
Standard Contractual Clauses 

As summer begins, many companies doing business in the European Economic Area (“EEA”) and the United Kingdom (“UK”) are scrambling to update their Standard Contractual Clauses (“SCCs”). This is the result of the Court of Justice of the European Union's (“CJEU”) decision in the case of Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems (C-311/18) (“Schrems II”), issued on July 16, 2020. The Court’s ruling was a seismic shift for those companies either relying on the EU-U.S. Privacy Shield Framework or the existing standard contractual clauses as the basis for compliance with Article 46 of the General Data Protection Regulation ("GDPR"). Pursuant to Article 45 of the GDPR, personal data can only be transferred outside of the EEA to countries that the European Commission ("EC") has deemed to have adequate data protection laws and practices. Only 13 countries have been approved by the European Commission as having "adequate" privacy safeguards. The European Commission, for example, regards the United States as "inadequate" due to its government surveillance laws.

Article 46 of the GDPR, on the other hand, allows data transfers outside of the EEA to "inadequate countries" if the data exporter uses "appropriate safeguards" to protect the data. For example, the European Union and the United States government negotiated the Privacy Shield framework to facilitate commerce, under which participating U.S. companies could self-certify as an acceptable Article 46 transfer mechanism, allowing them to receive personal data from the EEA. SCCs, another option, are the most commonly used Article 46 transfer mechanism. SCCs are a standard set of contractual data protection terms and conditions that data exporters and importers agree to when transferring data outside the EEA to an "inadequate" country.

Remarkably, the CJEU invalidated the Privacy Shield in Schrems II. While the CJEU did approve the continued use of SCCs as a legal Article 46 transfer mechanism, it identified legal concerns with the existing SCCs. Moreover, the CJEU underscored a fundamental rule that must be followed for data transfers outside the EEA to inadequate countries: any data exporter transferring personal data outside the EEA must verify, on a case-by-case basis, whether the destination jurisdiction ensures a level of data protection essentially equivalent to EU law. More specifically, companies relying on SCCs to transfer data outside of the EEA to “inadequate” countries must conduct a transfer privacy risk assessment to determine whether the surveillance laws or practices in the third country may impinge on the effectiveness of the relevant transfer mechanism. If the results of this assessment reveal risk, the data exporter must apply “supplementary measures” to the cross-border data transfer sufficient to mitigate the identified risk, enough to ensure a level of protection for the data that is essentially equivalent to the level of data protection in the EU.

Brexit further complicates cross-border data transfers from the EEA and the UK. As a result of the UK’s withdrawal from the European Union on January 1, 2021, the CJEU no longer has jurisdiction over the UK and neither does the EC. Instead, the UK’s primary data protection services authority is now the Information Commissioner's Office (the “ICO”), and the “UK GDPR has now replaced the GDPR.” In practice, this means that companies transferring data outside the EEA or the UK, or both, may now be required to use different sets of SCCs – one set approved by the EC (EU SCCs) and another approved by the ICO (UK SCCs). This article focuses on the EU SCCs.

Guidance on International Personal Data Transfers 

On November 10, 2020, the European Data Protection Board (EDPB) released its Draft Guidance on International Personal Data Transfers (the “Guidance”) to assist data exporters with their required data transfer privacy risk assessments. The EDPB set forth a six-step program for doing so as follows:

First: the EDPB recommends that the data exporter “know your transfer.” Most critically, a data exporter must fully understand where its EEA personal data is flowing. This is often best accomplished by data mapping and the development of an accurate and comprehensive Article 30 GDPR Report.

Second: the data exporter must understand and re-evaluate any Article 46 transfer tools in use (e.g., SCCs, BCRs, etc.). Most critically: are these existing transfer tools providing your data subjects with the same level of data protection as EU law requires?

Third: the data exporter must assess whether its Article 46 transfer tool(s) are undermined, in any way, by the laws of the destination country. For example, do the laws of the destination country allow its government to seek personal data without the permission, or even the knowledge, of the data exporter?

Fourth: the data exporter must adopt “supplemental measures” to mitigate the risk identified in step three. Supplemental measures may come in the form of contractual, technical or organizational protections necessary to ensure that the transferred personal data maintains the same level of protection it has in the EEA.

Fifth: the data exporter must take all “formal procedural steps” necessary to ensure the adoption and use of any supplemental measures. For instance, a data exporter may add additional contractual clauses to the SCCs to enhance the contractual safeguards for the data transfer.

Sixth and final: continued re-evaluation by the data exporter, with the assistance of the data importer, of the steps identified above.

If your company is struggling with where to start, please take our free Standard Contractual Clauses Assessment. You can also learn more about SCCs on our most recent blog or schedule a meeting with us here.


