European Union flag.

EU-US Data Transfers After Schrems II: European Commission Publishes New Draft Standard Contractual Clauses

Image Credit: GregMontani from Pixabay.

On November 12, 2020, roughly four months after the European Court of Justice’s “Schrems II” decision which invalidated the EU-US Privacy Shield, the EU Commission released a draft set of new Standard Contractual Clauses (“SCCs” or “model clauses”).

These updated SCCs allow transfers of personal data from the EU to third countries, as well as a transfers by controllers when engaging processors located inside the EU. (For a further analysis of the Schrems II judgment, and the motivation for these new clauses, see our prior blog post).

Who can use the new SCCs?

The Commission’s draft, which includes the new SCCSs in its Annex, covers two new types of international transfers and contains important updates in order to bring the text of the model clauses in line with the General Data Protection Regulation (“GDPR”).

The current SCCs, approved by the Commission in 2001 and 2010, only addressed two data flow scenarios:

  • An EU-based controller exporting data outside of the EU to other controllers (controller-controller SCCs)
  • An EU-based controller exporting data outside of the EU to processors (processor- processor SCCs).

In this new draft, the Commission addressed a gap which frequently occurred in practice: EU processors exporting data to controllers and processors outside of the EU. This addition further reflects the expanded territorial scope of the GDPR.

Continue Reading EU-US Data Transfers After Schrems II: European Commission Publishes New Draft Standard Contractual Clauses
Blue EU flag fluttering in the wind

Schrems II: No Privacy Shield for EU-US Data Transfers, but Don’t Put Your Eggs into Standard Contractual Clauses Either

Image Credit: Capri23auto from Pixabay

On July 16th, 2020, privacy professionals scrambled after the Court of Justice of the European Union (CJEU) handed down its decision in Schrems II. The ruling invalidated the US-EU Privacy Shield agreement, which authorized transfers of data from the EU to the US for Privacy Shield-certified companies. Though the ruling on Privacy Shield was unexpected given that it was not directly at issue, such a decision is not without precedent or historical pattern. Privacy Shield itself was a replacement for the Safe Harbor framework that was invalidated in 2015 in Schrems I.

Now that the Privacy Shield framework has been invalidated, both data controllers and data processors are likely concerned about the next steps to take to ensure that any data transfers integral to its operations can continue. Although the U.S. Department of Commerce has indicated that it will continue processing Privacy Shield certifications, affected companies such as U.S. data importers and EU data exporters should quickly explore and adopt other transfer legitimizing mechanisms with their service providers and vendors in order to prevent any gaps in compliance.

Alternative Mechanism: Standard Contractual Clauses

Under the GDPR, data transfers to “third countries” outside the EU and international organizations are restricted unless validated by an approved mechanism to ensure that GDPR protection will follow.

Under GDPR Article 45, data transfers may be valid on the basis of an “adequacy decision,” where the European Commission has previously evaluated and determined that a third country provides “an adequate level of protection.”

GDPR Article 46(1) provides that, in the absence of an adequacy decision for the third country, other possible transfer mechanisms include Standard Contractual Clauses (SCC). SCCs, also known as “model clauses,” are sets of pre-approved and non-negotiable contractual provisions that both the importer and exporter must agree to.

SCCs are the primary mechanism for data transfers between EU and non-EU entities. This is because binding corporate rules (BCR) are traditionally reserved for intraorganizational transfers of data within multinational corporations, Article 49 derogations should typically only be used for limited, non-repetitive situations, and the other mechanisms listed under Article 46(1) (codes of conduct and certification mechanisms) have not yet been tested.

Evaluate on a “Case-by-Case” Basis

Even if using SCCs, the importer and exporter must complete a “case-by-case” analysis to determine if the laws of the third country provide an adequate level of protection or whether additional safeguards are necessary to meet the standards of the GDPR or the Charter of Fundamental Rights.

For instance, laws that allow presumptively broad law enforcement surveillance of personal data without a judicial review process will likely be non-compliant with the GDPR.

Given China’s recently enacted Cryptography Law, which provides for an encryption backdoor accessible to government actors, China may serve as an example of a third country where SCCs might not be able to automatically validate a cross-border data transfer. Since businesses operating in China may be legally required to provide data to government without requiring judicial approval, such a legal obligation would defeat the adequacy of SCCs as a transfer mechanism. The reliance on SCCs to validate data transfers might fail in such instances.

A similar analysis may have to be completed for US service providers. For instance, many cloud providers may fall under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, both of which govern surveillance programs like PRISM and UPSTREAM. The CJEU heavily scrutinized these programs in its decision to strike down Privacy Shield, finding that these programs were not subject to adequate judicial oversight and that EU citizens would be especially vulnerable given that the protections of the Fourth Amendment of the U.S. Constitution do not apply to EU citizens.

Moving Forward

What’s next on the horizon? Perhaps the third time is the charm.

It is foreseeable that the European Commission and U.S. Department of Commerce might again negotiate a third agreement. This new agreement will need to provide additional checks and balances and reassurances for EU individuals whose data is transferred to the US for processing, beyond the level provided for in the stricken-down Privacy Shield.

In an Opinion dated April 13, 2016, Article 29 Working Party (WP29), the predecessor to the current European Data Protection Board (EDPB), had already determined that one of Privacy Shield’s deficiencies was its failure to address “massive and indiscriminate collection of personal data originating from the EU” by US intelligence agencies. WP29 also expressed concerns that the Privacy Shield Ombudsperson was not sufficiently independent and powerful enough to be an adequate tribunal. It concluded by urging the Commission to improve Privacy Shield to provide equivalent protections as in the EU. Given that these concerns were telegraphed well in advance of Privacy Shield’s actual invalidation, the next framework must absolutely address these issues if it wishes to survive scrutiny. In the meantime, businesses should review their data transfer flows, remain agile and flexible in responding to developing law, and ensure that transfers are validated by multiple mechanisms as a contingency.

American Privacy Laws in a Global Context: Predictions for 2018

Should putative class members have privacy rights in class action claims under the CCPA?
Image Credit: kmicican from pixabay.com

[Originally published as the May 2018 Cover Story: Data Privacy and the Law – American Privacy Laws in a Global Context: Predictions for 2018, by Lily Li, in Orange County Lawyer Magazine, May 2018, Vol. 60 No.5.]

Cybersecurity Attacks Are Inevitable

Cybersecurity attacks are on the rise. According to the non-profit organization, Identity Theft Resource Center, there were over 1,579 publicly reported data breaches in 2017, compared to 1,091 in 2016, and 780 in 2015. Not only are these cyberattacks happening at high-profile companies like Equifax, Uber, and Yahoo, they are increasingly happening to businesses of all sizes. Any entity able to pay a ransom is now a potential target.

Law firms are no exception. In 2017, DLA Piper was hit with a “wiper-ware” attack, following previous email hacks of Cravath and Weil Gotshal in 2016. Earlier this year, UK-based cybersecurity firm, RepKnight, reported that almost 800,000 UK law firm email addresses and affiliated passwords were available on the dark web, with over 50% of these credentials posted in the last six months. These law firms did not just include local UK firms, but global law firms with a UK presence.

Given these alarming statistics, what should legislators do?

In the EU, Canada, and China, legislators have decided to develop and implement national data privacy and cybersecurity frameworks: GDPR, PIPEDA, and CSL respectively. The United States, by contrast, still relies upon a patchwork of sectoral laws and inconsistent state rules. This article will take a brief look at developments in the EU, Canada, and China, discuss the current United States privacy framework, and predict likely developments in U.S. privacy law over the next year.Continue Reading American Privacy Laws in a Global Context: Predictions for 2018