
Standard Contractual Clauses 

As summer begins, many companies doing business in the European Economic Area (“EEA”) and the United Kingdom (“UK”) are scrambling to update their Standard Contractual Clauses (“SCCs”). This is the result of the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems (C-311/18) (“Schrems II”), issued on July 16, 2020. The ruling was a seismic shift for companies relying on either the EU-U.S. Privacy Shield Framework or the existing standard contractual clauses as their basis for compliance with Article 46 of the General Data Protection Regulation (“GDPR”). Under Article 45 of the GDPR, personal data may flow freely out of the EEA only to countries that the European Commission (“EC”) has found to provide an adequate level of data protection; transfers to any other country require one of the safeguards set out in Articles 46 to 49. Only 13 countries currently hold an adequacy decision. The United States is not one of them, chiefly because of its government surveillance laws.

Article 46 of the GDPR, on the other hand, allows transfers to countries without an adequacy decision if the data exporter puts “appropriate safeguards” in place to protect the data. For example, the European Union and the United States government negotiated the Privacy Shield framework to facilitate commerce: participating U.S. companies could self-certify to the framework, which served as an Article 46 transfer mechanism and allowed them to receive personal data from the EEA. SCCs are another option, and the most commonly used Article 46 mechanism. SCCs are a standard set of contractual data protection terms and conditions that the data exporter and data importer agree to when personal data is transferred out of the EEA to a country without an adequacy decision.

Remarkably, the CJEU invalidated the Privacy Shield in Schrems II. While the CJEU did approve the continued use of SCCs as a valid Article 46 transfer mechanism, it identified legal concerns with the existing SCCs. Moreover, the CJEU underscored a fundamental rule for transfers out of the EEA to countries without an adequacy decision: the data exporter must verify, on a case-by-case basis, whether the destination jurisdiction ensures a level of protection essentially equivalent to that guaranteed by EU law. In practice, companies relying on SCCs must conduct a transfer risk assessment to determine whether the surveillance laws or practices of the third country may undermine the effectiveness of the transfer mechanism. If the assessment reveals such a risk, the data exporter must apply “supplementary measures” to the transfer sufficient to mitigate it, so that the transferred data enjoys a level of protection essentially equivalent to that within the EU.

Brexit further complicates cross-border data transfers from the EEA and the UK. The UK left the European Union on January 31, 2020, and EU law ceased to apply to it when the transition period ended on December 31, 2020. Since January 1, 2021, neither the CJEU nor the EC has jurisdiction over the UK. Instead, the UK’s primary data protection authority is the Information Commissioner’s Office (the “ICO”), and the “UK GDPR” has replaced the GDPR in UK law. In practice, this means that companies transferring data out of the EEA, out of the UK, or both may need to use two different sets of transfer clauses: one set approved by the EC (EU SCCs) and another approved for use under the UK GDPR (UK SCCs). This article focuses on the EU SCCs.

Guidance on International Personal Data Transfers 

On November 10, 2020, the European Data Protection Board (EDPB) released its draft Recommendations 01/2020 on measures that supplement transfer tools (the “Guidance”) to assist data exporters with the transfer risk assessments that Schrems II now requires. The EDPB set out a six-step program, as follows:

First: the EDPB recommends that the data exporter “know your transfers.” Above all, a data exporter must fully understand where its EEA personal data is flowing. This is usually best accomplished through data mapping and the development of an accurate and comprehensive Article 30 GDPR record of processing activities.

Second: the data exporter must identify and re-evaluate the Article 46 transfer tools it relies on (e.g., SCCs, BCRs, etc.). The critical question is whether these tools give data subjects the same level of protection that EU law requires.

Third: the data exporter must assess whether anything in the law or practice of the destination country undermines its Article 46 transfer tool. For example, do the laws of the destination country allow its government to obtain personal data without the permission, or even the knowledge, of the data exporter?

Fourth: the data exporter must adopt “supplementary measures” to mitigate any risk identified in step three. Supplementary measures may be contractual, technical, or organizational, and must be sufficient to ensure that the transferred personal data retains the level of protection it has in the EEA.

Fifth: the data exporter must take all “formal procedural steps” needed to adopt the supplementary measures. For instance, a data exporter may add clauses to the SCCs to strengthen the contractual safeguards for the transfer.

Sixth and finally: the data exporter, with the assistance of the data importer, must re-evaluate the steps above at appropriate intervals.

If your company is struggling with where to start, please take our free Standard Contractual Clauses Assessment. You can also learn more about SCCs on our most recent blog or schedule a meeting with us here.


Advisori can assist your company in updating its existing Standard Contractual Clauses ("SCCs"). It's difficult to find the right resources for the job, from experienced privacy attorneys to contract managers. As a result, we have assembled a specialized team to assist our clients with meeting their compliance deadlines.

What are Standard Contractual Clauses and why use them? 

