Schrems II: 4 Reasons SCCs Are Not Enough
- Cloud Provider Promises Are Unenforceable
- SCCs Legally Require Supplementary Measures
- EDPB Recommends GDPR Pseudonymisation
- New SCCs Impose Joint and Several Liability
The following are highlights from the Life After Privacy Shield Webinar hosted by the California Lawyers Association.
1. Contractual Commitments by Cloud Providers to Not Reveal Data Are Unenforceable.
Ashley Gorsky, American Civil Liberties Union (ACLU)
Ashley shared that the Schrems II court focused on Section 702 of the US Foreign Intelligence Surveillance Act (FISA), which applies when the US government conducts surveillance inside the US, and Executive Order 12333 (EO 12333), which applies when the government operates outside the US. She noted that there is no judicial review of surveillance under FISA Section 702 or EO 12333.
In Schrems II, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield treaty for transatlantic data flows but recognized SCCs as a valid means of ongoing lawful international transfer if Supplementary Measures are put in place that “compensate for the lack of data protection in a third country” by providing protection “essentially equivalent” to that in the EU.
Ashley noted that contractual commitments by US cloud and other technology providers to resist or object to US government surveillance requests are not realistic and are likely unenforceable.
2. Standard Contractual Clauses (SCCs) – Even New Revised SCCs – Are Not Enough.
Christian Hammerl, Moderator and Privacy Lawyer
Christian emphasized that the European Data Protection Board (EDPB) does not recognize a “risk-based” approach to complying with Schrems II and that the situation is NOT “business as usual” because transfers cannot lawfully proceed using SCCs without new Supplementary Measures. This applies even if new, updated SCCs are used: all SCCs require new Supplementary Measures to be lawfully used.
This includes processing data “in the clear” (without technical protection applied to it), which is how most cloud-based service arrangements operate.
3. EDPB Recommends GDPR Pseudonymisation as Technical Supplementary Measure.
Gary LaFever, Anonos CEO and General Counsel
Gary pointed out that the EDPB identifies three kinds of Supplementary Measures – Contractual, Organisational, and Technical. The EDPB notes that only Technical Supplementary Measures are effective against surveillance by foreign governments, because the controls must travel with the data and remain effective once it has left the EU. In the case of third countries, this can only be accomplished with Technical Measures, since foreign governments are not bound by Contractual or Organisational measures.
The EDPB highlights GDPR-compliant Pseudonymisation as a Technical Supplementary Measure that “travels” with the data and protects it while it is in use.
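To show what a Technical Supplementary Measure that “travels” with the data looks like in practice, the following Python is an added illustration; it is not code from the webinar, from Anonos, or from the EDPB. It pseudonymises constructed customer records before export by replacing the direct identifier with a keyed HMAC, keeps the key and the pseudonym-to-identifier lookup (the “additional information” that GDPR Art. 4(5) requires to be held separately) on the EU side, and refuses to export a dataset that still carries a direct identifier. The record layout, the field names, and the choice of HMAC-SHA256 are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample records for illustration only; the people and addresses are made up.
EU_RECORDS: List[Dict[str, object]] = [
    {"email": "Anna@example.eu", "country": "DE", "purchases": 3},
    {"email": "bram@example.eu", "country": "NL", "purchases": 1},
    {"email": "anna@example.eu", "country": "DE", "purchases": 2},
]

# Fields that directly identify a person; these never leave the EU in the clear.
DIRECT_IDENTIFIERS = ("email",)


def new_pseudonymisation_key() -> bytes:
    """Generate the secret that stays in the EU; without it pseudonyms cannot be recomputed."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.

    A keyed MAC is used rather than a bare hash: SHA-256 of an e-mail address can be
    reversed by hashing a list of candidate addresses, whereas an HMAC cannot be
    recomputed by anyone who does not hold the key.
    """
    normalised = identifier.strip().lower()
    return hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict[str, object]], key: bytes) -> Tuple[List[Dict[str, object]], Dict[str, str]]:
    """Split each record into an exportable part and the separately held lookup.

    Returns (exportable_records, lookup). The lookup (pseudonym -> identifier) is the
    additional information that must be kept apart from the exported data; in this
    example it is retained in the EU together with the key.
    """
    exportable: List[Dict[str, object]] = []
    lookup: Dict[str, str] = {}
    for record in records:
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        for field in DIRECT_IDENTIFIERS:
            p = pseudonym(key, str(record[field]))
            out[f"{field}_pseudonym"] = p
            # Stored normalised so that "Anna@" and "anna@" resolve to one entry.
            lookup[p] = str(record[field]).strip().lower()
        exportable.append(out)
    return exportable, lookup


def contains_direct_identifiers(records: List[Dict[str, object]]) -> bool:
    """Export-time check: a dataset that still carries a direct identifier must not be shipped."""
    return any(field in record for record in records for field in DIRECT_IDENTIFIERS)


def reidentify(exportable: List[Dict[str, object]], lookup: Dict[str, str]) -> List[Dict[str, object]]:
    """Reverse the pseudonymisation using the separately held lookup (EU side only)."""
    restored: List[Dict[str, object]] = []
    for record in exportable:
        out = {k: v for k, v in record.items() if not k.endswith("_pseudonym")}
        for field in DIRECT_IDENTIFIERS:
            out[field] = lookup[str(record[f"{field}_pseudonym"])]
        restored.append(out)
    return restored


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    exportable, lookup = pseudonymise(EU_RECORDS, key)
    assert not contains_direct_identifiers(exportable)
    for row in exportable:
        print(row)
    # Linkability survives: the two records for the same person share a pseudonym, so a
    # processor abroad can still aggregate per customer without learning who they are.
    print(reidentify(exportable, lookup))
```

The protection travels with the data because the exported rows contain nothing that resolves to a person without the key and lookup, which stay under EU control; a surveillance request served on the processor abroad yields only pseudonyms. The same property is what makes the measure effective only if the key and lookup really are kept separately: if they are exported alongside the data, the pseudonymisation adds nothing.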
4. New SCCs Impose Joint and Several Liability on Parties.
Leo Moore, Partner at William Fry Solicitors
Leo noted numerous matters related to the new revised SCCs and explained that attempts by companies to limit their liability in the arrangements between them will no longer be effective. This is because the new SCCs impose joint and several liability without reference to any limitations of liability the parties may have agreed between themselves.
Excerpted highlights from Gary LaFever’s webinar presentation are available separately.
The full California Lawyers Association webinar, Life After Privacy Shield – Strategies for Lawful Transfers of Personal Data from EU Countries to the U.S., is also available and carries 1 participatory MCLE credit.
The Board Risk Assessment Framework is now available to view and download at https://www.schremsii.com/Board2.
Join the Schrems II LinkedIn Group with over 4,800 of your colleagues: https://www.linkedin.com/groups/12470752/
Are you Schrems II Compliant Quiz (in 2 questions): https://www.anonos.com/TakeTheQuiz
This article originally appeared on LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.