Schrems II Client Adv #2 (4 Sep bis)

Under European Union law,[1] every export of personal data from the EEA[2] requires one of several specified legal bases.  In our July 21, 2020 Advisory we reported on the July 16, 2020 decision of the Court of Justice of the European Union (“CJEU”),[3] commonly known as Schrems II, which invalidated Privacy Shield as a legal basis for exporting personal data from the EU to the United States.  The decision rests on the perceived adverse impact of US national security surveillance laws on the adequacy of data protection for EU persons in the US, and on the rights of EU data subjects to obtain redress in the US for violation of their rights.  This professed deficiency would appear to affect all data exported to the US, no matter the vehicle by which it was transferred.  Accordingly, we and many others predicted that the decision would have consequences beyond Privacy Shield.

The other shoe has now dropped: Supervisory Authorities (“SAs”) in Berlin,[4] Hamburg, Baden Württemberg and the Netherlands have all declared that Standard Contractual Clauses are an insufficient basis for the transfer of personal data from their locales to the United States.  Other SAs are likely to fall into line in the future.

Given these developments, how is one to do business in Europe without risking the draconian penalties provided by GDPR?  There is a hope, but no assurance, that a further iteration of the Safe Harbor and Privacy Shield inter-governmental solutions could be negotiated and survive challenge in the CJEU.[5]  In this Advisory we offer some currently available solutions.  None are perfect, and all are subject to revision in this rapidly evolving field.  In sum:

  • If you relied on Privacy Shield in the past:
    • Continue to honor its commitments with respect to personal data already transferred from the EU to the United States
    • Adopt a new basis for future transfers of personal data from the EU to the United States (see below)
    • Amend your privacy policies, data processing agreements and other documents to reflect your new solution
  • General solutions likely to be viable in the long term
    • Consent
    • SCCs and BCRs coupled with encryption and other means of establishing a low risk of US government surveillance
    • SA-authorized contracts
    • Transfer processing to EU or another country deemed “adequate”
  • Interim/narrow solutions
    • Enhanced SCCs, BCRs, and other contracts combined with a finding of adequate protection addressing Schrems II concerns
    • Necessity derogations

These possible solutions are discussed in detail below.

Discussion

As a result of the decision, the Privacy Shield program is now totally defunct for exporting to the US.  But it nevertheless continues to apply to data previously exported under it that is still in the possession of its US importer, or a third party that acquired it under onward transfer.  All such data must be (i) returned to its EU exporter, (ii) destroyed, or (iii) maintained in accordance with the Privacy Shield principles.

Inasmuch as the court offered no “grace period,” nor has any supervisory authority announced one, parties to export to the US are justifiably scrambling for a solution.  Set forth below are suggestions for potentially compliant export.  But a caveat is in order: little is certain, and it is not at all clear in many situations that there is now any legal basis for export to the US.  The following suggestions are divided into two subdivisions:

  • Those that may have long-term general viability, and
  • Those we view as being:
    • of short-term use only because they are in the nature of a rear-guard action, perhaps viable for the moment, but likely to crumble as supervisory authorities (“SAs”) climb on the bandwagon,
    • available only for occasional use, or
    • available only for very narrow use.

Vehicles that may have long-term general viability:

  • Consent – GDPR Art. 49(1)(a) sets forth explicit consent as a lawful basis for export, where the data subject has been “informed of the possible risks of such transfers … due to the absence of an adequacy decision and appropriate safeguards.” In practice, for the majority of situations consent will not be suitable as an export basis because it is (i) unrecognized or at least frowned on in situations where one party has leverage over the other (as in the employment relationship), (ii) often impossible to secure as a practical matter, and (iii) subject to withdrawal at any time.  For example, consent is not well suited to the typical B2B relationship, because the transferor’s employees may have no contact with the transferee, and the transferor lacks authority to give consent on behalf of its employees.  Also, the data subject’s right to withdraw consent at any time makes this vehicle impractical for some purposes.  Nevertheless, where it is lawfully available, can be secured, and is not impractical, appropriate consent is a viable (perhaps the most viable) export vehicle.
    • Appropriate consent – Consent must be explicit, freely given, unambiguous, specific, informed, and subject to withdrawal. If given in writing, it must be clearly distinguishable from other matters, in intelligible and easily accessible form, in clear and plain language.  In a contractual setting, consent should not be conditioned on processing that is unnecessary to perform the contract.  You must maintain a record of each consent.
    • Acquisition of consent – The data subject must be fully informed of the “danger” of transfer of her or his personal data to the US. A prominent notice advising that the Court of Justice of the European Union has determined that the United States does not provide data protection equivalent to that in the European Union, and has further determined that United States data safeguards are not adequate, would support the conclusion that the consent is informed. The notice should also advise that consent, if given, can be withdrawn at any time.
  • Enhanced SCCs, BCRs – GDPR Art. 46(1) authorizes export if the transferor “has provided appropriate safeguards, and on condition that enforceable data subject rights and effective data subject remedies for data subjects are available.”
    • An argument can be made that if data is appropriately encrypted in transmission end-to-end, it is then adequately safeguarded. And it can further be argued that this form of safeguard renders nugatory the necessity for any rights and remedies as to surveillance, because the government will not be able to misuse the data.  It is unknown just how potent encryption need be to be effective in this situation, as the NSA is a highly regarded codebreaker.  Nevertheless, those using state-of-the-art encryption have a non-frivolous argument that they are complying with Art. 46(1).  It may be years before there is any judicial authority on this point, although one or more SAs may at some point issue guidance on it.  Transmission encryption is now not difficult to obtain.  It is for the parties to determine what level may be suitable, and whether its cost and inconvenience is acceptable.
    • Reasons to believe that the data has little attraction for US surveillance can be documented.  For example, where true, the parties to the transfer might indicate that they have never received a National Security Letter[6] and no process under FISA § 702 requiring either of them to assist the government in the acquisition of data.
    • The parties to the transfer can commit not to voluntarily assist the government in its operations under Executive Order 12333.
    • The importer can publish periodic statements indicating the number of individuals affected by US national security surveillance orders it has received. Exporters can compare those numbers to the number of individuals whose personal data they export to the importer; if the percentage is sufficiently low, the exporter may be able to justify continued exports.