The transfer of personal data gathered in the European Economic Area (“EEA”) and the United Kingdom (“UK”) is strictly regulated by the General Data Protection Regulation (the “GDPR”) and, in the UK, the UK GDPR. For instance, personal data can flow freely from the EEA to just 13 countries, namely those that the European Commission (the “EC”) has found to have “adequate” data protection laws and practices. Companies collecting personal data in the EEA that want to transfer it to any other country must therefore apply “appropriate safeguards” to the data.

The most widely used safeguard is the set of standard contractual clauses, commonly referred to as “SCCs.” SCCs are standardized, pre-approved contractual terms, developed by the EC, intended to ensure that personal data transferred to a country without an adequacy decision enjoys essentially the same level of protection as it does under European Union law. Despite all the attention on the newly published SCCs, the concept is not new: the EC approved the prior versions under the old Directive 95/46/EC (the “Old SCCs”). For the reasons discussed above, the EC published two new sets of SCCs on June 4, 2021. The “First Set” replaces the Old SCCs and is used for international transfers of personal data. The “Second Set” (which is genuinely new) governs the relationship between controllers and processors under Article 28 of the GDPR, including those operating solely within the EU. For simplicity, the First and Second Sets are collectively referred to below as the “New SCCs.”

The New SCCs reflect significant changes in EU law. The Old SCCs came in two separate sets, one covering controller-to-controller transfers and another covering controller-to-processor transfers. The New SCCs are designed to be more versatile and easier to use: they remain a set of non-negotiable standard clauses, but they are organized in a modular format covering transfers from (i) controller to controller; (ii) controller to processor; (iii) processor to processor; and (iv) processor to controller.

Critically, businesses have until December 27, 2022, to replace all Old SCCs in existing contracts with the New SCCs. For some businesses this will be a monumental task. Advisori can help. We have the privacy lawyers, contract managers, and analysts necessary to handle any SCC update project.

We do the following to ensure that our clients meet their regulatory guidelines.

  • We collaborate with internal stakeholders to identify and gather all contracts and artifacts required to scope the SCC remediation project.
  • We examine all existing contracts and data transfers to identify contracts and SCCs that need to be updated.
  • We develop a comprehensive project plan that includes deliverables and a tracking schedule.
  • We create a detailed SCC remediation project playbook tailored to your company's operations and size.
  • Existing contracts are drafted/revised, and their SCCs are updated.
  • We identify and work with the counterparties in privity of contract with our clients to ensure that all contracts are updated and executed.

Please take our free Standard Contractual Clauses Assessment. You can also learn more about SCCs on our blog or schedule a meeting with us here.

If your company transacts business with residents of the State of California, you have likely heard a lot about the California Privacy Rights Act (“CPRA”). The CPRA is a legal evolution of California’s first comprehensive privacy law, the California Consumer Privacy Act (“CCPA”), and is commonly referred to as CCPA 2.0. The CPRA is viewed by many as California’s version of the European Union’s General Data Protection Regulation (“GDPR”), and there are significant parallels between the two regimes.

For instance, the CCPA provides California residents with a range of privacy rights, such as the right to know the types and categories of personal information (“PI”) a business collects, the purposes of collection, and with whom the information is shared; the right to access the personal information the business holds about them; and the right to have that PI deleted from the business’s databases. The CPRA was approved by California voters as Proposition 24 in November 2020, takes effect on January 1, 2023, and becomes enforceable on July 1, 2023.

The first consideration for every business should be whether it falls under the purview of the CPRA. The CPRA applies to any for-profit business transacting business in California that:

  • As of January 1, of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year;
  • Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
  • Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

If your business satisfies one or more of the categories above, we can assist you with developing, implementing, and maintaining a CPRA compliance program.

Advisori’s Automated Privacy Notice

We ensure that your website privacy notice is CPRA compliant using our digital Privacy Notice platform. Where a business collects PI from California residents, it must advise them of the following:

  • How their PI is collected by the business, i.e., website cookies/trackers,
  • What types and categories of PI are collected,
  • With whom their PI is shared,
  • How long their PI is retained by the business,
  • How the data subject can request a copy of their PI,
  • How they can request correction of their PI,
  • How they can request deletion of their PI, and
  • How they can request to opt-out of having their PI collected, shared, or sold.

In addition, the CPRA includes a new data category - sensitive personal information (“SPI”), which includes:

  • Social Security Numbers,
  • Driver’s License Numbers,
  • Passport Numbers,
  • Financial Information,
  • Racial and ethnic origin data,
  • Precise geolocation data,
  • Health data,
  • Religious affiliation, and
  • Trade union membership.

With a simple installation of our privacy notice code on your website, we will build, display, and manage your CPRA compliant privacy notice.

DSAR Fulfillment

In addition to advising California residents of their privacy rights, a business must give them a way to exercise those rights. Requests to do so are commonly referred to as data subject access requests (“DSARs”). Under the CCPA/CPRA, a regulated business must offer California consumers at least two methods for submitting requests, such as an email address and a toll-free number. The business must respond to a verifiable request within 45 days, which it may extend by up to a further 45 days in limited circumstances, provided it notifies the consumer.

