Lightning does not strike twice – except, it would seem, in the land of data privacy. Having struck down Safe Harbor – the agreement governing EU-US data transfers – in 2015, the Court of Justice of the European Union (CJEU) went on to condemn its replacement, the beleaguered EU-US Privacy Shield, to a similar fate just over a year ago.
This presented the more than 5,400 businesses reliant on the Privacy Shield to move data across borders with a bit of a problem. Happily, though, comfort was found in the shape of Standard Contractual Clauses, which seemed to provide an easy, quick-fix to the data transfer challenge. Except they didn’t.
Now, it would be wrong to say that lightning struck a third time – the CJEU did not invalidate SCCs – but the Court did rule, in the same judgment that put an end to the Privacy Shield, that businesses must assess the underlying transfer of data to which the contracts apply. A cookie cutter approach simply wouldn’t work.
The upshot is that business lost what it thought was a silver bullet, and for many readers, question marks still linger over the issue of data transfers between the EU and the US. Not only are these questions unlikely to disappear overnight, but in the months ahead, they could in fact intensify. After all, the broad powers of US authorities are proving to be one rather large spanner in the works of the ongoing EU-US data adequacy negotiations.
Businesses, then, could be forgiven for scratching their heads about what the legal requirements for transferring data actually include.
However, the European Commission recently (in June 2021) published its updated SCCs, which included provisions to combat the flaws identified by the Court, whilst the European Data Protection Board published its advice on the supplementary measures a business must take just a few days later. Taken together, the guidance does provide business with a route through the confusion.
Put simply, the guidance sets out six stages that should be completed to assess the risks of the transfer, which include:
- identifying both the initial transfer, and also any onward transfers,
- advising businesses to identify the transfer tool relied upon,
- considering whether it is effective when considered alongside national law of the importing nation,
- considering whether any “supplementary measures” are needed to safeguard the transfer. These include certain technical measures (eg, encryption and pseudonymisation), contractual measures (including imposing obligations on receiving data) and organisational measures (such as access controls),
considering any country-specific procedural steps (e.g. consulting with the relevant data supervisory authorities in the exporting country), and
- keeping ongoing obligations under review – ie: re-evaluating transfers at appropriate intervals.
It is important to note that the data protection landscape will continue to change. If the former Secretary of State for Digital, Culture, Media and Sport, Oliver Dowden, is to be believed, the UK may deviate from the GDPR in the months ahead. We’re still awaiting the proposals, so it’s too early to say precisely how the new regime will look, but if early rumblings are to be believed, UK businesses will need to watch this space closely.
Of more immediate concern is the publication by the UK Information Commissioner’s Offices of its draft international data transfer agreement [PDF] and associated guidance in August this year, adding another facet to the already complex landscape.
And thereby hangs the tale. At its core, the General Data Protection Regulation (GDPR – and in post-Brexit Britain, UK GDPR) was about promoting accountability and so, no matter where lightning strikes in the future, nothing will protect businesses more than being on their front foot. ®
Rafi Azim-Khan is head of Data Privacy Europe at Pillsbury Winthrop Shaw Pittman, and Steve Farmer is a partner at the firm.