Many privacy professionals will be shocked to learn that, in terms of safeguarding personal data flows from an EU to a non-EU country, in the absence of an adequacy decision, more is required than simply slipping the right set of SCCs into a vendor contract.
The CJEU has held that one of the key tasks facing data exporters, when considering whether SCCs are appropriate, is to consider whether there is a conflict between the protections afforded by the SCCs and other local laws, particularly those laws that enable public authorities to access the data. If a conflict is discovered, data exporters will need to do something about it.
The key paragraphs in the decision are:
I recommend 6 steps that privacy officers should take to assure stakeholders that the CJEU’s decision is being respected:
- Document the data flows so it is clear what data is exported to what country.
- Identify the relevant laws and practices, including national security laws and practices, that permit local law enforcement authorities and other regulators to access the personal data that is processed in those countries.
- Consider how the GDPR rights of in-scope individuals may be adversely impacted by these laws and practices.
- Identify what additional contractual measures would be necessary to achieve a level of adequacy with GDPR rights.
- Discuss and agree the additional contractual measures with the data importer.
- Return to step 2 at regular intervals to check whether the laws or practices have changed.
From a practical perspective, however, the problems start at step 2. It can be hard, when a large number of data importers are engaged, to maintain a list of the relevant laws and practices, including national security laws and practices, that permit local law enforcement authorities and other regulators to access the personal data that is processed in non-EU countries. Will it always be possible to rely on the explanations and assurances provided by third parties, including the data importer, who might possibly have a vested interest in ensuring the correct spin is placed on any explanations they provide about local practices?
Let’s be clear. The CJEU’s decision does not only affect EU - US data flows. Personal data flows from the EU to just about every other country on the planet. And the majority of these countries will have their own national security and other regulatory laws. Official or unofficial English translations of these laws will have to be read and understood.
Unfortunately, life doesn’t get any easier after that.
Turning to step 3, it may well be challenging to document a comprehensive statement which explains how the GDPR rights of in-scope individuals may be adversely impacted by each of these laws and practices. As many organisations may lack the capacity to complete this task themselves, perhaps it could be carried out on their behalf by their trade associations.
With step 4, it may be even more challenging to identify what additional contractual measures would be necessary to achieve a level of adequacy with GDPR rights. Given that even the European Commission’s decisions on what contractual measures are appropriate have been quashed, twice, by the CJEU in the context of the US Safe Harbor & the Privacy Shield data transfer mechanisms, what hope is there for a significantly less well-resourced data controller to successfully identify all the right measures? Is this a task that even individual members of the European Data Protection Board are capable of completing?
The difficulty is compounded by the tight timescales that apply to many commercial contract negotiations. Assessments of the impact of the relevant laws in a particular country can’t take months, or years, to complete. If an organisation’s data protection team is unable to provide their contract negotiators with appropriate information and support within a matter of days or weeks, there’s a real risk that any advice from the data protection team will be ignored.
On the matter of reaching agreement on any additional controls that should be applied to the data importer, where do you start? Given the poor understanding by many organisations of the context within which SCCs are currently used, it would be a brave commentator who forecast that it would be easy, or even practicable, to agree any additional contractual measures. This may particularly be the case when the data importer has not yet found it necessary to accept any new clauses to supplement the SCCs in contracts that importer has signed with other EU data exporters.
Alternatively, organisations might revisit their rationale for relying on SCCs in the first place, rather than any of the other complex data transfer mechanisms that are set out in Chapter 5 of the GDPR.
However, we are where we are. European data protection standards are high – and for a good reason. European politicians demanded a gold standard and that is what exists. In theory, anyway.
The CJEU’s decision has moved a large number of contracts into a data protection wilderness. Precisely how many are there? Which can be remediated? If so, how? By when? And how active will the supervisory authorities be in requiring organisations to address this issue?
The peak summer holiday season has started. Even so, I hope that European data protection supervisory authorities will soon reach a common agreement on what the decision means, and explain how they expect, or will help, organisations to address privacy gaps that many thought the SCCs alone existed to fill.