The following questions are a compilation and consolidation of the hundreds of questions the IAPP received during the five LinkedIn Live sessions we hosted the week following the decision of the Court of Justice of the European Union in the Case C-311/18: Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems. We are publishing these frequently asked questions and links to relevant resources from government authorities and privacy practitioners as a resource for privacy professionals working to respond to this significant court decision.
The CJEU decision included two main findings. First, it found the European Commission’s adequacy determination for the EU-U.S. Privacy Shield Framework invalid due to concerns regarding the necessity and proportionality of U.S. government surveillance authorities and the availability of actionable judicial redress for EU data subjects. Second, it reaffirmed the validity of standard contractual clauses, while stating that companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection, under EU law, for personal data transferred under SCCs and, where it doesn’t, provide additional safeguards to guarantee such protection or suspend transfers.
We will continue to update these FAQs as we identify additional resources and welcome the assistance of IAPP members. Please let us know at firstname.lastname@example.org if there are additional materials we should include.
• European Data Protection Board guidance — In part: “Whether or not you can transfer personal data on the basis of (binding corporate rules/SCCs) will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. These supplementary measures along with (BCRs/SCCs), following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. ... It is still possible to transfer data from the EEA to the U.S. on the basis of derogations foreseen in Article 49 (EU General Data Protection Regulations) GDPR provided the conditions set forth in this Article apply. The EDPB refers to its guidelines on this provision.”
• Article by Baker McKenzie’s Brian Hengesbaugh, CIPP/US, on next steps for Privacy Shield participants — In part: “Where the organization participates in Privacy Shield as a controller, implementation of the SCCs for such controller-to-controller data transfers can help strengthen the position that the transfers are permissible. Given the reasoning of the CJEU in ‘Schrems II,’ the organization will still need to undertake due diligence to evaluate and document the risks associated with the transfers ... Where the organization acts as a data processor on behalf of customers in the EU, the organization should consider preparing and presenting to customers updated terms that include the SCCs for controller-to-processor transfers. The organization should also be prepared to answer due diligence questions from customers regarding disclosures to public authorities and related issues raised in the CJEU opinion. It will be important to have a clear understanding of whether, in practice, the organization has needed to respond to such intelligence gathering by public authorities in the past, as well as what its policies and practices are for responding going forward. Depending on the context, some organizations may be able to adopt other strategies. For example, if the organization engages in direct to consumer online transactions, it might be able to narrow the data collections to that which is necessary to perform the transaction with the consumers.”
• U.S. Department of Commerce guidance — In part: “This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. The U.S. Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.”
• U.S. Department of Commerce FAQs — In part: “[O]rganizations’ continued participation in the EU-U.S. Privacy Shield demonstrates a serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals.”
• U.S. Federal Trade Commission guidance — In part: “We continue to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework. We also encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework ....”
• Article by Baker McKenzie’s Brian Hengesbaugh, CIPP/US, on next steps for Privacy Shield participants — In part: “Even though the legal value of Privacy Shield participation has been invalidated from a GDPR perspective, the U.S. obligations to adhere to Privacy Shield promises still apply. If an organization were to decide to disregard its Privacy Shield commitments, it could still be subject to action by the U.S. Federal Trade Commission. The organization might also have obligations in agreements with customers or others to adhere to the Privacy Shield, and those commitments may not be terminated merely because of the CJEU ruling. As such, organizations need to be mindful to continue to adhere to Privacy Shield obligations even in this interim period following ‘Schrems II.’”
• Swiss Federal Data Protection and Information Commissioner statement — In part: “After closely analysing the (Swiss-U.S. Privacy Shield) regime, the FDPIC concludes in his position paper of 8 (Sept.) 2020 that, although it guarantees special protection rights for persons in Switzerland, it does not provide an adequate level of protection for data transfer from Switzerland to the (U.S.) pursuant to the Federal Act on Data Protection.”
• Swiss Federal Data Protection and Information Commissioner Policy paper — In part: “Because there is no guarantee of rights that would afford persons concerned in Switzerland protection comparable to that afforded by Art. 13 paras 2 and 29 ff. FC, Art. 8 ECHR and Art. 4 FADP, the FDPIC considers that data protection within the meaning of Art. 6 Para. 1 FADP is insufficient in the (U.S.), even for the processing of personal data by (U.S.) companies that are certified under the PS regime. As a result of this assessment based on Swiss law, the FDPIC concluded that the indication ‘Adequate level of protection under certain circumstances’ had to be removed for the (U.S.) in the FDPIC’s list of countries.”
