Staying Ahead of the EU Data-Protection Curve: How Companies Can Ensure Continued Transatlantic Data Transfers

Though European Union authorities are still finalizing new rules governing the transfer of personal data outside of the EU, European data exporters and US-based data importers should take steps now to comply with anticipated new requirements.

Those coming requirements, laid out in two draft guidance documents issued by European authorities last month, could prove disruptive. Companies on both sides of the Atlantic should start working toward compliance now by taking the key steps detailed below—some of which will require significant time and resources. Companies that fail to act risk fines, investigations by European data protection authorities, legal actions by data subjects, and, perhaps most severe, orders to terminate data transfers.

The new guidance marks the latest development in a years-long struggle by European courts and regulators to grapple with a fundamental question: whether US intelligence agencies’ access to European personal data processed by US companies is consistent with European law. In July, the Court of Justice of the EU (CJEU) in Schrems II struck down the EU-US Privacy Shield and cast doubt on whether Standard Contract Clauses (SCCs), which impose EU data protection obligations through contracts between data controllers established in the EU and data recipients established in a recipient country (or “third country”), could adequately protect transferred data.¹ The CJEU found that while SCCs were valid in principle, the validity of SCCs in a particular circumstance turns on whether it is possible “in practice” for the European personal data to receive “essentially equivalent” protection in the third country as in the EU. This may be a difficult standard for US companies to meet as the CJEU, in striking down the EU-US Privacy Shield, held that US surveillance laws did not provide “essentially equivalent” protections.

The recent guidance documents reflect EU regulators’ attempt to strike a balance between fostering EU-US business relationships and protecting European personal data from US intelligence agencies following Schrems II. However, it remains to be seen whether European stakeholders policing EU-US data transfers, such as European data protection authorities or courts, will find the proposed balance palatable or demand more stringent data protections.

Recent Developments

On November 10, 2020, the European Data Protection Board (EDPB)—an independent body overseeing EU data-protection rules—suggested a process for evaluating cross-border data transfers and offered a non-exhaustive list of supplementary data-protection measures for companies to consider if their evaluations suggest additional measures are needed. The guidance, which is open for public comment until December 21, 2020, is sure to impact how European data regulators view data transfers to the United States.²

The EDPB’s guidance sets forth six steps to help data exporters assess existing protections in third countries and identify appropriate supplementary measures:

1. Know the Transfer: Companies should map all data transfers to understand what type of information is transferred where and to whom.
2. Identify the Transfer Tools: Data exporters should identify the legal mechanisms under which their data is transferred.
3. Ensure Transfer Tool is Effective: Data exporters should assess whether the law or practices of the third country may compromise the transfer tool’s effectiveness.
4. Identify and Adopt Supplementary Measures: If the assessment reveals that the transfer tool is ineffective, companies should adopt “contractual, technical, or organizational” supplementary measures necessary to ensure adequate protection.³
5. Implement Any Necessary Procedural Safeguards: Data exporters should take any procedural steps necessary to ensure effective supplementary measures.
6. Reevaluate: Data exporters should monitor relevant developments in third countries.

The guidance also includes an annex that lists supplementary contract requirements, technical measures, and organizational measures that data exporters can require data importers to adopt and implement in order to provide adequate safeguards for EU personal data that is transferred to the United States.

Two days after the EDPB issued its recommendations, the European Commission published a draft set of new SCCs that will become the required format for SCCs once formally approved, likely in the first half of 2021.⁴ The proposed SCCs contain four “modules” of contractual clauses to address different data-transfer relationships: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. All modules include a provision requiring a data importer to disclose certain government requests to the data exporter and, where possible, the data subject. While the draft SCCs do not mandate adoption of any specific supplementary measures, the European Commission offers a proposed list of suggested supplementary measures in the annex.

The European Commission is accepting public feedback on the proposed SCCs through December 12, 2020, after which Member State representatives and the EDPB will offer their input. Once the new SCCs are finalized, companies will have one year to incorporate them into their existing contracts. However, if companies enter into new contracts or amend their contracts in any way after the decision is finalized, they will have to incorporate the new SCCs immediately. And companies relying upon existing SCCs may still need to immediately adopt supplementary measures.

Now What?

