you have any perspective on them?
Debbie Reynolds (00:32:02):
Well, the ones that people have been using now that are currently approved, they've been around for many, many years. So it doesn't hurt to do a tuneup because things do change over the years. So I think it's a welcome update to a lot of people because it may give them more clarification than they need. But when I saw the draft, we were all excited. We were like, "Oh wow, this new standard contract clause." You were like, "Oh, this is just a draft, it's not approved yet." So try not to get too excited about it until it's finally approved.
Alex Su (00:32:36):
Right. And so it looks like we have a couple more questions. SCCs seem applicable in businesses operating, agreeing with other businesses. Do they also need to be used if you're having agreements or terms of service with customers?
Debbie Reynolds (00:32:54):
Alex Su (00:33:24):
Yeah. Yeah, and while we're talking about SCCs, it looks like the poll results... Neha, you can end the poll now. It looks like most people are using standard contract clauses, some are still using Privacy Shield. Very few are using binding corporate rules, which makes sense, because they're only for internal transfers and for perhaps a small group of larger multinational companies. But in case anyone was curious, 78% of you are using SCCs, 45% of you still have Privacy Shield and 6% on binding corporate rules, BCRs. One question that keeps coming up, and I want to go back and try to cover this, is there's some folks asking, what does Privacy Shield being invalidated really mean? How is it invalidated? And this may be a very basic question but it has been coming up. Is there any advantage to renewing Privacy Shield certifications now? Do you have any perspective on that, Debbie?
Debbie Reynolds (00:34:21):
Well, if you're already in the Privacy Shield program, the Department of Commerce says you have to stay in it, so they're not going to let you back out. But let's say if you weren't ever in Privacy Shield... I'll give you an example. When the Safe Harbor was invalidated, I did not even consider going to Privacy Shield. Because there are several months that it was invalidated. Because of the fragility of it, even though it did give you the option of having more of a fire hose approach to data, I was always concerned that it would be invalidated, which it was. So I think a lot of companies, more than half, didn't sign up for Privacy Shield. So I think that those companies found alternate ways to handle data.
But I think we're not sure whether it's going to be a second Privacy Shield. Or a third try. There seems to be an indication, I haven't heard or seen the news where someone was asking about, "Since we have this new Biden administration, are you guys going to try again for Privacy Shield?" And the response wasn't a hot one. So I think it's going to be a while. I don't think just the changing of administration is going to warm anybody up too much because I think the issue that got the Safe Harbor invalidated was pretty much the same issue as the Privacy Shield's. So those issues still are there, so we have to figure out how we navigate that. Did I answer your question?
Alex Su (00:36:12):
Yeah. For folks who are still asking, feel free to drop in the chat if you have any follow-ups. It sounds to me, Debbie, this is just a highly dynamic situation. There's obviously some privacy mechanisms and protocols that are being invalidated and we're in this limbo period. There's a question here and I think this general question with a lot of people, and I'll broaden the question to make sure we answer all of them, but the question seems to be surrounding, I'll use this one question as an example. "What's the legality of transferring data from the EU to the US? I mean, is it currently illegal? Do we need to stop providing paid for services in our SaaS offering?" And so I think the broader question is also, during this limbo period, what do you do in the absence of having these SCCs?
Debbie Reynolds (00:37:01):
Yeah. Under the GDPR, I think there are six legal mechanisms for transferring data. So if you can't find one of those mechanisms to transfer data or if you can't find a way to use a standard contract clause to transfer data, the advice is that you stop transferring data. Obviously companies have to manage their own risk and figure out how they want to do that. Because some companies are still transferring data, maybe they're waiting for more guidance or something like that. So I think if you have a legitimate reason or a legal basis to transfer data that does not rely on the Privacy Shield, companies, that's basically what they're doing. I see some companies and they don't have a legitimate basis, they're stopping.
What I do see is some companies, you want to have as many legitimate bases as possible, so one would be the performance of a contract. So you have a person, they sign up for your service, they want you to service them. That is a legal basis for a data transfer. So you just have to drill down on that list to see if there are legitimate reasons that you can use that make sure that your data transfer is legal and then definitely make sure you're working with third parties and you have contracts with them about data transfer, that you definitely use standard contract clauses and not use Privacy Shield if you don't have to.