Advisori can assist your company in updating its existing Standard Contractual Clauses ("SCCs"). It's difficult to find the right resources for the job, from experienced privacy attorneys to contract managers. As a result, we have assembled a specialized team to assist our clients with meeting their compliance deadlines.

What are Standard Contractual Clauses and why use them? 

The transfer of personal data gathered in the European Economic Area (“EEA”) and the United Kingdom (“UK”) is strictly regulated by the General Data Protection Regulation (the “GDPR”). For instance, personal data can freely flow from the EEA to just 13 countries – countries that the European Commission (the “EC”) has deemed as having “adequate” data protection services laws and practices. Thus, companies collecting personal data in the EEA wanting to transfer this data to “inadequate” countries must apply “appropriate safeguards” to the data.

The most widely used safeguard is standard contractual clauses, commonly referred to as “SCCs.” SCCs are standardized and pre-approved contractual language, developed by the European Commission (“EC”), to ensure that all data transferred to any “inadequate” country has essentially the same level of protection as that provided by European Union law. Despite all the attention on the newly published SCCs, they are not actually new. The EC approved the prior version under the old Directive 95/46/EC ("Old SCCs"). For the reasons discussed previously, the EC published two new sets of SCCs on June 4, 2021. The “First Set” replaces the Old SCCs and should be used for international transfers of personal data. The “Second Set” (which is actually new) governs the transfer of personal data between controllers and processors, even those operating solely within the EU (for simplicity, the First and Second Sets of SCCs will be collectively referred to as the “New SCCs”).

The New SCCs are the result of significant changes in EU law. While the Old SCCs addressed only controller-to-controller transfers in one set of clauses and controller-to-processor transfers in another set, the New SCCs are purportedly designed to be more versatile and easier to use. While they remain a combination of non-negotiable, standard clauses, they are in a modular format for transfers from (i) controller to controller; (ii) controller to processor; (iii) processor to processor; and (iv) processor to controller.

Critically, businesses have until December 27, 2022, to replace all Old SCCs with the New SCCs. This will be a monumental task for some businesses. Advisori can help. We have the privacy practices lawyers, contract managers, and analysts necessary to handle any SCC update project.

We do the following to ensure that our clients meet their regulatory guidelines.

  • We collaborate with internal stakeholders to identify and gather all contracts and artifacts required to scope the SCC remediation project.
  • We examine all existing contracts and data transfers to identify contracts and SCCs that need to be updated.
  • We develop a comprehensive project plan that includes deliverables and a tracking schedule.
  • We create a detailed SCC remediation project playbook tailored to your company's operations and size.
  • Existing contracts are drafted/revised, and their SCCs are updated.
  • We identify and work with those in privity of contract with our clients to ensure that all contracts are updated and executed.

Please take our free Standard Contractual Clauses Assessment. You can also learn more about SCCs on our blog or schedule a meeting with us here.

If your company transacts business with residents of the State of California, you have likely heard a lot about California’s Privacy Rights Act ("CPRA"). The CPRA is a legal evolution from California’s first privacy regulation, the California Consumer Privacy Act (“CCPA”) and is commonly referred to as CCPA 2.0. The CPRA is viewed by many as California’s version of the European Union's General Data Protection Regulation ("GDPR") and there are significant parallels between the two regulations.

For instance, the CCPA provides California residents with a myriad of privacy-related rights such as the right to know the types and categories of personal information ("PI") collected by the business, the purposes for collection, to whom the information is being shared, the right to access any such personal information belonging to the individual, and even the right to have this PI deleted from the business’s databases. The CPRA was signed into law in November 2020 and will become enforceable on January 1, 2023.

The first consideration for every business should be whether it falls under the purview of the CPRA. The CPRA applies to any for-profit business transacting business in California that:

  • As of January 1, of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year;
  • Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
  • Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

If your business satisfies one or more of the categories above, we can assist you with developing, implementing, and maintaining a CPRA compliance program.

Advisori’s Automated Privacy Notice

We ensure that your website privacy notice is CPRA compliant using our digital Privacy Notice platform. Where a business collects PI from California residents, it must advise them of the following:

  • How their PI is collected by the business, i.e., website cookies/trackers,
  • What types and categories of PI are collected,
  • With whom their PI is shared,
  • How long their PI is retained by the business,
  • How the data subject can request a copy of their PI,
  • How they can request correction of their PI,
  • How they can request deletion of their PI, and
  • How they can request to opt-out of having their PI collected, shared, or sold.

In addition, the CPRA includes a new data category - sensitive personal information (“SPI”), which includes:

  • Social Security Numbers,
  • Driver’s License Numbers,
  • Passport Numbers,
  • Financial Information,
  • Racial and ethnic origin data,
  • Geo-location data,
  • Health data,
  • Religious affiliation, and
  • Trade union membership.