• EDPB information note on BCRs with U.K. supervisory authority as lead authority — In part: “BCR holders who have the UK SA as their BCR Lead SA need to put in place all organisational arrangements to identify a new BCR Lead SA in the EEA. The change of BCR Lead SA will have to take place before the end of the Brexit transition period.” The note further states it “is without prejudice to the analysis currently undertaken by the EDPB on the consequences of the CJEU judgment DPC v. Facebook Ireland and Schrems for BCRs as transfer tools.”
• U.K. Information Commissioner’s Office statement — In part: “The (EDPB) has now issued its FAQs on the invalidation of the Privacy Shield and the implications for the (SCCs), and this guidance still applies to (U.K.) controllers and processors. Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime, you should take stock of the international transfers you make and react promptly as guidance and advice becomes available. The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the U.S. or elsewhere. The receiver of the data may be able to assist you with this. The judgment says that supervisory authorities have an important role to play in the oversight of international transfers. We are therefore taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy.”
• Article by University College London’s Oliver Patel discussing impact of “Schrems II” on the U.K. — In part: “Although the U.K. formally left the EU Jan. 31, nearly all EU law continues to apply in the U.K., including CJEU jurisdiction, until the end of the transition period Dec. 31. This means that companies transferring data from the U.K. to the U.S. were able to rely on the EU-U.S. Privacy Shield until the end of this year. This is no longer the case following Privacy Shield's invalidation. The ‘Schrems II’ judgment immediately disrupts U.K.-U.S. data flows, and organizations will have to use alternative safeguards, like SCCs or (BCRs) to remain compliant.”
On November 12, 2020, the European Commission issued its draft implementing decision on standard contractual clauses for the transfer of personal data to third countries. Once finalized, the new SCCs will impact the answers to each of the questions below in particular, as well as others covered on this page. These should be read in conjunction with the draft EDPB recommendations on supplementary measures cited in the relevant section below.
• EDPB guidance — In part: “The Court found that U.S. law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent SA.”
• U.S. Government Letter and White Paper — In part, “[I]n an effort to assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the (CJEU's) ruling, the U.S. government has prepared the attached white paper, which outlines the robust limits and safeguards in the United States pertaining to government access to data.”
• Irish Data Protection Commission statement on “Schrems II” — In part: “[W]hile in terms of the points of principle in play, the Court has endorsed the DPC’s position, it has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.”
• Article by Senior Westin Research Fellow Müge Fazlıoğlu, CIPP/E, CIPP/US, on early DPA guidance concerning the use of SCCs — In part: “(Data protection authorities) across the continent have offered strikingly disparate assessments of what the ruling means for EU-U.S. data transfers that rely on (standard contractual clauses). While several DPAs — notably in Berlin, Hamburg and the Netherlands — seemed to have declared them to be mostly invalid and advised companies to cease such transfers and/or switch to local providers, others, such as those in the U.K., France and Spain, seemed to have not explicitly deemed them invalid. Another group of DPAs, which includes Ireland’s (Data Protection Commission) and Germany’s (Federal Commissioner for Data Protection and Freedom of Information), have taken what could be described as an intermediary position between these two points, advising companies that they may continue to rely on SCCs but must heed the risks inherent in the mechanism and undertake additional assessments to determine if these transfers are lawful.”
• Article by IAPP Associate Editor Ryan Chiavetta, CIPP/US, discussing comments by Hogan Lovells Partner Eduardo Ustaran, CIPP/E — In part: “Ustaran said it's important to note that while the court said SCCs work in principle, they also have to work in practice. ‘For a mechanism to work in practice, one has to assess effectively if they can comply with the obligations in the clauses. The reality is the (SCCs) were almost too good to be true in the sense that it was a very easy-to-use mechanism,’ Ustaran said. ‘You can just search for it, print it, sign it, put it in the drawer and forget about it. What the court is reminding us is that this (is) a mechanism that creates legal obligations, and if the parties can not comply with those obligations, the mechanism doesn’t work, and therefore the data transfers are not valid.’”
