'Most Innovative Startup 2020' by RSA - Watch the pitch video

View More

 

The Court of Justice of the European Union (CJEU) released a decision invalidating the US-EU Privacy Shield arrangement for transatlantic data transfers and changing obligations of data controllers when using Standard Contractual Clauses (SCCs) as a mechanism to export data. Among other things, the court held that data controllers may use SCCs to transfer data of EU citizens to a data importer based in a jurisdiction which has been deemed to have inadequate data privacy protections only after:

1. Carrying out a review of the national legislation and regulations relating to data privacy and security of the data importer and verifying whether the existing laws and regulations ensure that the contractual promises within the SCCs can be honored by the importer;

2. If the national legislations and regulations are too weak to allow the SCCs to be enforced, then the controller along with the assistance of the data importer will have to establish supplementary measures to enforce the data importer’s obligation to protect the data under the SCCs;

3. If the data controller, the data importer or the relevant Supervisory Authority believes that the contractual protections on the data as per the SCCs cannot be honored by the data importer then the data transfer between the controller and importer should be cancelled and any data already transferred under the SCCs should be deleted by the data importer.

Risk assessments

Upon a close reading of the CJEU’s judgement, it appears that the data controllers and processors should be focusing on the following factors while conducting the obligatory risk assessments under the SCCs:

1. Identity of the data importer:

  • Is the data importer from a regulated industry?
  • Who is the data importer and in which industry do they work?
  • Does the data importer have the capability to refuse public authorities’ requests to hand over transferred data for surveillance needs?
  • Whether the data importer has received surveillance requests in the past and complied with the same for similar sets of data?

The identity of the data importer matters since some data importers might be targeted more by public authorities in comparison to others due to the industry they work in. Moreover, the data importer’s history of compliance with a regulatory regime and it’s capability to challenge requests for surveillance by public authorities can also help assess the risk of exposure to the personal data being transferred.

2. Assessment of the industry-specific regulatory regime of the data importer:

  • What are the powers, roles and performance of the relevant local regulators?
  • What safeguards and redress are available for data subjects under the relevant legal and regulatory regime?

The type of safeguards and redress available to data subjects under a regulatory regime should be analyzed and evaluated in terms of scope, efficacy and enforceability of protections.

3. The nature of the data and the data transfer:

  • What type of data is it?
  • Is it sensitive personal data?
  • For what purpose is the data being transferred?
  • What is the residual risk to the data subject if the transferred data is exposed or surveilled by the public authorities of the importing country?
  • Has the data subject provided (enhanced) informed and free consent to have his/her personal information transferred despite the risk of it being exposed or surveilled by the public authorities of the data importer’s country?

Some data and transfers are inherently more at risk than others to be the subject of surveillance by governments due to national security concerns and/or law enforcement interests in the type of data being transferred. Similarly, the type of data being transferred also matters as sensitive personal data being exposed to surveillance is more harmful to the data subject compared to other data types.

4. The categories of data subjects:

  • Who are the data subjects whose data is being transferred?
  • Do these data subjects have access to judicial/regulatory bodies in the data importer’s country to exercise their rights and challenge the surveillance of their information?

Some data subjects might be at increased risk of surveillance by a country’s public authorities due to their employment or nationality etc. Similarly, some categories of data subjects (i.e EU citizens who have dual nationality as US citizens) will have the enhanced capability to take action to stop or redress any government action which threatens to expose their data while others might not.

5. The nature and scope of surveillance and national security laws of the data importer’s country:

  • Are the surveillance laws of the data importer’s country expansive or limited in their scope?
  • Are surveillance efforts for national security requirements curtailed by the principles of necessity and proportionality?
  • What is the probability that the transferred personal data will be surveilled?

Some jurisdictions have very well structured surveillance laws and the law applies to some specified industries, people, etc. but some jurisdictions have vaguely worded and overbroad surveillance laws. The risk is less if the laws (and their limitations) are well written and understood.

6. Other supplementary measures used by the data importer to protect the data:

  • Does the data importer employ any industry-specific protections to the transferred data?
  • Does the data importer apply any technical or organizational protections to the transferred data?
  • Are there any protections to the transferred data which are in the nature of international commitments by the data importer or the country the data importer is based in?
  • What supplementary measures will be used in the SCC and how effective would they be in protecting the data?

Some data importers can be subject to additional and independent supplemental measures for the protection of the transferred data that are industry-specific or international in nature (via international treaties or obligations). These can reduce the risk of the transferred data being exposed.

Additional Safeguards

The data controller after conducting a holistic assessment of the risk can choose to enact additional safeguards within the SCCs to protect the data and mitigate risk to achieve compliance with the CJEU judgment. Such additional measures may include:

  • technical and organizational (i.e such as heavy grade encryption of the transferred data with the data importer not having access to encryption key at all times),
  • data minimization (i.e reducing data flow to a data importer if they become subject to surveillance requests or the risk of them being issued a surveillance request increases),
  • other contractual measures that can offer some form of control over data importers by data controllers (i.e the data controller exercises total control on the data importer in relation to the imported data),
  • reporting obligation (the data importer is obligated to inform the data controller of data surveillance requests received on the imported data by public authorities),
  • data protection obligation (i.e obligation upon data importer to delete the data or transfer it forward and to challenge data surveillance requests by public authorities before domestic courts).

Conclusion

"Data controllers in the EU should immediately begin to audit their data sharing practices and prepare for the eventual compliance actions by regulators. NOYB - Max Schrems’ data rights organization - has already filed 101 complaints with various Supervisory Authorities against European companies continuing to transfer data to the US after the judgement and the European Data Protection Board has formed a task force for the implementation of the ruling. Since there is no grace period for companies to adapt to the decision, even tomorrow the Supervisory Authorities can knock on EU data exporters’ doors asking for justifications for data transfers being made to US companies."

Thus adoption and enhancement of SCCs with additional measures to mitigate the risks which arise in risk assessments is the only viable step for many companies (at least in the short term) as other solutions such as Binding Corporate Rules (BCRs) are too expensive and solutions such as enhanced consent are not sustainable or viable for systematic transfers. Until further guidance comes from the authorities or the US and EU authorities can clobber together a Privacy Shield 3.0, these steps are required to ensure the billions of dollars worth of transatlantic trade does not come to a grinding halt.

Share this

Our Videos

View More
3:00

Data Mapping Automation

Simplify gathering information, dynamically update your data catalog, and automate assessments and reports

Learn More
View More
02:40

An IT Leader’s Perspective on CCPA

Meet Brian Lillie, Former CPO at Equinix as he discusses the potential challenges of CCPA and how the PrivacyOps framework can be the key to unlocking compliance.

Learn More
Most Innovative Startup 2020 SECURITI.ai View More
03:42

RSA Innovation Sandbox 2020: SECURITI.ai

Watch the 3-minute pitch presented by Rehan Jalil on SECURITI.ai in the RSAC Sandbox Competition

Learn More
CCPA View More
07:10

CCPA Compliance

CCPA protects consumers from mismanagement of their personal data and gives the consumer control over what data is collected, processed, shared or sold.

Learn More
View More
2:25

Internal Assessment Automation

Audit once and comply with many regulations. Collaborate and track all internal assessments in one place.

Learn More
quinstreet privaci View More
02:44

QuinStreet Case Study

Learn how Quinstreet uses our product to simplify data mapping and automate their workflow to process and respond to CCPA requests.

Learn More

SECURITI.ai Named a Leader in Privacy Management Software by Forrester

View