With a simple installation of our privacy notice code on your website, we will build, display, and manage your CPRA compliant privacy notice.

DSAR Fulfillment

In addition to advising California residents of their privacy rights, a business must allow California customers the ability to exercise these rights. This is often referred to as data subject access requests (“DSAR”). Under the CCPA/CPRA, a regulated business must provide its California customers with at least two ways of requesting the exercise of their rights such as an email address and a toll-free number. The business must respond to a legitimate request within 45 days (with an additional 45-day extension period for the business under certain limited circumstances).

The DSAR process is complicated as a business holding PI must be able to search its databases to find the data belonging to an inquiring customer. We can do this for our clients using our AI-driven data discovery tools to search for, classify, and catalog personally identifiable information, both structured and unstructured, residing in the cloud or on-premises. By doing so, we provide our clients with a comprehensive and dynamic view of their PII across their data inventories. This includes identifying, retrieving, and deleting data belonging to a single customer. We can do this nearly instantaneously.

Not surprisingly, the CPRA requires that a business properly verify the identity of any customer submitting a DSAR. We are able to do this using a variety of electronic means. Moreover, we provide our clients with a customized electronic data request portal where their customers can go to the business’s branded portal and submit a DSAR. Using this same portal, the customer can retrieve any requested data from this secure portal. Just as importantly, all activities are electronically documented for compliance purposes.

Read more on our blog and contact us today to learn more about our CCPA/CPRA solutions.

Visit us at www.advisori.com or drop us a line at info@advisori.com to learn more about our CCPA/CPRA solutions.

Under EU law, and several state laws in the US, a data subject (a person) has the right to see the personal data a business has on her and to know how that business is using the data. A person can exercise these rights by making a Data Subject Access Request (DSAR) to a business holding her data. Depending on the law (be it GDPR or CCPA, etc.), data subjects may have some or all of the following rights: (1) access to the data the business holds on the person; (2) deletion of their data; (3) correction of their data; (4) opting out of the sale of their personal data to a third party; (5) opting out of the processing of their personal data; and (6) data portability (the right to receive an electronic copy of their data).

While data rights are good for consumers, businesses often struggle with fulfilling these requests, even routine DSARs. For instance, a business must first properly verify that the data subject making the request is who she claims to be. This necessity is becoming increasingly critical as more and more nefarious actors seek to steal personal data from businesses. Therefore, businesses must meticulously vet and verify persons requesting to exercise their data rights.

Once a data subject is finally verified, the data discovery process itself is often cumbersome as businesses often collect and store customer data via numerous systems used to accomplish specific customer and business needs, like customer bookings and business marketing for example. The mere task of finding a certain person’s data in these multiple data stores can be like trying to find a needle in a haystack.

Also, hundreds or even thousands of copies of the same data can be in numerous databases (what we call data sprawl), making data deletion requests a nightmare to fulfill. In the data deletion/anonymization context, a multiplicity of systems means the efforts to find, erase, or anonymize data upon request can become much more time consuming than if the subject’s data is in a single solitary system. Each additional system in which the data is stored adds to the level of effort needed for the business to fulfill a DSAR.

Many businesses are still using a manual data subject verification and fulfillment process, which means the need for greater privacy specialist headcount, and thus more business costs. In addition to being inefficient and labor intensive, manual DSAR fulfillment means human error in both the data subject verification and data discovery process thereby exposing the business to violations of privacy laws and resulting regulatory fines.

Ongoing developments in privacy law worldwide promise to increase the burdens of compliance with DSAR fulfillment as consumer privacy laws are rapidly emerging globally and in the US. For instance, the California Consumer Privacy Act (CCPA) came into effect in 2020, following the effective date of Europe’s General Data Protection Regulation (GDPR). Currently, California, Colorado, and Virginia have laws that provide or will provide the functional equivalent of DSARs; whereas Nevada allows its residents the right to opt-out, or restrict the processing, of their personal data.

While the COVID-19 pandemic resulted in a temporary reduction in the number of incoming DSARs; our clients have seen an increase in the numbers of people exercising their privacy rights in the past several months, returning to and in some cases exceeding pre-COVID numbers. We can expect these numbers to steadily increase over the coming months. Not only are more people becoming aware of their privacy rights under existing laws in their jurisdictions, but additional jurisdictions such as Brazil and China have added privacy rights to their laws. We also expect additional states to follow the example of current data privacy laws in CA, CO, NV, and VA, at some point in the future, and a Federal privacy law is not out of the question in the next few years.

