SCCs and Privacy Shield

SCCs and Privacy Shield replacement updates, what can we expect?

SCCs and Privacy Shield replacement are both of paramount importance to trans-Atlantic data flows, however, right now the focus may be more on new SCCs. 

 

 Almost one year since the CJEU “Schrems II” decision, a new EU-US privacy shield may still be far off. However, with Standard Contractual Clauses being upheld and used quite frequently to facilitate cross border data flows, new SCCs can be expected soon. According to this IAPP article, new SCCs may be here within a matter of weeks. Bruno Gencarelli, Head of International Data Flows and Protection at the European Commission said “We are about to because it’s a question of weeks, adopt modernized SCCs that do things that are aligned with the (EU General Data Protection Regulation) that are much better adapted to the reality of today’s digital economy”.

 

The new Standard Contractual Clauses are expected to be here in short order, and the Commission considers the feedback received on the draft SCCs. 

 

Since the Schrems II decision, SCCs have been upheld, but with a few caveats. They have been put to use to facilitate data flows between the EU and the US, however this has not been without incidence. While privacy professionals wait for conclusive information regarding data flows across the Atlantic, there have been some recent developments. Bruno Gencarelli, during IAPP’s Global Privacy Summit Online, said that the new Standard Contractual Clauses will soon be adopted. Gencarelli, based on the feedback the European Commission received, called the draft SCCs an “enormous success”, with the Commission taking this feedback very seriously. The ongoing process is intended to modernize the SCCs to better suit the current digital climate’s size and complexity. 

 

“This is a much awaited step forward which once in place will help to unify the dissimilar criterion that EU Supervisory Authorities have been applying since Schrems II when it comes to international data transfers, as we have recently seen with the Bavarian and French DPAs decisions” comments Cristina Contero Almagro, Aphaia’s Partner.

 

Privacy Shield replacement negotiation is intensifying, but a privacy shield replacement may still be far off. 

 

While there is a willingness on each side to make a deal on a replacement for Privacy Shield, it is a balancing act between privacy and national security, making this a delicate, and complex situation. As we have seen since Schrems II, SCCs, while very useful, may not always be enough. As each side seeks to create a durable replacement for Privacy Shield, one that can stand up to legal challenges and political scrutiny, talks are underway for a solution that will meet the needs of both parties with regards to both privacy and national security.  

 

Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing.  Contact us today.

Standard Contractual Clauses

Standard Contractual Clauses may not be enough, as suggested by recent decision by BayLDA

BayLDA, the Bavarian DPA has recently ordered a German company to cease from using Mailchimp, despite the use of Standard Contractual Clauses.

 

In the aftermath of the Schrems II ruling, we have seen some examples of the practical implications of this judgment. In the most recent case, the Bavarian DPA has ordered a German publishing company to cease from using Mailchimp, the popular US email marketing platform. While the transfer of data to Mailchimp, and by extension to the US, a third country, was based on Standard Contractual Clauses, it was still unlawful. It was found that the company did not do its due diligence in ensuring that this data was adequately protected from access requests by US surveillance authorities. 

 

While the data transfers by the German company were based on Standard Contractual Clauses, BayLDA suggested that additional due diligence needed to be done. 

 

A complaint was filed against the German publishing company with the Bavarian DPA, BayLDA, regarding the company’s occasional use of Mailchimp for their newsletter. The data transfers to Mailchimp by the German publishing company were based on Standard Contractual Clauses. However, under US surveillance law FISA 702, Mailchimp qualifies as an “electronic communication service provider”, rendering the transferred email addresses in danger of being accessed by US intelligence services. BayLDA suggested that there were additional steps needed to be taken by the publishing company, as far as due diligence is concerned, to determine whether any additional measures needed to be put in place to ensure that data transferred to Mailchimp was protected from US surveillance. 

 

Based on the decision by BayLDA, the company has ceased from using Mailchimp with immediate effect, avoiding possible fines.