• EDPB guidance — In part: “The Court has indicated that SCCs as a rule can still be used to transfer data to a third country, however the threshold set by the Court for transfers to the U.S. applies for any third country. The same goes for BCRs. The Court highlighted that it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice. If this is not the case, you should assess whether you can provide supplementary measures to ensure an essentially equivalent level of protection as provided in the EEA, and if the law of the third country will not impinge on these supplementary measures so as to prevent their effectiveness. ... Should you or the data importer in the third country determine that the data transferred pursuant to the SCCs or to the BCRs are not afforded a level of protection essentially equivalent to that guaranteed within the EEA, you should immediately suspend the transfers.”
• Article by Baker McKenzie’s Francesca Gaudino and Michael Egan on controller-to-processor SCCs — In part: “The decision by the Court of Justice of the European Union in ‘Schrems II’ provides that the controller-to-processor (SCCs) are a viable mechanism for data transfers from the EU to third countries but identified further conditions that need to be considered when implementing them to address the requirement to provide ‘adequate protection’ to such transfers.”
• Article by Baker McKenzie’s Harry Valetk and Julia Kaufmann on controller-to-controller SCCs – In part: “Considering the CJEU’s reasoning in ‘Schrems II,’ it also seems unavoidable to apply the additional conditions for transfers under C2P SCCs to transfers under C2C SCCs. While Articles 46(1) and (2)(c) of the EU General Data Protection Regulation were analyzed by the CJEU only for C2P SCCs, they represent the same legal basis for transfers under C2C SCCs. Article 46(1) of the GDPR, moreover, specifically says that data transfers to a third country may only occur on the condition that data subjects have enforceable rights and legal remedies.”
• EDPB guidance — Footnote 3 references all three sets of SCCs in discussing the court’s ruling: “See in particular recital 145 of the Court’s judgment, and Clause 4(g) Commission decision 2010/87/EU, as well as Clause 5(a) Commission Decision 2001/497/EC and Annex Set II (c) of Commission Decision 2004/915/EC.”
• Article by Baker McKenzie’s Harry Valetk and Julia Kaufmann on controller-to-controller SCCs — In part: “[T]he Court of Justice of the European Union did not reach any findings on the EU Commission's decisions 2001/497/EC or 2004/915/EC, i.e., the (SCCs) for the transfer of personal data to controllers. However, the rationale behind the CJEU’s ruling on the controller-to-processor SCCs, as well as on the EU-U.S. Privacy Shield, suggests two things with respect to controller-to-controller SCCs:
- The additional measures for transfers under C2P SCCs also apply to transfers under C2C SCCs.
- Those additional measures for C2C transfers may be even more burdensome than those for C2P transfers because the level of protection afforded to data subjects under C2C SCCs seems to be lower than under C2P SCCs.
Companies will, therefore, need to evaluate each data flow under C2C SCCs, in particular with respect to the legal system of the third country, types of data transferred, type of recipient and types of data subjects.”
• EDPB guidance — In part: “Whether or not you can transfer personal data on the basis of BCRs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. These supplementary measures along with BCRs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.”
• Article by Baker McKenzie’s Lukas Feiler, CIPP/E, and Wouter Seinen regarding BCRs — In part: “[T]he Court of Justice of the European Union has not in any way touched upon the validity of existing BCRs. That said, BCRs are essentially another ‘adequacy instrument,’ just like the (SCCs) and EU-U.S. Privacy Shield. ... In practice, the main difference is that the burden on assessing the adequacy of the safeguards rests with the supervisory authorities if a company uses BCRs, while the user of SCCs must, according to the CJEU, make its own adequacy assessment and is accountable if wrong.”
• EDPB guidance — In part: “The Court has indicated that SCCs as a rule can still be used to transfer data to a third country, however the threshold set by the Court for transfers to the U.S. applies for any third country. The same goes for BCRs. The Court highlighted that it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice. If this is not the case, you should assess whether you can provide supplementary measures to ensure an essentially equivalent level of protection as provided in the EEA, and if the law of the third country will not impinge on these supplementary measures so as to prevent their effectiveness.”
