#11 Data Privacy Best Practices: Update to Privacy Shield and SCCs


#11 Data Privacy Best Practice: How can US companies legally transfer EU personal data in the post-Schrems II era?

My recent posts in this series have discussed best privacy practices for the hypothetical software company BizConnect. These practices have included:

a) drafting a GDPR-compliant privacy policy;
b) self-certifying under the Privacy Shield for transfers of EU personal data;
c) adopting the GDPR model clauses (the Standard Contractual Clauses) for transfers of EU personal data;
d) deciding whether to conduct a DPIA and/or adopt a Code of Conduct;
e) drafting an internal written data security plan, obtaining SSAE-18 audit reports, and adopting a Business Continuity Plan;
f) considering whether it is necessary to appoint a DPO, and how to comply with Article 27 (appointment of an EU representative);
g) considering contractual issues regarding controller indemnification and subprocessor changes; and
h) considering the record-keeping and training requirements under GDPR.

This post updates posts #2 (Privacy Shield) and #3 (Standard Contractual Clauses, referred to herein as “SCCs”). It discusses what small companies need to consider following the Court of Justice of the European Union’s decision of July 16, 2020 in Case C-311/18 (referred to herein as “Schrems II”), which invalidated the Privacy Shield. The court found that the Privacy Shield was not an adequate mechanism for lawfully transferring personal data from the EU to the US under GDPR.

The Schrems II decision did not invalidate the SCCs, but it called for greater scrutiny and due diligence by data exporters. The court held that the exporter must verify, case by case, whether the law of the destination country allows the importer to actually comply with the SCCs, and it called on EU Data Protection Authorities to suspend or prohibit individual transfers where the SCCs cannot be complied with in practice and the exporter has not already suspended them.

This post continues to use BizConnect as the hypothetical company for the discussion and analysis. BizConnect, a small SaaS company, offers enterprise customers a platform to strategically set and execute their company goals. The enterprise customers’ employees’ personal data is uploaded to the platform to participate in their employer’s SaaS subscription.

BizConnect needs to analyze its data flows:

1. Data Flows reliant SOLELY on Privacy Shield:

BizConnect should analyze which data flows, if any (e.g., customers sending data from the EU to the US), rely SOLELY on Privacy Shield. For these customers there is currently no valid legal basis for the export of personal data from the EU to the US. Recommendation: BizConnect needs to put SCCs in place with these customers, and until it does, those transfers are unlawful.

2. Data Flows reliant on BOTH Privacy Shield & SCCs:

For data flows that rely on BOTH Privacy Shield and Standard Contractual Clauses (SCCs), the CJEU upheld the SCCs BUT called for greater scrutiny. Since BizConnect’s customers are the data controllers, BizConnect is likely to see more inquiries about encryption and other security measures around the data transfer. The Schrems II decision focused on the fact that US national security law (notably Section 702 of FISA and Executive Order 12333) allows the US government to compel disclosure of personal data under certain circumstances without redress for EU data subjects. There may be questions about whether BizConnect has received any such government (e.g., NSA) requests or, to its knowledge, whether other similar companies have.

3. Should BizConnect continue to be certified under Privacy Shield?

The US Department of Commerce has stated that obligations under the Privacy Shield continue for companies that remain certified. A company that wants to withdraw from the Privacy Shield also needs its answer to #1 above, because the Department of Commerce will ask for a statement of how the company will continue to protect any data received under Privacy Shield. A simpler path may be to let the certification lapse rather than renew it. Remember that if and when a company withdraws from (or does not renew) its Privacy Shield certification, it needs to remove all references to Privacy Shield (e.g., in its public-facing privacy policy document and anywhere else they appear); continuing to claim certification after it has lapsed is a misrepresentation.

Going forward for B2B data processors like BizConnect:

BizConnect can expect more scrutiny and due diligence from its customers (who are the data controllers). The Court of Justice (and the European Data Protection Board, the “EDPB”) has indicated that data controllers (i.e., BizConnect’s B2B customers) will need to investigate whether the data importer (i.e., the B2B company acting as a data processor) can actually meet the SCC requirements.

Schrems II refers to “supplementary measures” that the data controller/exporter may need to require of the data processor/importer where the SCCs alone do not ensure a level of protection essentially equivalent to that in the EU. The decision did not describe what those “supplementary measures” might look like.

Here are my thoughts:

  1. Encryption: more pressure on data processors to encrypt personal data in transit and at rest, and more prescriptive requirements about the specific algorithms and key lengths used and, above all, about who holds the keys. Encryption does little against compelled disclosure if the US processor can decrypt the data itself.

  2. Geolocation: to the extent possible, data controllers may require data processors to store and process the personal data in the EU. This only helps if administrative access from the US (support staff, backups, logs) is also restricted.

  3. Pseudonymization: there may be more discussion about pseudonymization of data. Pseudonymized data is still personal data under GDPR (see the definition in Article 4(5)), so it does not take the processing outside GDPR, but it lowers the risk to data subjects, which is GDPR’s ultimate goal.
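To make the pseudonymization point concrete, here is an added example (not code from the original post, from BizConnect, or from Dataguise) in Python. It assumes a hypothetical record layout for the employee data a BizConnect customer uploads, and shows the split that makes pseudonymization a meaningful supplementary measure: the customer (controller/exporter) replaces direct identifiers with a keyed HMAC-SHA256 token before the data leaves the EU and keeps both the key and the re-identification table at home, so the US processor (or anyone who compels it) holds only tokens. It also shows why an unkeyed hash is not enough: a dictionary of guessed e-mail addresses reverses it immediately, whereas the keyed token resists the same guess without the key.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real people): the employee records a BizConnect
# customer, acting as controller and data exporter, would upload to the platform.
# The field names are an assumption for this example.
EMPLOYEE_RECORDS = [
    {"email": "anna.schmidt@example.de", "name": "Anna Schmidt", "team": "Sales", "goal_score": 82},
    {"email": "luca.rossi@example.it", "name": "Luca Rossi", "team": "Sales", "goal_score": 74},
    {"email": "anna.schmidt@example.de", "name": "Anna Schmidt", "team": "Sales", "goal_score": 90},
]

# Fields that directly identify a person and must not cross the border in the clear.
DIRECT_IDENTIFIERS = ("email", "name")


def keyed_token(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: the same input always yields the same token, so the
    processor can still link records of one person, but without the key nobody can
    compute the token from a guessed value."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_token(value: str) -> str:
    """Plain SHA-256 of the identifier. Included only to demonstrate why this is
    NOT adequate pseudonymization: anyone can hash candidate e-mails and compare."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymize_for_export(records, key):
    """Split each record into (a) the pseudonymous record sent to the processor/importer
    and (b) an entry in the re-identification table, which stays with the exporter in the EU."""
    exported = []
    table = {}
    for rec in records:
        token = keyed_token(rec["email"], key)
        table[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        exported.append({"subject_id": token, **payload})
    return exported, table


def reidentify(exported_record, table):
    """Only the holder of the table (the exporter) can map a pseudonym back to a person."""
    return table[exported_record["subject_id"]]


def guess_by_dictionary(token, candidates, key=None):
    """What an importer, or an authority compelling it, can try: hash guessed e-mails and
    compare. Succeeds against an unkeyed hash; fails against the HMAC unless the key leaks."""
    for candidate in candidates:
        trial = keyed_token(candidate, key) if key is not None else unkeyed_token(candidate)
        if hmac.compare_digest(trial, token):
            return candidate
    return None


if __name__ == "__main__":
    # The key is generated and retained by the exporter; it is never sent with the data.
    export_key = secrets.token_bytes(32)
    sent_to_processor, kept_in_eu = pseudonymize_for_export(EMPLOYEE_RECORDS, export_key)
    print("exported:", sent_to_processor[0])
    print("re-identified by exporter:", reidentify(sent_to_processor[0], kept_in_eu))
    guesses = ["bob@example.com", "anna.schmidt@example.de"]
    print("unkeyed hash reversed to:", guess_by_dictionary(unkeyed_token("anna.schmidt@example.de"), guesses))
    print("keyed token reversed to:", guess_by_dictionary(sent_to_processor[0]["subject_id"], guesses))
```

The design choice that matters for Schrems II is the custody split: the processor receives linkable but non-identifying tokens and has no technical ability to re-identify, so a compelled disclosure in the US yields no names or e-mails. Rotating the key (or using a per-customer key) also bounds the damage if one key is ever disclosed.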

What are supplementary measures going to look like?

A recent blog post by Sagi Leizerov of Dataguise discussed some examples of possible supplementary measures, including geolocation and pseudonymization.

Sagi also highlights the court’s references to the data exporter’s knowledge of what the data importer does with the data. Data exporters will be expected to have granular knowledge of the categories of data, the precise location of the data, and the actual processing activities performed on it.

This means more security reviews in advance of data transfers and more audits of data processing activities during processing.

For BizConnect this will likely be reactive, with its practices shaped by its customers’ demands.