The increased DSARs will result in a major cost center for firms in coming years unless they are proactive. According to one recent survey by the Gartner organization, businesses report spending, on average, $1,400 per data subject rights request. Unfortunately some requests can be even more expensive than this eye-popping number. For instance, some records require the redaction of large amounts of information to ensure protection of the privacy of persons beside the data subject. The result is the multiplication of DSAR fulfillment costs.

All the above issues are good business practices to ensure efficient use of customer data. However, these redundancies and multiplicity of systems match poorly with new access and erasure requirements coming into use by customer bases worldwide. For this reason companies which tackle their DSAR tasks manually see their costs per DSAR start high, and go higher.

Businesses looking to outsource their DSAR fulfillment process can rely on Advisori. Advisori is a full-service DSAR Fulfillment Center. Our virtual DSAR platform allows a data subject to submit a DSAR directly to our Fulfillment Center via our secure DSAR portal. We verify the data subject using multiple means and sources, use our cutting-edge technologies, which are capable of searching every type of data store for personal data of all categories and formats, and then package all related personal data for dissemination back to the data subject through our secure electronic portal. The data subject can review her data via our portal or even download it. We are also able to find and delete/anonymize data when a data deletion request is filed. We are able to do this quickly and efficiently to ensure that all DSAR regulatory requirements and deadlines are met. The bottom line is, we help our clients fulfill DSARs cheaper, faster, and better. Check us out at www.advisori.com or contact us at info@advisori.com.

Are You Getting Noticed?

Privacy compliance obligations are becoming increasingly onerous on global and even US based companies. The European Union’s General Data Protection Regulation (“GDPR”) is often seen as the gold standard of privacy frameworks as evidenced by its influence on other privacy laws such as California’s Consumer Privacy Act (“CCPA”) and even Brazil’s General Personal Data Protection Law (“LGPD”).


Unfortunately, the GDPR, and laws modeled after it, are highly complex. For instance, the GDPR has eleven chapters, containing 99 articles. Because of the complexities and nuances of existing and emerging privacy regulations, we, at Advisori, are often asked by our clients where to start with privacy compliance. We believe the first step is knowing what personally identifiable information (“PII”) the business possesses and what it is doing with it. Next is developing a data privacy/protection strategy based on governing privacy regulations, existing capabilities, and available resources.

The second step is memorializing the above in a written privacy policy and privacy notice. We often see privacy policies and notices being conflated. While related, it is important to understand that privacy notices and privacy policies are distinct concepts with different requirements. In this blog, we focus on privacy notices.

A privacy policy is an internal resource, which should instruct employees on the organization's rules related to PII. In contrast, a privacy notice is a publicly facing document advising potential and existing customers, website visitors, and others on the organization’s PII collection, use, and related privacy practices; more specifically, what categories of PII the organization is collecting and who it is collecting this data from; how it is collected, who it is shared with, what legal basis the organization has for collecting the data, when the data is purged, and what rights the data subject has regarding the collection and use of their data.

Considered a best practice, we believe an organization should publish a privacy notice in most cases, even where the law does not mandate it. Articles 12, 13, and 14 of the GDPR address the requirements of privacy notices.

At a high level, a privacy notice should include sufficient information so that the data subject can understand what personal data is being collected, why it is being collected, what it is being used for, how long it is being retained, and how the data subject can restrict the processing of her data and even withdraw her consent.

We note, however, that many regulators consider privacy notices a contractual promise by the organization to the data subject. Therefore, a privacy notice must be both accurate and transparent. The GDPR requires plain-language privacy notices, void of legalese or terms buried in poorly structured paragraphs. Furthermore, privacy notices should use definitive language, not qualifiers such as “may,” “might,” “some,” “often,” “usually,” etc., as these terms can be viewed by a regulator as purposefully vague.

Privacy notices should be conspicuously labeled as “PRIVACY NOTICE” and should be in writing, placed on the organization’s website (on the same page where data collection occurs) and be available orally upon request both to ensure adequate comprehension by the reader and to aid the visually impaired.

The following elements should be included in a Privacy Notice.

  • Contact information for the representative/data protection officer;
  • Purpose and legal basis for processing personal data;
  • The legitimate interests of the organization (or third party);
  • Recipient or categories of recipients of personal data;
  • Details related to any inter-country transfers of personal data, as well as procedural safeguards in place;
  • The duration that the data is being kept (retention period), or the criteria under which data is retained;
  • The existence of the rights of the person from whom data is collected (referred to as a data subject under GDPR);
  • The right to withdraw consent;
  • The right to initiate a complaint with the supervisory authority;
  • Whether the personal data pertains to a statutory or contractual right and the potential consequences for failing to provide the necessary data (this is not required if data comes from a third-party);
  • The existence of any automated decision-support/decision-making system; how the system has been set up, its overall process, and any resulting consequences;
  • If data is obtained via third-party, then privacy notice must advise the categories of personal data that is being collected; and
  • When the privacy notice was last updated.