Companies involved in transatlantic data transfers should act now to get ahead of these new developments. We recommend that European data exporters and US data importers independently take the following steps:

Data Exporters

Data exporters should consider taking the following steps now to ensure they comply with the EDPB guidance:

• Understand Data Transfers: Data exporters should make or update their data maps to understand where their data is transferred.
• Consider Whether Data Needs to Leave EU: Data exporters should evaluate whether the value of exporting data is worth the potentially onerous supplementary measures to ensure “essentially equivalent” data protection.
• Reduce the Number of Parties Involved in Data Transfer: Data exporters should consider limiting the number of parties involved in a transfer, as much of the new guidance also applies to onward transfers to US sub-processors—meaning data exporters will need to understand and assess not only their initial data transfers, but any onward transfers as well.
• Conduct Diligence on Data Importers: Both the EDPB and the European Commission emphasize that data exporters conduct diligence on their data-importing partners. Data exporters must understand their business partners’ data-security practices and legal obligations to determine whether those partners adequately protect European personal data.
  • In particular, data exporters should understand if their US-based partners have in the past received any information requests from US intelligence agencies. If so, data exporters should work closely with those partners to adopt supplementary measures to protect data in future transfers. ⁵
• Document, Document, Document: Data exporters should implement processes to maintain accurate, up-to-date documentation of their data-protection practices in case there is a need to demonstrate their compliance to EU authorities or in response to litigation. These documents should be easily accessible and producible. 
• Monitor Updates to Law: Data exporters should watch for any changes in this area, including changes to the EDPB’s recommendations, the European Commission’s draft decision, or any adequacy decisions that may impact existing transfer mechanisms.

Data Importers

US-based data importers should not wait for instructions from their European counterparts, but instead should take the following steps to position themselves to maintain relationships with their data-exporting partners:

• Assess Feasibility of Adopting Adequate Supplementary Measures to Satisfy EU Requirements: Data importers should carefully review the non-exhaustive list of proposed supplementary measures and consider what measures, if any, they could implement to adequately protect EU personal data. Some companies have already announced such measures.
• For example, Microsoft recently announced that, where it has a lawful basis to do so, it would challenge every government request, from any government, for “public sector or enterprise customer data.”⁶ Microsoft also pledged to provide “monetary compensation” to any data subjects if Microsoft discloses data to a government authority in contravention of GDPR.⁷ Some European data protection authorities received Microsoft’s announcement favorably.⁸
• Develop SCC Compliance Program: Data importers may have an obligation to “promptly inform” data exporters if they cannot comply with their commitments under SCCs. Data importers must understand their SCC obligations and develop a system to track compliance with those commitments. Data importers should also ensure that they maintain adequate documentation because they may be required to submit to audits or otherwise demonstrate their compliance.
• Understand Applicable US Law: Exporters may require importers to provide information about laws that might affect data transfers. Importers should work to understand how US law—and particularly laws governing data requests from intelligence agencies—may affect their business practices.⁹
• Develop a System to Track Requests from Intelligence Agencies: Data importers should develop a system to track whether responding to an intelligence agency request will involve disclosing transferred EU data, as data importers may be required, “to the extent possible,” to notify the data exporter and the data subject of the request.

Conclusion

European regulators are closely scrutinizing EU-US data transfers and the practices of data importers and exporters alike. As the EU continues to develop new regulations, companies should work to address the concerns outlined in the recent guidance while simultaneously keeping a close eye on any relevant developments. The inherent tension between Europe’s data-protection regime and US surveillance law makes this treacherous territory for companies on both sides of the Atlantic.

¹ Case C-311/18, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Schrems II).

² The recommendations will be effective after their publication, meaning European Data Protection Agencies and courts could then consider the recommendations in deciding whether a company has taken adequate steps to protect European data. However, no material changes are expected given the level of detail in the draft guidance.

³ The EDPB recommends considering the following factors when deciding what supplementary measures would be most effective: format of the transferred data; nature of the data; length and complexity of data processing workflow; and possibility that the data may be subject to onward transfers.

⁴ Other means of transfer are still available. See Article 46(2) of Regulation (EU) 2016/679.

⁵ Data exporters should note that the EDPB and the European Commission may disagree about whether a data importer’s past intelligence agency requests have any bearing on its ability to protect European data from future requests. The European Commission states the parties should consider “any relevant practical experience indicating the existence or absence of prior instances of requests for disclosure from public authorities received by the data importer for the type of data transferred,” while the EDPB warns against relying “on subjective factors such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards.”

⁶ https://blogs.microsoft.com/on-the-issues/2020/11/19/defending-your-data-edpb-gdpr/.

⁷ Id.

⁸ E.g., https://www.baden-wuerttemberg.datenschutz.de/dsgvowirkt/; https://www.lda.bayern.de/media/pm/pm2020_9.pdf.

⁹ U.S. companies may find a September 2020 white paper issued by several federal agencies (“Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II”) helpful.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Christian Peeters, an O'Melveny of counsel licensed to practice law in Germany, Rechtsanwalt and Belgium, Avocat, Scott W. Pink, an O'Melveny special counsel licensed to practice law in California, John Dermody, an O'Melveny counsel licensed to practice law in California and the District of Columbia, and Kristin R. Marshall, an O'Melveny associate licensed to practice law in the District of Columbia and Missouri, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2020 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.