INTA News

INTA Provides Tips for Transferring Personal Information from the EU

Published: April 14, 2021

Tara Aaron-Stelluto Aaron | Sanders PLLC Nashville, Tennessee, USA Data Protection Committee—Best Practices Subcommittee

Susan Natland Knobbe, Martens, Olson & Bear, LLP Irvine, California, USA Data Protection Committee—Best Practices Subcommittee

Are you still working to master the new requirements of transfers of personal information from the European Union to other jurisdictions, following the recent changes in privacy protections and the end of standard contractual clauses (SCCs)? INTA has some tips for you to keep in mind.

The Association recently held a webcast on this topic. Now available on demand, it discusses the practical challenges and potential solutions to the latest developments.

On recent and upcoming developments, the transfer of personal data from the EU to other jurisdictions has become more complicated after a decision by the Court of Justice of the European Union (CJEU) in 2020 known as Schrems II. That decision not only invalidated the EU-U.S. Privacy Shield affecting U.S. companies, but also restricted SCCs, one of the main cross-border data transfer mechanisms utilized by companies worldwide.

In early 2021, the European Commission (EC) and the European Data Protection Board (EDPB) issued a joint opinion on draft-revised SCCs. The final versions are expected to be released in the second quarter of this year, with a one-year implementation period. This may help inform companies on how to deal with the challenges they currently face in transferring data from the EU to the United States and elsewhere.

The EU-U.S. Privacy Shield had been a commonly used mechanism to transfer the personal data of EU data subjects from the EU to the United States. Under the Privacy Shield, U.S. companies could self-certify that they would comply with the data protection regulations that govern the protection of EU data subjects’ personal information. The CJEU found, however, that the Privacy Shield neither prevented U.S. intelligence agencies from mass-collecting the personal data of EU data subjects nor provided effective judicial redress.

But the Schrems II decision went farther. It also severely impacted SCCs, the other often-used mechanism to transfer personal data from the EU to third-party companies outside the EU. While SCCs are still an approved mechanism, companies must now conduct due diligence in order to rely on these clauses, not only for the United States but for any jurisdiction not already deemed by the EC to have “adequate” data protection laws.

In particular, it is no longer sufficient to rely solely on SCCs. Companies considering transferring data outside the EU now also need to conduct a risk impact assessment, especially in the context of any right of access to personal data by public authorities in the country to which the data is transferred.

Specifically, companies should use the same elements prescribed in the EU’s General Data Protection Regulation (GDPR) and applied by the EC in assessing the relevant data protection laws of the target country when determining if that country’s laws can be deemed “adequate” to protect EU subjects’ personal data. To date, the EC has granted adequacy findings to only 13 countries.

The EDPB recently set out further guidelines with respect to the use of the SCCs. It spelled out “supplementary measures” that companies must employ, absent a finding of adequacy, either by the EC or through an impact assessment properly conducted by the company.

Supplementary measures, according to the EDPB, consist of “contractual, organizational, or technical measures.” But given the restrictions already in place in the context of the SCCs, it is difficult to imagine that additional contractual or internal organizational measures would have much impact.

Technical measures appear to be the one supplementary measure that may meaningfully diminish the risk to EU data subjects (and therefore of a fine from the supervisory authorities). Adequate technical measures primarily consist of encryption, pseudonymization, and anonymization. Anonymization takes data outside of the definition of personal data under the GDPR although several supervisory authorities have expressed concern that it is difficult to fully achieve anonymization.

In making impact assessments and deciding whether to use supplementary measures, companies should consider the same parameters used by EU supervisory authorities to levy fines for improper processing of data under the GDPR. This can help companies minimize the risk of any fines being levied, or perhaps at least the amount of such fines.

These parameters include the purpose of the processing (is it business critical or merely convenient); the categories of data, particularly if they are “special” categories under the GDPR; the amount of data and the frequency of data transfers; and the documenting of any mitigation measures taken by the company.

To go deeper, check out INTA’s webcast entitled “The End of the Privacy Shield: What Brand Owners Need to Know,” featuring European and U.S. analysis as well as an in-house perspective.

Although every effort has been made to verify the accuracy of this article, readers are urged to check independently on matters of specific concern or interest.