The DSAR process is complicated as a business holding PI must be able to search its databases to find the data belonging to an inquiring customer. We can do this for our clients using our AI-driven data discovery tools to search for, classify, and catalog personally identifiable information, both structured and unstructured, residing in the cloud or on-premises. By doing so, we provide our clients with a comprehensive and dynamic view of their PII across their data inventories. This includes identifying, retrieving, and deleting data belonging to a single customer. We can do this nearly instantaneously.

Not surprisingly, the CPRA requires that a business properly verify the identity of any customer submitting a DSAR. We are able to do this using a variety of electronic means. Moreover, we provide our clients with a customized electronic data request portal where their customers can go to the business’s branded portal and submit a DSAR. Using this same portal, the customer can retrieve any requested data from this secure portal. Just as importantly, all activities are electronically documented for compliance purposes.

Read more on our blog, visit us at www.advisori.com, or drop us a line at info@advisori.com to learn more about our CCPA/CPRA solutions.

Under EU law, and under several state laws in the US, a data subject (a natural person) has the right to see the personal data a business holds on her and to know how that business is using it. A person exercises these rights by making a Data Subject Access Request (DSAR) to the business holding her data. Depending on the law (GDPR, CCPA, etc.), data subjects may have some or all of the following rights: (1) access to the data the business holds on them; (2) deletion of their data; (3) correction of their data; (4) opting out of the sale of their personal data to third parties; (5) opting out of, or restricting, the processing of their personal data; and (6) data portability (the right to receive an electronic copy of their data).

While data rights are good for consumers, businesses often struggle with fulfilling these requests, even routine DSARs. For instance, a business must first properly verify that the data subject making the request is who she claims to be. This necessity is becoming increasingly critical as more and more nefarious actors seek to steal personal data from businesses. Therefore, businesses must meticulously vet and verify persons requesting to exercise their data rights.

Once a data subject is finally verified, the data discovery process itself is often cumbersome as businesses often collect and store customer data via numerous systems used to accomplish specific customer and business needs, like customer bookings and business marketing for example. The mere task of finding a certain person’s data in these multiple data stores can be like trying to find a needle in a haystack.

Also, hundreds or even thousands of copies of the same data can be in numerous databases (what we call data sprawl), making data deletion requests a nightmare to fulfill. In the data deletion/anonymization context, a multiplicity of systems means the efforts to find, erase, or anonymize data upon request can become much more time consuming than if the subject’s data is in a single solitary system. Each additional system in which the data is stored adds to the level of effort needed for the business to fulfill a DSAR.

Many businesses are still using a manual data subject verification and fulfillment process, which means the need for greater privacy specialist headcount, and thus more business costs. In addition to being inefficient and labor intensive, manual DSAR fulfillment means human error in both the data subject verification and data discovery process thereby exposing the business to violations of privacy laws and resulting regulatory fines.

Ongoing developments in privacy law worldwide promise to increase the burden of DSAR fulfillment, as consumer privacy laws are emerging rapidly both globally and in the US. For instance, the California Consumer Privacy Act (CCPA) came into effect in 2020, following the 2018 effective date of Europe’s General Data Protection Regulation (GDPR). Currently, California, Colorado, and Virginia have laws that provide, or will provide, the functional equivalent of DSARs, while Nevada gives its residents the right to opt out of the sale of their personal data.

While the COVID-19 pandemic resulted in a temporary reduction in the number of incoming DSARs; our clients have seen an increase in the numbers of people exercising their privacy rights in the past several months, returning to and in some cases exceeding pre-COVID numbers. We can expect these numbers to steadily increase over the coming months. Not only are more people becoming aware of their privacy rights under existing laws in their jurisdictions, but additional jurisdictions such as Brazil and China have added privacy rights to their laws. We also expect additional states to follow the example of current data privacy laws in CA, CO, NV, and VA, at some point in the future, and a Federal privacy law is not out of the question in the next few years.

Rising DSAR volumes will become a major cost center for firms in the coming years unless they act proactively. According to a Gartner survey, businesses report spending, on average, $1,400 per data subject rights request. Unfortunately, some requests cost even more than this eye-popping number. For instance, some records require the redaction of large amounts of information to protect the privacy of persons other than the data subject, multiplying the cost of fulfillment.

Keeping customer data in multiple purpose-built systems is, on its own, sound business practice and makes for efficient use of that data. However, the resulting redundancy and multiplicity of systems match poorly with the access and erasure rights that customer bases worldwide are now beginning to exercise. For this reason, companies that tackle DSARs manually see their cost per request start high and go higher.

Businesses looking to outsource their DSAR fulfillment process can rely on Advisori. Advisori is a full-service DSAR Fulfillment Center. Our virtual DSAR platform allows a data subject to submit a DSAR directly to our Fulfillment Center through our secure DSAR portal. We verify the data subject using multiple means and sources, use our technology to search every type of data store for personal data of all categories and formats, and then package all related personal data for return to the data subject through the same secure portal. The data subject can review her data in the portal or download it. When a deletion request is filed, we can also find and delete or anonymize the data. We do this quickly and efficiently to ensure that all DSAR regulatory requirements and deadlines are met. The bottom line is, we help our clients fulfill DSARs cheaper, faster, and better. Check us out at www.advisori.com or contact us at info@advisori.com.

