The General Data Protection Regulation (GDPR) changed the landscape of data privacy and placed individuals at the center of data protection. It imposed restrictions on cross-border transfer of personal data and provided the mechanisms that can be utilized for such transfers. This was done to ensure that any transfer of personal data outside the European Union (EU) region was sufficiently protected.
Under the GDPR, Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield were the most widely used mechanisms for transfer of personal data. These transfer mechanisms were challenged by Maximilian Schrems, a lawyer and privacy activist, on the grounds that personal data, in transit or when stored in the US, could be accessed by intelligence agencies.
On July 16, 2020, the Court of Justice of the European Union (CJEU) published its decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems (with intervening parties), Case C-311/18 (the Schrems II case). This was a landmark judgement that affected the cross-border data transfer mechanisms used by many large organizations. The judgement concluded the following points:
The Schrems II judgement is relevant to EU-based organizations as well as to organizations that collect personal data of individuals in the EU, regardless of whether they have a physical presence in the EU. It also affects organizations in the US and worldwide insofar as they depend on international data flows.
On June 4, 2021, the European Commission (the Commission) published the final version of the new Standard Contractual Clauses (new SCCs) governing international transfers of personal data.
Need for Schrems II compliance
The Schrems II judgment and the new SCCs significantly change the mechanisms organizations currently use for cross-border data transfer. Cross-border transfers are an essential part of the global economy, with data flowing from the EU to the US and other third countries. Schrems II applies to every organization involved in transferring personal data outside the EU, irrespective of whether it is headquartered in the EU or elsewhere.
Examples of services impacted by Schrems II include cloud storage, telecommunications, software-as-a-service, digital platform providers, and business process outsourcing. For instance, a telecommunications company providing roaming services to EU residents travelling to a third country such as the US or India falls within the purview of Schrems II because personal data is exchanged between the EU and that country. Similarly, IT service providers, contact centers and outsourced business processes often require transfer of, or access to, personal data from the EU in third countries such as India and China. Any company whose services require cross-border transfer of personal data must comply with Schrems II and execute the new SCCs as its data transfer mechanism.
According to privacyshield.gov, close to 4,000 companies relied on the EU-US Privacy Shield as a data transfer mechanism; that mechanism was invalidated by Schrems II.
DIGITALEUROPE’s Schrems II Impact Survey Report identified the following implications:
Timelines for Schrems II compliance
The new SCCs came into effect on June 27, 2021 (see Figure 1). Organizations have 18 months, until December 27, 2022, to incorporate the new SCCs into existing contractual arrangements involving international transfers and to re-negotiate contracts with customers, vendors and sub-contractors. A limited transition period of three months, until September 27, 2021, allows organizations to continue using the old SCCs when entering into new contracts; however, those contracts must also be updated to the new SCCs within the 18-month deadline.
Figure 1: Timelines for Schrems II compliance
Changes required as per the new SCCs
In the new SCCs, the Commission has substantially updated the SCC terms.
The new SCCs take a modular approach that covers additional types of data transfer. The older SCCs covered only controller-to-controller (C2C) and controller-to-processor (C2P) transfers. Recognizing the complexity of real-world transactions, the new SCCs additionally cover processor-to-processor (P2P) and processor-to-controller (P2C) transfers.
These provisions are depicted in Table 1.
Table 1: Provisions - old and new SCCs
Given below are some examples of this approach:
· Legal requests from public authorities
Under Section III, Clause 15 of the new SCCs, the data importer must notify the data exporter, and wherever possible the data subjects, if it receives a legally binding request from a public authority, including a judicial authority, for disclosure of personal data. It must also notify the data exporter if it becomes aware of any direct access by public authorities to personal data transferred under the new SCCs.
The new SCCs make it imperative for organizations to conduct thorough due diligence of their contractual relationships with vendors, customers and sub-contractors; to assess the risk posed by the local laws and practices of the importing countries; and to implement supplementary contractual, technical and organizational measures to ensure compliance. A structured approach is therefore needed to meet these requirements within the 18-month window provided under the new SCCs.
Key challenges companies face
Organizations now have to re-work their strategies to address the Schrems II requirements. The key challenges with respect to Schrems II compliance include:
Wipro’s Schrems II compliance solution
How Wipro can support in Schrems II compliance:
Wipro’s Enterprise Legal Management Solutions (ELMS) practice helps organizations ensure contractual compliance with the revised data privacy regulations. Our team of data privacy experts supports organizations through the contract review and negotiation process so that contractual relationships with vendors comply with the latest regulations.
Schrems II compliance solution:
Wipro has developed a “Schrems II compliance solution” to assist organizations in becoming contractually compliant with the CJEU Schrems II ruling, which invalidated the EU-US Privacy Shield and set out multiple requirements that organizations must meet before transferring personal data outside the EEA.
The four steps in the solution include:
Figure 2 outlines how the Schrems II contract compliance solution can be implemented.
Figure 2 : Implementation of the Schrems II compliance solution
Achieving Schrems II compliance
The Schrems II judgment is a milestone for the privacy and security of personal data in international transfers.
Organizations must now assess the laws of destination countries, as Schrems II requires, and implement the new SCCs wherever needed before transferring personal data to third countries.
They need to ensure that all internal and external stakeholders are aligned with the requirements of Schrems II. They must then re-assess all data transfers undertaken by the organization and invest in precise due diligence on the data privacy laws of importing countries. A robust contractual mechanism covering all the new Schrems II obligations, together with technical and organizational measures that add protection to the transferred data, will facilitate compliance.
If you are interested in learning more about how Wipro is helping our clients achieve Schrems II compliance, we should talk. Contact us.
The Enterprise Legal Management Solutions (ELMS) practice is not a law firm, and its services or solutions do not constitute legal advice.
Head – Enterprise Legal Management Solutions (ELMS) Practice, Knowledge Services - Wipro
Varsha Bhat leads the Enterprise Legal Management Solutions practice within Wipro. She has over 20 years of experience in US litigation, corporate legal and HR. She holds a Juris Doctor (J.D.) from the Robert McKinney School of Law, Indianapolis, Indiana, USA. Varsha heads the Center of Excellence for legal practice and is involved in business development, strategy and planning.
Senior Manager - Enterprise Legal Management Solutions (ELMS) Practice, Knowledge Services - Wipro
Ashvini is an attorney with over 15 years of experience in the legal outsourcing industry. She has been responsible for service delivery of projects in end-to-end contract management, compliance with the General Data Protection Regulation, legal content enrichment and legal research. In her current role, Ashvini is responsible for designing solutions that address customer requirements and for bringing transformation and innovation to the legal function.
Assistant Manager - Enterprise Legal Management Solutions (ELMS) Practice, Knowledge Services - Wipro
Adwait has around 10 years of experience in contract lifecycle management, due diligence, legal consultation, and risk management in the corporate legal process environment. He has drafted and negotiated a wide range of contracts, developed a Risk/Insurance Playbook, and has successfully delivered data privacy projects for clients.