New compliance obligations for cross-border data transfers | Baker Donelson
Why the EU has struck down the Privacy Shield
Before July 2020, more than 5,000 companies transferred personal data from the EU to the United States through the Privacy Shield framework approved by the United States and the EU. In the 15 months since the Schrems II decision, companies have been grappling with this “Suez Canal moment,” which poses serious obstacles to transatlantic data transfer. Similar to the accidental blockage of the Suez Canal by the container ship Evergreen in 2021, the deadlock in cross-border data transfer is jeopardizing EU-US trade estimated at $1 trillion per year.
Frictions between the EU and the US over cross-border data transfer stem from their different approaches to privacy and data protection: while the US sees data privacy as important, the EU considers it inalienable and sacred. Edward Snowden’s revelations about US surveillance programs further demonstrated that the US federal government can compel companies like Facebook to hand over data of EU residents. In response, the EU court ruled that US laws undermine the protections in the General Data Protection Regulation (GDPR). The court noted in its opinion that US national security laws do not grant individuals sufficient rights when their personal data is intercepted by US intelligence agencies.
Options for cross-border data transfers
US organizations must undergo an in-depth, case-by-case assessment of cross-border data transfers, known as a Transfer Impact Assessment (TIA). Other options are Binding Corporate Rules (BCRs), but these are generally not preferred by most organizations.
When to modify existing agreements with the new SCC
For contracts signed before September 27, 2021 under the old SCC, companies have until December 27, 2022 to transition to the new SCC. The new SCC is provided in a single document with four distinct cross-border transfer scenarios, or modules:
- Controller to controller,
- Controller to processor,
- Processor to processor, and
- Processor to controller.
A company should select the applicable module before initiating the transfer under the new SCC it has executed. A key step of the TIA described below is that the company must also adopt additional measures, beyond the new SCC itself, to provide EU residents with data protection equivalent to the GDPR.
The six steps of a transfer impact assessment
The European Data Protection Board (EDPB), the EU body responsible for implementing the GDPR, has asked companies exporting personal data from the EU to the US to complete the following six-step assessment:
Step 1: Perform data mapping for the cross-border data transfer.
Step 2: Identify the appropriate transfer tools, i.e. the new SCC or another mechanism.
Step 3: Assess whether the GDPR will be compromised by the laws and/or practices of the third country (i.e. the United States) applicable to the specific data transferred, based on relevant, objective and publicly available information.
Step 4: Identify and adopt the appropriate contractual, technical and organizational measures (additional measures) if the laws of the third country do not have equivalent protection to the GDPR.
Step 5: Take formal procedural steps to adopt additional measures.
Step 6: Reassess at appropriate intervals the protection afforded to transferred EU personal data.
Whether organizations choose the new SCC or other transfer tools for cross-border transfers, they should involve their data privacy legal advisor to perform the six-step TIA mandated by the EDPB.
The good news is that an organization does not need to repeat the assessment every time it transfers the same specific categories of personal data to the same country outside the EU. For example, if a company regularly transfers to the United States a dataset containing the names, email addresses and job titles of EU residents, the company must complete and document a TIA specific to the transfer of this type of dataset to the United States in order to comply with the EDPB guidelines. For this specific scenario, the company can rely on the documented TIA without repeating the same process for each data transfer, subject to the following conditions:
- The transfer involves the same specific type of data from the EU to the same third country, i.e. the US in this case,
- It continues to implement the necessary additional measures, and
- It reassesses and monitors the level of data protection afforded to this specific dataset by maintaining ongoing vigilance over the laws and practices of the third country.
Similar to the blockage of the Suez Canal in 2021 that disrupted global trade, businesses will feel the ripple effects of the Schrems II decision as they operationalize and implement the new SCC. Most US organizations will now have to rely on the new SCC as their primary tool for cross-border transfers. The new SCC provides a mechanism to facilitate commerce, while imposing complex and ongoing contractual data protection obligations. All organizations should thoroughly review the conditions and implement additional measures, or risk leaving their cross-border data transfers on tenuous legal footing.