Are You Getting Noticed?

Privacy compliance obligations are becoming increasingly onerous for global and even US-based companies. The European Union’s General Data Protection Regulation (“GDPR”) is often seen as the gold standard of privacy frameworks, as evidenced by its influence on other privacy laws such as the California Consumer Privacy Act (“CCPA”) and Brazil’s General Personal Data Protection Law (“LGPD”).


Unfortunately, the GDPR, and the laws modeled after it, are highly complex. For instance, the GDPR has eleven chapters containing 99 articles. Because of the complexity and nuance of existing and emerging privacy regulations, we at Advisori are often asked by our clients where to start with privacy compliance. We believe the first step is knowing what personally identifiable information (“PII”) the business possesses and what it is doing with it. The second step is developing a data privacy/protection strategy based on the governing privacy regulations, existing capabilities, and available resources.

The third step is memorializing the above in a written privacy policy and a privacy notice. We often see privacy policies and privacy notices conflated. While related, they are distinct concepts with different requirements. In this blog, we focus on privacy notices.

A privacy policy is an internal resource, which should instruct employees on the organization's rules related to PII. In contrast, a privacy notice is a publicly facing document advising potential and existing customers, website visitors, and others on the organization’s PII collection, use, and related privacy practices; more specifically, what categories of PII the organization is collecting and who it is collecting this data from; how it is collected, who it is shared with, what legal basis the organization has for collecting the data, when the data is purged, and what rights the data subject has regarding the collection and use of their data.

As a matter of best practice, we believe an organization should publish a privacy notice in most cases, even where the law does not mandate one. Articles 12, 13, and 14 of the GDPR set out the requirements for privacy notices.

At a high level, a privacy notice should include enough information for the data subject to understand what personal data is being collected, why it is being collected, what it is being used for, how long it is being retained, and how the data subject can restrict the processing of her data or withdraw her consent.

We note, however, that many regulators treat a privacy notice as a promise by the organization to the data subject. A privacy notice must therefore be both accurate and transparent. The GDPR requires plain-language privacy notices, free of legalese and of terms buried in poorly structured paragraphs. Furthermore, privacy notices should use definite language rather than qualifiers such as “may,” “might,” “some,” “often,” or “usually,” as a regulator can read such terms as deliberately vague.

Privacy notices should be conspicuously labeled as “PRIVACY NOTICE” and should be in writing, placed on the organization’s website (on the same page where data collection occurs) and be available orally upon request both to ensure adequate comprehension by the reader and to aid the visually impaired.

The following elements should be included in a Privacy Notice.

  • Contact information for the representative/data protection officer;
  • Purpose and legal basis for processing personal data;
  • The legitimate interests of the organization (or third party);
  • Recipient or categories of recipients of personal data;
  • Details related to any inter-country transfers of personal data, as well as procedural safeguards in place;
  • The duration that the data is being kept (retention period), or the criteria under which data is retained;
  • The existence of the rights of the person from whom data is collected (referred to as a data subject under GDPR);
  • The right to withdraw consent;
  • The right to initiate a complaint with the supervisory authority;
  • Whether providing the personal data is a statutory or contractual requirement, and the possible consequences of failing to provide it (not required where the data is obtained from a third party);
  • The existence of any automated decision-support/decision-making system; how the system has been set up, its overall process, and any resulting consequences;
  • If data is obtained via third-party, then privacy notice must advise the categories of personal data that is being collected; and
  • When the privacy notice was last updated.


Privacy Notice Challenges

Drafting and updating privacy notices are time-consuming and risky for a number of reasons. From a legal perspective, there are numerous country/region-specific privacy laws and a rapidly growing number of state-specific US privacy laws. As such, businesses operating in multiple jurisdictions may need to comply with more than just one privacy law/regulation. For instance, California has specific privacy notice requirements unique to that state. Many businesses do not have in-house privacy counsel to draft and maintain privacy notices and outsourcing such work to a law firm can be costly.

Furthermore, privacy notices are dependent on the business’s data. The categories of PII collected by a business, as well as the business's use of such data, often change as the business evolves. Maintaining an accurate manual data catalog and keeping the privacy notice synced with the business’s ever-changing data collection/processing is often an untenable task, even for small businesses. The bottom line is, a privacy notice is only as good as a business's understanding of its data assets to include PII provided by and shared with its customers, vendors, and business partners.

The above effort is even more complicated for larger businesses with segmented departments like product development, marketing, sales, etc., as each group has its own needs and purposes for collecting and processing PII. Moreover, a business can have multiple subsidiaries requiring the use of multiple websites, each with its own set of cookies and other data collection and user tracking technologies.

