On June 4, 2021 – as a result of the 2020 Schrems II decision – the European Commission published new versions of its Standard Contract Clauses (SCCs) under the European Union’s (EU) General Data Protection Regulation (GDPR). GDPR and EU member-state data protection laws, along with the United Kingdom’s Data Protection Act, require data exporters (e.g., a ‘data controller’ based in Europe) and data importers [such as “a data processor” (or supplier) located outside the UK or EU] to have “adequate” protections in place or identify an exception in the relevant law.
SCCs are a primary means to effectuate European data transfers under those rules. The new versions of the SCCs came into effect on September 27, 2021. We previously reviewed some of the prominent features of the new SCCs and the timetable for implementation in our July blog post on the topic.
One key aspect of the European Commission’s June 4 decision is that the parties to the SCCs, i.e., the controllers and/or processors, are now required to both assess the risks associated with transferring European/UK personal data to a non-EU country and warrant consistent protections for the data while it is processed outside of the EU/UK. This means that the parties will likely need to conduct a Transfer Risk Assessment (TIA). There is still much-requiring clarification by the European Commission and supervisory authorities (including in the UK) regarding the necessity for TIAs, but presently this much is certain:
- TIAs must be conducted when the data processing to occur outside of the EU/UK could result in a risk to the rights and freedoms of natural persons, i.e., European data subjects. While this standard is somewhat unclear, it has been well-established that European supervisory authorities are concerned with data transfers that could result in a government agency, such as in the US, having unfettered or surreptitious access to European personal data. Data transfers to large cloud providers have also previously come under scrutiny, with some European supervisory authorities contending that those cloud providers fail to process personal data in accordance with European data protection law. Consequentially, organizations may simply need to conduct TIAs in all or most circumstances where a data export is planned.
- The data exporter and the data importer need to coordinate on the TIA. While one of the parties, such as the data controller, can lead the exercise, both parties should participate to ensure the consistency and integrity of the TIA.
- The TIAs must be documented. Unfortunately, regulators have yet to release any “official” TIA templates. However, some associations and agencies (e.g., IAPP and the UK Information Commissioner’s Office) have begun to promulgate their own drafts. In any case, while it seems possible to conduct a TIA as part of another workstream, such as a broader privacy impact assessment project, the TIA itself should be clearly articulated and discernable in written form. Doing so is important because…
- …the TIAs will need to be made available to relevant EU/UK supervisory authorities upon request. We do not yet have a sense of whether authorities will ask to see TIAs en masse, as part of spot audits, or only when cases or controversies arise. However, the parties will need to be prepared and have records ready in any case.
To meet these requirements, and despite some remaining ambiguity, organizations have already begun to conduct TIAs for new personal data transfers from the EU and the UK. The most logical moment to do so is when negotiating a new contract between a data exporter and importer, whether controllers or processors. Some organizations may decide to conduct TIAs before starting a new project/Statement of Work that will involve transferring personal data outside of Europe.
A third opportunity for organizations to conduct a TIA will be during the ongoing transitional phase of the new SCCs, which ends on December 27, 2022, when all applicable contracts are expected to incorporate the new SCCs. Through that date, organizations may wish to engage their data processors and controllers when reviewing, renewing, or amending existing agreements to complete TIAs if they have not already done so.
This, of course, may present significant planning, logistical, process, and resource concerns for organizations. Those who already have solid contracting, data inventorying/mapping, and privacy impact and vendor risk assessment mechanisms in place may fare better than those who do not. Wherever your organization stands concerning the new requirements, Elevate stands ready to help you meet these challenges.
Those who already have solid contracting, data inventorying/mapping, and privacy impact and vendor risk assessment mechanisms in place may fare better than those who do not.