Privacy Notice Challenges

Drafting and updating privacy notices are time-consuming and risky for a number of reasons. From a legal perspective, there are numerous country/region-specific privacy laws and a rapidly growing number of state-specific US privacy laws. As such, businesses operating in multiple jurisdictions may need to comply with more than just one privacy law/regulation. For instance, California has specific privacy notice requirements unique to that state. Many businesses do not have in-house privacy counsel to draft and maintain privacy notices and outsourcing such work to a law firm can be costly.

Furthermore, privacy notices are dependent on the business’s data. The categories of PII collected by a business, as well as the business's use of such data, often change as the business evolves. Maintaining an accurate manual data catalog and keeping the privacy notice synced with the business’s ever-changing data collection/processing is often an untenable task, even for small businesses. The bottom line is, a privacy notice is only as good as a business's understanding of its data assets to include PII provided by and shared with its customers, vendors, and business partners.

The above effort is even more complicated for larger businesses with segmented departments like product development, marketing, sales, etc., as each group has its own needs and purposes for collecting and processing PII. Moreover, a business can have multiple subsidiaries requiring the use of multiple websites, each with its own set of cookies and other data collection and user tracking technologies.

For the reasons outlined above, privacy notice management is a significant task. Relying on a manual process to do so is often time-consuming and tedious. Aside from the reputational risks associated with inaccurate or incomplete privacy notices, the business is further exposed to regulatory violations and related penalties when failing to have an accurate and transparent privacy notice.

How Advisori Can Help.

Advisori has the people, processes, and technology necessary to assist our clients with managing their privacy notices. Using Securiti.ai’s secure privacy portal, we collaborate with all necessary stakeholders to assist in the selection of the appropriate privacy notices from our extensive template library. We then tailor the chosen privacy notice to business operations to ensure a regulatory compliant, accurate, detailed, and transparent public-facing Privacy Notice.


We also give our clients the option of AI-powered robotic automation and data intelligence, which enables a continuous scan of data stores and automatic updating for any changes to the collection, processing, sharing, selling, or retention of personal data. These updates are then pushed to the business’s published privacy notice, thereby allowing real-time updates. This can include cookie-related updates as well.

Reach out to us at info@advisori.com to learn more.

The first pillar of a strong data protection/privacy program is an effective data discovery and classification capability. Bottom line is, you have to know your assets in order to properly protect them.

In addition to the data protection benefits of data mapping, this exercise is often required by law. For instance, the EU’s General Data Protection Regulation (GDPR) requires covered entities to create what is known as a “Record of Processing Activities (ROPA).” More specifically, Article 30 of the GDPR requires a “data controller” to “maintain” a ROPA that identifies the following elements:

The bottom line is, the ROPA is an important undertaking as it gives companies a complete inventory of their data processing and provides an overview of precisely how personal data is being handled. From a practical standpoint, an accurate, updated, and comprehensive ROPA helps companies remain legally compliant, thereby helping them avoid sanctions, fines, or penalties that might be otherwise imposed under the GDPR.

Advisori understands that the development and maintenance of a ROPA, even for the smallest enterprise, is a significant undertaking. However, as data privacy laws grow and evolve (e.g., GDPR, CCPA/CPRA), we believe that best practices dictate that even for those companies not required to build a ROPA, doing so would aid in overall risk mitigation. As specified above, the process of building the ROPA requires a company to investigate and discover, with precision, the types and volumes of the data they hold and related data-processing activities, cross-border data transfers, and data retention schedules. From there, companies must document their legal basis for collecting and processing all personal data they hold. Finally, they must accurately document what they are doing to protect such personal data.

We provide our clients with the necessary people, process, and technology to efficiently build and, just as importantly, maintain an accurate, comprehensive, and current ROPA. Our DPOs have extensive experience building and maintaining ROPAs for businesses in all industries, operating around the world. Moreover, Advisori has partnered with Securiti.ai to provide our clients with the most advanced data mapping automation technology in the industry. Combining this technology with our mature and robust data mapping processes, our DPOs start with the creation and dissemination of user-friendly electronic assessments custom-tailored for our clients. These assessments allow us to quickly and efficiently identify business assets, vendors, and institutions holding or processing personal data. From there, we scrutinize company assets to produce a precise and current data inventory and map these assets to processing activities. Where appropriate, we further assess each asset for privacy risks, which we then quantify and document, thereby allowing us to implement effective risk mitigation strategies.