For the reasons outlined above, privacy notice management is a significant task. Relying on a manual process to do so is often time-consuming and tedious. Aside from the reputational risks associated with inaccurate or incomplete privacy notices, the business is further exposed to regulatory violations and related penalties when failing to have an accurate and transparent privacy notice.

How Advisori Can Help.

Advisori has the people, processes, and technology necessary to help our clients manage their privacy notices. Using Securiti.ai’s secure privacy portal, we collaborate with all necessary stakeholders to select the appropriate privacy notice from our extensive template library. We then tailor the chosen notice to the business’s operations to produce a regulatory-compliant, accurate, detailed, and transparent public-facing Privacy Notice.


We also give our clients the option of AI-powered robotic automation and data intelligence, which enables a continuous scan of data stores and an automatic updating to any changes to the collection, processing, sharing, selling, or retention of personal data. These updates are then pushed to the business’s published privacy notice, thereby allowing real-time updates. This can even include cookie related updates as well.

Reach out to us at info@advisori.com to learn more.

The first pillar of a strong data protection/privacy program is an effective data discovery and classification capability. The bottom line is, you have to know your assets in order to protect them properly.

In addition to its data protection benefits, data mapping is often required by law. For instance, the EU’s General Data Protection Regulation (GDPR) requires covered entities to create what is known as a “Record of Processing Activities” (ROPA). More specifically, Article 30(1) of the GDPR requires a data controller to maintain a written ROPA (which may be in electronic form) containing the following elements:

  • The name and contact details of the controller and, where applicable, any joint controller, the controller’s representative, and the data protection officer;
  • The purposes of the processing;
  • A description of the categories of data subjects and of the categories of personal data;
  • The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
  • Any transfers of personal data to a third country or international organization, identifying the country or organization and, for certain transfers, documenting the suitable safeguards relied on;
  • Where possible, the envisaged time limits for erasure of the different categories of data; and
  • Where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

The bottom line is, the ROPA is an important undertaking as it gives companies a complete inventory of their data processing and provides an overview of precisely how personal data is being handled. From a practical standpoint, an accurate, updated, and comprehensive ROPA helps companies remain legally compliant, thereby helping them avoid sanctions, fines, or penalties that might be otherwise imposed under the GDPR.

Advisori understands that developing and maintaining a ROPA, even for the smallest enterprise, is a significant undertaking. However, as data privacy laws grow and evolve (e.g., GDPR, CCPA/CPRA), we believe best practice dictates that even companies not required to build a ROPA would reduce their overall risk by doing so. As described above, building a ROPA requires a company to discover, with precision, the types and volumes of data it holds, its related processing activities, its cross-border data transfers, and its data retention schedules. From there, the company must document its legal basis for collecting and processing all of the personal data it holds. Finally, it must accurately document what it is doing to protect that personal data.

We provide our clients with the people, process, and technology needed to efficiently build and, just as importantly, maintain an accurate, comprehensive, and current ROPA. Our DPOs have extensive experience building and maintaining ROPAs for businesses in all industries, operating around the world. Moreover, Advisori has partnered with Securiti.ai to provide our clients with advanced data mapping automation technology. Combining this technology with our mature data mapping processes, our DPOs start by creating and distributing user-friendly electronic assessments custom-tailored to each client. These assessments allow us to quickly identify the business assets, vendors, and institutions that hold or process personal data. From there, we scrutinize company assets to produce a precise and current data inventory and map those assets to processing activities. Where appropriate, we further assess each asset for privacy risks, which we quantify and document, allowing us to implement effective risk mitigation strategies.

Data Mapping Automation

When considering what a ROPA really is, one might surmise that this knowledge already exists organizationally and is readily available. That may be true for some companies; however, this critical information is typically siloed and lives within multiple knowledge bases, which are neither centrally maintained nor refreshed on a regular basis. Therefore, from a company perspective, automated data discovery and ROPA development just makes good business sense, irrespective of whether or not a regulatory body mandates it. Also, as consumers grow increasingly savvy and more “data-privacy conscious,” the smart play is to get in front of this now.

Contact the Advisori Team: we can get this process underway, and give you the people and tools you need to maintain compliance.

This fall begins a new journey for businesses transferring personal data outside the European Economic Area (EEA). On June 4, 2021, the European Union’s executive branch, the European Commission (“EC”), released their highly anticipated new and updated Standard Contractual Clauses (“SCCs”). The EC’s new SCCs are the result of the Court of Justice of the European Union’s (“CJEU”) Schrems II decision, which ultimately invalidated the “EU – US Privacy Shield” – a mechanism designed to regulate the flow of personal data from the European Economic Area (EEA) to “third countries” such as the United States.

Under Article 45 of the General Data Protection Regulation (“GDPR”), personal information can only be lawfully transferred to third countries that the EC has determined to have “adequate” privacy safeguards. Currently, this list contains just 13 countries, and the U.S. is not one of them due to U.S. government surveillance laws. Instead, to facilitate commerce, the European Union and the U.S. government agreed to the Privacy Shield framework. Until the CJEU’s Schrems II ruling, U.S. companies could self-certify under the Privacy Shield framework, allowing them to receive personal data transfers from the EEA. Prior to the Schrems II decision, the Privacy Shield and SCCs were the data transfer mechanisms most commonly used by U.S. companies.

