International transfers of data in a muddle (again) – 5 practical actions
Yesterday (16 July 2020), the Court of Justice of the EU delivered a judgment in relation to the way that international data flows are legitimised. The judgment was – from a data protection perspective – relatively seismic. There are plenty of summaries of this case available and so we are not going to add to the word count. Essentially, the Court did two things: (i) invalidated Privacy Shield; and (ii) said that whilst SCCs (also referred to as model clauses) remain valid, the parties to SCCs and the regulators themselves need to seriously step up their game.
There's no 'silver bullet' solution or quick fix here, unfortunately. Whilst we suspect that the ICO and other supervisory authorities won't dive straight into enforcement on this point, organisations exporting (or allowing the export of) data do need to be doing something to acknowledge the change.
So what should be your first steps?
Don't enter into any new data export arrangements based on Privacy Shield without: (i) a conversation with the importer/counterparty; and (ii) an analysis of alternatives available. The only substantive output from the ICO so far addresses this very point (by way of a holding note on the web pages dedicated to guidance on international transfers) and so to ignore it would not be a good move.
Clearly, if you're mid-negotiation (or signing up to some standard terms with no leverage) then you may need to rethink the arrangement or at least consider your risk appetite. Either way, we'd expect and advise transparent communication with the importing entity.
Identify existing data transfers based on Privacy Shield (these will be transfers to the US) and SCCs (these could be transfers to the US or anywhere else outside of the EEA) and prioritise based on risk to the data subjects (i.e. consider type of data, identity of data subjects, scale and scope of transfer, etc.). Remember that you may well be called upon to 'show your working' at some point in accordance with GDPR's accountability principle.
To some extent, everyone's in the same frying pan/fire/mess here and so we would advise that you engage with relevant counterparties and suppliers (i.e. the exporters or importers of the data) to address risk mitigation in a collaborative manner. Larger, global players (e.g. major cloud service providers based in the US and relying on Privacy Shield) will need to take a uniform approach to their client base to avoid things becoming even more complicated than they already are. It's likely that we will see a rapid mass issue of SCCs.
Whatever your role in the global flow of data, document the steps you take towards a solution/risk mitigation as you'll need the evidence should your actions ever be subject to the scrutiny of a supervisory authority.
4. Proceed with SCCs with caution
They've been given the green light (for now) but with some major caveats. If in practice the importing entity can't or doesn't comply with the SCCs then the SCCs won't work to legitimise the transfer and the data flow could be stopped by the ICO or another supervisory authority. What this means is that you'll need to do your homework.
Look at the territory you're exporting to: does it have local laws to protect personal data, and do local law enforcement or other bodies have wide-ranging powers to access data? Take a close look at the importing entity: how seriously are they taking this, and can they show you how they'll comply? A supplier should be able to help (if they don't know or won't help answer these questions, that should tell you a lot about your risk exposure…). If it's an intra-group transfer, make sure it's more than a box-ticking exercise: can the overseas importer really comply and, if not, what needs to change? Avoid these difficult questions at your peril!
5. Future-proofing and "further assurance"
There's more to come! Supervisory authorities will issue guidance. We can probably expect a greater uptake of Binding Corporate Rules (another, more complex transfer mechanism). We anticipate updated SCCs from the European Commission (the most recent are from 2010 – ancient in data protection terms). If nothing else, it's now a matter of relative certainty that market practice will get an upgrade.
There are also serious implications for Brexit (if the SCCs need a new approach for transfers to the rest of the world, they'll need the same approach for transfers to the UK). One practical drafting tip is to make sure that your contracts include decent further assurance clauses, as you can be fairly sure that you will be called on to revisit the issue in the months or years to come.
We hope that this is useful and helps to reassure our clients that there are ways through the muddle. Please do get in touch if we can help.