Data Mapping Automation

When considering what a ROPA really is, one might surmise that this knowledge already exists organizationally and is readily available. That may be true for some companies; however, this critical information is typically siloed and lives within multiple knowledge bases, which are neither centrally maintained nor refreshed on a regular basis. Therefore, from a company perspective, automated data discovery and ROPA development just makes good business sense, irrespective of whether or not a regulatory body mandates it. Also, as consumers grow increasingly savvy and more “data-privacy conscious,” the smart play is to get in front of this now.

Contact the Advisori Team: we can get this process underway, and give you the people and tools you need to maintain compliance.

This fall begins a new journey for businesses transferring personal data outside the European Economic Area (EEA). On June 4, 2021, the European Union’s executive branch, the European Commission (“EC”), released their highly anticipated new and updated Standard Contractual Clauses (“SCCs”). The EC’s new SCCs are the result of the Court of Justice of the European Union’s (“CJEU”) Schrems II decision, which ultimately invalidated the “EU – US Privacy Shield” – a mechanism designed to regulate the flow of personal data from the European Economic Area (EEA) to “third countries” such as the United States.

Under Article 45 of the General Data Protection Regulation (“GDPR”), personal information can only be lawfully transferred to third countries that the EC has determined to have “adequate” privacy safeguards. Currently, this list comprises just 13 countries, and the U.S. is not one of them due to U.S. government surveillance laws. Instead, to facilitate commerce, the European Union and U.S. government agreed to the Privacy Shield framework. Until the CJEU’s Schrems II ruling, U.S. companies could self-certify under the Privacy Shield framework, allowing them to receive personal data transfers from the EEA. Prior to the Schrems II decision, the Privacy Shield and SCCs were the most commonly used data transfer mechanisms by U.S. companies.

Standard Contractual Clauses (SCCs)

SCCs are standard sets of contractual terms and conditions approved by the EC to which both the data “exporter” and data “importer” of EEA personal information must agree before personal data can be transferred outside the EEA to third countries without adequacy decisions. SCCs have been in existence since 2001 and were amended first in 2004 and then again in 2010. The old SCCs were separate agreements: one for data transfers from controllers to controllers and one for transfers from data controllers to data processors. Many will find the new SCCs more user-friendly as they are contained in one document consisting of four “modules”: transfers from controller to controller; transfers from controller to processor; transfers from processor to processor; and transfers from processor to controller.

In addition to the new SCCs format, this new version incorporates Article 28 of the GDPR (the old SCCs were developed under the General Data Protection Directive – the GDPR’s precursor). Article 28 sets forth “technical and organisational measures” required for the transfer of personal information from controllers to processors and from processors to sub-processors. Under the new SCCs, the parties no longer need additional data processing agreements for data transfers to data processors.

Transfer Impact Assessments

While the CJEU did uphold the use of SCCs, the Court warned that the use of this data transfer mechanism alone was not sufficient – data controllers are still required to conduct a data Transfer Impact Assessment (“TIA”) – a case-by-case assessment of all cross-border transfers to ensure that the data protection requirements set forth in the SCCs can actually be met. Article 14 of the SCCs lays out the TIA criteria, such as consideration of: 1) the “specific circumstances of the transfer” (e.g., categories and format of personal information, the number of individuals involved, type of data recipient, the purpose of processing, etc.); 2) the data laws and practices of the third country of destination; and 3) any supplemental data safeguards needed to ensure compliance with the SCCs’ data protection requirements, such as any additional contractual, technical, or organisational safeguards needed. Also critical to compliance, the data exporter must document its TIAs and make them available to the relevant supervisory authority when requested.

Supplemental Measures

Should the TIA conclude that the recipient third country’s legislation impinges on the effectiveness of the Article 46 GDPR data transfer mechanism, data exporters must identify and rely upon supplementary measures, as mentioned above, to ensure that personal information is sufficiently safeguarded. For instance, the data exporter may implement technical safeguards like data encryption or pseudonymization. The data exporter may also impose additional contractual safeguards on the data importer, such as requiring additional technical safeguards or requiring it to submit to audits. Finally, the data exporter may rely on organizational measures to enhance data transfer protections, such as data transfer policies and procedures and data minimization/purging policies.

New SCCs Enforcement Timeline

The old SCCs were repealed on September 27, 2021, meaning that all new cross-border data transfers must now be governed by the new SCCs. All existing SCCs will remain in effect until December 27, 2022 (and must be updated by that date).

How Advisori Can Help

Advisori has seasoned professionals who know the GDPR, understand the Schrems II decision, and have completed cross-border data inventories, data TIAs, and SCCs for EEA exporters and U.S. importers of personal data.

SCCs Related Services

Please contact us at info@advisori.com to learn more.

The CJEU’s decision to end the Privacy Shield has left everyone wondering: What’s next? As of this writing, there are over 5,000 U.S. companies certified under the Privacy Shield framework, and many of them are now struggling to determine how to maintain lawful cross-border data transfers.

