NAALA | Not An Average Legal Advisor

Navigating International Personal Data Sharing

Navigating International Personal Data Sharing

International Data Sharing

Amy Eikelenboom

Co-founder of NAALA

Published on 4 November, 2021

By: Amy Eikelenboom – Co-founder of NAALA 

Published on 4 november, 2021

Following unsure times in the international data transfer area (which is pretty much affecting all digital users on a daily basis), we finally have guidance with the publishing of the final version of the new Standard Contractual Clauses (“SCCs”) by the European Commission (“EC”).

Why were there unsure times?

As you might know, each jurisdiction has its own (slightly different) regulations regarding data protection and privacy. The international sharing of data both within and between international organizations is complicated by these varying requirements. Various characteristics, such as the data subjects involved and the physical location of a data server, influence the applicability of specific regulation.

Jurisdictions have aimed to tackle any discrepancies between requirements with joint mechanisms, such as Safe Harbor[1], by which compliance presumably ensured an appropriate level of protection of personal data when being shared internationally.

The unsure times began when an Austrian privacy advocate, Maximilian “Max” Schrems, lodged a complaint with the Irish Data Protection Commissioner (“DPC”) in 2013. This complaint concerned the data transfers from Facebook’s European headquarters in Ireland to its server in the United States (“US”). Facebook’s international transfers were based on Safe Harbor. That sounds safe, right?

Well, Max Schrems had concerns about the potential access to personal data by the US National Security Agency (hereinafter: “NSA”).

This case, better known as “the Schrems case” or “Schrems I” was brought to the High Court of Ireland. The High Court of Ireland then referred preliminary questions to the Court of Justice of the European Union (“CJEU”) on the competence of national data protection authorities in relation to such matters of European law. On October 6th, 2015, the CJEU declared the Safe Harbor mechanism as invalid.

This ruling had a large impact on all parties sharing data internationally. With Safe Harbor being declared invalid, there was no mechanism in place ensuring data subjects’ rights following the European General Data Protection Regulation (“GDPR”). Following the CJEU ruling, the EC and US Department of Commerce began designing a suited alternative. This resulted in the EU-US Privacy Shield Framework. The European Commission deemed data transfers under EU law adequate using this framework on July 12th, 2016.

This was, however, not the end of the EU-US data sharing discussion. Following the Schrems I ruling, Max Schrems resubmitted his complaint to the Irish Data Protection Commission on the basis that Facebook had continued transferring personal data from its EU headquarters in Ireland to the US, relying on SCCs. This case had been referred to the CJEU as well along with eleven other questions for the court to address.

On 16 July 2020, the CJEU issued its Schrems II judgment, declaring the EU-US Privacy Shield invalid, but upholding the validity of SCCs as a mechanism that, in practice, make it possible to ensure compliance with a level of protection in accordance with the GDPR.

How to proceed?

Following the ruling that concluded SCCs remained valid as a data transfer tool, the EC has reviewed and published new SCCs last June. SCCs are now available for the following data sharing relations:

  • Controller to controller
  • Controller to processor
  • Processor to processor
  • Processor to controller

Concluding these SCCs is, however, not enough. Schrems II has transformed the way SCCs are concluded. On a case-by-case basis, parties need to verify adequate protection under EU law of the data transferred. To ensure this adequate protection, supplementary measures may be necessary.

Luckily, the European Data Protection Board (“EDPB”) released the Supplementary Measures Recommendations outline a six-step roadmap. These steps provide guidance in the assessment of any third country and the measures that can be taken to safeguard the transfer of personal data. The EDPB proposes the following roadmap:

As a controller or processor you must record your processing activities and communicate transparently to your data subjects. This information can assist you in detailing the data transfer at hand. Do not forget to consider any onward transfer, i.e. (other) sub-processors. Additionally, data protection principles, such as data minimization must also be taken into account.

The GDPR lists and envisages[1] transfer tools that you may rely on. Amongst these are adequacy decisions, SCCs, binding corporate rules (“BCRs”), codes of conduct, but also derogations for transfers in certain situations.

[1] Chapter V, GDPR

Step 3 deserves specific attention as this relates to the, what we now know as, Transfer Impact Assessment (“TIA”). A TIA assesses whether transfer tools, such as SCCs, being relied upon remain effective in specific circumstances of the transfer. This assessment may include the following questions:

  • What types of personal data are being transferred? How much of the data is in the public domain?
  • What technical and organizational measures are in place to protect the personal data during and after the transfer?
  • What is the legal framework in the third country receiving the data in light of all circumstances of the data transfer? How likely are they to be exercised?
  • Do third country government agencies have the availability of access requests?
  • Are data subjects still able to exercise their rights in the context of international transfers?
  • Are fundamental rights of individuals still upheld?

If your TIA has revealed that the transfer tool you wish to rely on is not effective, you will need to consider supplementary measures. The supplementary measures should have the potential to ensure, supplementary to the safeguards of the transfer tool, that the data is afforded a level of protection essentially equivalent to that guaranteed within the EU. The EPBD provided examples of supplementary measures in Annex II of their recommendation.

After you have identified effective supplemented measures they must be implemented and procedural steps may be taken based on the transfer tool relied upon.

The developments in the third country must be monitored for any impact on your initial assessment. Preferably, there is a set interval and procedure for assessing (and recording) developments in the third country and their impact on the transfer tool and additional measures taken.

Please be referred to the EPBD’s recommendations for the exact definitions before performing your TIA.

What now?
 
The EC has issued an implementing decision on the new SSCs. From September 27th, 2021, any international data transfer that is based on the SCCs transfer mechanism will need to be based on the new SCCs. By December 27th, 2022, the new SCCs need to be incorporated into all international data transfer agreements, irrespective of when these agreements were concluded provided that the processing operations remain unchanged.
 
[1] The Safe Harbor agreement was negotiated between the US and the EU to allow US companies to meet EU data protection requirements. Transfer of personal data between EU member states and the US were permitted under this agreement.
 

At NAALA we are experienced in determining your international data sharing strategy and monitoring the appropriate requirements. Please feel free to contact us for support.

Questions? We are happy to discuss your specific case.

Related

For those working with health data, HIPAA and GDPR surely sound familiar. However, their impact may be less well known. To what extent do the US federal law and European Regulation correspond?

Requirements result in a set of documentation that needs to be in place. We make a distinction between ‘internal’ and ‘external’ documentation.

Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only. Changes in legal or regulatory requirements may occur at short notice, which we cannot reflect on a daily basis.