Privacy Post-Schrems II - Third of a Four-Part Series on Compliance with EU Privacy Laws Using Standard Contractual Clauses
October 20, 2020
In the first couple installments in this blog series, we introduced standard contractual clauses (“SCCs”) and briefed the main U.S. surveillance legal considerations SCCs require in light of the Schrems II case, being Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and Executive Order 12333 (“EO 12333”). The Court of Justice of the European Union (the “CJEU”) in the Schrems II case ruled that SCCs ensured “adequate” levels of protection for personal data transfers in compliance with EU privacy law.1 However, it also ruled that Section 702 of FISA and EO 123333 did not ensure “adequate” levels of protection because they did not adhere to the principle of “proportionality” according to EU law. According to Article 52 of the Charter of the Fundamental Rights of the European Union (the “Charter”), this principle states that “limitations [on the exercise of the rights and freedoms recognised by the Charter] may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.”
In the final two installments in this blog series, we will discuss some of the SCCs that could resolve certain limitations of Section 702 of FISA and EO 12333 addressed in the Schrems II case, ultimately resolving the imbalance of “proportionality” and authorizing personal data transfers from the EU to the U.S. These installments will be divided as follows:
- Broader SCCs that could apply to multiple laws and regulations, including Section 702 of FISA and EO 12333; and
- Certain SCCs with ad hoc contractual clauses that could address issues specific to Section 702 of FISA and EO 12333.
With this installment pertaining to broader SCCs, we first consider the various SCCs that address data protection principles regarding security and confidentiality. Before the Schrems II case, the European Commission, the EU’s politically independent executive arm, issued two decisions regarding controller-to-controller SCCs and one decision regarding controller-to-processor SCCs.2 Each of these decisions include SCCs that refer to technical and organizational security measures that can be appropriate for proportionate risks.3 Such measures would include data obfuscation, data minimalization, and encryption, which focus on risks such as unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, and alteration.4 The CJEU in the Schrems II case had grievances with the surveillance programs based on Section 702 of FISA and EO 12333 because of their bulk collection of personal data. However, technical and organizational security measures such as data obfuscation and encryption would make that collected personal data unreadable; thus, the risk of unauthorized disclosure or access by the U.S. government would be nullified.
Second, we consider groups of SCCs that concern notification requirements and subsequent actions. One set of SCCs obligates a data importer to not only know and be in compliance with local laws and applicable legislation, but to also notify the data exporter and/or appropriate supervisory authority if that jurisprudence changes to the point where it prevents the data importer from fulfilling its contractual obligations.5 Another set of SCCs are broader and require the data importer to inform the data exporter if it is in breach of its obligations and unable to process personal data without being in compliance with its instructions and SCCs.6 Finally, Clause 5(d)(i) of the European Commission’s controller-to-processor SCC decision states that the data importer will “promptly notify the data exporter about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited . . . .”7 If these notifications are received and the underlying conditions concern unpreventable violations of the contract and/or EU law, remedial provisions could be put into place to suspend the data transfers and/or terminate the contract. These remedial measures would put a stop to any underlying violations of data subject rights and the principle of “disproportionality” as addressed in the Schrems II case.
While broader SCCs like the ones above can apply to many situations, the entirety of each contract should be drafted on a case-by-case basis. Every party, whether data exporter or data importer, has their own specific wants and needs. Thus, it is important to have proper help and guidance when defining and negotiating the best contractual terms for your own situation. Jackson Kelly is here to help you traverse that process, so please feel free to reach out to us at any time.
1 Paragraph 184, the Schrems II case.
2 Commission Decision 2001/497/EC of 15 June 2001; Commission Decision 2004/915/EC of 27 December 2004; Commission Decision 2010/87/EU of 5 February 2010.
3 Clause 5(b), Appendix 2, Clause 4, Annex Set I, Commission Decision 2001/497/EC of 15 June 2001; Clause II(h)(iii), Annex A, Clause 4, Annex Set II, Commission Decision 2004/915/EC of 27 December 2004; Clause 5(c) of Annex, Commission Decision 2010/87/EU of 5 February 2010.
5 Clause 5(a), Annex Set I, Commission Decision 2001/497/EC of 15 June 2001; Clause II(c), Annex Set II, Commission Decision 2004/915/EC of 27 December 2004; Clause 5(b) of Annex, Commission Decision 2010/87/EU of 5 February 2010.
6 Clause VI(a), Annex Set II, Commission Decision 2004/915/EC of 27 December 2004; Clause 5(a) of Annex, Commission Decision 2010/87/EU of 5 February 2010.
7 Clause 5(d)(i) of Annex, Commission Decision 2010/87/EU of 5 February 2010.