We have all read about the recent judgement by the Court of Justice of the European Union (CJEU) on the EU-US Privacy Shield and Standard Contractual Clauses (SCCs). I am not going to go into the history of the cases Schrems has brought to the Irish Data Protection Commission against US companies such as Facebook. What matters for this article is that the USA is a third country in the eyes of the EU, and the free flow of personal data to it had been allowed because of the EU-US Privacy Shield.
Following an investigation by the Irish DPC into the complaint Schrems made, the Irish High Court referred the DPC's concerns to the CJEU. What we need to remember is that the Schrems complaint and the concerns of the Irish DPC were about whether SCCs offered sufficient protection when personal data is processed in the US. The Advocate General of the CJEU gave an opinion that the SCCs were still valid, but raised concerns about the EU-US Privacy Shield and the level of protection it gave to EU citizens' personal data in the US, especially taking into account US law enforcement and intelligence activities.
The judgement ruled that the EU-US Privacy Shield was invalid and that transfers relying on that mechanism had to stop with immediate effect. This has caused an enormous amount of confusion and sent organisations running to the SCCs as the legal mechanism for continuing transfers of data to the US.
A separate part of the judgement said that SCCs remain a valid mechanism for transferring data to third countries, but with an additional requirement: organisations using them must conduct full due diligence on the transfer. The CJEU ruled that the level of protection the GDPR gives to a data subject's personal data travels with the data to the third country and the data importer. If that same level of protection cannot be provided by the receiving jurisdiction or the importer, the SCCs will not be a valid basis for the transfer.
So, where does this leave us in Jersey? Jersey is not in the EU; we have our own law, the Data Protection (Jersey) Law 2018 (DPJL), and our own requirements for transfers of data to third countries. On 22 July 2020, the Jersey Deputy Information Commissioner Paul Vane published a blog on the EU-US Privacy Shield invalidation (read it here).
As Deputy Commissioner Paul Vane points out, SCCs are not directly binding on Jersey-based companies, but the Jersey Office of the Information Commissioner (JOIC) will in all likelihood consider SCCs a valid mechanism for transferring personal data to a third country, as long as the level of protection afforded by the agreement meets the standards laid down by the GDPR and the DPJL.
Article 66 of the DPJL states:
(1) A controller or a processor must not transfer personal data for processing or in circumstances where the controller or processor knew or should have known that it will be processed after the transfer to a third country or an international organization, unless that country or organization ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
(2) The level of protection referred to in paragraph (1) is adequate if –
(a) the Commission has so decided, by means of an implementing act under Article 45 of the GDPR;
(b) there are appropriate safeguards in place that meet the requirements of Article 66; or
(c) the transfer falls within the exceptions set out in Schedule 3.
(3) Regulations may –
(a) amend Schedule 3;
(b) make further provision about international transfers of data.
SCCs are not just for the USA but for any third country without an adequacy decision. Jersey was assessed as having all the safeguards needed to protect personal data to the high standards of the EU and was granted an adequacy decision; this, of course, was before the GDPR came into force in May 2018. Jersey and most other jurisdictions with an adequacy decision will need to be re-assessed against the standards and safeguards provided by the GDPR.
But let us just look at the US for now. The issue is the access that US authorities have to the personal data of non-US persons under the laws the CJEU examined in its judgement, i.e. 50 U.S. Code § 1881a (Section 702 of the Foreign Intelligence Surveillance Act, FISA) and Executive Order 12333, together with other US laws with comparable objectives (e.g. the US CLOUD Act). The question for each transfer is whether the data importer is subject to those laws and can be required to make the personal data available to US authorities under them.
If the data importer does fall under any of these laws, and no supplementary measures can be put in place that effectively prevent that access, the data controller has to stop the transfer immediately: the US does not offer the level of protection required by the DPJL or the GDPR, so the SCCs alone cannot be relied on.
So is there any other way data can be transferred to the US legally within the scope of the DPJL or the GDPR? If you are a multinational company with an establishment in the US, you can still use Binding Corporate Rules (BCRs). These are for transfers within the same organisation and need to be approved by the JOIC before they are put in place. The JOIC will ask for the same level of protection for data subjects' personal data as with SCCs, so BCRs may not be approved for the US because of the same law enforcement and intelligence access.
Schedule 3 (Article 66(2)(c)) of the DPJL gives exceptions to the adequacy requirement, so you could consider consent as a means of transferring data to the US. This means, of course, that every data subject must have explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers to them due to the absence of an adequacy decision under Article 45 of the GDPR and of appropriate safeguards.
You also have to remember that consent can be withdrawn at any time by the data subject. If that causes problems, you should seek an alternative exemption. You could consider relying on a contract between the data subject and the controller. This applies where the transfer is necessary for –
(a) the performance of a contract between the data subject and the controller; or
(b) the implementation of pre-contractual measures taken at the data subject’s request.
There are other exemptions, which can be read here – go to Schedule 3 of the law. They are all very similar to the derogations in Article 49 of the GDPR.
Now that you have considered all of that and decided that you are not going to transfer data to the US, because you cannot find a way to do so that gives a level of protection you are happy with, you have to look at your data processors and whether they are transferring your data to the US. If they are, the same rules apply. Your data processor agreement must state whether such transfers are authorised or not. You should also remember that merely providing access to data from a third country, for instance for administration or support purposes, also amounts to a data transfer.
It does not stop there; as part of your due diligence you are responsible for knowing where your processors' sub-processors transfer your data.
If your data is transferred to the US and measures cannot be put in place to ensure that US law does not impinge on the required level of protection, and the exemptions under Article 66 of the DPJL do not apply, the only solution is to forbid data transfers to the US. Data should not only be stored but also administered in Jersey, the EU or another jurisdiction that can provide the required level of protection.
So to end, I will suggest the following:
1. Know where your data is going. To know this you have to map the data flows from your organisation to your processors and their sub-processors. Be very clear about the points where your data may be transferred to a third country and what implications that has for your data.
2. Review all your current data processors and drill down on what they do with your data.
3. Review your IT applications and data storage, such as Google or Office 365. Where do they store your data, and can another jurisdiction access it? If you only use the application for data storage, consider encrypting the data before it is stored, with the keys kept under your own control rather than the provider's; encryption the provider performs with keys it holds does not stop the provider, or a jurisdiction that can compel it, from reading the data.
4. Do your due diligence on other third countries to ensure they have an equivalent level of protection to the DPJL. Document your findings in your risk assessment.
5. Keep up to date with the advice coming from the European Data Protection Board (EDPB) and the JOIC. The world cannot stop transferring data, so they have to provide a safe mechanism for us to do so.
If you would like to explore this further or need assistance with mapping your data flows, the team at Propelfwd can help. Contact us.