Standard Contractual Clauses (SCCs)

SCCs are standard sets of contractual terms and conditions approved by the EC to which both the data “exporter” and the data “importer” of EEA personal information must agree before personal data can be transferred outside the EEA to third countries without adequacy decisions. SCCs have been in existence since 2001 and were amended first in 2004 and then again in 2010. The old SCCs were separate agreements: one for data transfers from controllers to controllers and one for transfers from controllers to processors. Many will find the new SCCs more user-friendly, as they are contained in one document consisting of four “modules”: transfers from controller to controller; transfers from controller to processor; transfers from processor to processor; and transfers from processor to controller.

In addition to the new format, this version of the SCCs incorporates Article 28 of the GDPR (the old SCCs were developed under the Data Protection Directive, the GDPR’s precursor). Article 28 sets forth the required terms of the contract between a controller and a processor (and between a processor and a sub-processor), including the “technical and organisational measures” the processor must implement. Because the new controller-to-processor and processor-to-processor modules contain these Article 28 terms, the parties no longer need a separate data processing agreement to cover transfers to data processors.

Transfer Impact Assessments

While the CJEU did uphold the use of SCCs, the Court warned that signing this data transfer mechanism is not sufficient on its own – data exporters are still required to conduct a Transfer Impact Assessment (“TIA”), a case-by-case assessment of each cross-border transfer to ensure that the data protection requirements set forth in the SCCs can actually be met in the destination country. Clause 14 of the new SCCs lays out the TIA criteria, including: 1) the specific circumstances of the transfer (e.g., the categories and format of personal information, the number of individuals involved, the type of data recipient, the purpose of processing, etc.); 2) the laws and practices of the third country of destination; and 3) any supplementary safeguards (contractual, technical, or organisational) needed to ensure compliance with the SCCs’ data protection requirements. Also critical to compliance, the data exporter must document its TIAs and make them available to the competent supervisory authority on request.

Supplemental Measures

Should the TIA conclude that the recipient third country’s legislation impinges on the effectiveness of the Article 46 GDPR data transfer mechanism, data exporters must identify and rely upon supplementary measures, as mentioned above, to ensure that personal information is sufficiently safeguarded. For instance, the data exporter may implement technical safeguards such as data encryption or pseudonymization. The data exporter may also impose additional contractual safeguards on the data importer, such as requiring additional technical safeguards or requiring it to submit to audits. Finally, the data exporter may rely on organizational measures to enhance data transfer protections, such as data transfer policies and procedures and data minimization/purging policies.

New SCCs Enforcement Timeline

The old SCCs were repealed on September 27, 2021, meaning that all new cross-border data transfers must now be governed by the new SCCs. All existing SCCs will remain in effect until December 27, 2022 (and must be updated by that date).

How Advisori Can Help

Advisori has seasoned professionals who know the GDPR, understand the Schrems II decision, and have completed cross-border data inventories, TIAs, and SCCs for EEA exporters and U.S. importers of personal data.

SCCs Related Services

Please contact us at info@advisori.com to learn more.

Businesses collecting and processing personal information are at extreme risk. The month of July 2021 was particularly concerning, as Amazon was fined a record $886.6 million for allegedly violating the European Union’s General Data Protection Regulation (“GDPR”), while TikTok was fined 750,000 euros ($885,000 US) for failing to post its privacy statement in Dutch. The reality is that data protection authorities are becoming more active in the enforcement of data protection regulations, and they are not going to slow down.

Advisori is in the business of privacy risk management, and our clients seek guidance on how to effectively manage their privacy risks using their available resources. One of the most frequent questions we get is whether or not the business is required to appoint a data protection officer (“DPO”). The legal answer to that question is relatively straightforward, as outlined by Article 37 of the GDPR: if a business processes the personal data of individuals in the EU and any one of the following applies, the appointment of a DPO is a regulatory requirement:

  • The organization is a public authority or body;
  • The business’s core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale (judged, for example, by the number of data subjects and the volume of personal data being processed); or
  • The business’s core activities consist of the large-scale processing of special categories of data, such as health data, religious beliefs, racial or ethnic origin, or sexual orientation, or of data relating to criminal convictions and offences.

For organizations that are not legally required to appoint a DPO, we suggest that they still consider doing so where the business handles personal information, especially that of individuals in the EU. For instance, Article 37 dictates that the DPO be designated on the basis of expert knowledge of data protection law and practices. A DPO is also responsible for staying abreast of the corporate privacy policies and procedures so as to fully comprehend how data is being collected, used, shared, and retained by the business. Moreover, as Article 39 lays out, the DPO serves as the contact point between the business and the supervisory authorities. Finally, and perhaps most importantly, a DPO interacts with data subjects by both servicing their data subject access requests and answering customer questions about how the business collects, processes, and protects personal information.