Alex Su (00:38:49):
Yeah. And I think it also raises the question of if standard contract clauses are the way to go right now and we go and we repaper all of our agreements and then some other change happens. What have you seen, given your experience in this space, if these regulations keep shifting, what can a compliance or legal department do to stay ahead of those changes? Are you just locked into constantly grabbing all of your contracts and just always amending them? What approaches have you seen work well in the past?
Debbie Reynolds (00:39:25):
Well standard contract clauses, as we saw from the polls, very popular. Keep in mind that these are used by other countries or other companies. It is not just the EU to US. Standard contract clauses can be used by any company that's transferring data out of the EU. Some companies have an easier time where they don't have to go to a standard contract clause or go using a Privacy Shield type framework because they may already have adequate, or the EU has deemed that their privacy laws or their laws are more congruent with the EU, so then they don't have to have a Privacy Shield. Does that make sense?
Alex Su (00:40:15):
Yeah, and I think, and this is probably a quick plug for Evisort, that there's ways that you can keep track of your contracts and provisions. Neha, can you share the next poll? Because we're always curious to hear how people are dealing with their existing agreements. This is not the first regulatory change in contracts and we're always curious to hear how people are addressing this challenge. While people are filling that out, I would love to spend all this time talking about SCCs and it's very popular, there's a lot of questions on this, but I did want to also cover a couple of other topics that we'd like to talk about, which is with Brexit coming up, what broader impact do you see happening in the EU with Brexit? Can you share a little bit about your thoughts on what's happening there?
Debbie Reynolds (00:41:06):
Yeah. Brexit is tough. They're caught in the middle. The timing is crazy right now because I know that no one thought, a lot of people didn't think that the privacy issue was going to be invalidated, but it creates another problem or issue because a lot of these data transfer issues are around indiscriminate data collection and surveillance. So I guess the question is people are watching to see if the UK gets adequacy from the EU. The UK has given the EU adequacy, so people in the EU can move data to the UK, fine. Okay. From the UK to the EU, there is inadequacy. So they'll be treated like a third country or possibly an inadequate third country, almost like the US or India. So they would also need some other mechanism like a standard contract clause for certain data transfers.
But then, I mean the other question comes up, let's say the UK can give the US adequacy, that would mean that companies can move data from the UK to the US. I don't know, it's tough. So it's almost like picking sides, you have to pick one side or another. So either you're going to be on the more stringent privacy law side or you're going to be on the less stringent or the much different privacy law side of things. I think the UK is very much in the middle on this. I'm hoping that there could be some consensus there. I don't know.
One thing I want to mention is that, even though we're talking... the standard contract clauses predated obviously GDPR or some other things, but when it was invalidated, part of what they were doing was saying, "Okay, now that we have a GDPR, we need to connect all the stuff into the GDPR," and things like that. But the GDPR doesn't deal with surveillance or things like that. The surveillance and indiscriminate data collection by law enforcement or intelligence agencies, that is not in the GDPR. This Privacy Shield invalidation like a company using the Privacy Shield, they can't really do anything, they can't change the national laws in any country. So I think companies are very much in the middle. But I feel like, in a way, that this needs to be at a higher conversation, because again, the GDPR doesn't really address surveillance and national security in that way.
Alex Su (00:44:33):
Yeah. It sounds like just because of Brexit you're going to have one country not be able to seamlessly transfer data throughout the EU, but at the same time it could make things easier with them in the US. What do you think's driving a lot of these trends? I mean it seems like there's a trend of increasing strictness when it comes to privacy and the regulations that govern it. And a lot of it does seem to come from the EU. What's your take on your crystal ball when you're looking in the next, I was going to say five years, but probably one to two years?
Debbie Reynolds (00:45:08):
Yeah. I would say in the next four years there's going to be significantly more regulation around privacy. And I think that, just to back up, so the EU before the GDPR had a pretty good privacy directive before. But then the thing that the GDPR did that is the reason why all of us are talking about it is because they added these severe fines and penalties. So because of that, it raised privacy to more of a C-suite issue. And because of that, a lot of other countries are looking and watching what the EU is doing. And I know some of my friends in the EU, obviously they like certain parts of the GDPR, but they're concerned about things like enforcement.
