The European Union’s General Data Protection Regulation (GDPR) prohibits transfers of personal information about Europeans to destinations outside of the EU unless one of several tests is satisfied. As pertains to transfers of information to the United States, the most common bases for such data transfers are (1) express consent of the individual, (2) necessity for the performance of a contract with the individual, and (3) standard contractual clauses (SCCs) adopted by the European Union.
In many cases, US companies provide back-end services to large organizations with operations in the EU. Those large organizations routinely ask the service companies to agree to the SCCs in order to comply with the GDPR.
On September 27, 2021, a new set of SCCs came into effect. Parties relying on the SCCs for transfers of personal information from the EU to the US must now use them in all new contracts and in all modifications of existing contracts. The old SCCs may be relied upon in older contracts until December 27, 2022, by which time the parties must transition to the new SCCs.
On the surface, the new SCCs are an improvement because they are modular. They allow for lengthy chains of processors and subcontractors serving a single data controller. This may arise, for example, in the context of cloud storage of personnel records for the purpose of computing withholding taxes. The cloud service provider may subcontract some of its duties, passing personal information to third parties; and those subcontractors may in turn pass the information to their own vendors for further processing.
While the new SCCs acknowledge the complexity of today’s internet-driven data chains, they also impose requirements that are likely to be honored in the breach because of the difficulty of true compliance.
The rubber starts to hit the road in addressing the required annexes to the SCCs. In Annex I, the parties must specify the categories of personal data being transferred, the categories of individuals whose personal data is being transferred, any sensitive data being transferred, the frequency of the transfers, the nature of the process, the purpose of the data transfer, and the retention period of the data being transferred.
Annex II requires a description of the technical and organizational measures being taken to ensure the security of the data. The explanatory note states that the description must be specific, not generic. The description must take into account the nature, scope, context and purposes of the process, and the risks for the rights and freedoms of individuals.
These annexes will require thought and time to prepare properly, but they are not unreasonable. However, a further requirement, not specified in the annexes, may present an exercise in futility for transfers of data to the US.
Clause 14 of the SCCs requires the parties to warrant that they believe that US laws and practices regarding disclosure of personal data to police, intelligence services and other public authorities, “do not exceed what is necessary and proportionate in a democratic society” to safeguard such interests as national security, national defense and public security.
This warranty must be given after taking into account a number of factors, including the length of the processing chain, the type of recipients, the categories and format of the data, the economic sector in which the transfer occurs, and the storage location of the data. Moreover, the parties must take into account the US laws and practices regarding the disclosure of data to US authorities. Finally, the parties must document this assessment and make the assessment available to EU privacy authorities upon request.
There are two fundamental problems with this: the scope (and potential cost) of the undertaking; and its potential for futility. While the prospect of preparing the analysis that is contemplated is daunting, it may be made somewhat easier by referring to the numerous documents created by and for the Commerce Department in its attempt to support the “EU-US Privacy Shield,” which the EU Court of Justice held to be invalid in 2020.
As that invalidation suggests, parties relying on such an analysis should be aware that they are wandering into an area that has been hotly contested in Europe. Several privacy advocates have long challenged any and all means of transferring data about EU residents to the US because of what they believe to be excessive power granted to the CIA, the FBI and similar agencies charged with intelligence gathering. And so far, these privacy advocates have a stunning record of success in overturning all arrangements meant to accommodate EU-US data transfers.
You can find a history of the challenges on the website of NOYB (an acronym for “None of Your Business”). The short version is that Max Schrems, an Austrian, has managed to invalidate two separate arrangements made between the EU and the US (first the “Safe Harbor” compact, and its replacement, the Privacy Shield). In ruling the Privacy Shield to be invalid, the Court of Justice of the EU declined to also invalidate the SCCs, ruling that they could be valid if the parties have undertaken adequate analysis and investigation to make sure that the principles of the EU are not violated. Clause 14 of the new SCCs is intended to ensure compliance with this requirement.
There is a distinct possibility that any analysis undertaken to show compliance in the United States with EU principles of privacy will be a castle built on sand. Privacy advocates in the EU believe that US surveillance laws – FISA in particular – are fundamentally at odds with EU values and cannot be reconciled with them. They may also point to a recent court ruling, which our newsletter covers here, that the FBI may snoop on an individual’s web browsing without a warrant, as being inconsistent with EU values.
It is only a matter of time before Mr. Schrems brings this question to the fore in Europe and seeks a ruling that the revised SCCs merely promote the carrying on of a charade that ignores the fundamental problem presented by FISA and similar US laws. The outcome of such a challenge is hard to predict, but the success that Mr. Schrems has enjoyed to date suggests that the new SCCs may have a limited life span in enabling EU-US data transfers unless US surveillance of EU citizens is curtailed.
In the meantime, US processors of data pertaining to EU residents should be prepared to adopt the new SCCs and should be aware of the substantive documentation, analysis and record-keeping required to comply with their terms.