  • A Custom SA-Authorized Contract – Among the appropriate safeguards recited in GDPR Art. 46 is one for a contract between exporter and importer that has been authorized by the pertinent SA. You (or perhaps your exporter) might, for example, approach the SA with a draft contract similar to a SCC and also requiring appropriate end-to-end encryption.  Such an approach would take time (certainly, months), and such an authorized contract would be required for each Member State from which you seek to export.
  • Change of processing location – A highly disruptive solution, but one sure to succeed, is to move the location of the transferee’s processing to (a) an EEA Member State, or (b) one of the twelve jurisdictions deemed “adequate” by the European Commission, such as Argentina, Canada, Israel, or Switzerland. Such a move would (a) eliminate the need for export from the EEA, or (b) involve transfer to a jurisdiction whose data protection law does not concern the EU, thereby eliminating the need for data restrictions to be added upon transfer.


Short-term or occasional/narrow vehicles:

  • Standard Contractual Clauses – The CJEU ruling endorsed the general validity of SCC. However, in invalidating Privacy Shield, it implicitly doomed use of SCC for export to the US.  Since the decision, at least four SAs[7] have stated that bare SCC are not to be used for export to the US, with more SAs likely to follow.  The use of SCC from any jurisdiction where the SA has not issued a prohibition is permitted only if the parties have determined that the transferee data protection environment is essentially equivalent to that of the EU.  Among the constituents of that environment are:
    • The restrictions in the SCC themselves;
    • Any technological means used, such as encryption;
    • The transferee data protection regime;
      • The likelihood of transferee government surveillance;
    • Dangers associated with any onward transfer; and
    • Any supplementary measures used.

If you determine, based on that environment, that appropriate safeguards would not be ensured, you must suspend or end the transfer.  If you decide to transfer despite such a conclusion, according to the European Data Protection Board,[8] you must notify the SA.

Even after the parties make their determination, the pertinent SA may form its own opinion on the matter.  As noted above, perhaps SCC with good encryption would suffice.  If the parties determine that such a regime qualifies, they can export unless and until the SA concludes otherwise.  But the use of unadorned SCC for export to the US has no long-term or even intermediate-term viability.

  • Binding Corporate Rules (“BCR”) – These seem to suffer from the same maladies as SCC, but they are one step removed from the Schrems II decision, because it was not about BCR and they were not extensively discussed. Moreover, BCR by their nature have been approved by the pertinent SAs (although that was before Schrems II).  We are not aware of any SA that has yet expressly condemned their use for export to the US but, when such an instance is addressed, we believe that will be the result.  Nevertheless, you may continue to use them unless and until the pertinent SA declares them invalid for export to the US, as they arguably still have the fig leaf of validity.  And perhaps use of BCRs in connection with good encryption would stand up to scrutiny.  But, whatever their value elsewhere, we believe the use of unadorned BCRs for export to the US has no long-term future.
  • “Necessity” Derogations – GDPR Art. 49 permits export when any of several “necessities” is present. But each of the necessity exemptions permits only occasional transfers,[9] or deals with a narrow, specific situation[10] unlikely to be of use to you except in unusual circumstances.  Accordingly, they may help you in a “one-off” or occasional situation, but are not available to most organizations for continual use.

*         *         *         *         *         *         *         *         *          *         *

In any event, to the extent you change any aspects of your cross-border transfer protocol, those changes must be reflected in such documents as your privacy policy, website statements, and contracts with exporters and customers.


This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship.  Prior results do not guarantee similar outcomes. Attorney Advertising.

[1]   General Data Protection Regulation (“GDPR”) Articles 44 – 49.
[2]   The European Economic Area comprises the 27 EU Member states plus Iceland, Liechtenstein, and Norway.
[3]   Data Protection Commissioner of Ireland v. Facebook Ireland and Maximillian Schrems, ECLI:EU:C:2020:559 (CJEU Case C-311/18 July 16, 2020), available at http://curia.europa.eu/juris/documents.jsf?num=C-311/18.
[4] https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2020/20200717-PM-Nach_SchremsII_Digitale_Eigenstaendigkeit.pdf
[5] The U.S. Department of Commerce and European Commission have announced that discussions are underway to “evaluate the potential for an enhanced EU-U.S. Privacy Shield framework….”  https://www.commerce.gov/news/press-releases/2020/08/joint-press-statement-us-secretary-commerce-wilbur-ross-and-european.
[6]   An NSL is a letter, authorized by statute, sent by the FBI or some other agency charged with national security, without judicial intervention, and requiring the recipient to produce specified transactional information (but not content).
[7]   The SAs of the German State of Berlin, the German State of Hamburg, the German State of Baden Württemberg and the Netherlands.
[8]   This Board comprises a representative from each EU Member State plus the European Data Protection Supervisor.
[9]   For performance of a contract between data subject and controller; for conclusion or performance of the controller’s contract in the data subject’s interest; for the establishment, exercise, or defense of legal claims.
[10]   For important reasons of public interest; to protect the vital interests of an individual, where the data subject is incapable of giving consent; where no other basis applies, for a non-repetitive transfer, and the controller’s compelling legitimate interests are not overridden by the data subject’s interests.