Our Data Privacy Services team collates the most interesting practical ramifications from implementing the new SCCs with our GDPR services customers.
In our latest update of the Data Privacy Periodic Table, we included reference to the EU’s June 2021 release of substantially updated Standard Contractual Clauses (SCC. This was triggered by 2020’s Schrems II ruling.
The new, far more substantial SCCs have been largely welcomed. After all, their main update is to fill in a glaring practical gap (that with hindsight appears incredible to have ever existed) of covering data moving from EU processors, not just controllers. In fact, the general theme of the new SCCs is to ensure they are of more operational use than their predecessors.
For instance, they are structured in a modular fashion, allowing controllers and processors to select custom clauses relevant to their scenario:
- Controller to non-EU controller
- Controller to non-EU processor
- Processor to non-EU controller
- Processor to non-EU processor
They are also deliberately structured to not be so prescriptive as to only cover exporting companies established in the EU, allowing non-EU businesses whose activities come under GDPR’s extra-territorial scope to also use them.
But having now used these in practice for a couple of months, what have we noticed about the new SCCs?
Our Data Privacy Services team has collated three key observations from incorporating the new clauses into contracts and operations for our GDPR services customers around the globe:
The new recommended measures highlight the breadth of skills required – and usually absent – in operational data privacy
One of the most commented-upon changes now in the new Image result for Standard Contractual Clauses is the addition of technical and organisational measures (aka TOMs) that data importers are obliged to have in place. These include ensuring continued data quality, limited data retention, pseudonymisation and ensuring suitable internal IT governance, including user identification and access controls, system configuration, event logging and data minimization.
Many of these sit more naturally in the CIO or CISO’s domain, not with the typical internal privacy lead or DPO. Which creates issues.
Most organizations handling their privacy internally will require their CIO or CISO to verify to their DPO that these measures are in place, and critique if/where improvements are needed. In other words, the DPO’s technical naivety will place the CISO in a position of conflict of interest where they cannot realistically ‘mark their own homework’ objectively and dispassionately.
Granted, this is not a new issue. TOMs such as these have been part of good privacy practice from the beginning. And they have always shone a spotlight on the breadth of skillset required in privacy versus the reality of most privacy leaders’ capabilities.
But now that these TOMs are brought more to the fore, and are destined to become more commonplace (thankfully), we have already noticed internal privacy leaders growing more nervous about their knowledge gaps and leaning on us more openly for support
The strong recommendation for encryption measures has some interesting ramifications
Many of the new TOMs refer to a need for data encryption. The EDPB’s final Recommendations then added that for encryption to remain effective and maintain the privacy of EU data outside the EU, the encryption keys must never be accessible outside the EU.
While this appears sensible and logical at first sight, it has fascinating implications for many technology companies with operations within and outside the EU, especially international US-based SaaS companies.
For many of these organisations, control is very much held from the US HQ, particularly technical control. These TOMs and recommendations would however require relinquishing at least part of that data control to their EU entities for the first time, which as we have seen first-hand with some data privacy services clients, can be not only a substantial technical change but also a dramatic cultural shift.
The new requirement to perform a risk assessment of the data’s destination is highly subjective
The new SCCs require exporters to perform a risk assessment of sending EU data to the importer and of the importer’s own privacy measures and practices.
As with much of what has come with the new SCCs, this is a sensible addition. But it is also highly subjective, and we have seen an enormous breadth in approaches to this requirement, ranging from incredibly detailed and pessimistic to very high level and assumptive.
Our advice has remained consistent with the ethos behind much of our overall service delivery: mitigate against realistic threats, while keeping data subjects’ rights at the core of every decision. This attitude ensures that any requirement for subjectivity is tackled safely and responsibly, without creating either excessive burden on the business or putting adherence at risk.
Overall, the new SCCs are certainly an improvement on their predecessors. The principal welcome addition is the greater accountability and practical action they require. Unlike most legal language in the data privacy world, the new clauses prescribe the need for specific and sensible real-world protections, forcing genuine applied adherence and making a clear statement that paperwork-driven tick box exercise shortcuts will not be tolerated.
With the new SCCs, the EU is making sure that the GDPR retains its status as the model for data privacy legislation globally, not just from a legal perspective but also in its practical protection of data subjects’ rights.