The recent Schrems II decision on Standard Contractual Clauses found that, in some situations, data exporters and importers might need to agree additional measures beyond just relying on SCCs. While we’re waiting for the Information Commissioner and EDPB to give more detailed advice on which situations and which measures, here are some themes I’ve spotted in articles and webinars:
- Those additional measures can’t be contractual in nature, because the problem identified in Schrems II was that the US Government was not bound by any contract that a US organisation might enter into;
- The concern still seems to be with personal data that is physically moved to the US, not merely put within the technical reach of US companies. The laws quoted in paragraphs 60-63 of the judgment as giving the US Government power to access data despite contractual protection appear to be limited to particular physical locations;
- Additional measures could be in the form of laws of the foreign state, since these could bind that state’s Governmental authorities. Interestingly the judgment mentions GDPR Article 45(2)(a), which covers “both general and sectoral” laws as something that should be taken into account in an adequacy decision or, now, what I’m thinking of as an SCCplus discussion. Since the US does have a sectoral privacy law covering educational institutions – the Family Education Rights & Privacy Act (FERPA) – this might be something to discuss with the recipient if you are exporting to a US university or college;
- Additional measures could be technological, if they protect against the foreign Government’s legal powers. Encryption has been mentioned as an option. This clearly works best if the exporting organisation controls the encryption throughout, for example if storing encrypted backups on an IaaS cloud server;
- But, as far as I can see, there’s no requirement for a single measure to cover the whole transfer of data. So, for example, you might argue sufficient protection was provided by a hybrid solution that used encryption to technically protect data as it flowed over public networks into (and back from) an enclave that was protected by law.
I’ll update this post as and when there’s any more detailed guidance from regulators.
[UPDATE: not from Regulators, but Chris Pounder has posted a helpful summary of how we used to think about transfers under the 1998 Act. This may be relevant once again]