The CJEU’s decision to invalidate the Privacy Shield left a void. Signing standard contractual clauses and implementing additional measures is now necessary to secure data transfers to the United States. The DPA’s recommendations were published on November 10 and can be summarized in 5 points.
Map your data transfers to the US.
This is the opportunity to map your processing of personal data, and perhaps to realize that there is a lot of it. Transfers to the US can result from:
- the use of modules, extensions, and plugins provided by US companies to enhance the features of your site (analytics solutions, chat modules, captcha tags, etc.);
- the use of IT solutions provided by European actors but embedding modules provided by US actors (an analytics tool, for example);
- the hosting of data on servers located in the US;
- remote access to databases by parent companies providing essential solutions for your business (CRM, HRIS, etc.) or by your service provider to carry out the mission you entrust to them (a call center, for example).
This is essential work to be done with your DPO (Data Protection Officer) or at least your point of contact on this matter.
Take this opportunity to terminate services that you no longer need. Remember that processing data is not an end in itself. You pursue well-identified objectives, and manipulating data is a means of achieving them.
Check the legal basis for your data transfers to the US
Does the provider adhere to the Privacy Shield? Have they signed standard contractual clauses? Consent? Other?
Processing data from data subjects (customers, employees, and others) is a lot of work. Your Data Protection Officer will ensure that you have a legal basis to do so.
What legal instrument have you put in place to secure your data transfers?
You will likely need to review your contractual relationship with your suppliers to have them sign standard contractual clauses. If you do not use the standard template provided by the European Commission but an ad hoc agreement, authorization from the CNIL will be required.
Carry out an impact analysis of the applicable regulations
Have all your suppliers and service providers signed standard contractual clauses covering their data transfers? Good job.
But in practice, can they honor the contractual commitments they have accepted?
Since the CJEU ruling, data controllers (i.e., customers) must carry out an impact analysis of the legislation their subcontractors are subject to. The main aim is to identify any national laws authorizing public authorities to access data for surveillance purposes.
To carry out this analysis, you can count on the help of your suppliers. In any case, you will have to document the steps taken.
Identify additional measures to secure data transfers
By examining the American case, you may well find that your suppliers and service providers cannot comply with their contractual commitments. You will then have to impose additional measures on them.
These measures will be based on risk analysis to determine appropriate actions. These may be technical or organizational measures, such as:
- encryption;
- pseudonymization;
- data compartmentalization.
Remember the basics, like managing data retention periods.
This analysis is all the more important in sensitive environments. For example, the French Council of State requested additional measures to secure the “Health Data Hub” health data platform currently hosted by Microsoft.
If no measure can achieve data protection equivalent to European requirements, the processing of personal data should be suspended.
Regularly reassess your data transfers to the United States
This is not a one-shot deal.
You will need to review what you have put in place periodically, to make sure that suppliers and service providers can still meet their commitments over time. If necessary, you will have to bring your subcontractors’ practices under tighter control, or even terminate the relationship.
Transfer personal data using the new standard contractual clauses
Two draft sets of standard contractual clauses are open for public consultation until December 10. This flagship tool is being revised to better regulate data transfers outside the European Union; the second draft deals with intra-European transfers.
New SCCs for transferring data to the United States
Standard contractual clauses are yet another document in your relationship with your suppliers.
This document is often annexed when you sign a contract or accept general terms and conditions. Behind this complicated term are three templates provided by the European Commission, to be annexed without changing a single comma.
This standard document specifically imposes commitments on the provider:
- on the transfer of data outside the European Union;
- on their use by your provider;
- or even by its subcontractors.
The Commission has therefore developed a draft that takes into account the findings of the post-Schrems II rulings. This refresh of the contractual templates will not spare you from applying the measures described above: encryption, pseudonymization, or others.
In short, signing a contract will not be enough. You will still need to examine how your provider uses the data.
SCCs for intra-European data transfers
The European Commission’s second draft regulates the relationship between a data controller and a processor located in the EU.
As a client company, you must sign a contract with your processors and suppliers. This contract details their commitment to protecting the personal data they process on your behalf.
- A contract that does not detail these commitments or does so incompletely exposes your liability. Your company assumes the actions and failures of your processors. This implies ensuring their compliance with the GDPR.
- Fundamentally, processors have more legal obligations to comply with than before. The contract content must take this into account.
Using the template developed by the European Commission is optional, but it will help you structure your contractual relationship.
If its use becomes widespread, this approach will also harmonize the regulation of processes or activities at the European level.
Conclusion: Transferring personal data to the United States is possible but more regulated
The Privacy Shield is dead, and Axeptio has already talked about it.
Following the Schrems II ruling, you can continue to work with American suppliers.
But you will have to do so in a more constrained manner than before.
- Some transfers will undoubtedly be stopped because they correspond to unnecessary service offerings or critical infrastructure for your business.
- The EDPB will require you to conduct a risk analysis and implement specific technical and organizational measures, to the greatest benefit of data security.
- SCCs will remain a flagship tool for legal certainty. And that’s good news, since the European Commission is currently updating them.
Complying with the GDPR and the French Data Protection Act of January 6, 1978, is necessary. However, there is no reason to fear an audit by the National Commission for Information Technology and Civil Liberties.