• EDPB guidance — In part: “It is still possible to transfer data from the EEA to the U.S. on the basis of derogations foreseen in Article 49 GDPR provided the conditions set forth in this Article apply. The EDPB refers to its guidelines on this provision.” The guidance cites footnote 5, “EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, adopted on 25 May 2018, p.3.”
• Blog post by BBB National Programs on use of derogations for data transfers post "Schrems II" — In part: “[T]he Court states that its decision to invalidate Privacy Shield won’t create a ‘legal vacuum’ for data transfers because organizations can still turn to Art. 49 derogations. Similarly, in its guidance on the decision, the European Data Protection Board (EDPB) points to derogations as an available mechanism for continuing to transfer data to the U.S. ‘provided the conditions set forth in [Art. 49] apply.’ The EDPB refers businesses that wish to rely on derogations to its 2018 guidelines on Art. 49 derogations. To use any of these derogations, a business must be mindful of the details and document its decision. Each derogation comes with its own set of administrative and technical requirements. Read on for our summary of the EDPB’s guidelines on a few of the derogations relevant to commercial transfers: consent, contract, and compelling legitimate interests.”
• Article by Baker McKenzie’s Brandon Moseberry and Florian Tannen on derogations — In part: “The receiving country's legal system and adequacy of its data protection level do not generally play a role in determining the applicability of the derogations. Thus, companies that can currently rely on the derogations should be able to continue to do so (although this may be different for the ‘compelling legitimate interest’ derogation, …) … The title of Article 49 alone, ‘Derogations in specific situations,’ suggests derogations have a limited scope of applicability. Further, the European Data Protection Board made it clear in its 2018 guidance that derogations only apply where there are no other transfer mechanisms available, and companies have considered other solutions. Therefore, the derogations only serve as an exception to the requirements for cross-border transfers and should not be a standard, everyday solution to cover such transfers.”
On November 11, 2020, the EDPB issued Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, effective immediately, but subject to public consultations, alongside Recommendations on the European Essential Guarantees for surveillance measures. These documents impact the answers to each of the questions below in particular, as well as others covered on this page.
• Article by Mills Oakley's Alec Christie and Andrea Mitchel on using ISO/IEC 27701 certification to facilitate case-by-case assessments — In part: “One way an organization could seek to do this more efficiently (and reduce some of its burden) is to use independent certification against a global standard such as ISO/IEC 27701 standard to determine if there is an equivalent level of protection in those organizations/countries it wishes to transfer personal data to. This will be especially so, if ISO 27701 is recognized as a ‘certification mechanism’ under the GDPR.”
• White paper by DLA Piper's Andrew Serwin, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT offering an overview of U.S. surveillance — In part: “The purpose of this white paper is not to argue for the validity or invalidity of any particular surveillance mechanism, but rather to provide a neutral, unclassified summary of the law and authorities in this area…. [T]he ‘Schrems II’ decision focuses more attention on the surveillance activities of the U.S. government, and as companies assess the adequacy of data transfers to the U.S., they should try to understand the law of surveillance, which was an important consideration in the case.”
• Client alert by Bird & Bird on what happens following the “Schrems II” judgement — In part: “Subject to guidance from supervisory authorities, develop an approach for due diligence when data transfers take place – either within the organisation, or with suppliers. This should check:
- To which country personal data is transferred
- Whether public authorities in that country could be entitled to access the data
- On what basis is this authorised?
  - Is it set out in law?
  - Does the law limit the ability to access data?
  - Is it no more than is necessary and proportionate, in a democratic society, to safeguard national security, defence, public security or the prevention and detection of criminal offences and execution of criminal penalties?
  - Does the law provide effective judicial remedies for data subjects?
- Is the data encrypted or tokenised in transit (see below).”
• Article by McDermott Will & Emery’s Laura Jehl, Romain Perray and Ashley Winton discussing alternative arrangements to the Privacy Shield, considerations for assessments, and supplementary measures — In part: “At the very minimum, such an assessment will require the data exporter to review: The data and purposes. Where the data was obtained from, the type of data being transferred and the purposes of the transfer. ... The technological and organizational security. It may be the case that the risk of bulk interception can be mitigated because of the encryption used. ... Additional supplementary measures. Data exporters and importers may want to explore additional supplementary measures to provide protection against US surveillance. ... The contractual provisions in place. Do these include additional clauses that provide additional protection – e.g., onsite/remote audit provisions or regular compliance checks? ... The U.S. legal system. This should be considered as it applies to your sector; sensitive industries such as healthcare and telecommunications will need to pay particular attention to applicable law. ... Onward transfer and sub-processing. Particular care should be taken where personal data can be ‘onward transferred’ to a third party and where a sub-processor is used, as there will be supply chain risk in this further transfer.”