In order to face the challenges ahead, it is helpful to understand exactly how we got here. Prior to the Privacy Shield, there was the Safe Harbor. The Safe Harbor Privacy Principles, like the Privacy Shield, provided a legal framework for the transfer of data from the EU to the US. Although the United States did not qualify as a country that provided adequate protections, US companies that self-certified adherence to the Safe Harbor Principles were considered to meet the EU data protection requirements and therefore could continue receiving data from the EU.

The inevitable fall of the Safe Harbor agreement all started when Maximilian Schrems, an Austrian law student, did a semester abroad in California. He heard firsthand from a Facebook employee that the company considered EU privacy laws to be virtually inoperable, as there were no consequences for not complying with them. Not long after this disclosure, the Edward Snowden leaks revealed the National Security Agency’s PRISM program, which collected vast amounts of internet communications and personal data on foreigners directly from the servers of US companies, including Facebook.

The revelation prompted Schrems to bring his first complaint to the Irish Data Protection Commissioner (DPC) in 2013, where he argued that the transfer of his personal data from Facebook Ireland, Ltd. to Facebook USA should be prohibited based on the company’s involvement with the PRISM program. Facebook’s mandatory compliance with the NSA to turn over personal data clearly showed the company could not also meet the adequate protections that EU law required, even under the Safe Harbor. In 2015, the CJEU ruled the Safe Harbor was invalid.

The US Department of Commerce and the Article 29 Working Party (which became the European Data Protection Board) got to work on creating a new framework to ensure that the EU-US transfer of data could continue, and in 2016 the Privacy Shield was adopted.

While the Privacy Shield aimed to address the issues that invalidated the Safe Harbor agreement, Schrems again brought a complaint against Facebook alleging the same concerns he had raised previously: his fundamental data protection and privacy rights under EU law were not upheld when his personal data was transferred to Facebook’s headquarters in the United States, even under the Privacy Shield. And again, in 2020, the CJEU sided with Schrems and invalidated the Privacy Shield, but upheld SCCs and BCRs if additional safeguards ensured that personal data flowing to non-EU countries remained adequately protected.

Which brings us to today… How can companies that relied on the Privacy Shield agreement continue transferring data from the EU and fully comply with all of the EU’s data protection and privacy laws?

Unfortunately, the current options are limited and confusing. So much so that the United Kingdom’s data protection authority, the Information Commissioner’s Office (ICO), published guidance to those affected businesses stating in sum:

The CJEU has confirmed how EU standards of data protection must travel with the data when it goes overseas, which means this judgment has wider implications than just the invalidation of the EU-US Privacy Shield. It is a judgment that confirms the importance of safeguards for personal data transferred out of the UK.

The ICO further warns that any continued data transfers outside of the EU relying solely on the Privacy Shield are now “illegal.” As it now stands, those companies previously relying on the now invalidated Privacy Shield appear to be left with Standard Contractual Clauses (SCCs), which are template contract clauses approved and adopted by the European Data Protection Board (EDPB). EU companies sending PII to their corporate locations outside the EU may similarly rely on Binding Corporate Rules (BCRs).

Critical to the use of SCCs and BCRs are the required data protection “supplementary measures” that must accompany these contractual provisions. The EDPB advised that:

[w]hether or not you can transfer personal data on the basis of SCCs [or BCRs] will depend on the … supplementary measures you could put in place. The supplementary measures along with SCCs [and BCRs], following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.

Unfortunately, the EDPB is yet to give specific guidance on what these “supplementary measures” should include. However, the Board does invoke the need for stringent measures that hold up against overreaching government interference:

If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However if you are intending to keep transferring data despite this conclusion, you must notify your competent [supervisory authority].

Until thorough guidance is released, companies should take multiple steps to continue GDPR-compliant cross-border data transfers and incorporate legal, technical, and organizational supplementary measures.

First, companies must conduct an initial assessment in order to have an accurate understanding and dynamic view of their cross-border data flows. Critically, assessments should be conducted on a regular basis to maintain this precise understanding.

Second, companies must review their existing contracts to ensure that they contain the required contractual clauses, and simultaneously prepare to rewrite these contracts in the near future once the EDPB releases their updated SCCs. Company-specific provisions should additionally be incorporated to provide the highest possible level of data protection.

Third, companies must ensure that they maintain sufficient data security protections to meet the necessary requirements under the General Data Protection Regulation. For example, they should follow data minimization principles, such as deleting data as soon as it is no longer needed.

Finally, these companies must clearly and transparently communicate their cross-border data processes to the public.