But the GDPR has been extraordinarily influential throughout the world. So we're seeing a lot of people cherry picking things out of GDPR to put into their own laws. We're seeing the language from the GDPR go into different regulations, even here in the US, like terms of data subjects, data processor, data controller, the right to be forgotten in some way, shape or form. All those things seem to be pollinating around the world.
And I think it's only going to continue, especially as people see it as being a business advantage. For example, let's say Canada is a country that has adequacy to a certain extent with the EU. So that means that if, let's say if you needed to transfer data to North America, you could possibly do it to Canada with a lot less trouble than you did with the US. But I think countries that have adequacy, and I've talked to a friend of mine in Israel because they also have EU adequacy, they're seeing a bit of uptick in their business or their relations with people wanting to use more of their services because it makes it easier for them to do those transfers from the EU to their countries.
Alex Su (00:47:24):
Got it. Yeah, it's an evolving and changing situation. And so I know that there's also a lot of questions here that I want to get to. And so what I was thinking of doing, just for our conversation today, maybe give you a chance to share some final advice or words for folks who are dealing with Privacy Shield, whether they have it in their contracts or not, or how to incorporate standard contract clauses. Any advice you'd have for a legal or corporate compliance department. We'll hear from you Debbie, and then we're going to open it up for questions. I'll start going through some of these questions so we can answer them specifically so we have time for that. But any advice for legal departments or compliance folks who are dealing with this challenge right now?
Debbie Reynolds (00:48:07):
Yeah, I think you want to be able to have as many legal bases as possible to transfer data. Let's say one of them doesn't work, you can use another one. Also, even people who had not previously used standard contract clauses, they need to get really familiar with it because we're not sure if there's going to be a Privacy Shield part two. I think just keeping ahead of the way the regulations are going and making sure that you can write these things into your contracts would be fine. For example, I have written contracts, I don't know, five or six years ago and I used standard contract clauses and I don't think there's anything I would've done differently today than I did back then. We use the clauses, we put in the information about what we thought was adequate safeguards or made sure that the data transfer was... we put all our ducks in a row, I would say.
And I think one thing that's the bane of the existence of a lot of companies is dealing with these third party contracts. But I mean, it's not going to stop, because most companies aren't self sustaining in a way that they can't use third parties, so third parties are not going to go away. So you need to figure out what's the best way to move forward with these third parties and come up with a process and a procedure that helps you not pull your hair out when you have to do these agreements, so we have to collaborate with a third party on delivering your services.
Alex Su (00:49:53):
Yeah. That's such great advice. I think having multiple fallbacks. In a changing environment, it's always good to have backup options and having multiple grounds to transfer data, that's a prudent way of going about things. And before we go to the specific questions, I just want to make also a quick plug for Evisort in that our technology does help you identify areas in your contract, not just keywords, but key clauses. And so that's why we also are putting on this webinar because in your contracts, obviously there is commercial and other business implications to managing your contracts, but certainly privacy as well.
And so what I'd like to do now is go through these questions that we have from people. I feel like there's so much to cover and we won't be able to cover everything, but if you do have questions, we will be taking a look at this after the call to see if there's any question we can reach out to you and to help answer. But Debbie, I'm going to start going through these and maybe get your quick answer on them. Some of these we've already addressed and so I'll choose them. Let's see. "What safeguards need to be provided in addition to standard contractual clauses? In other words, what do we need to take into account when assessing whether the law in the recipient country, e.g. the US, ensures adequate protection?"
Debbie Reynolds (00:51:17):
Yeah, that's a good question. That's a hard question. Basically the invalidation said that that needs to be a consideration. So the controller needs to consider, if they have to do a data transfer to the US, how likely is it that it's something that will be caught up into some surveillance, some national security, some law enforcement thing. And so some of the safeguards that I'm seeing people do is maybe reducing the amount of data that they send or encrypting data in a way that, let's say that the key to the data only stays in the EU, even though the data's moved to the US. I'm not sure. I don't know. Even though people think of encryption as an additional safeguard, it's a thin one because encryption can be broken. So I don't think that is a great one. I mean obviously I think if you're transmitting data you should be protecting it in some way. But I don't think just saying, "Oh, well it's encrypted. Then, okay, it's fine." I don't know that will fly. I don't know if I'll be comfortable with that.
