The Court of Justice of the European Union (CJEU) released a decision invalidating the US-EU Privacy Shield arrangement for transatlantic data transfers and changing obligations of data controllers when using Standard Contractual Clauses (SCCs) as a mechanism to export data. Among other things, the court held that data controllers may use SCCs to transfer data of EU citizens to a data importer based in a jurisdiction which has been deemed to have inadequate data privacy protections only after:
1. Carrying out a review of the national legislation and regulations relating to data privacy and security of the data importer and verifying whether the existing laws and regulations ensure that the contractual promises within the SCCs can be honored by the importer;
2. If the national legislations and regulations are too weak to allow the SCCs to be enforced, then the controller along with the assistance of the data importer will have to establish supplementary measures to enforce the data importer’s obligation to protect the data under the SCCs;
3. If the data controller, the data importer or the relevant Supervisory Authority believes that the contractual protections on the data as per the SCCs cannot be honored by the data importer then the data transfer between the controller and importer should be cancelled and any data already transferred under the SCCs should be deleted by the data importer.
Risk assessments
Upon a close reading of the CJEU’s judgement, it appears that the data controllers and processors should be focusing on the following factors while conducting the obligatory risk assessments under the SCCs:
1. Identity of the data importer:
- Is the data importer from a regulated industry?
- Who is the data importer and in which industry do they work?
- Does the data importer have the capability to refuse public authorities’ requests to hand over transferred data for surveillance needs?
- Whether the data importer has received surveillance requests in the past and complied with the same for similar sets of data?
The identity of the data importer matters since some data importers might be targeted more by public authorities in comparison to others due to the industry they work in. Moreover, the data importer’s history of compliance with a regulatory regime and it’s capability to challenge requests for surveillance by public authorities can also help assess the risk of exposure to the personal data being transferred.
2. Assessment of the industry-specific regulatory regime of the data importer:
- What are the powers, roles and performance of the relevant local regulators?
- What safeguards and redress are available for data subjects under the relevant legal and regulatory regime?
The type of safeguards and redress available to data subjects under a regulatory regime should be analyzed and evaluated in terms of scope, efficacy and enforceability of protections.
3. The nature of the data and the data transfer:
- What type of data is it?
- Is it sensitive personal data?
- For what purpose is the data being transferred?
- What is the residual risk to the data subject if the transferred data is exposed or surveilled by the public authorities of the importing country?
- Has the data subject provided (enhanced) informed and free consent to have his/her personal information transferred despite the risk of it being exposed or surveilled by the public authorities of the data importer’s country?
Some data and transfers are inherently more at risk than others to be the subject of surveillance by governments due to national security concerns and/or law enforcement interests in the type of data being transferred. Similarly, the type of data being transferred also matters as sensitive personal data being exposed to surveillance is more harmful to the data subject compared to other data types.
4. The categories of data subjects:
- Who are the data subjects whose data is being transferred?
- Do these data subjects have access to judicial/regulatory bodies in the data importer’s country to exercise their rights and challenge the surveillance of their information?
Some data subjects might be at increased risk of surveillance by a country’s public authorities due to their employment or nationality etc. Similarly, some categories of data subjects (i.e EU citizens who have dual nationality as US citizens) will have the enhanced capability to take action to stop or redress any government action which threatens to expose their data while others might not.
5. The nature and scope of surveillance and national security laws of the data importer’s country:
- Are the surveillance laws of the data importer’s country expansive or limited in their scope?
- Are surveillance efforts for national security requirements curtailed by the principles of necessity and proportionality?
- What is the probability that the transferred personal data will be surveilled?
Some jurisdictions have very well structured surveillance laws and the law applies to some specified industries, people, etc. but some jurisdictions have vaguely worded and overbroad surveillance laws. The risk is less if the laws (and their limitations) are well written and understood.
6. Other supplementary measures used by the data importer to protect the data:
- Does the data importer employ any industry-specific protections to the transferred data?
- Does the data importer apply any technical or organizational protections to the transferred data?
- Are there any protections to the transferred data which are in the nature of international commitments by the data importer or the country the data importer is based in?
- What supplementary measures will be used in the SCC and how effective would they be in protecting the data?
Some data importers can be subject to additional and independent supplemental measures for the protection of the transferred data that are industry-specific or international in nature (via international treaties or obligations). These can reduce the risk of the transferred data being exposed.
Additional Safeguards
The data controller after conducting a holistic assessment of the risk can choose to enact additional safeguards within the SCCs to protect the data and mitigate risk to achieve compliance with the CJEU judgment. Such additional measures may include:
- technical and organizational (i.e such as heavy grade encryption of the transferred data with the data importer not having access to encryption key at all times),
- data minimization (i.e reducing data flow to a data importer if they become subject to surveillance requests or the risk of them being issued a surveillance request increases),
- other contractual measures that can offer some form of control over data importers by data controllers (i.e the data controller exercises total control on the data importer in relation to the imported data),
- reporting obligation (the data importer is obligated to inform the data controller of data surveillance requests received on the imported data by public authorities),
- data protection obligation (i.e obligation upon data importer to delete the data or transfer it forward and to challenge data surveillance requests by public authorities before domestic courts).
Conclusion
"Data controllers in the EU should immediately begin to audit their data sharing practices and prepare for the eventual compliance actions by regulators. NOYB - Max Schrems’ data rights organization - has already filed 101 complaints with various Supervisory Authorities against European companies continuing to transfer data to the US after the judgement and the European Data Protection Board has formed a task force for the implementation of the ruling. Since there is no grace period for companies to adapt to the decision, even tomorrow the Supervisory Authorities can knock on EU data exporters’ doors asking for justifications for data transfers being made to US companies."
Thus adoption and enhancement of SCCs with additional measures to mitigate the risks which arise in risk assessments is the only viable step for many companies (at least in the short term) as other solutions such as Binding Corporate Rules (BCRs) are too expensive and solutions such as enhanced consent are not sustainable or viable for systematic transfers. Until further guidance comes from the authorities or the US and EU authorities can clobber together a Privacy Shield 3.0, these steps are required to ensure the billions of dollars worth of transatlantic trade does not come to a grinding halt.
