Transfers of personal data to the U.S.: update on EU Standard Contractual Clauses (SCCs)
Reminder: the SCHREMS II judgment of the CJEU
On July 16, 2020, in its long-awaited SCHREMS II ruling, the Court of Justice of the European Union (CJEU) invalidated the agreement between the European Union and the United States known as the "Privacy Shield".
The Privacy Shield is no longer an acceptable legal basis for such transfers.
The Court also ruled on the European Commission's standard contractual clauses, which it did not invalidate. However, it recalled that it is up to the parties to verify the level of data protection in the countries to which the data is exported, in order to guarantee compliance with the principles of the GDPR. In particular, the importer (who takes the data to the USA) must assure the other party that the legislation of its country allows the clauses to be respected and thus ensures a level of guarantees in accordance with European law. In the event of legislation contrary to European law, the exporter must take measures such as terminating or suspending the transfer (articles 5.b and 8.3 of the standard clauses).
Using these clauses raises a difficulty: the US surveillance regime is not framed in such a way as to meet requirements substantially equivalent to those that EU law imposes through the principle of proportionality, because the surveillance programs based on these regulations are not limited to what is strictly necessary.
In other words, the standard contractual clauses do not prevent the United States from going beyond the European protective framework and thus cannot be used as they stand.
Now that we know this and have realized that a very large number of services transfer data under our responsibility to the US, what can we do?
First, as we have said, make a list of these services and check that nothing is being transferred on the basis of the Privacy Shield.
Secondly, there are no miracle solutions. The EDPB (European Data Protection Board, a grouping of European DPAs) has given its opinion and published a FAQ (available here).
It considers that the American legislation does not guarantee a substantially equivalent level of protection and that the clauses are therefore not sufficient as they stand. According to articles 5.b and 8.3 of the clauses, it is thus necessary either to stop the transfer or terminate the contract, or to inform the competent supervisory authority that the transfer is continuing.
Most importantly, it states that an assessment must be made to measure the level of risk of the transfer with respect to U.S. law. This assessment, which is part of the documentation that must be kept, is an opportunity to consider additional measures for the transfer.
If the assessment concludes that there are sufficient safeguards to ensure a transfer in compliance with European law, then you may proceed with the transfer.
If the assessment concludes that the guarantees are not sufficient, then you must either stop the transfer or, if you continue, inform the supervisory authority.
What additional measures should be taken?
This is decided on a case-by-case basis, but technical measures naturally come to mind. Several supervisory authorities have already put forward suggestions, such as the supervisory authority of Baden-Württemberg in Germany, which mentions the following acceptable measures (here):
- encryption of data with a key that is known only to the data exporter and that cannot be broken even by the American services (which in this case will be very difficult to prove),
- anonymization of personal data.
One can also add data minimization, pseudonymization and the absence of data retention. Depending on the context, the measures will need to be more or less strong. In the case of data transfers for the purpose of technical support, one could, for example, imagine that only indirectly identifying data is transferred (such as a piece of code that has been stripped of directly identifying data) and that no re-identification is possible for the importer (in the USA).
Today, the authorities have not made a concerted decision. The CNIL has not yet communicated on the subject and is analyzing the consequences of the ruling.
The EDPS has indicated that he will come back with clear guidelines to present these acceptable complementary measures.
What can be done?
Stopping all transfers without having concrete proposals from the supervisory authorities probably seems premature. The real risk has not been multiplied since the SCHREMS II judgment: the US legislation existed before. Today, the main risk is legal and European.
Thus, in the logic of accountability, transfers must be evaluated and documented while waiting for the DPAs' guidelines. There is a good chance that the supervisory authorities will adopt a reasoned position in the face of this legal earthquake.
The same Baden-Württemberg authority has stated that, under current conditions, Microsoft's Office 365 cannot be used in compliance with data protection regulations. However, it has indicated that it is working with Microsoft to find solutions. The major American companies, which are primarily affected by this decision, will certainly take steps to provide sufficient guarantees to comply with European law in the context of transfers on the basis of the standard clauses.
These standard clauses are currently the only way to continue massive US transfers.
As data controller, you can ask your US processors which additional measures they have implemented, in order to document your compliance.
The European Commission has indicated that a new version of the clauses is being studied in order to take into account the provisions of the SCHREMS II judgment. According to Margrethe Vestager, the European Commission's Executive Vice President in charge of digital, these should be in place before Christmas... pending a new agreement with the USA?