An experienced DPO serves a critical risk mitigation function. As international and state privacy laws become more prevalent and as privacy regulators take a more aggressive position on enforcement, businesses must navigate a complex and ever-changing regulatory landscape (consider the adoption of the GDPR and the ever-expanding list of jurisdictions that are adopting the same or similar data privacy protections). A DPO can significantly reduce privacy risk by advising the business on data protection best practices, managing critical operational data protection activities like data security assessments and audits, as well as providing employees with data protection education, training, and strategies.

However, the DPO is not just an “insurance policy.” Having a DPO sends a strong message to the marketplace that the business takes data privacy and protection seriously.  In a tightening competitive landscape, that difference could be critical for any business because customers are demanding that businesses respect and ensure their privacy.

In sum, a DPO serves as the face of a business's data protection program by ensuring critical regulatory compliance and by demonstrating, to data protection authorities and to the public, that the business is serious about data protection and customer privacy.

California voters continue to demand privacy. On November 3, 2020, a majority of California voters approved Proposition 24, the California Privacy Rights Act of 2020 (the “CPRA”), further expanding California’s existing California Consumer Privacy Act (“CCPA”). California’s new enforcement body, the California Privacy Protection Agency (“CPPA”), will begin the process of adopting regulations implementing the CPRA on July 1, 2021, with final regulations due by July 1, 2022. The CPPA operates as an independent overseer of the CPRA and is tasked with both enforcement of the CPRA and information and outreach to ensure that businesses and consumers are informed of their rights and obligations. While the original enforcement arm of the CCPA was the California Attorney General, the CPPA augments that core function with the addition of an educational outreach program (see “What is the California Privacy Protection Agency” at IAPP.org).

Additionally, each set of proposed regulations will follow the normal agency rulemaking process and will be subject to a public comment period prior to adoption. CPRA enforcement begins on July 1, 2023. This two-year enforcement delay will give affected businesses valuable time to prepare for the new requirements. It is expected that the specifics of key provisions, including, among others, opt-outs, the timing and frequency of consumer correction requests, and whether the look-back window extends beyond 12 months, will all be settled during 2021 and 2022 under standard agency rulemaking procedures.

While businesses prepare for the CPRA enforcement date, those in charge of compliance should keep in mind that the CCPA will continue to govern California residents’ privacy rights in the interim. Accordingly, affected businesses that are not yet compliant with the CCPA should begin their privacy compliance journey there, as CCPA enforcement will likely ramp up. For instance, the California Attorney General’s office has been sending out CCPA “Notices to Cure” since mid-2020; any entity receiving such a notice has a 30-day window to remedy the claimed violation.

For those businesses that have CCPA privacy programs in place, their efforts have not been in vain since the CPRA is a revision and expansion of the existing CCPA framework. In sum, the CPRA is less revolutionary and instead, more evolutionary.

For businesses operating in California, no matter their current privacy posture, they should consider the following questions:


Will the CPRA affect your Business?

Obviously, the first step a business should take is to determine whether it is subject to the CCPA, the CPRA, or both. A business is governed by the CCPA if it does business in the State of California and a) has annual gross revenues of more than $25 million; b) alone or in combination, annually buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or c) derives 50% or more of its annual revenues from selling consumers’ personal information (“PI”).

The CPRA, on the other hand, is more favorable to small businesses in that it amends threshold b) above by raising the figure to 100,000 consumers or households and omitting the “devices” category. The key point here is that some small businesses currently governed by the CCPA may be freed from these compliance obligations when the CPRA becomes operative on January 1, 2023, provided they do not meet either of the other two thresholds.


Does your Business tell your customers what data you are collecting from them?

The CPRA imposes an affirmative duty on a covered business to inform consumers “at or before the point of collection” of 1) the categories of personal data being collected on them; 2) the purpose for which the company will use this personal information; and 3) whether such personal information will be sold or shared. Also critical, should your business change or modify the use of any collected personal information, it must give notice to the affected individuals of this change.


Is your business seeking and obtaining lawful consent from your customers for the collection and use of their PII?

The issue of “consent” is somewhat ambiguous; the CPRA adopts a definition of consent modelled on the GDPR’s – “…freely given, specific, informed, and unambiguous indication of the consumer’s wishes”. The CPRA goes even further by expressly providing that acceptance of general or broad terms of use does not constitute consent, and that consent cannot be inferred from a consumer merely hovering over a website consent button or closing a consent pop-up. Essentially, the consent requirements in the CPRA are largely analogous to those under Article 4(11) of the GDPR; however, the regulations outlining how “consent” will be interpreted under the CPRA are still fluid as the rulemaking process proceeds throughout 2021.

