New EU data privacy laws impact companies in 2022.
In June 2021, the European Commission adopted a new set of standard contractual clauses (SCCs) for the transfer of personal data outside of EU countries to third countries such as the United States. For decades, businesses have found it challenging to ensure that transfers of EU citizens' personal data to the US are legal. For many organizations, proving that data is legally transferred to the US without facing fines or claims has become exhausting.
US organizations that process EU users' data typically want to use data processing tools hosted in the US. Say you want to process EU users' data using third-party tools such as Amazon Web Services, Facebook, ConvertKit, MailChimp, or Google Analytics. Using US data processing tools requires transferring the data to the US, and that transfer is subject to GDPR rules. As a controller or processor, it is incumbent on you to ensure GDPR compliance.
The Schrems II Judgement
In the Schrems case, activist Maximilian Schrems argued that personal data processed in the US was subject to the US Foreign Intelligence Surveillance Act (FISA). In its judgment, the EU court found that, considering FISA and other laws, including presidential Executive Order 12333 (EO 12333), US law alone could not protect EU personal data to a standard satisfactory under GDPR.
FISA and EO 12333 allow the National Security Agency (NSA) to seize the personal data of EU citizens for surveillance and monitoring programs. The court noted that "EO 12333 allows the NSA to access data in transit to the US by accessing underwater cables on the floor of the Atlantic." On July 16, 2020, the day of the Schrems II judgment, the Court of Justice of the EU (CJEU) invalidated Privacy Shield and declared the previous SCCs inadequate on their own.
It is up to the organization exporting data to the US or another third country to perform a Transfer Risk Assessment to determine whether the recipient country's legislation meets GDPR requirements. If it does not, additional safeguards are necessary. After Schrems II, the European Data Protection Board (EDPB) published recommendations to help data exporters process personal data within the scope of GDPR. The EDPB guidelines outline a six-step process for legal data transfers to the US.
The EDPB Six-step Data Transfer Process
- Know Your Transfers
Understand the complete data flow of the personal information you collect. Mapping all transfers of personal data to third countries can be a challenging exercise: businesses often engage in multiple, diverse, and regular transfers with third countries and use a series of processors and sub-processors. Knowing your transfers is an essential first step to fulfilling your obligations under the principle of accountability.
- Verify the 'Legal' Transfer Tool You're Relying on
For data processing in the US, you need SCCs, BCRs, or user consent to maintain GDPR compliance. The available transfer tools are:
- Adequacy decision – The EU ruled US law inadequate in Schrems II
- Standard Contractual Clauses (see the new contractual clauses below)
- Binding Corporate Rules (BCRs)
- User Consent
- Conduct a Risk Assessment of US Laws Affecting Your Data
The EDPB recommends conducting a risk assessment of the US laws that affect your data, measured against GDPR. In Schrems II, the EU court ruled that US laws do not provide adequate protection under GDPR, so supplemental measures are required per GDPR Article 46.
- Adopt Supplemental Measures to Protect your Data
The supplemental measures include technical, organizational, and contractual recommendations. For example, an organization might deploy encryption or split-processing technology, adopt administrative policies for data minimization, and update its contracts based on the new SCCs.
- Take the Necessary Procedural Steps
Necessary procedural steps include implementing the new SCCs. The EDPB refers to Article 46 for the recommended GDPR data transfer tools. According to Art. 46, appropriate safeguards may be provided by contractual clauses between controllers and processors of personal data in the US and other third countries.
- Periodically Re-evaluate
Review your transfer tools and risks at appropriate intervals. "Accountability is a continuing obligation." – GDPR Article 5
EU SCCs for the Transfer of Personal Data to Third Countries
On June 4, 2021, the European Commission released new standard contractual clauses to facilitate data sharing. The EU published the SCCs in a "modular" structure for flexibility: organizations choose the modules and clauses appropriate to their situation.
EU Standard Contractual Clauses - Modules:
- Controller-to-controller transfers
- Controller-to-processor transfers
- Processor-to-processor transfers
- Processor-to-controller transfers
According to GDPR Article 4:
- 'controller' means the natural or legal person, public authority, agency, or other body which alone or jointly with others, determines the purposes and means of processing personal data.
- 'processor' means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
The new 'pre-approved' SCCs replace the previous SCCs adopted under the prior Data Protection Directive. As of September 2021, it is no longer possible to conclude contracts incorporating the earlier sets of SCCs. For contracts executed before September 2021, businesses can continue to rely on the earlier SCCs until December 2022.
Read the full text of the new SCCs at the European Commission.
US businesses should assess and update their GDPR data transfer tools based on the new EU guidance and must update their contracts to the new EU standard contractual clauses by December 2022. New 2022 contracts must use the new pre-approved SCCs, and all existing agreements need to be reviewed and updated by December.
Truvantis has the expertise to guide you through Schrems II requirements and other complexities of GDPR, Federal and State privacy laws. At Truvantis, we do not offer a one-size-fits-all solution. We’ll work with you to build a privacy compliance solution unique to your business.