ADVISORI can help

Advisori’s industry-leading software and experienced privacy experts can help companies get control of all the personal data they process, specifically that data flowing outside EU borders. Our experts can also assist in a review of all existing company SCCs and BCRs to ensure that they are consistent with existing cross-border data flows. Finally, our team can review and assess a company’s existing data protection measures, and how they compare to current industry standards and practices. In the aftermath of the Schrems II decision, these three critical steps help demonstrate a company’s concerted efforts to deploy and follow the “supplementary measures” the EDPB requires.

CCPA: The cost of Compliance

Since its enactment, the California Consumer Privacy Act (CCPA) has had significant impacts on businesses worldwide as many struggle with compliance. In fact, the California Attorney General (AG) has already sent warning notices out to companies. The notices give entities thirty days to comply with CCPA by remedying violations or they face potential lawsuits initiated by the AG. Fortunately, at this point, the AG’s office has declined to publicly name those businesses that have been cited. Should the AG decide to do so in the future, such public exposure is likely to have a real, tangible effect on the businesses’ bottom line as consumers are increasingly savvy and privacy-oriented.

CCPA applies to three basic categories of businesses: (1) businesses with annual gross revenue in excess of $25M; (2) businesses that derive at least 50% of their revenue from selling consumer data; and (3) businesses that buy, sell, or share personal consumer information from at least 50,000 consumers, households, or devices. While at first glance, it seems that the three categories would limit the number of businesses impacted by CCPA, it is paramount to consider the behemoth that is the California economy and the depth and breadth of companies likely to fall within the ambit of the CCPA. Thus, management teams must delve deeper and assess what the financial impact will be based on the size of the business.

Those companies subject to the CCPA must respect the significant privacy rights afforded to California residents regarding how the business collects, processes, and shares their personal information. These include: (1) the right to notice of the categories of personal information collected on California residents and the purposes for which these categories will be used, (2) the right to access any data held by the company on them, (3) the right to opt out of such use, (4) the right to request deletion of any personal information, and (5) the right to equal services and prices of goods and services even where a consumer exercises such rights.

In reality, the cost of CCPA compliance is significant. A recent report indicates the actual cost of CCPA compliance may reach $55B. According to an article in CPO Magazine, when looking at businesses ranging from fewer than twenty employees on the lower end of the scale to greater than 500 employees at the high end, compliance costs may range from $50,000 to over $2,000,000. Consequently, when you examine the aggregate size of such businesses the conservative estimate of $55B in initial outlays for CCPA compliance across California businesses begins to make a lot more sense.

There is a potential silver lining for larger international firms. Companies that were previously subject to GDPR have a leg up on their non-GDPR-compliant counterparts, as much of the underpinnings and legwork required to achieve compliance were already addressed during GDPR compliance efforts. Naturally, in order to maintain compliance there will be ongoing costs, and failure to comply with changing laws and regulations may result in fines and/or penalties. Therefore, CCPA compliance will be a recurring expenditure for businesses. Efforts at efficiency will likely lead to increased outsourcing of privacy work in an attempt to achieve economies of scale and allow businesses to take advantage of specialized expertise.

Consequently, finding data privacy experts and GDPR- and CCPA-knowledgeable compliance consultants may prove essential, not merely in the short term to obtain initial compliance but also in the long term to maintain it and ensure that privacy-related issues are addressed with strict adherence to the regulatory timelines. This is also something for businesses across the country to remain cognizant of, as it is inevitable that additional privacy regulations are forthcoming at the state level as well as nationally. Those companies that are able to get in front of compliance requirements and achieve GDPR and/or CCPA compliance will be well-positioned as these new regulations get implemented. Furthermore, consumers are likely to start choosing to do business with those companies that demonstrate proper data privacy practices.

ADVISORI Can Assist

We understand the level of effort required of businesses to develop, implement and maintain a CCPA compliance program. We know because we have done it. To aid our clients, we have developed a CCPA Compliance Center. By simply installing a CCPA link on your website, we will handle all your CCPA requests by using our people, processes, and technology.

From your website, we will be able to monitor and track customer consent to ensure that personal information is processed legally. We will also receive and process your data subject access requests submitted online or via our 1-800 call center.

Using our PII discovery technology and DSAR Robotic Automation, we provide end-to-end data subject access request fulfillment services, irrespective of the volume. We also provide on-demand reports including DSAR types; locations of origin; fulfillment response rates; and related DSAR trending and forecasting. Outsourcing the cumbersome data subject access request fulfillment obligation to us allows our clients to reduce the risk of untimely responses, data subject complaints, and data protection authority inquiries.

ADVISORI is a purpose-built company with the sole focus of relieving our clients of the oftentimes overwhelming burden of privacy/data protection functions so that they can focus on their core business activities.