Date
June 4, 2021
 
Written by
Gary LaFever

New SCCs Impose Joint & Several Liability & Require Surveillance Proof Technical Controls. Are You Ready to Comply? NOW?

Top 5 Takeaways:

  • New as well as existing SCCs require "Surveillance Proof" supplementary measures. This means you cannot wait to migrate to new SCCs and must immediately implement "Surveillance Proof" supplementary measures for processing using SCCs to be lawful. Descriptions of these supplementary measures must be precise and specific and not provided in general terms.
  • GDPR Pseudonymisation is the technical control that protects data during processing. This means if your business desires practical data use - not just when storing or transmitting it - GDPR Pseudonymisation is the technical means to protect data in use (learn more at Pseudonymisation.com). Encryption and prior data obscuring techniques like static tokenisation, key-coding and masking - sometimes incorrectly referred to as "pseudonymisation" but not up to GDPR standards - will NOT protect data at Schrems II standards during processing.[1]
  • Data subjects are third-party beneficiaries and may enforce SCCs in the EU. This means EU data subjects can sue your organisation to enforce SCCs in EU courts. Supervisory data protection authorities (DPAs) are not your only risk. You and your partners must take action to show transparency and trust by moving beyond policies and contracts and enforcing new technical controls.
  • All parties in data supply chains are jointly and severally liable for failures to comply. This means data subjects can recover losses directly from you for not only your failure but also the failure of other parties in the data supply chain - leaving it up to you to seek reimbursement for part or all of the cost. From a data subject's perspective, you are now responsible for compliance by all parties in the data supply chain.
  • Failure to implement Schrems II compliant safeguards can disrupt data supply chains. This means if downstream data supply chain parties do not have adequate safeguards, upstream data providers will discontinue data flow rather than damaging their own business.

Requirement for Surveillance Proof Supplementary Measures

When announcing the European Commission's new Standard Contractual Clauses (SCCs), Justice Commissioner Didier Reynders highlighted the need to “guarantee the highest possible level of legal security” for GDPR-compliant international data transfers. He emphasised that companies are required to implement safeguards that prevent the attribution of data to specific individuals without the use of additional information to protect personal data from the risk of foreign government surveillance.[2]

These safeguards must protect against

the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards

by leveraging

contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination[3]

Warranty of Appropriate Safeguards / Data Subjects As Third-Party Beneficiaries

Every EU data exporter must warrant

that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses[4]

Technical and organisational measures must be described in Annex II of the SCCs taking into account “the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner."[5] It is critical to note the separate requirement, which goes to the very definition of GDPR Pseudonymisation, that “[i]n case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter.”[6] These are the technical and organisational measures necessary to ensure a “surveillance proof” level of security for the data.


Controllers and processors may continue to rely on current SCCs for a transitional period of eighteen months before having to migrate to new SCCs. However, existing SCCs must be supplemented immediately with "surveillance proof" technology controls to ensure that the transfer of personal data is protected in compliance with Schrems II requirements to avoid disruptions to data supply chains.[7]

Joint and Several Liability / Avoiding Disruptions to Data Supply Chains

Clause 12 imposes joint and several liability on all parties in data supply chains. Why is this significant? Because a data subject can recover all of its losses from any one of the multiple parties in a data supply chain - i.e., from the initial data controller/exporter, any co-controller, processor or sub-processor. It would then be up to the data supply chain parties to clarify amongst themselves which party(s) should bear what portion of the liability - but only after the data subject has received a full recovery for “any material or non-material damages”.[8] It is expressly noted that “The data importer may not invoke the conduct of a sub-processor to avoid its own liability.”[9]

If downstream data supply chain parties do not have adequate safeguards, upstream data providers will discontinue data flow rather than damaging their own business.[10] Data is a precious resource for company performance and innovation, and without data flowing freely, critical opportunities for growth and revenue are lost.

If your company was told to halt processing or data transfers, what would be the immediate impact on your business?

89% of the respondents who participated in Anonos’ webinar on “Briefing the C-Suite & Board of Directors on Schrems II Risk Exposure” characterised the results of terminated processing as “catastrophic” or “serious” to their operations. All companies are urged to consider the potential impacts on their businesses in the face of possible enforcement action.

It is critically important that organisations understand that they must implement new “Supplementary Measures” to support SCCs – both old and new – to comply with Schrems II requirements.

Merely updating SCCs without implementing new “Supplementary Measures” is not enough.

What Supplementary Measures Are Required?

In its Schrems II ruling, the CJEU uses the terms "supplementary measures", "supplemental measures", and "additional safeguards" to describe the new additional measures that companies must implement alongside the SCCs. The European Data Protection Board (EDPB), in its Schrems II Recommendations 01/2020, recognises three types of "Supplementary Measures":[11]

  • Contractual Supplementary Measures
  • Organisational Supplementary Measures
  • Technical Supplementary Measures

However, the EDPB highlights that only one of these three types of supplementary measures protects against government surveillance: Technical Supplementary Measures.

Contractual and organisational measures alone will generally not overcome access to personal data by public authorities of the third country (where this unjustifiably interferes with the data importer's obligations to ensure essential equivalence). Indeed there will be situations where only technical measures might impede or render ineffective access by public authorities in third countries to personal data, in particular for surveillance purposes[12]

In its recent judgment C-311/18 (Schrems II) the Court of Justice of the European Union (CJEU) reminds us that the protection granted to personal data in the European Economic Area (EEA) must travel with the data wherever it goes[13]

This means that global data transfers are unlawful without new “surveillance proof” technical supplementary measures. This includes processing data within the EU using US-based or US-affiliated cloud and SaaS providers.

What Technical Supplementary Measures Does the EDPB Recommend?

The EDPB identifies five valid Technical Supplementary Measures:[14]

  • Encryption of data at rest
  • GDPR Pseudonymisation
  • Encryption of data in transit
  • Protected Recipient
  • Split Processing

Of the five Technical Supplementary Measures, GDPR Pseudonymisation is the most effective measure to eliminate the risk of foreign government surveillance over personal data of EU data subjects, because it Pseudonymises personal data before the data leaves the EU: foreign governments cannot re-link the data to specific individuals, as they do not have access to the additional information needed to do so. This transforms otherwise unlawful cloud processing and remote access into lawful processing in compliance with Schrems II.[15]
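The separation the article relies on, as an added illustration that is not part of the original article and not Anonos code: direct identifiers are replaced by a keyed pseudonym, the re-linking table ("additional information") stays with the exporter, and an unkeyed static token is shown beside it for contrast. The records are constructed and fictional, and keyed HMAC pseudonyms are one possible technique, assumed here rather than taken from the article.

```python
import hashlib
import hmac

# Constructed sample records (fictional people), not data from the article.
SAMPLE_RECORDS = [
    {"email": "a.muller@example.eu", "name": "Anna Muller", "diagnosis_code": "J45"},
    {"email": "b.rossi@example.eu", "name": "Bruno Rossi", "diagnosis_code": "E11"},
]
DIRECT_IDENTIFIERS = ("email", "name")


def static_token(identifier: str) -> str:
    """Unkeyed hash: the same identifier yields the same token in every export,
    so anyone holding several exports can join them (there is no key to control)."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def pseudonymise_for_transfer(records: list, transfer_key: bytes) -> tuple:
    """Split one transfer into (export_set, additional_information).

    export_set: records with direct identifiers replaced by a keyed pseudonym.
    additional_information: pseudonym -> identifiers, retained by the exporter
    and never transmitted, so nothing in the export attributes a record to a
    person without it (the Art. 4(5) separation the article describes).
    """
    export_set, additional_information = [], {}
    for rec in records:
        digest = hmac.new(transfer_key, rec["email"].encode(), hashlib.sha256)
        pseudonym = digest.hexdigest()[:16]
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        export_set.append({"pseudonym": pseudonym, **payload})
        additional_information[pseudonym] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return export_set, additional_information


def reidentify(export_record: dict, additional_information: dict) -> dict:
    """Only the party holding the additional information can re-link a record."""
    identifiers = additional_information[export_record["pseudonym"]]
    payload = {k: v for k, v in export_record.items() if k != "pseudonym"}
    return {**identifiers, **payload}


def exports_are_linkable(export_a: list, export_b: list) -> bool:
    """Could an importer join two export sets on their pseudonym column?"""
    return bool({r["pseudonym"] for r in export_a} & {r["pseudonym"] for r in export_b})
```

A fresh transfer_key per transfer (for example secrets.token_bytes(32)) makes separate exports unjoinable by the importer, while the exporter, holding the key and the additional information, can still re-link.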

The following infographic provides information to help you comply with obligations to adopt "surveillance proof" Schrems II Supplementary Measures using Anonos Data Embassy software satisfying GDPR state-of-the-art requirements for Pseudonymisation.

Download this Infographic in PDF at SchremsII.com/Infographic-SCC

Anonos Data Embassy Quick Start software enables companies to reach a sufficient level of compliance within 48 hours of first contacting us. By beginning to implement Anonos software and supplementary technical measures, you can reassure your partners and customers that your organisation has taken the necessary first steps. To learn more about Data Embassy, go to SchremsII.com/DataEmbassy.

If you have any questions, contact me via LinkedIn.

If you have not yet registered for the Final EDPB Schrems II Guidance Webinar, visit www.SchremsII.com/Webinar5. Over 2,000 have already pre-registered.

[1] GDPR Article 4(5) requires that GDPR-compliant Pseudonymisation consists of “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” See also the video discussion on the Ten Truths of Pseudonymisation with Steffen Weiss from the German Association for Data Protection and Data Security (GDD or Gesellschaft für Datenschutz und Datensicherheit e.V.) at www.SchremsII.com/TenTruths.

[2] See More Safeguards in Revamped EU Data Transfer Tools, EU Justice Chief Says

[3] See Section 14(b) of ANNEX to the COMMISSION IMPLEMENTING DECISION.

[4] Id at Clause 8.

[5] Id at Section 8.5 of MODULE ONE: Transfer controller to controller and Section 8.6 of MODULE TWO: Transfer controller to processor, MODULE THREE: Transfer processor to processor, and MODULE FOUR: Transfer processor to controller.

[6] Id at Section 8.6 of MODULE TWO: Transfer controller to processor and MODULE THREE: Transfer processor to processor. See also Note 1, Supra.

[7] See Paragraph 24 of the COMMISSION IMPLEMENTING DECISION. In the Schrems II ruling, the CJEU notes five times the preference for injunctive relief for failing to comply with international data transfer requirements (see paragraphs 121, 135, 146, 154, and 203(3) of the ruling). See the National Law Review article discussing a 12-hour notice to terminate processing sent by the Portuguese data protection authority to a Portuguese agency relying on SCCs.

[8] Supra, Note 3 at Clause 12.

[9] Id at Section 12(e) of MODULE ONE: Transfer controller to controller and MODULE FOUR: Transfer processor to controller, and Section 12(g) of MODULE TWO: Transfer controller to processor and MODULE THREE: Transfer processor to processor.

[10] Business continuity risks arising from the inability to process data are more significant than the monetary risk from damages or penalties or non-monetary risks from damaged reputation from breaches. See PwC article highlighting that 52% of Fortune 500 companies now include privacy risk disclosures in their annual reports due to auditing considerations regarding an entity’s ability to continue as a going concern.

[11] See Paragraph 47 of EDPB Recommendations 01/2020.

[12] Id at Paragraph 48.

[13] Id at Executive Summary on page 2.

[14] Anonymisation was initially included but subsequently deleted from the ANNEX to the COMMISSION IMPLEMENTING DECISION, as highlighted in the unofficial redline by Christopher Schmidt, FIP CIPP/E CIPM CIPT CDPO.

[15] See German Association of Data Protection and Data Security (GDD) and Anonos Ten Truths of GDPR Pseudonymisation at SchremsII.com/TenTruths.

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.