Cross-Border Standard Contractual Clauses after Schrems II

In 2013, Maximillian Schrems, an Austrian privacy rights activist and lawyer, filed a lawsuit against Facebook with the Irish Data Protection Commissioner.  For more details, see our article on Schrems.  TLDR – The Schrems II decision resulted in the invalidation of the EU-US Privacy Shield Framework which had been functioning as a means of permitting data transfers from the EU to the US through an approved certification mechanism.  At the culmination of the Schrems II decision, the Court of Justice of the European Union (CJEU) determined that the Privacy Shield Framework was invalid, but did indicate that Standard Contractual Clauses (SCCs) could still be a valid means of transferring data outside of the EU.

What exactly was Privacy Shield and why was it invalidated?

The EU-US Privacy Shield allowed data transfers from the EU to the US.  It required organizations to certify that they would adhere to a number of principles in order to become eligible to receive data transfers from the EU to the US.  This consisted of seven privacy principles as well as sixteen binding supplementary principles to preserve data privacy.  Privacy Shield went into effect on July 12, 2016 and provided an invaluable means of transferring data from the EU to the US all the way up until July 16, 2020, when it was invalidated by the CJEU.

The CJEU invalidated the Privacy Shield framework on the grounds that US intelligence agencies could potentially violate the privacy of data subjects in such a way that the data subjects would be without redress.  Therefore, an organization’s commitment to the principles was insufficient to provide data subjects with the data privacy protections to which they are fundamentally entitled. While Privacy Shield was valid, it was a very common means of transferring data from the EU to the US.  At the same time, there were other methods by which organizations could be eligible to receive data from the EU, including Standard Contractual Clauses (SCCs).

What are SCCs?

SCCs are a mechanism that controllers can use to transfer personal data out of the European Union (EU).  They are standardized contracts that both the data importing and data exporting parties enter into.    The SCCs currently in place address transfers from EU controllers to third country controllers and from EU controllers to third country processors.  On June 4, 2021, the EU adopted new Cross-Border SCCs to include additional privacy and legal safeguards.  The new SCCs which will be effective on June 27, 2021, update the previous SCCs and will also include modules for transfers from EU processors to third country processors and from EU processors to third country controllers.

SCCs require that the controller provide data privacy protections to ensure that residents of the EU do not suffer significantly diminished data privacy as a result of their data being transferred to a foreign country (that may not have data privacy protections on par with the EU).  For more information about SCCs, please see what is commonly known as the SCC decision: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32010D0087.

Privacy Shield vs. SCCs Basics

Privacy Shield and SCCs have the same basic purpose of allowing data transfers out of the EU.  The essential difference between the two is the level of specificity of the requirements that each place upon adherent organizations.

Privacy Shield requires adherence to certain principles.  Principles, by definition, are inherently generalized. They are starting points. They are main ideas that ultimately lead to specific rules and behaviors, but in and of themselves they are closer to abstract ideas and further from concrete directives.

The new SCCs represent more well-developed rules.  They are the evolution of the generalized principles into more specific rules.  They consist of a number of clauses delving into more specific obligations and limitations that the signatory parties agree to.

The annexes to the new SCCs also require completing what amounts to a transfer impact assessment (Data Protection Impact Assessment taking into account the specific circumstances of cross-border data flows.)  The transfer impact assessment requires organizations to list the parties involved, describe the details of the transfer, identify the competent supervisory authority, provide the technical and organizational measures to ensure the security of the data, and to list the sub-processors.

Even if SCCs are More Specific, Won’t US Organizations Still Have the Problem of Transferred Data being Intercepted by US Intelligence Agencies?

Yes.  They will.  But there will be significantly more defense against such occurrences. First and foremost, compare how public authorities are treated in Privacy Shield vs. the new SCCs.

The first privacy principle (from Privacy Shield), ‘Notice’, requires that “an organization must inform individuals about: the [organization’s] requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements …”  Privacy Shield’s sixteenth binding supplementary principle, relates to access requests by public authorities, and declares that “organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforcement or national security reasons, to the extent such disclosures are permissible under applicable law.”  To recap, organizations must inform data subjects that there is a potential that they will need to share data due to lawful requests by public authorities.  Then, if they do receive such requests, it is optional for the organization to provide transparency reports about how many requests they receive.

The new Cross-Border SCCs (adopted 6/4/2021), on the other hand, more comprehensively address the specific issues related to access by public authorities.  Clause 14 relates to local laws and practices affecting compliance with the Clauses.  By adhering to the new SCCs, organizations

warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these clauses.

The objectives referred to in Article 23(1) of the GDPR are national security, defense, public security, criminal justice and prevention, the enforcement of ethics for regulated professions, the monitoring, inspection, or regulatory function of the preceding objectives, protection of judicial independence and proceedings, the protection of the data subject or the rights and freedoms of others, and the enforcement of civil law claims.

The organizations also declare that in providing the above warranty, they have taken into account, “the laws and practices of the third country of destination- including those requiring the disclosure of data to public authorities or authorizing access by such authorities …”

The new SCCs then acknowledge a balance between issues such as national security and strict compliance with data privacy laws.  The SCCs are permissive of transfers when the destination country’s laws and practices respect the essence of the fundamental rights and freedoms without exceeding what is necessary and proportionate in a democratic society to safeguard objectives, such as national security.

Another change is that the new SCCs require organizations to be more proactive with regard to requests from public authorities. To adhere to the new SCCs, organizations must abide by Clause 15, titled Obligations of the data importer in case of access by public authorities.   Under Clause 15, the “data importer agrees to notify the data exporter and, where possible, the data subject … if it: receives a legally binding request from a public authority … or becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses …”  The data importer also must review the legality of the request and to challenge the request if there are reasonable grounds to do so.

In sum, Privacy Shield provided a minimum level of protection related to public authorities accessing transferred data.  It obligated organizations to notify data subjects of the risk of access to their data by public authorities. The new SCCs obligate the signatory parties to review the laws and customs of the destination country, complete a transfer impact assessment, notify data subjects (when possible) if their data has been accessed, and to contest (when possible) the requests from public authorities for the transferred data.  This requires the signatory parties to actually address the issue of access to data by public authorities rather than merely include a generic disclaimer.

Using the new SCCs

In order to succeed through SCCs, organizations will need to be capable of performing transfer impact assessments.  Data importers will need to be transparent about the access requests they receive from public authorities.  Organizations will need to be able to provide specific details about their technical and organizational measures to ensure data security.

It is a lot of work, but Clarip can help.  We are a versatile company that adapts quickly to changes in laws and customs.  We can assist with transfer impact assessments.  We specialize in custom solutions.  If the new SCCs are going to make your life difficult, reach out to us for help.  Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.