Electronic Discovery & Information Governance – Tip of the Month: New Compliance Requirements for Transferring Personal Data Outside Europe
Over the past few years, litigators and eDiscovery practitioners have had to familiarize themselves with European data privacy laws to ensure that when they oversee transfers of personal data from the European Economic Area (the “EEA”) to the United States (the “US”), they comply with the strict requirements in the General Data Protection Regulation (the “GDPR”) on international personal data transfers.
In December 2020, our Tip of the Month considered a scenario in which a US company conducting a global internal investigation needed to transfer documents and emails held by its French subsidiary to the company's US servers. A similar issue arises where a European company wishes to engage a vendor based in the US for eDiscovery or data analysis. Similarly, an employee of a US parent company remotely accessing personal data stored on servers in Europe would also be considered an international personal data transfer under the GDPR.
In all three scenarios, the transfer of the personal data outside the EEA will have to comply with the GDPR requirements on international personal data transfers. Businesses commonly move personal data between the EEA and other jurisdictions, such as the US, in a way that is compliant with the GDPR by using a set of non-negotiable terms approved by the European Commission known as Standard Contractual Clauses (the “SCCs”).[1] This Tip of the Month considers recent developments that impact the use of SCCs for cross-border data transfers.
However, it is often not possible to rely on SCCs as a mechanism for transfer of personal data in investigations and litigation, where disclosure of documents to regulators, the court and opponents is likely to be required. This includes situations where the data importer is not itself the subject of the relevant subpoena or where the data importer wishes to make disclosures of personal data to a third party on a non-compelled basis. In such cases, it may be necessary to seek data subjects' consent, to review and remove personal data prior to exporting data to the US or to seek a supporting local court order or compulsion notice from a local regulator in the European jurisdiction where the data controller is based.
Three important developments have happened in 2021 that are relevant to the scenarios described above:
- With the Brexit transition period ending on December 31, 2020, transfers of personal data outside the United Kingdom (the “UK”) are now subject to separate requirements under the UK GDPR (which are, at least at the moment, substantially the same as the requirements under the EU GDPR).
- At the beginning of June 2021, the European Commission published a final version of its new SCCs for international personal data transfers outside the EEA (the “New SCCs”), which will replace the SCCs that many businesses currently rely on for transfers to the US (the “Old SCCs”). Businesses will have 18 months, until December 27, 2022, to transition from the Old SCCs to the New SCCs.
- Also in June 2021, the European Data Protection Board (the “EDPB”) published a final version of its recommendations on supplementary measures for international personal data transfers outside the EEA (the “Recommendations”). The Recommendations include guidance for businesses on how to carry out transfer impact assessments when transferring personal data subject to Article 46(2) GDPR “appropriate safeguards.”
1. Transfers of personal data from Europe might have to comply with both the GDPR and the UK GDPR.
While the requirements are substantially the same at the moment, divergence between the two data protection regimes is expected over time. It is currently unclear whether businesses will be allowed to use the New SCCs for transfers of personal data outside the UK as well. The UK Information Commissioner's Office has announced that it will launch a public consultation in summer 2021 on bespoke standard contractual clauses for international personal data transfers outside the UK (the “UK SCCs”). It will also consider whether to recognize the New SCCs as “appropriate safeguards” for transfers outside the UK. If not, businesses might be required to implement both the New SCCs and the UK SCCs to allow such transfers.
2. Businesses that require transfers of personal data outside Europe should review their contractual arrangements with third-party vendors and their intra-group transfer agreements.
If businesses have implemented the Old SCCs for transfers of personal data from Europe to a vendor (such as a cloud storage provider or an eDiscovery services provider) or a group company based outside of Europe, they can continue to rely on the Old SCCs for the next 18 months. However, contracts incorporating the Old SCCs will have to be renegotiated to include the New SCCs within the 18-month period to ensure that personal data transfers from the EEA can continue under those contracts.
Importantly, businesses will have to consider if they are able to meet the stricter requirements imposed by the New SCCs or if there are alternative solutions they might need to adopt, such as relying on one of the derogations in Article 49 of the GDPR or deciding not to transfer the personal data outside of Europe.
3. Where businesses rely on “appropriate safeguards” for international personal data transfers (such as the Old SCCs or the New SCCs), the European data exporter and the non-European data importer are also required to carry out and document a transfer impact assessment and, where needed, implement supplementary measures for the transfer.
Entering into the SCCs is no longer sufficient to function on its own as an “appropriate safeguard” for transferring personal data outside of Europe. Businesses that transfer personal data to a jurisdiction that is not deemed by the European Commission to offer an adequate level of data protection[2] are additionally required to carry out an assessment (also known as a transfer impact assessment) of the local laws and practices in the jurisdiction of the data importer relating to access by public authorities to the transferred personal data.
The aim of the transfer impact assessment is to confirm if the data importer will be able to comply with its obligations set out in the relevant “appropriate safeguard” (such as the New SCCs), taking into account the laws and practices in the jurisdiction of the data importer. If this is not possible, implementation of supplementary technical measures (such as state-of-the-art encryption with no unencrypted access to the data outside of Europe and/or effective pseudonymization) to safeguard the data from access by public authorities is likely to be required.
The Recommendations provide guidance to organizations on how to carry out the transfer impact assessment and what factors they should consider when carrying out the assessment. The Recommendations also set out that the transfer impact assessment should not be a static document but should be re-evaluated at appropriate intervals. For more details on the Recommendations, please see our Legal Update.
While SCCs provide a convenient method for transferring data between the EEA and the US, their use is now subject to more complex considerations, including the need to undertake an assessment of the protection afforded in the jurisdiction to which the personal data is being exported.
Further, SCCs are unlikely to provide a complete solution to the transfer of personal data for the purposes of investigations, regulatory enforcement and litigation. In such cases, it will remain necessary to undertake an analysis on a case-by-case basis to determine the appropriate mechanism for transfer of personal data.
[1] The EU-US Privacy Shield was ruled invalid by the Court of Justice of the European Union in July 2020 and, therefore, no longer provides a mechanism for data transfer that is compliant with the GDPR.
[2] The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, the UK and Uruguay as providing adequate protection. The European Commission has also launched the procedure for adoption of an adequacy decision for transfers of personal data to South Korea.