Understanding International Data Transfer’s Impact
The landscape of data privacy is certainly dynamic and, at times, imposing. In particular, transferring data across borders can be difficult to navigate. Does your journey to responsible and compliant data governance seem daunting? Let’s explore some of the data privacy implications and their impact on research.
What is Brexit’s Impact on Organizations with GDPR Exposure?
In addition to the need for a lawful basis for processing personal data subject to the General Data Protection Regulation (GDPR) [1], directly regulated and contractually obligated entities must also have a basis to transfer personal data outside the European Economic Area (EEA). Valid transfer mechanisms include:
- A blanket decision made by the European Commission (EC) that the destination jurisdiction maintains an adequate level of data protection [2]
- Conformance with appropriate safeguards such as standard contractual clauses (SCCs) [3] or binding corporate rules [4]
- Utilization of derogations such as informed consent from the data subject [5]
As the name implies, however, derogations should be limited exceptions rather than standard practice.
While the UK exited the EU on January 31, 2020, a grace period for the existing regulatory framework governing data privacy extended through December 31, 2020. [6] The flow of personal data from the UK to the EEA (and to those countries that were the subject of an adequacy decision by the EC at the time of Brexit [7]) was never in jeopardy. [8] However, a measure of uncertainty existed over the future state of EEA-to-UK transfers. This limbo persisted for another six months. [9] Then, on June 28, 2021, the EC adopted an adequacy decision ensuring the lawful transfer of personal data from the EEA to the UK. [10]
How Does This Impact Data Transfer to the United States?
Litigation known as Schrems II [11] (July 16, 2020) resulted in the invalidation of the EU-U.S. Privacy Shield, [12] which served as an adequacy determination. The Court of Justice of the European Union (CJEU) judgement, though rendered after Brexit, remains authoritative in the UK, as well as in the EEA. Consequently, the Privacy Shield can no longer be used as a tool for data transfers from either the UK or the EEA to the US, and entities that self-certified under the framework must decide whether to renew or abandon their related obligations (with associated costs), at least until a new paradigm for adequacy is established.
Furthermore, Schrems II has implications for relying on the appropriate safeguards for data transfer, including SCCs. Additional due diligence is required beyond executing the contractual terms in order to demonstrate accountability. Essentially, the private entities involved in the transaction are responsible for ensuring an adequate (that is, GDPR-equivalent) level of data protection throughout the voyage. These contractual terms cannot be susceptible to subversion along the way, given the actual circumstances in any particular destination.
What are Supplementary Measures?
The European Data Protection Board (EDPB) published recommendations on adopting and implementing supplementary measures necessary to legitimize transfers, including pursuant to SCCs. [13] The recommended steps are as follows:
- Map data flows
- Identify basis for transfer
- Assess effectiveness of transfer tool(s)
- Adopt supplementary measures, as necessary
- Consider process for implementing supplementary measures and documentation, as necessary
- Re-evaluate periodically
Foremost, organizations should map expected data flow, considering any onward transfers after the initial one outside the EEA. Then, organizations must assess local law and practice, conduct a risk/impact assessment, and implement any additional safeguards (contractual, technical, or organizational measures) for each implicated jurisdiction, given the particularized circumstances of the transfer. [14] This process based on relevant, objective, reliable, verifiable, and accessible information should be documented, with a rationale as to how the measures adequately safeguard the transfer. It is not necessary to repeat the assessment when transferring a specific data type to the same jurisdiction. This documentation must be available to supervisory authorities upon request.
It may be possible to avoid implementing supplementary measures if the implicated organizations, based on individual and broader experience in the relevant sector, conclude there is no reason to believe that any identified problematic legislation, [15] regulation, or practice will compromise the subjects’ fundamental privacy rights in the data transferred. More specifically, for example, parties involved in the transfer should conclude public authorities do not have disproportionate access to data, without notice, and private entities are adequately regulated so as not to inhibit adherence to the requirements of the SCCs. However, such a determination and the rationale need to be thoroughly documented and vetted.
Finally, organizations conducting international transfers of personal data have a continuing obligation to monitor changes in local circumstance and should have established processes to act accordingly.
To assist, the EC issued new SCCs in June 2021. [16] While the former SCCs may continue to support new data transfers until September 2021, all transfers must be based on the revised SCCs by December 2022. Importantly, the SCCs consider the fallout from Schrems II. To this end, per Clause 14:
The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of personal data by the data importer […] prevent the data importer from fulfilling its obligations under these Clauses.
Moreover, to fulfill this warranty, any internal documentation supporting conclusions (e.g., practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative timeframe) must be derived from a process of continuous evaluation and certified at senior management level. This documentation too must be made available to a supervisory authority upon request. As distinct from modifications to the SCCs themselves, adopting supplementary measures does not trigger an authorization by a competent supervisory authority. Consequently, these measures can be incorporated in the contract as long as they do not directly or indirectly contradict the SCCs.
Returning to the impact of Brexit, the new SCCs have no force and effect in the UK. [17] The Information Commissioner’s Office (ICO) advised UK controllers to continue to use the former EU SCCs. Organizations may make changes to the former EU SCCs so they are relevant to the UK, while not disturbing the substantive legal meaning of the clauses. Much the way Switzerland maintains its own SCCs, the UK intends to publish its own SCCs for transfers from the UK. The ICO warned that, after the Schrems II decision, organizations should conduct the same sort of assessment and adoption of additional safeguards to ensure sufficient data subject protection.
Illustratively, from a GDPR perspective, if clinical trial data is transferred from France to the US and, finally, to a commercial entity in Canada, the onward transfer from the US to Canada could be made pursuant to the applicable EC adequacy determination. The transfer to the US could rely upon SCCs, provided parties have performed the requisite due diligence and perfected all relevant documentation. Effective supplementary measures could include pseudonymization, where:
- The US-based entity is contractually prohibited from re-identifying or receiving codes enabling re-identification of the subjects to whom the data pertains, and
- An assessment concludes third parties would not be able to identify the subjects with other available information. [18]
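The pseudonymization measure described above depends on who holds the re-identification codes: the exporter keeps them, and the importer receives only tokens plus the payload it needs. The following is an added illustration, not code from the original article or from any regulator, of that separation applied to constructed clinical-trial records. The field names, the sample records and the key are all assumptions made for the example; the token is an HMAC-SHA256 of the subject identifier under a key that never leaves the exporter, so the importer holds neither the key nor the lookup table and cannot reverse the tokens on its own.

```python
import hashlib
import hmac

# Constructed sample clinical-trial records for the example (not real data).
SAMPLE_RECORDS = [
    {"subject_id": "FR-0001", "name": "Alice Example", "dob": "1980-04-12", "arm": "A", "result": 12.5},
    {"subject_id": "FR-0002", "name": "Bob Example", "dob": "1975-09-30", "arm": "B", "result": 9.8},
    {"subject_id": "FR-0001", "name": "Alice Example", "dob": "1980-04-12", "arm": "A", "result": 11.9},
]

# Fields that identify a subject directly; these never leave the exporter.
DIRECT_IDENTIFIERS = ("subject_id", "name", "dob")


def make_token(subject_id: str, key: bytes) -> str:
    """Derive a stable pseudonym from the subject id under the exporter-held key.

    HMAC rather than a plain hash, so that an importer cannot rebuild the
    mapping by hashing guessed subject ids.
    """
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: list[dict], key: bytes) -> tuple[list[dict], dict[str, str]]:
    """Split records into an export set (for the importer) and a lookup table (exporter only).

    The export set carries a pseudonym and the research payload; the lookup
    table maps pseudonym back to subject id and stays with the exporter.
    """
    export_records = []
    lookup: dict[str, str] = {}
    for record in records:
        token = make_token(record["subject_id"], key)
        lookup[token] = record["subject_id"]
        payload = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        payload["pseudonym"] = token
        export_records.append(payload)
    return export_records, lookup


def contains_direct_identifiers(export_records: list[dict]) -> bool:
    """Check an outbound batch before transfer: no direct identifier field may remain."""
    return any(field in record for record in export_records for field in DIRECT_IDENTIFIERS)


def reidentify(pseudonym: str, lookup: dict[str, str]) -> str:
    """Re-identification is only possible with the exporter-held lookup table."""
    return lookup[pseudonym]


if __name__ == "__main__":
    # The exporter's key; assumed here, in practice generated and stored under the exporter's control.
    exporter_key = b"constructed-exporter-key"
    outbound, exporter_lookup = pseudonymize(SAMPLE_RECORDS, exporter_key)
    assert not contains_direct_identifiers(outbound)
    for row in outbound:
        print(row)
    # Only the exporter, holding exporter_lookup, can get back to the subject id.
    print(reidentify(outbound[0]["pseudonym"], exporter_lookup))
```

Two points in the design map to the bullets above: the same subject produces the same token across batches (so longitudinal research remains possible without re-identification), and a different key yields unrelated tokens, so the mapping is bound to the exporter's key and the lookup table rather than to the identifier alone. Whether the remaining payload fields could still identify subjects in combination with other available information is a separate assessment that this code does not perform.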
It is important to also consider individual US states, not only federal laws. Colorado, as of July 2021, joins California and Virginia in having GDPR-like laws on the books.
Ultimately, organizations do not want to compromise their obligations or their data, and it certainly is no longer enough to adopt a reactive position. Instead, organizations can proactively establish an infrastructure and culture to support good data stewardship. Purposeful and strategic execution, such as implementing supplementary measures where appropriate, will help meet the complex regulatory landscape’s demands and mitigate today’s inherent risk involved in international personal data transfer.
References:
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[2] Id. at Art. 45.
[3] Id. at Art. 46.
[4] Id. at Art. 47.
[5] Id. at Art. 49. See also European Data Protection Board, Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 (May 25, 2018), https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf.
[6] European Commission, The EU-UK Withdrawal Agreement, https://ec.europa.eu/info/relations-united-kingdom/eu-uk-withdrawal-agreement_en.
[7] See European Commission, Adequacy decisions, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
[8] Information Commissioner’s Office, International transfers after the UK exit from the EU Implementation Period, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/.
[9] European Commission, The EU-UK Trade and Cooperation Agreement, https://ec.europa.eu/info/relations-united-kingdom/eu-uk-trade-and-cooperation-agreement_en.
[10] Commission implementing decision of 28 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf.
[11] C-311/18, Data Protection Commissioner v. Facebook Ireland LTD, Maximillian Schrems, ECLI:EU:C:2020:559 (July 16, 2020) (holding Section 702 of the U.S. FISA does not respect the minimum safeguards resulting from the principle of proportionality under EU law and cannot be regarded as limited to what is strictly necessary, and the level of protection of the programs authorized by Section 702 is not essentially equivalent to the safeguards required under EU law.)
[12] Privacy Shield Framework, Privacy Shield Overview, https://www.privacyshield.gov/Program-Overview.
[13] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (June 18, 2021), https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf (superseding draft recommendations available at https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf) [Hereinafter Supplementary Measures].
[14] European Data Protection Board, Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (July 23, 2020), https://edpb.europa.eu/sites/default/files/files/file1/20200724_edpb_faqoncjeuc31118_en.pdf.
[15] “‘Problematic legislation’ is understood as legislation that 1) imposes on the recipient of personal data from the European Union obligations and/or affect the data transferred in a manner that may impinge on the transfer tools’ contractual guarantee of an essentially equivalent level of protection and 2) does not respect the essence of the fundamental rights and freedoms recognised by the EU Charter of Fundamental Rights or exceeds what is necessary and proportionate in a democratic society to safeguard one of the important objectives as also recognised in Union or EU Member States’ law, such as those listed in Article 23 (1) GDPR.” Supplementary Measures, supra n. 13 at 22 n. 63, https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf.
[16] Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en.
[17] Information Commissioner’s Office, Standard Contractual Clauses (SCCs) after the transition period ends, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/sccs-after-transition-period/.