But yeah, moving less data, minimizing data, data pseudonymization and anonymizing data, those are all on the table. Because if the data is anonymized or you pseudonymize it and you meet the legal requirement for doing that, then some of these things won't even apply to you because it's all about personally identifiable information. So if a person isn't personally identifiable and you're taking out data that is personally identifiable, you can do almost any transfer if you're able to do that. But the issue is that's not as easy to do as people say. So it's easier to say that, "Oh, we'll just make everything anonymous." But in terms of just the data, the technology that you need to be able to do that, it's a lot harder to do. I'm hoping that companies, as they're going forward, they're thinking about things like privacy by design, so that there are definitely ways that you can collect data or collect less data or minimize what you send or do it in a different way that actually reduces your risk and reduces your exposure and you could still do business.
Alex Su (00:53:48):
For sure. For sure. Another question here related to standard contract clauses. "Given your experience, how do you respond when suppliers want to make some tweaks to that language?"
Debbie Reynolds (00:54:02):
Oh my god, I get that question all the time. Actually I like to have someone download it and then say they want to change it. I'm like, "No, you can't change it." You have to go back to the website and show them why you can't change it and why it's really important that it stay that way. They really did it so that it would be a pain if you have to go back to the EU every time we had a contract. That's the reason why they created it. They're like, "Look, you want to do this contract, we can't get involved in millions of people's businesses. Use this standard contract clause, follow what it says, don't try to contradict it and then you'll be better off." But I swear that's the first thing that a lot of people do. They download it and start trying to change it.
Alex Su (00:54:52):
Yeah. Yeah. Which, as you've shared, that's a no-go situation. And relatedly, here's another question, and this is something that I would love clarity on because I think I've always wondered about this. The question is, "When should you use standard contract clauses versus when you should use a data processing agreement, a DPA?" And so if you could share maybe some background on how those two interact and how to understand when to use SCCs or when to use DPAs?
Debbie Reynolds (00:55:22):
Well, a data processing agreement can include a standard contract clause. So I don't see them as being different. I see them as being complementary to one another. And that's what I was saying about you need to have details about how you're going to handle the data, especially because if you're doing a controller to controller or a controller to processor agreement, you both have responsibilities, especially under the GDPR. Just because you're a controller... Let's say I'm a third party, so you transfer data to me using a contract, they have a standard contract clause, this is a data processing agreement. I'm not off the hook, the EU's not going to let me off the hook if I do something wrong and they're not going to let you off the hook either.
But I think traditionally in contracts like this with third parties, a lot of it has been so much more onus on the controller, and it is still, but the processor has skin in the game too and they're also responsible. So the part that's really important is that the division of labor needs to be very detailed. You also need to make sure any step of the process where you're handling data needs to be very clear what's happening to the data. And then again, you need to be transparent with the consumer or the user about how you're handling their data in those transactions.
Alex Su (00:56:56):
Yeah. And you mentioned this and I just remembered that somebody asked the question about this, which is going to be helpful. If you could share also a brief outline or description on what exactly a controller to controller transfer is and what a controller to processor transfer is. And maybe from a basic perspective, what are the differences? I think that would be helpful to some folks.
Debbie Reynolds (00:57:21):
Yeah. Okay. A controller is the person that asks for something to be done and a processor is the person that does it. Okay. Basically that's how the controller to processor works. Let's say I'm ABC Corporation and I need this third party person to do widgets for me or something. We do a contract together, I'm a controller because I'm the person deciding what needs to happen, or who's asking the question or asking for the service and the processor's the one that actually handles the data and does the work. A controller to controller transfer is where both parties are making decisions about what happens to the data. I'll give you an example. The Facebook and Cambridge Analytica situation. Facebook was the data controller and then when the data went to Cambridge Analytica, they decided to do something different with it. So that made them a controller as well. Facebook was the controller initially, and then once Cambridge Analytica got the data and they did something totally different with it than Facebook would've wanted or had known about, they became a controller and a processor.
You could be joint controllers, you could be joint processors, because there could be many third parties within a particular project. So you could be a joint processor, be a joint controller, controller controller. Yeah, that's how it goes.
Alex Su (00:59:07):
Great. I'm sure a lot of folks appreciate that clarification. I've got another question here flipping around the perspective, not from, it sounds like a compliance or a corporate legal department, but from a vendor perspective. If a vendor agrees to execute a standard contract clause with the customer, is there any risk to them, the vendor or the supplier, in agreeing to those SCCs?
