There was no major election in November in the European Union, but there were two important privacy initiatives related to personal data transfers under the General Data Protection Regulation (GDPR). These apply not only to companies in the EU, but also to any companies doing business with the EU.
The European Data Protection Board (EDPB) on Nov. 11, 2020, published Recommendation 01/2020, which supplements transfer tools for complying with EU regulations for protecting personal data.
Then on Nov. 12, 2020, the European Commission published a draft on standard contractual clauses (SCCs) for the transfer of personal data to non-EU countries. The new SCCs are expected to be adopted during the first quarter of 2021.
Year Zero in Personal Data Transfers
The EU privacy regime continues to apply to personal data undergoing processing outside of the EU, i.e., to “transfers.” The definition of transfer is broad and includes hosting or remote access. The GDPR has various transfer mechanisms, with adequacy decisions (a formal recognition by the EU that another country or territory has an adequate level of data protection) and standard contractual clauses (imposing GDPR requirements by contract) being the two relevant ones here.
The Schrems II ruling in July 2020 invalidated the Privacy Shield (the EU-U.S. adequacy decision). The judgment also served as a reminder that entering into standard contractual clauses is not enough.
An organization must determine whether the level of protection in the third country is essentially equivalent to the one in the EU. If not, data exporters are required to identify “supplementary measures” (i.e., “additional safeguards”) to protect the data. Failure to do so effectively means no transfers (and, if transfers happen regardless, a risk of high fines and reputational damage).
Impact on the Flow of Personal Data
Below are some examples of situations showing the broad impact of these EU developments on organizations outside the EU.
Your U.S. group has a presence in the EU. Consequently, data flows from the EU to the U.S. entities, whether for intragroup purposes such as HR management, to support business development through the sharing of contact data for marketing purposes, or as part of your regular activities.
Your U.S. group does business with counterparties in the EU. Having providers, suppliers, clients, or prospects in the EU, or hosting personal data for an organization located in the EU, means you have personal data flows.
In both cases, your EU counterparts will have to undergo a review of the way they transfer personal data to you. This is to address the Recommendations and to transition from the existing SCCs they have in place (assuming this is the legal transfer mechanism they rely upon) to the new SCCs.
Data exporters now need to review whether, in the context of the transfer, the personal data could be accessed by authorities in the data importer’s country. In the U.S., this could be the case for companies that are subject to the Foreign Intelligence Surveillance Act or Executive Order 12333 (or indirectly deal with such companies).
The Schrems II case casts doubt as to whether the U.S. offers an adequate level of protection; the assessment will be made under a benchmark known as the European Essential Guarantees. Then, additional and onerous measures might be required:
- contractual (i.e., legal clauses to be incorporated in data exporter-data importer contracts);
- technical (e.g., state-of-the-art encryption); and/or
- organizational (policies addressing data transfers, publication of transparency reports, etc.).
The New SCCs
The new SCCs go modular to deal with the different roles that data exporters and importers can have when transferring data. They also include provisions that reflect some of the supplementary measures identified by the Recommendations.
A one-year sunset period is granted by the European Commission to allow organizations to comply with the new requirements. If existing SCCs are to be amended (e.g., new processing activities, a new party, to deal with Brexit) once the new SCCs are in place, you will be required to transition to them.
What to Expect
As accountability pressure increases, so will the requests you receive from your EU counterparts.
From the Recommendations, expect more questionnaires, checklists, and more onerous provisions (keeping a register of requests received from authorities, documenting the steps taken to make the information available, additional security measures, or more stringent audits) in your agreements.
If you haven’t yet received many such requests (or haven’t prepared for them), this should be high on your privacy to-do list for 2021.
From the new SCCs, plan how you will be addressing requests to transition. Those could come as early as February. Make sure you get familiar with the various options and modules in the draft (but stay open to changes), track the SCCs you have in place, and be ready to revisit your qualification (controller or processor) under the clauses.
The EU made it clear that passive compliance is not an option. If you need EU personal data in your operations, you must take steps to comply with the new standards. Your business depends on it.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Diletta De Cicco is an associate in Steptoe’s Brussels office, where she focuses on cybersecurity, data, and privacy matters. She holds a Certified Information Privacy Professional/Europe (CIPP/E) certification from IAPP. She is the co-chair of the IAPP Brussels KnowledgeNet chapter.
Charles Helleputte is a partner in Steptoe’s Brussels office, where he heads the EU cybersecurity, data, and privacy practice. He holds a Certified Information Privacy Professional/Europe (CIPP/E) certification from IAPP. He serves as European advisory board member for IAPP.