 

The respondent in this case had argued that its use of Mailchimp was lawful according to GDPR Article 44. Recital 102, in part states that “Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects.” In this case, it was ultimately found that this German company was not able to adequately protect the fundamental rights of the data subjects affected, as it had not ensured that this data was sufficiently protected from access by US surveillance. The German publishing company immediately ceased from using Mailchimp for its newsletters, avoiding a possible fine from BayLDA. 

 

This decision by BayLDA provides further clarity on the practical application of Schrems II.

 

This decision by the Bavarian DPA provides further clarity to companies who may be transferring data based on Standard Contractual Clauses, that at times this may not be enough. There is still necessary due diligence to be done on transfers of data outside the EU or UK. Due to third country surveillance laws, which may not be compatible with EU or UK laws, supplementary measures may need to be carried out to adequately protect the data being transferred to service providers in those third countries. 

 

Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing.  Contact us today.

French court ruling provides greater context to the application of “Schrems II” under the GDPR

French court ruling provides further guidance as to the application of “Schrems II”, as data hosted by subsidiary of US company is found to be protected. 

 

France’s highest administrative court ruled earlier this month that the hosting of a booking platform for COVID-19 vaccinations on Amazon Web Service, also known as AWS, was indeed sufficiently protected under the EU GDPR. Initially there was some question as to whether using Amazon Web services as a hosting platform was compatible with the GDPR under the “Schrems II” ruling, due to the fact that the processor was a company bound by US law. The final ruling in this case was based on the fact that the court believes that enough legal and technical safeguards are in place in the event that US authorities ever request data access. This gives quite a bit of context and has big implications for many companies, underscoring the need for supplementary legal safeguards when data is entrusted to a subsidiary of a non-EU company. 

 

Health data hosted by a company bound by US law, while a cause of concern for many, was found to be sufficiently protected under the GDPR. 

 

The plaintiffs in this case worried that the hosting of health data by a company which is bound by US law presented various risks including not just the transfer of data to the US, but also access to that data being granted to US authorities if requested from the processor. Due to the level of perceived risk, the plaintiff deemed this a sensitive and urgent matter. However, what was thought to be a violation of the provisions of the GDPR under “Schrems II”, under further investigation and reflection, turned out to be sufficiently protected under the GDPR, due to the several legal and technical safeguards put in place by the defendant, Doctolib. The judge in this case ruled against the claim filed to have this service suspended. 

 

This French court ruling was the result of careful assessment of the technical and legal safeguards provided for in this agreement.

 

The French court ruling came after careful consideration and assessment of the legal and technical safeguards and other guarantees provided for between Doctolib and Amazon Web Services. The assessment found that distinct provisions had been made within the contract between the two, for a specific procedure in the event of access requests by a foreign authority. The legal guarantee in this case is that access requests from public authorities to the processor   will be challenged. The judge also noted that the data would be encrypted with the key being held by a trusted third-party within funds and not by Amazon Web Services. Furthermore, it was found that data transmitted to Doctolib through the vaccination campaign contained no sensitive health data specifying, for example, that a user is a priority candidate for vaccination due to a certain pre-existing condition. As an additional step any data entered by users for the purpose of identification for scheduling a vaccination appointment, is deleted at most within three months of their vaccination appointment. 

 

“The ruling signals that there is room for the rule of reason in the application of Schrems II, and should generally be seem as good news for the online industry,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner.

“It is paramount that companies carry out an assessment covering their data flows, the countries involved and the safeguards that should be applied based on the risk identified, what is known as ‘Data Transfer Impact Assessment’”, states Cristina Contero Almagro, Aphaia’s Partner.

This telling highlights the need for legal and technical safeguards, which are recommended even when data is not being transferred outside the EU.

 

A key part of complying with “Schrems II” rests on technical measures like pseudonymization and encryption, and ensuring that the processor has no way of accessing the re-identification key, particularly when the key may possibly be accessed by a public authority. Legal safeguards, like those taken by Doctolib are also essential. While the new draft standard contractual clauses recently published by the European Commission do make similar provisions, it is recommended, in anticipation of these new SCCs, that companies make provisions for this type of guarantee in a specific addendum, even in cases where there is no transfer of data outside the EU.

Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing.  Contact us today.

Standard Contractual Clauses

Draft of new Standard Contractual Clauses published by the European Commission

On 12 November 2020, the European Commission published a draft Implementing Decision on new Standard Contractual Clauses for the transfer of personal data to third countries.

The CJEU judgement in the Schrems II case has brought to light some deficiencies in the current guarantees applied to international data transfers. Apart from invalidating the Privacy Shield, the Court stipulated that additional measures are required when using Standard Contractual Clauses (SCCs) in order to ensure that the data subjects are granted a level of protection essentially equivalent to the one guaranteed by the GDPR and the EU Charter of Fundamental Rights.

You can learn more about the business implications of Schrems II decision in our blog.

What’s new?

In response to the caveats pointed out by the CJEU with regard to the use of SCCs for making international transfers, the European Commission published a draft implementing decision containing a draft new set of SCCs for transfers of personal data to third countries, which includes five main changes in relation to the current clauses (approved under the Directive 95/46/EC):

  • Modular approach to cover various transfer scenarios, including processor-controller and processor-sub-processor international data transfers.
  • More than two parties could adhere to the SCCs and additional controllers and processors should be allowed to accede to them throughout the life cycle of the contract.
  • Additional safeguards should be provided to ensure a level of protection of the personal data essentially equivalent to the one granted by the GDPR.
  • Data subjects should be provided with a copy of the SCCs upon request and they should be informed of any change of purpose and of the identity of any third party to which the personal data is disclosed.
  • The data importer should inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints or requests.

Modular approach and territorial scope

The draft of new SCCs aims to address some gaps of the current SCCs, such as the limitation of the type of data transfers that can be made under their provisions. While the current SCCs are designed for international data transfers from EU controllers to non-EU/EEA controllers and international data transfers from EU controllers to non-EU/EEA processors, the proposed new ones combine general clauses with a modular approach which would allow controllers and processors to select the module applicable to their situation and tailor their obligations to their corresponding role and responsibilities. In terms of territorial restrictions, the new SCCs do not require the data exporter to be established in the EEA, which also increases the number of scenarios that may be covered by this safeguard.

 

Additional safeguards

The new SCCs stipulates some obligations that the parties should meet for the purpose of ensuring an adequate level of data protection. The additional measures imposed by the new SCC include, inter alia, the following:

  • Application of additional requirements to address how to deal with binding requests from public authorities in the third country for disclosure of personal data. 
  • Risk assessment undertaken by the data exporter to determine whether there are any reasons to believe that the laws applicable to the data importer are not in line with the requirements laid down in the SCCs. To this end, some key elements should be taken into account, namely:
    • Duration of the contract.
    • Nature of the data transferred.
    • Type of recipient.
    • Purpose of the processing.
    • Any relevant practical experience indicating the existence or absence of prior instances of requests for disclosure from public authorities received by the data importer for the type of data transferred.
    • Laws of the third country of destination relevant in light of the circumstances of the transfer.
    • Technical and organisational measures applied during transmission and to the processing of the personal data.
  • Obligation of the data importer to notify the data exporter and the data subject about any legally binding request issued by a public authority under the law of the country of destination for disclosure of personal data or about any direct access by public authorities to the personal data.

Grace period

Once these SCCs have been approved, they will replace the current ones. A one year grace period will be granted for parties to put the new clauses in place. During this period, transfers can continue to be made on the basis of current SCCs, unless those contracts are changed. If the contracts are changed, then the parties lose the benefit of the grace provision and must move to the new clauses. If parties change existing contracts in order to introduce additional safeguards, as required by Schrems II, then they can still benefit from the grace period provision.

 

The draft is open for feedback until 10 December 2020.

 

Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing.  Contact us today.