• LinkedIn Live: The 'Schrems II' Aftermath: A Deep Dive into SCCs, with Future of Privacy Forum Senior Counsel Gabriela Zanfir-Fortuna, Fieldfisher Privacy, Security and Information Partner Renzo Marchini, CIPP/E, CIPT, and Hogan Lovells Partner Eduardo Ustaran, CIPP/E.
• LinkedIn Live: ‘Schrems II’: The Immediate Aftermath, with the IAPP’s Omer Tene and Caitlin Fennessy, CIPP/US — Fennessy, in part: “One of the issues that was addressed … was what the appropriate comparator is when regulators or companies are doing this assessment, whether it is a comparison to EU law, Member State law or Member State practices governing government access and the protections around government access. The Court seems to have been fairly clear that we are looking at EU law here not Member State law or Member State practices as the appropriate comparator.”
• EDPB guidance — In part: “The supplementary measures you could envisage where necessary would have to be provided on a case-by-case basis, taking into account all the circumstances of the transfer and following the assessment of the law of the third country, in order to check if it ensures an adequate level of protection. The Court highlighted that it is the primary responsibility of the data exporter and the data importer to make this assessment, and to provide necessary supplementary measures. The EDPB is currently analyzing the Court’s judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical or organizational measures, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own. The EDPB is looking further into what these supplementary measures could consist of and will provide more guidance.”
• Article by Schwartz Group Managing Partner Joel Schwartz, CIPP/G, on transparency as a safeguard – In part: “What steps can an organization take to address the concerns raised by the CJEU? For years now, initially pursuant to an agreement with the U.S. Department of Justice and later Section 604 of the 2015 USA Freedom Act, a number of tech companies have published statistics about the production orders received from national security and law enforcement authorities. Providers are allowed to disclose aggregated statistics about the number of requests received pursuant to various criminal and national security authorities, but given the non-disclosure orders that generally accompany FISA and National Security Letters, disclosures are limited to a preset number of data points and the use of general ranges of numbers (‘bands’). ... While the details and format of each report vary, the key takeaway is that this model offers a way for data importers to clarify the extent and impact of national security access requests on their businesses (the below being merely two of a number of options).”
• Article by Christopher Kuner on four issues the decision raises under GDPR – In part: “A few examples of clauses and safeguards could include the following:
- Legal measures: The parties to the transfer could agree on enhanced legal guarantees that build on those in the SCCs but provide stricter conditions for suspending data flows and deleting data in cases of unauthorized government access, as well as stricter penalties for breaches of their obligations.
- Technical measures: Strong encryption could be used to make it nearly impossible for unauthorized actors to read the data.
- Organisational measures: Groups of data exporters and importers (such as in a trade association) could commit to suspend data transfers to countries that do not respect the rule of law, based on internationally-recognized standards (for example, those published by the World Justice Project). This approach is already used in other areas, such as fair labour standards.”
• Norton Rose Fulbright blog post on recommended actions post Schrems II – In part: “Consider what additional safeguards could be applied: these could be technical, contractual or involve a throttling back of certain transfers. Technical safeguards will include:
- encryption of the data flow (remember the adversary here is a nation state so the measures will need to be robust – which may mean cumbersome or expensive to use). U.S. companies should use commercially available encryption, or else they may need a special license to export the software, since U.S. export laws regard such unique software as a “munition” under 15 C.F.R. 742.15;
- contractual measures that might include increased transparency from, and control over, the data importer so that the data exporter can satisfy itself that the importer has a robust process for challenging requests;
- minimising the amount of data disclosed;
- notifying the exporter of requests from law enforcement authorities so it can intervene unless truly prohibited by law from doing so, together with statistics as to how often and what types of requests have been complied with in the past 24 months so the exporter can assess the likelihood of its data also being accessed; and
- the ability to relocate certain data types or data processing activities to other countries or ultimately ceasing processing (on acceptable commercial terms).”
