Blog: International data transfers

21.06.2021 Bart Van den Brande

New SCC's are available: adjust your data export agreements

Since last summer’s Schrems II judgment, about which we have repeatedly reported on our blog, exporting personal data outside the EU has become quite cumbersome. In particular, the disappearance of the “Privacy Shield” between the EU and the US is causing a lot of complications and forces European companies to conclude Data Export Agreements on a large scale with non-European (usually American) partners containing so-called “Standard Contract Clauses”.  These SCC’s are model documents that are made available by the European Commission to be copy/pasted into Data Export Agreements and thus guarantee safe export at a contractual level.  

However, one of the major problems until now when concluding Data Export Agreements was that the European Commission’s SCC’s or Standard Contract Clauses were outdated. They dated from before the entry into force of the GDPR and were not adapted to that GDPR, nor to the current technological and economic reality.  

Those old SCC’s have now finally been replaced by new, fully up-to-date versions since June 6, 2021, and European entrepreneurs can now get started concluding legally sound and secure Data Export Agreements with their partners outside the EU. We provide a summary below of what you need to know about these new SCC’s. On our download page you will also find a downloadable copy of the new SCC’s, along with our Vendor Assessment Form that you can use to determine whether or not your foreign partners may receive personal data from you and whether they handle it correctly and in accordance with the GDPR. This way you can work quickly, clearly and with a minimum of effort on GDPR compliance within your company.

 

 

Data Export?

Data export is any exchange of data with a partner outside the EU. It could be a hosting provider from whom you rent server space, an offshore call center or customer service, a developer or online marketing agency outside of Europe, a cloud storage service, an email service provider or just about any online service or tool you can imagine. 

GDPR only allows data export to countries outside the EU if the recipient outside the EU can guarantee an appropriate level of protection.  

A handful of countries are automatically considered to offer an appropriate level of protection, but for most other countries data export since the end of the EU-US Privacy Shield requires a Data Export Agreement, in which written data protection guarantees are made.

 

“Appropriate additional guarantees”

Since the Schrems II judgment, we know that simply signing (the old version of) the SCC’s is not sufficient in itself to ensure safe data export. As a European entrepreneur, you have the obligation to carry out a documented assessment of the risks involved for every data export and to request, if necessary, “appropriate additional guarantees” from the recipient. We have already set these out several times for you, for example in this article about Mailchimp or in this webinar on our YouTube page.

 

New SCC’s are “Schrems proof”

The new standard contractual clauses are not only fully customized to the text and content of the GDPR, they have also been made “Schrems proof”. That is to say, they contain many clauses that meet the requirements of the European Court of Justice to make a prior risk assessment and to demand additional guarantees where necessary as set out by the Schrems II judgement.  

Please note that this does not mean that a separate risk assessment and additional separate guarantees are no longer necessary. As an entrepreneur, you still have to carry out the necessary preliminary investigations before exporting personal data outside the EU, but the new SCC’s already provide for this obligation in their content, which was not the case with the old ones.

 

“Modular” approach

In the past, a number of “versions” of the SCC’s coexisted. Depending on the situation, you could choose one of those versions and incorporate it into an agreement, for example for data export between a European controller and a non-European processor.

That system is now replaced by one global set of SCC’s, which you can adapt to your personal situation by copying/pasting or omitting individual clauses (modules). According to the European Commission, this should lead to more ease of use, but personally, we fear that it threatens to do exactly the opposite and seriously impede the use of these model documents by non-lawyers. 

That one global version of the SCC’s now also provides for two previously missing situations for the first time: the transfer by a processor in the EU to a controller outside the EU and the transfer from a processor in the EU to another processor outside the EU. 

 

Replace your existing SCC’s in time, with our help at Sirius Legal!

The existing SCC’s are still valid for three months for new data exports. A grace period of 15 months applies for existing data exports, but after that all existing Standard Contract Clauses must also be replaced by the new regulations. 

Since the content of the new SCC’s has changed considerably (there are, for instance, a lot of new additional guarantees and obligations), this means that as a company you will have to renegotiate a lot of those existing model contracts, or that you will at least have to carefully review the new versions before signing.

Sirius Legal helps you with that. You can visit our website for our “Data Export Compliance” service, with which we help your company through the maze of old and new SCC’s and “additional appropriate measures”.

In any case, make sure you have a good overview of all your data exports in a spreadsheet, check with whom you do or do not have a current Data Export Agreement, and make sure you invite the partner in time to adjust an agreement that was concluded in the past, or to conclude a new Data Export Agreement if none had been concluded before.

Do not forget to carry out an individual impact assessment and to properly document this. If one day there is a cyber attack or hacking at one of your suppliers and it turns out that you did not follow the rules before entrusting your data to him or her, you quickly risk being liable for the consequences of such a data breach… 

Be aware that data export is a point of attention for many governments, including our Belgian Data Protection Authority. The German authorities, for example, announced this week that they will carry out extensive checks on data exports by German companies. Those checks will primarily focus on the use of email service providers, hosting companies, tracking via cookies, application management and the exchange of customer data within groups of companies, for example based on Customer Data Platforms.

 

Questions about data export or GDPR in general?

We are happy to make time for you. Feel free to call or email Bart Van den Brande at bart@siriuslegal.be or +32 492 249 516 or book a free online introductory meeting with Bart via Google Meet or Zoom.

Popular article
08.04.2021 Bart Van den Brande

How The Bavarian Mailchimp decision makes the impact of the Schrems II judgment on data export painfully clear

A recent decision by the Bavarian data protection authority raises serious doubts about whether the popular email marketing platform MailChimp can be used legally under the GDPR.  

By extension, the same problem arises for almost all US software applications that process personal data of EU citizens. After all, data export to the US has been a serious legal issue ever since the European Court of Justice annulled the Privacy Shield last summer and at the same time pointed out that the use of Standard Contract Clauses as an alternative is rather difficult because it requires a case-by-case examination of the need to implement additional security measures to ensure data privacy.  

It is precisely that issue of additional measures that is now highlighted by the Bavarian Mailchimp decision.

 

Data export?

The impact of the Schrems II ruling of the European Court of Justice last summer has had an increasing impact in Europe over the past few months. Many companies have hesitated about how to react to the ECJ’s decision last summer to overturn the EU-US Privacy Shield. After all, almost all software tools that European companies use today are American and since most of them are now cloud services or online tools, there is by definition data export to the US…

The problem only got worse by the fact that in the same effort, the ECJ also added that in the event of any data export outside the EU (also to destinations other than the US), the exporting company must also immediately take into account the fact that the Standard Contract Clauses that the European Commission itself provides to guarantee secure data export between companies and organizations within and outside the EU are not sufficient.

The Schrems II judgment requires that transfers of personal data to cloud service providers in the United States be assessed on a case-by-case basis and if there is a risk to the integrity of the data in question, additional security safeguards must be provided. These additional safeguards are almost automatically imposed on exports to the US, given the very far-reaching investigative powers of the US intelligence agencies, for example under section 702 (50 USC § 1881a) of the Foreign Intelligence Surveillance Act (Cloud Services Act).

 

Using Mailchimp not OK?

It sounds almost absurd, but the Bavarian data protection authority (Bayerisches Landesamt für Datenschutzaufsicht) earlier this month banned a European online magazine from using Mailchimp any longer to send its newsletters.

The reason? Well, by using Mailchimp to send newsletters, companies are sending personal data (e.g. email addresses and recipient names) to Mailchimp’s servers in the United States and that is potentially not OK.

The Bavarian Data Protection Authority justified its decision by noting that the company had not previously investigated whether additional safeguards were needed for the transfer of personal data to Mailchimp, in particular because Mailchimp may be subject to the Cloud Services Act. 

Note in this context the important nuance that the Bavarian Data Protection Authority did not rule that MailChimp is per se illegal. Instead, it ruled that in this particular case, the company’s use of MailChimp was illegal because the company had not previously assessed whether adequate additional measures had been taken to ensure that its personal data was protected from access by U.S. regulatory agencies. 

 

Additional guarantees?

Following the already mentioned Schrems II judgment, European companies should indeed have started a broad data export audit or “vendor assessment” within their company in order to determine if:

  • there is data exchange outside the EU / EEA
  • there is an appropriate legal basis in accordance with Chapter V GDPR (standard contract clauses, binding corporate rules or one of the other less common and obvious legal grounds)
  • the data concerned is in any way particularly sensitive and whether the data export as such can be justified
  • additional safeguards may or may not be required on the receiving end of the data flow
  • more generally, whether the receiving party can guarantee all-round GDPR compliance

This exercise should obviously, based on the accountability principle under the GDPR, be documented in detail, and that is precisely why we at Sirius Legal have been offering a free Data Export Impact Assessment form on our website since last September. That form has now been downloaded hundreds of times by companies all over Europe, by the way.

Incidentally, the EDPB has already listed some additional measures to be taken some time ago in its “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” of 10 November 2020. In this document, various data export scenarios are proposed and each time an indication is given on a case-by-case basis about how to ensure a secure exchange of personal data or which method is certainly not sufficiently secure.  

The recurring message in that document is the need to encrypt personal data before exporting it and to make use of proprietary (preferably European) encryption techniques prior to export and separate from the platforms’ own encryption technology.  

The use of Mailchimp also falls within this context. After all, personal data is exported to the US, where Mailchimp is considered a telecom provider under FISA legislation, which means that it potentially has to provide access to its customer data to the US government. Therefore encryption is necessary. Only… the use of Mailchimp actually does not allow such encryption from a technical point of view, and as a consequence it is hard to imagine how a European company can use Mailchimp in a legally compliant manner…

 

Mailchimp as a wake-up call?

Until now, it seemed that the European data protection authorities had turned a blind eye for the time being and had given some kind of unofficial grace period for European companies and organizations to adapt to the changed legal situation after the Schrems II judgment. This certainly also had to do with the fact that the aforementioned Standard Contract Clauses are being reviewed and updated by the European Commission at this very moment.

However, the actions of the Bavarian Data Protection Authority now show that things are now getting serious and that companies will eventually have to ensure a secure exchange of personal data with their non-European partners. In a press release accompanying the Mailchimp decision, the Bavarian authority noted that in its view this case is an example of how the Schrems II judgment will be enforced in practice in the future. 

 

Is your software “data export compliant”?

The painfully problematic conclusion is that no American software application currently works completely “GDPR compliant”…

We ourselves at Sirius Legal have conducted a benchmark test in recent months on 10 of the most well-known marketing tools, including Mailchimp, Sharpspring, Hubspot, Active Campaign, Salesforce and a few others. The conclusion is that most of these – all American – providers have adapted in recent months in the sense that they no longer invoke the Privacy Shield as a legal basis, but now refer to Standard Contract Clauses, but that they also all still show several essential shortcomings in the area of data export compliance:

  • In some cases, the Standard Contract Clauses are unavailable or in any event nowhere to be found on the website
  • most vendors provide either no or only very general and vague “additional safeguards”
  • most, if not all, providers rely on sub-processors, of which neither the identity nor the location is sufficiently clear and of which there is little or no guarantee of GDPR and data-export compliance with the sub-processor concerned.   

The same applies by extension to other non-European cloud services or online applications. It is almost by definition so that they are not (completely) GDPR compliant and that any use thereof requires a prior audit and possibly the provision of additional technical or organizational guarantees.

 

Can European companies no longer use American or other non-European services at all?  

Fortunately, things are not as problematic as they might seem at first sight. Jumping to the conclusion that all non-EU software should be banned would be absurd in a globalized society and economy as we know it today.

In the Mailchimp case, the problem was evidently clear, as the company in question apparently had not made any prior risk assessment at all to document whether additional safeguards were needed. That in itself was enough to provoke this decision.  

Future matters will probably lead to a less obvious sanction, at least if the EU companies concerned have made a well-balanced and documented prior risk analysis or even implemented additional safeguards. Which measures will be “sufficient” in which context will only become clear when there is sufficient case law available, but it is evident that the “sensitivity” of the data and the risk of access requests from abroad play a role. In that context, a mailing list for a legal weekly appears much less problematic than the membership list of a political party and in the former case a well-founded preliminary estimate may (?) be sufficient … 

However, this decision should without a doubt be seen as a warning to all companies and organizations in Europe on the importance of due diligence when transferring personal data outside the EU. As a company, it is best to get started as soon as possible with a strict and thorough internal audit exercise on the basis of which you can demonstrate that you have assessed whether or not your data can come into the hands of third parties and especially foreign governments if you use non-European applications.

If necessary, feel free to use our free Data Export Impact Assessment form to collect the necessary information from your non-European partners. 

Also, take into account that if a supplier cannot or does not want to provide information to help you properly assess the potential risks, you will have to consider whether you can continue to work together and that in the worst case you will indeed have to look out for another alternative (preferably European) partner …

 

Would you like to know more about the practical impact of Schrems II?

Those who want to know more can contact bart@siriuslegal.be or book an online meeting directly via Google Meet.

Or better yet, register for the Schrems II webinar of our international contact network Consulegis, “The Practical Impact of Schrems II on International Data Flows”, on April 14th. Speakers from the EU (including Bart Van den Brande for Sirius Legal), the UK, the US and India will discuss all legal and practical sensitivities of international data flows and make time for all your questions and concerns.

14.09.2020 Bart Van den Brande

Schrems-II, what now? Data export to the US in 7 steps

Schrems-II is not a look-alike of the Austrian privacy activist Max Schrems and it’s also not the name of his child. It’s the name of his second victory early this summer at the European Court of Justice. We already wrote an article about it because the consequences of this judgment are enormous for data exports abroad. No grace period was granted so each company that exports data to a third country immediately had to put its affairs in order. Schrems also did not allow himself a resting period, but immediately filed 101 complaints with various data protection authorities in the EU. Belgian companies have not been spared either: a complaint has already been lodged against bpost.be, neckermann.be, logic-immo.be and flair.be. So this is not something that doesn’t concern you, you’re exporting data to the US before you know it. Numerous frequently used tools such as Google Analytics, Hubspot, Sharpspring, Facebook and Twitter export data to the US, so almost every Belgian company is affected.

Recently a German data protection authority (from Baden-Württemberg) was the first to issue more concrete guidelines on how life continues after the Schrems-II judgment. We have studied these guidelines thoroughly and summarised the main findings in a number of concrete steps. 

 

Step 1: Make an inventory of all data that you export to third countries

If you already have a data register, this is an easy step for you and you can immediately go to the next step. If you are not familiar with the word ‘data register’, we will gladly provide some further explanation.

The General Data Protection Regulation (GDPR) imposes an obligation on every controller to record all processing activities that take place under its responsibility. In concrete terms you map out a number of things in a data register for all the data you collect: the purposes, the means, the legal bases, the risks to the privacy of those involved, the access to that data, the transfer to third parties,… This provides an overview of all data flows within the company. It considerably simplifies possible inspections and audits.

You can use a number of qualitative questionnaires or evaluation tools for this, but of course Sirius Legal can offer you specialized assistance. 

 

Step 2: Contact your service provider / contracting parties in the third country

We recommend you to inform all your contracting parties, service providers, etc about the Schrems-II judgment and its consequences. Sirius Legal has created a standard letter template for this with a Data Export Impact Assessment. You can download this template for free at the bottom of this blog post.

The term ‘third country’ doesn’t mean every country other than your own, but rather every country outside the European Economic Area, which is the EU expanded with Norway, Iceland and Liechtenstein.

 

Step 3: Check whether there is a decision on an adequate level of protection in the third country 

For some third countries, the European Commission has decided that this country offers an adequate level of protection (‘an adequacy decision’), so you can export data to those countries based on that decision. The full list of those countries can be found on the website of the European Commission. Currently negotiations are ongoing with South Korea. We will of course follow this closely and keep you continuously informed about any changes through our blog and social media.

 

Step 4: Assess the legal situation of the third country 

In the case of data export to a third country where there is no decision on an adequate level of protection, we arrive at the next step. In that case, the data protection authority of Baden-Württemberg recommends a thorough investigation of the legal situation of that third country. In this context, it is particularly interesting to check whether national safety authorities can gain access to the exported data.

You can consult your national data protection authority for this (in Belgium this is the GBA, in the Netherlands the AP, in France the CNIL and in England the ICO), the European Commission, the EDPB, your national ministry of foreign affairs, … 

We understand that this is a complicated and time consuming job. Sirius Legal has an extensive network of foreign lawyers specialized in these matters. This allows us to make our own ‘adequacy assessment’ for almost every third country.

 

Step 5: Assess whether SCCs are sufficient 

Now that you are aware of the legal situation in the third country, it is time to assess whether the Standard Contractual Clauses (SCCs) are sufficient. The SCCs have been created by the European Commission for data export to third countries. These are contracts that you can conclude with the controller or processor in that third country. If no problems were found in the step discussed above, you can use these SCCs without any problem. Keep in mind that the European Commission is reviewing the SCCs. If the SCCs do not suffice, go to the next step.

 

Step 6: Create additional guarantees and use customised SCCs

The Baden-Württemberg data protection authority proposes a number of additional safeguards. First, the encryption of the data on your end. In that case, make sure that you as an exporter are the only one with the ‘key’ to decrypt the data and that the encryption cannot simply be unlocked. We invite you to read the article ‘Is encryption mandatory under GDPR’ (only available in Dutch for the moment) if you want to know more about encryption.

Second, the anonymization or pseudonymization of the data on your end. This ensures that the recipient of the data cannot simply know who the data subject really is. Keep in mind that this process often starts before you even enter the data or upload it somewhere.
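As an added illustration of the exporter-side pseudonymisation step described above (example code written for this page, not code from the original post or from Sirius Legal), the following Python replaces the direct identifiers in a record set with keyed-hash tokens before the records leave the exporter, and keeps the re-identification table on the exporter’s side only. The sample records, the field names and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records, as they might be handed to a non-EEA processor
# (e.g. a newsletter tool). Only the direct identifiers are pseudonymised;
# the non-identifying "topic" field travels unchanged.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "name": "Alice Example", "topic": "data-export"},
    {"email": "bob@example.org", "name": "Bob Example", "topic": "gdpr"},
]
DIRECT_IDENTIFIERS = ("email", "name")


def new_export_key() -> bytes:
    """Secret key held only by the exporter. A keyed hash (HMAC) is used rather
    than a plain hash, because a plain SHA-256 of an e-mail address can be
    reversed by simply hashing candidate addresses."""
    return secrets.token_bytes(32)


def pseudonymise(records, key, fields=DIRECT_IDENTIFIERS):
    """Return (export, lookup).

    export: the records with each direct identifier replaced by a token.
    lookup: token -> original value; this table stays with the exporter and is
            never sent to the importer, so only the exporter can re-identify.
    """
    export, lookup = [], {}
    for rec in records:
        out = dict(rec)
        for field in fields:
            # The field name is mixed in so that the same string appearing in
            # two different fields yields two different tokens.
            msg = f"{field}:{rec[field]}".encode("utf-8")
            token = hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]
            out[field] = token
            lookup[token] = rec[field]
        export.append(out)
    return export, lookup


def reidentify(export, lookup, fields=DIRECT_IDENTIFIERS):
    """Exporter-side reversal using the retained lookup table (for instance to
    match bounce reports coming back from the processor to real subscribers)."""
    return [{**rec, **{f: lookup[rec[f]] for f in fields}} for rec in export]


def leaks_direct_identifiers(export, originals, fields=DIRECT_IDENTIFIERS):
    """Pre-export check: True if any original identifier value is still present
    in any field of the outgoing records."""
    values = {rec[f] for rec in originals for f in fields}
    return any(v in values for rec in export for v in rec.values())


if __name__ == "__main__":
    key = new_export_key()
    export, lookup = pseudonymise(SAMPLE_RECORDS, key)
    assert not leaks_direct_identifiers(export, SAMPLE_RECORDS)
    print(export)  # tokens instead of names and e-mail addresses
    print(reidentify(export, lookup) == SAMPLE_RECORDS)  # exporter-side only
```

The key and the lookup table are the “key” the post refers to: as long as they never leave the exporter, the importer only ever sees tokens.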

Subsequently, the Baden-Württemberg data protection authority proposes a number of concrete adjustments and additions to the SCCs:

  • An obligation for the data exporter to inform the data subject that his or her data is exported to a third country that does not provide an adequate level of protection;
  • An obligation for the data importer to inform both the exporter and the data subject of any request for access to the data. If this is not possible, the obligation to notify the exporter’s national data protection authority;
  • An obligation for the data importer to take legal action against any request for access and exhaust these legal measures;
  • The granting of more rights to the data subject in a dispute with the data importer and the addition of a compensation clause.

 

Step 7: And if none of that helps …

It is possible that all of the above measures are either not possible or still do not provide sufficient guarantees. In that case, the Baden-Württemberg data protection authority states that an alternative option exists, but it emphasises that this alternative is interpreted very strictly and is therefore little accepted as a reason for exporting data to a third country. This includes, for example, the possibility to request the consent of the data subject for the data export. However this consent must meet all the requirements of the GDPR. In other words the consent must be free, specific, informed and unambiguous.

If all of the above did not help, it is probably safer to stop the cooperation with the partner.

 

A warned company counts for two

Our previous blog post about the Schrems-II judgment and this blog post should provide you with a running start. A number of recommendations and guidelines will surely be provided by other data protection authorities in the near future which will hopefully provide more clarity. We will of course continue our investigations and inform you about it on our blog and social media. For now you can already start with the following steps:

Step 1: consult your data register / set up a data register

Step 2: inform your service providers / contracting parties

Step 3: check whether a decision has been made about the appropriate level of protection

Step 4: assess the legal situation

Step 5: check whether SCCs are sufficient

Step 6: if not, create additional guarantees and conclude custom SCCs

Step 7: stop the data export / find an alternative

 

Do you have questions about data export under GDPR or need help with an audit of your current contracts?

Feel free to call or email us. Our team will be happy to help you. You can call or email us on +32 2 721 13 00 or at bart@siriuslegal.be or matthias@siriuslegal.be.

 

Request a template letter and Data Export Impact Assessment

Here you can download the template of a letter with a Data Export Impact Assessment which you can use in your communication to third parties in countries outside the EEA.

 

22.07.2020 okappi

Transferring personal data to the US after the Schrems-II judgment? Everything you need to know to avoid legal risks

The Austrian Max Schrems has once again been successful in one of the many privacy lawsuits that he has regularly conducted over the past years. The consequences are significant this time. After the “Safe Harbor” system had already been brought down, the “Privacy Shield” has now also been brought to an end by Schrems (on perfectly logical grounds, by the way).

The “Privacy Shield” between the EU and the US ensured that personal data could be exported securely and in compliance with GDPR to the United States by European companies. Many US cloud services, apps and software tools have relied on the Privacy Shield to offer their services to European customers in a legally compliant manner.

But as it now shows, Privacy Shield itself is not compliant with European data protection laws and the ECJ has now put a ban on the whole system.  

What does this mean for your company? Read all about it in this article.  

 

Transfer of personal data outside the EU?

Transferring personal data to persons or companies outside the European Union is in principle not allowed under GDPR. The European legislator assumes that countries outside the EU (or rather the EEA, which is the EU, expanded with Norway, Iceland and Liechtenstein) cannot necessarily offer the same level of data protection as the level that exists in Europe under GDPR. Therefore, personal data may only be transferred outside the EEA under very specific conditions.   

First, there is a (very short) list of “safe” countries, which are expected to provide a similar level of protection based on their own legislation. This list includes a number of British Commonwealth countries, as well as Japan, Canada, Argentina and Israel.  

In order to transfer data to a recipient in a country that is not on this list, one can do so on the basis of two systems. 

When it comes to transfers within a group of companies, so-called “Binding Corporate Rules” can be drawn up internally. BCR’s are internal regulations that must be approved by the competent Data Protection Authority and that have to guarantee the safety of data exchanges within the group. 

If one wants to transfer data to a company that does not belong to the same group, such as a cloud provider, an external software developer, an offshore call center, etc … on the other hand, one must ensure that an agreement is signed with the recipient in which a whole series of guarantees is explicitly provided. The European Commission has created Standard Contractual Clauses for this purpose that can be copied one-to-one in such an agreement.

Anyone who transfers personal data and cannot fall back on one of these legal constructions, is at risk of incurring very high fines.

 

Privacy Shield?

Many technology companies are located in the United States and there is therefore a lot of personal data export from the EU to the US. However, since data protection laws in the US do not offer the same “adequate” level of protection as the stringent requirements set by the GDPR in the EU, the US has never been shortlisted by the EU as a “safe country”.

In order to ensure that American companies could continue to trade with partners in the EU, a different and specific system for data exchange between Europe and the United States was set up many years ago. That system was successively called the Safe Harbor system and later the Privacy Shield and prevented US companies from having to enter into Standard Contractual Clauses with their customers in the EU whenever data had to be passed on to them, for example because they were stored or processed on their servers. Safe Harbor and Privacy Shield ensured that US companies provided an adequate level of security for personal data if they met a number of strict conditions and were certified in the US. It was in other words not the American legislation itself, but the safety level offered by American companies that was considered “adequate”.      

The first version of this system, Safe Harbor, was successfully attacked in 2015 by Max Schrems, who believed that US companies could never guarantee an “adequate” level of security for personal data because US law grants far-reaching rights to US intelligence services that allows them to monitor and analyze personal data. This complaint ultimately resulted in the Safe Harbor system being declared invalid and replaced by a similar system called the Privacy Shield.

With regard to the validity of that Privacy Shield, the European Court now quite rightly says that this regulation in its turn still cannot provide a level of protection equivalent to the level of protection that exists within the EU. Again, this is due to the extensive interference of US intelligence services, which systematically and widely monitor data from emails and cloud storage services based on, amongst others, the Foreign Intelligence Surveillance Act, Executive Order 12333 or the Presidential Policy Directive. The Court of Justice therefore now declares the Privacy Shield to be invalid.

 

What does this mean for you?

This decision has far-reaching consequences. After all, a lot of online service providers from the US rely on the Privacy Shield to legally process personal data of their European customers. The whole system is now shattered with one stroke of a pen, and thousands of American companies no longer meet the minimum conditions to store or process personal data of European citizens. This concerns, for example, cloud storage services, hosting services, all kinds of online tools for online marketing, CRM, accounting packages and ERP, but also, for example, local software developers, consultants, call centers, etc …

Strictly speaking, all of a sudden and overnight, European companies are no longer allowed to exchange personal data with their American partners. If they do so anyway, they will expose themselves to immense fines and if any data breach should occur at such a non-compliant partner in the US, the European companies involved may also be held liable for all damages following from such a data breach, in addition to the aforementioned fines. 

 

An additional problem: Brexit

Data export to the US under the Privacy Shield is not the only problem, by the way. By the end of 2020, an equally serious legal problem will arise for European companies that export data to the United Kingdom. After all, if there is no Brexit deal by the end of 2020, the UK will from then on become a “third” country, which for the time being does not have an adequacy decision by the European Commission and to which personal data can therefore no longer be automatically exported.

In other words, British companies will be in the same situation as American companies by the end of this year: they will have to conclude data export agreements with their European customers on the basis of the Standard Contractual Clauses of the European Commission, failing which European companies will no longer be allowed to cooperate with them. 

 

The solution

Fortunately, the Court ruled that the system of Standard Contractual Clauses is not invalid. The solution is therefore clear: European companies must ensure that all cooperation with US partners that was based on the Privacy Shield is replaced as soon as possible by an agreement based on the Standard Contractual Clauses of the European Commission …

The Commission has been working on modernizing those standard clauses, which date back to 2010 and are no longer GDPR-compliant. It has been waiting for the Schrems II case to be resolved before releasing them officially, but we can now expect the updated clauses to be made public soon. Anyone who relied on the old clauses in the past may also have to update their agreements in the near future …

 

What exactly should you do?

  1. Look out for new guidelines from your local Data Protection Authority, the EDPB and the European Commission.
  2. In the meantime, do an internal audit of your pending agreements and watch out for:
    • Data transfer to US partners previously covered by the Privacy Shield
    • Data transfer to UK partners previously located within the EU
    • Data transfer to any other country based on the old Standard Contractual Clauses 
    • Data transfer that is subject to binding corporate rules and that involves data transfer to the US. The ECJ does not mention Binding Corporate Rules, but they are a form of “appropriate protection” under Article 46, so the general comments on the need to review the law of the importing country may also apply here. Guidance from supervisory authorities on this point would be particularly welcome.
  3. Assess for each partner whether the existing framework is still sufficient.
  4. Provide a new data export agreement where necessary, based on the soon-to-be-announced Standard Contractual Clauses.
  5. Keep in mind that transfer of data outside the EU is only possible if necessary, and give preference to European partners.
  6. Take into account the obligation imposed by the European Court of Justice to also assess the “appropriate” nature of local legislation, even if Standard Contractual Clauses (or Binding Corporate Rules within a group of companies) are used.
  7. So, ideally on the basis of a Vendor Assessment List, check the following points:
    • Which country is the personal data transferred to?
    • Could government authorities in that country be entitled to access the data?
    • Is the data encrypted or tokenized during transport?
    • Whether, as the GDPR requires, sufficient safeguards have been taken by the recipient, in addition to Standard Contractual Clauses or Binding Corporate Rules, to make up for the lack of data protection in his or her country. The data exporter has a duty to ensure “appropriate safeguards”, especially as regards access by public authorities to data. If the (European) data importer may be required to submit data for inspection to his or her government, he cannot meet the requirement of an “adequate level of protection” and must notify the data exporter in advance. This is a huge problem for the US in particular because of the previously cited intelligence legislation… In that case, the data exporter must immediately stop any transfer.
  8. If necessary, stop working with partners who are unable or unwilling to meet the required conditions. The potential impact on your business is far too great to take risks …  

 

Are all data transfers to the US illegal from now on?

This judgment places a time bomb under just about every data transfer to the US, by the way. After all, almost all European data is transferred to the US via submarine fiber optic cables on the ocean floor. The ECJ notes that the American NSA has systematic access to these cables and can collect and analyze data even before it arrives in the US.

The ECJ rightly says that this de facto means that personal data is never “secure” in the US and can never be “processed with the minimum safeguards … and as a result, the surveillance programs based on these provisions cannot be considered as limited to what is strictly necessary”. The ECJ further notes that: “In those circumstances, the restrictions on the protection of personal data that arise from United States national law regarding the access to and use by the United States government of such data transferred from the European Union to the United States, which the Commission has assessed in the Privacy Shield Decision, are not defined to meet requirements that are substantially equivalent to those required by EU law …”.

In other words, this means that US law itself is incompatible with the EU’s minimum data protection requirements. Since all data sent to the US via a submarine cable appears to be exposed to access by the NSA, it is difficult to see how a data exporter could conclude that his data is sufficiently protected by the recipient in the US. It remains to be seen how the various Data Protection Authorities and the EDPB will react to this …

 

Questions about data export under GDPR or need help with an audit of your current contracts?

Feel free to call or email us. Our team is happy to assist you. You can reach Bart Van den Brande at +32 486 901 931 or at bart@siriuslegal.be