Considering how the GDPR definitions have been historically interpreted, however, businesses can expect that “freely given” consent means the consumer must be given an actual choice. In other words, cookie walls or take-it-or-leave-it clickthroughs will likely not be sufficient. Furthermore, businesses must make the option of revoking previously given consent as simple as it was for the consumer to provide it.  “Specific and Informed” means that entities must advise consumers of what data is being collected on them and how the business intends to use this data at a granular level. Finally, “unambiguous” consent requires an affirmative action by the consumer and cannot merely be some default or pre-selected items on a form. For now, it appears that the consumer must take an affirmative act to properly indicate her consent.


Does your business “share” personal information?

The CPRA expands California’s governance of PI to the sharing of personal information, not just selling it. The CPRA defines sharing as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”

Under the CCPA, only “sales” – disclosures of PI in exchange for money or other “valuable” consideration – trigger the obligation to provide consumers with an opt-out. The CPRA goes further: a business “sharing” PI for cross-context behavioral advertising must provide consumers with the means to opt out of that sharing, whether or not the business derives any financial benefit from it.

However, it is important to note that disclosures to service providers or contractors (a category into which many online advertising and cookie vendors may fall, depending on their contractual role) do not constitute “sharing” and are not covered by this opt-out.


Will your business’s webpage be compliant with the CPRA?

The CCPA currently requires businesses to provide consumers with “two or more designated methods for submitting requests for information” about the data collected on them, including a toll-free number. The CPRA expands consumer privacy requests to include PI deletion and correction. If the business has a website, it must allow consumers to submit information access requests through that website. As further addressed below, the CPRA will expand the consumer’s ability to control her data through company websites.


Does your Business Collect, Process, Sell, or Share Sensitive Personal Information?

The CPRA introduces an entirely new data classification: sensitive personal information, which includes passport numbers, driver’s license numbers, and social security numbers; account log-in or credit card numbers in combination with the access credentials needed to use them (e.g., PINs or CSCs); precise geolocation data; racial or ethnic origin, religious beliefs, union membership, genetic data, biometric data used to uniquely identify a consumer, health information, and sex life or sexual orientation; and the contents of mail, e-mail, and text messages where the business is not the intended recipient. Where a business collects such sensitive personal information, it must post a “Limit the Use of My Sensitive Personal Information” link on its website giving consumers the right to restrict the use of this data to what is necessary to perform the services or provide the goods requested.

As indicated above, the CPRA is both a revision and expansion of the CCPA. While affected businesses have a two-year window to prepare for CPRA enforcement, they cannot forget the obligations and penalties associated with CCPA. For more information, please contact us at info@advisori.com.

Since the United Kingdom’s departure from the EU, ADVISORI has received multiple inquiries from UK based organizations regarding Brexit’s impact on the application of Article 27 of the General Data Protection Regulation. We offer this guidance to assist those organizations with Article 27 compliance.

Setting aside Brexit, we have found that Article 27 is often overlooked or misunderstood because it is confused with Article 37’s data protection officer requirement. While complementary, the roles and responsibilities identified in these two articles are quite different. For instance, a data protection officer must operate within the highest levels of the company to educate the organization on data privacy and protection regulations; identify existing privacy risks; develop, implement, and maintain effective risk mitigation strategies; achieve overall compliance with data privacy requirements; and work with both data subjects and data protection authorities to ensure that private and sensitive data is properly collected, processed, and destroyed when necessary.

Representation Article 27


In contrast, the Article 27 data protection representative serves primarily as the front-line contact for the organization and “…should perform its task according to the mandate received from the controller or processor, including cooperation with the competent supervisory authorities with regard to any action taken to ensure compliance with [the GDPR].” (See Recital 80 of the GDPR).

In sum, the DPO should be proactive in organizational data protection activities while the representative is more reactive to data subject and data protection authority inquiries and requests.

Article 27 requires controllers and processors not established in the European Economic Area (EEA) that offer goods or services to, or monitor the behaviour of, individuals in the EEA (Article 3(2) of the GDPR) to designate a representative in the EEA as described above. The only exemptions are for public authorities and for processing that is occasional, does not include large-scale processing of “special categories of data” or of data relating to criminal convictions, and is unlikely to result in a risk to individuals’ rights and freedoms. Any organization processing EEA residents’ data on a “large scale”, or processing special categories of data, therefore falls squarely within the requirement.

Prior to Brexit, these organizations could appoint a single representative, as the UK was part of the EEA. Post-Brexit, organizations based outside both the UK and the EEA may need two representatives. For instance, if a non-UK/EEA organization collects or processes data belonging to UK residents, it is required to have a UK representative under the UK GDPR. If the same organization also collects or processes data belonging to individuals in the EEA, it must additionally designate a representative established in one of the EEA member states where those individuals are located.

Adding to the complexity, the Irish Data Protection Commission (DPC) has suggested that using a single person serving as both data protection officer and data protection representative could give rise to a conflict of interest. Best practices dictate that the roles should be separated.

Despite the complications identified above, any organization dealing with UK or EU data must act. On May 12, 2021, the date of this publication, the Dutch DPA announced a €525,000 fine against a non-EU organization serving EU residents for failure to appoint a data protection representative.

For assistance with determining your organizational needs relating to Article 27, please contact us at info@advisori.com.