Schrems 2: EU Standard Contractual Clauses (SCC) can still be used
The Privacy Shield agreement between the USA and the EU/EEA can no longer be used as a result of the Schrems 2 ruling this summer. Over time, the USA and the EU will probably negotiate an improved transfer agreement, but until that happens, both the public and private sectors must find lawful solutions. The EU has been clear that there will be no moratorium until a new solution is in place, and in Finland the Data Inspectorate has written to several companies asking how they now handle transfers to the USA. Many articles have stated that transfers to the USA must now be stopped, but is that correct?
Our experience is that few organisations actually "take back" their data from American suppliers. Some suppliers have tried to solve the situation by changing their terms from relying on the Privacy Shield to relying on the so-called model clauses (most often called the "SCC"), but this is not a complete solution on its own. The SCC has, in principle, exactly the same weaknesses as the Privacy Shield: the clauses bind the supplier, not the US authorities.
The difference between the Privacy Shield and the SCC is that the SCC's weaknesses can, to some extent, be corrected. For the SCC to be a lawful basis for transfer, the contracting parties will have to agree on additional clauses and technical measures.
There has been great uncertainty associated with how this should be designed in practice. Below are some suggestions for solutions consisting of technical measures and additional clauses. There are three key points in the Schrems 2 judgment that must be taken into account when considering what is required:
- Section 702 of the Foreign Intelligence Surveillance Act (FISA) allows a disproportionate degree of surveillance because it places no limits on when the authorities may collect foreign intelligence information.
- Both FISA section 702 and surveillance under Executive Order 12333 (EO 12333) allow the collection of data beyond what is considered "strictly necessary" under European privacy law.
- Non-US persons have no effective legal remedy in the USA against such surveillance.
EO 12333 covers bulk collection of data in transit to the USA, typically via subsea cables. Importantly, US law does not require the data importer to assist the authorities with collection under EO 12333; it is the authorities' own interception of traffic. To limit their access under EO 12333, a combination of technical and contractual measures can be used. It can be agreed that the importer will not voluntarily assist the US authorities with the collection authorised by EO 12333, that the information will be encrypted (with sufficient strength, both in transit and at rest), and that the importer will not hand over the key to the authorities. The stronger variant is that the importer never holds the key at all, so there is nothing to hand over. The type of encryption required must be considered in each case.
It is also important to understand that FISA section 702 only applies to certain data importers, namely those who are so-called "electronic communication service providers" ("ECSP"). This includes providers of electronic communications services as we know them from the European e-com rules, but goes further in that cloud providers and certain providers of content services are also included. Importers who are not ECSPs by definition can therefore agree that no disclosure pursuant to FISA section 702 will take place. In these cases, encryption may also be relevant. For data importers who are ECSPs, the situation is more complicated. According to American media reports, the authorities use section 702 where extensive and repeated access to data is desired without going through other, more cumbersome legal routes (typically an individual order from the FISA court). At the time of writing, we do not know how many suppliers have been placed under such directives. Still, at the time of the Snowden revelations, it was reported that fewer than ten companies had received directives under FISA section 702, and those were providers of traditional e-com services (internet, telecom, etc.) and some cloud and content services. That is a small proportion of the companies that could move from the Privacy Shield to the SCC, and an even smaller proportion of all those who rely on the SCC. This means that many importers can warrant that they have not been subject to a directive under FISA section 702, and they can continue to give that warranty until they receive one.
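The encryption measure mentioned above for EO 12333, and again for importers who are not ECSPs, is only worth anything if the importer cannot produce the key. The following is an added example, not code from the original article or from any supplier: the exporter generates an AES-256-GCM key in Europe, seals each record before it is sent, and the US importer stores only the ciphertext. The record identifier is bound as associated data so a sealed blob cannot be re-labelled as a different record. The `ExporterKey` and `ImporterStore` names, and the sample payload, are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ExporterKey is the data exporter's key. It is generated and kept in the
// EU/EEA; the importer only ever receives the output of Seal().
// (Hypothetical type name, chosen for this example.)
type ExporterKey struct {
	aead cipher.AEAD
}

// NewExporterKey draws a fresh 256-bit key from the OS CSPRNG.
func NewExporterKey() (*ExporterKey, error) {
	key := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return KeyFromBytes(key)
}

// KeyFromBytes wraps raw key material (e.g. from an EU-hosted KMS or HSM) in AES-GCM.
func KeyFromBytes(key []byte) (*ExporterKey, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ExporterKey{aead: aead}, nil
}

// Seal encrypts one record before it leaves the exporter. The random nonce is
// prepended to the ciphertext; recordID is authenticated as associated data.
func (k *ExporterKey) Seal(recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts a blob produced by Seal. It fails on a wrong key, a wrong
// recordID, or any modification of the ciphertext.
func (k *ExporterKey) Open(recordID string, blob []byte) ([]byte, error) {
	n := k.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return k.aead.Open(nil, blob[:n], blob[n:], []byte(recordID))
}

// ImporterStore models what the US supplier actually holds: ciphertext only,
// keyed by record identifier. A section 702 directive served on the importer
// can at most obtain these blobs.
type ImporterStore map[string][]byte

func main() {
	exporter, err := NewExporterKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real personal data.
	blob, err := exporter.Seal("employee/42", []byte("Ola Nordmann, salary 600000"))
	if err != nil {
		panic(err)
	}
	store := ImporterStore{"employee/42": blob}

	// The exporter can read its own data back.
	pt, err := exporter.Open("employee/42", store["employee/42"])
	fmt.Printf("exporter reads: %q (err=%v)\n", pt, err)

	// Anyone without the exporter's key, including the importer, cannot.
	other, _ := NewExporterKey()
	_, err = other.Open("employee/42", store["employee/42"])
	fmt.Printf("importer without key: err=%v\n", err)
}
```

The contractual promise "we will not give the key to the authorities" then becomes a statement of fact rather than of intent, and the transparency and notification clauses discussed below only have to cover access to ciphertext. Note that this only works for data the importer does not need to process in the clear; for services that must operate on the plaintext (search, analytics, hosted e-mail) the key has to be available to the importer and the contractual measures carry the weight.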
It is also possible to stipulate in the agreement that the data importer shall publish, in a so-called "transparency report", how many of its users have been subject to such orders. If a risk assessment indicates that the probability of collection under FISA section 702 is very low, and the information must be considered of little interest to the US authorities, the data exporter may conclude that the risk is acceptable.
It is also important to agree on what will happen if the data importer actually receives a request for access pursuant to FISA section 702. In part, this is already covered by clause 5 of the SCC (controller-to-processor set), which requires the data importer to notify the data exporter if it is unable to comply with the clauses, so that the data exporter can suspend the transfer and terminate the contract. It is nevertheless wise to repeat this in an additional clause, so that the data importer is reminded that it can, and must, notify the data exporter when it can no longer keep all of its promises. This can be done without the data importer saying which specific promise it can no longer keep: even if the data importer is prohibited from disclosing that it has received a FISA section 702 request, it can still give notice that it is no longer able to fulfil the promises given. As FISA section 702 requires the data importer to cooperate with the US authorities, it should also be agreed that the data importer must notify the exporter as soon as possible, so that the transfer can be stopped before access takes place.
For the data importer's use of subcontractors in the USA (and elsewhere), the data importer shall be contractually obliged to ensure that equivalent provisions apply to the subcontractors. This will not always be easy or even possible, especially when the subcontractor is an ECSP, but it is something you have to discuss with the supplier, and you should investigate whether there is room to manoeuvre.
Summary, and the difference from storage in Europe
Transfers of data abroad must be risk assessed. At the same time, one must remember that the GDPR is so-called "risk-based". There is no requirement of absolute certainty in the risk assessment, but a requirement that the measures be proportionate to the risk. If the probability that the US authorities will be able to obtain the information is low, and the information is probably of no interest to them, both of these points count in the assessment. This means that transfers to the USA in different sectors may reach different conclusions in their risk assessments, even if the measures are the same. It is also relevant what information is given to the data subjects and whether they have the option to object to such a transfer. Although the contractual measures and encryption mechanisms proposed above are not perfect, they outline the scope of the options available under the SCC.
At the same time, it should be remembered that the US authorities also have some access to data stored in Europe, even in Norway or Ireland, through what is commonly called the Cloud Act. Those rules do not give US law enforcement free access to data stored in the cloud; they set clear conditions for access to data linked to specific criminal acts and require review and approval by an independent judge. Electronic storage of data will always carry the risk that some authority may obtain lawful access to the information.
Controllers and processors acting as data exporters must carry out documented risk assessments and measures before transferring data abroad. The conclusion may well be that the transfer is permissible, also to the USA, but good agreements and documented assessments for such transfers are absolutely necessary.