Debbie Reynolds (00:59:35):
Yes. Are you saying that the contract is from the third party with the controller? Is that what you're saying?
Alex Su (00:59:45):
Yeah. It sounds like the question is if you're a vendor and you're a supplier to somebody who's operating different jurisdictions and it turns out that your counterpart, I should say your buyer is asking you to agree to SCCs, are there any risks to you as a vendor who services that buyer and agree to those SCCs, are there any risks to you as a vendor?
Debbie Reynolds (01:00:12):
Basically the way that the controller and processor relationship works is that both have skin in the game. Let's say for instance something happens with the controller, you aren't going to be blamed for something that the controller is responsible for, but you are responsible for your part. So you aren't going to be off the hook for your portion of the contract. Basically you're saying the controller and the processor will come together and they form a relationship and they produce this product or they make sure that they're working together. So even though the controller has more skin in the game because they're the one who asks for it and they have a responsibility, for example, if there's like a data breach or something, the controller is the one that's responsible for making sure that the user gets the information, even if they have to leverage the processor to assist. So let's say there's a data breach situation, the controller gave the processor the data, the controller has contact or they're the ones responsible for contacting those individuals. But they may say to the processor, "I need you to give me information about how you handle this data so that I can pass that information over to a supervisory authority or to the user that was breached."
Alex Su (01:01:38):
Okay. We've got another question, and maybe this is a good one to end on given we have only a few minutes left here. The question is about where can you find the standard contract clauses? And I think I want to broaden that question to what resources would you advise folks to take advantage of when it comes to standard contract clauses, Privacy Shield, anything privacy related?
Debbie Reynolds (01:02:03):
Well I highly recommend that people use the European resources, like the ICO has really good links to the standard contract clauses. The EU has a variety of government websites, they have really good links. I like it because a lot of the things are written for a consumer in some way, so they want to make sure the individuals will understand those rights. But if you type in standard contract clauses EU, you should be able to pull them up pretty easily and download them and put them in your contract. ICO definitely has information. The European Union websites have good information. The Department of Commerce has information as well. They have stuff just to let you know about Privacy Shield and where it stands right now. That's definitely a good one that people need to take advantage of. And then just watch the news. This is going to be crazy just to see how things play out.
Alex Su (01:03:05):
For sure, for sure. I think there's going to be a lot of changes coming, new administration, it sounds like a lot of things happening. So I know you're an expert in this space, and so for folks who aren't familiar, how can they get in touch with you if they have any follow-up questions?
Debbie Reynolds (01:03:20):
Sure. Definitely you can send me a question on LinkedIn, so connect with me on LinkedIn, shoot me your question, I'll try to get to them as much as I can. Also, people can go to my website, DebbieReynoldsConsulting.com. I have a contact page, if you want to type something there. But I'm always happy to hear from people, always happy if I can to answer questions and discuss it. I'm a nerd so this is one of my favorite topics. This is crazy.
Alex Su (01:03:50):
Yeah, I love it and you're obviously a big expert in this space. And for those who are wondering who are still on, Neha, and you can correct me if I'm wrong, but this recording will be sent out I think a day or two after today so that you can review this and hear some of Debbie's insights at your own leisure. But I appreciate also you taking the time, Debbie, out of your schedule to speak with everyone today. And I appreciate everyone here who joined. I know we didn't get it to every single question here, but if it's an urgent question, I encourage you to reach out to Debbie to get that question answered. Some of these questions are very specific, so I didn't want to have everyone... they're very specific, we just have limited time. But thanks again for everyone and really hope to see you on the next webinar. But anything you want to share, any final words you want to share, Debbie or Neha?
Debbie Reynolds (01:04:50):
Let's see. Well, I mean keep an eye out. I'm thinking 2020 is going to be an interesting year. I know that probably Joe Biden was not expecting that this Privacy Shield thing would come up that you would have to deal with, but something has to happen, it can't go unchecked or un whatever. This is a really big deal for companies, especially we're so much more connected than we ever were, so I don't know how we're going to get to some resolution because the US-Swiss Privacy Shield was also invalidated. So those things will get some attention next year I think, because they have to.
Alex Su (01:05:34):
Yeah. All right, well, again, thank you for your time. And for everyone joining, really appreciate your time and you expect to see some information or a recording of this webinar. And thanks again and hope you have a great rest of the day.