• LinkedIn Live: The ‘Schrems II’ Aftermath: A Deep Dive into SCCs — Renzo Marchini, in part, “You only get to additional safeguards, additional measures, if you conclude you need to do something more. ... In my mind, there’s three things you can do. You can do something technical ... if it’s encrypted before it’s transferred to the U.S. so that even if the NSA got the data, even in the undersea cables, it’s meaningless to them … you might be able to do something policy-wise, law enforcement access, ask your receiving company about how they handle it. Ask them some transparency questions ... you can ask about practice. You can ask about history. You can do some due diligence. ... Lastly, you can bolster that with some contractual language ... it might be along the lines of you really will make sure you are under legal compulsion before you give the data over. ...”
• Article by ZwillGen’s Kandi Parsons, Mason Weisz, and Marc Zwillinger on supplementing SCCs to solve surveillance shortfalls – In part: “By invalidating the EU-U.S. Privacy Shield but not rejecting wholesale the use of standard contractual clauses to transfer data to the U.S., the Court of Justice of the European Union in ‘Schrems II’ left open the possibility that such transfers could continue. However, it emphasized that exporters and importers may need to adopt additional safeguards when using SCCs to ensure an adequate level of protection for personal data transferred to the U.S. Until now, commentators have seemed unsure as to what those safeguards might be or how they can address potentially irredeemable flaws in the U.S. surveillance system. In this piece, we detail a proposed solution consisting of technical measures, supplemental clauses and exit strategies.”
• Kilpatrick Townsend blog post discussing possible supplemental measures for transferring data – In part: “to address the CJEU’s concerns regarding data subjects’ lack of enforceable rights and judicial redress, parties should consider implementing supplemental measures such as those listed below to establish arguments that transferred personal data remains adequately protected:
- enhanced notice requirements under which the data importer must notify the data exporter, and the data subject to the extent practical and permitted by law, of law enforcement or surveillance requests;
- contractual commitments to challenge law enforcement or surveillance requests and disclose only the minimum amount of personal data required by law;
- publishing transparency reports describing FISA requests to the extent permitted by federal law (i.e., delaying reporting by 6 months from the request date and reporting in bands of 500); and
- enhanced encryption requirements.”
• Article by Littler Mendelson’s Philip Gordon, Zoe Argento, CIPP/US, and Kwabena Appenteng, CIPP/E, CIPP/US, on transferring HR data – In part: “The CJEU's decision has the potential to severely disrupt U.S. multinationals' administration of their global workforce. Those who have relied on Privacy Shield to transfer personal data from their EU subsidiaries to the U.S. parent corporation and U.S. affiliates, or to U.S.-based service providers supporting global HR administration, will need to identify an alternative data transfer mechanism. The alternatives, however, are limited. BCRs are not a practical solution for many U.S. multinational employers because of their complexity and the required investment of time and budget to implement them. At the same time, the European Data Protection Board has effectively eliminated consent as an option for cross-border transfers of employees’ personal data. While SCCs remain valid, their utility as a data transfer mechanism could be short-lived.”
15. Does the Schrems II decision impact communications providers, tech companies, and/or companies across sectors?
• Article by Baker McKenzie’s Lothar Determann and Michaela Nebel, CIPP/E, CIPP/US, discussing technology, media and telecommunications services after “Schrems II” — In part: “At a minimum, providers must offer the contractual safeguards their customers need to buy and use their services in compliance with applicable law. According to the GDPR, this means unmodified SCC and national data protection laws pile on requirements in some countries.”
• Article by Morrison & Foerster’s Bob Litt, Miriam Wugmeister and Alex van der Wolk — In part: “That means, for example, that a manufacturing company in Germany that wants to outsource its data center to India must determine whether the laws of India sufficiently protect personal information, a pharmaceutical company in the Netherlands that wishes to share research to fight COVID-19 with researchers in Brazil must determine if the Brazilian government engages in bulk surveillance, and a company in France that wishes to share the names and email addresses of its employees with its parent company in Singapore as part of a global employee directory must determine if those French citizens could obtain appropriate judicial redress for privacy violations in Singapore.”