Following the Court of Justice of the EU's decision in Schrems II related to the Privacy Shield and the SCCs, the content of this post has been updated in Data Privacy Best Practices 11: Update to Privacy Shield and SCCs.
Data Privacy Best Practice #3: Use Model Clauses (or EU's standard contractual clauses) for data exporter-data importer transactions, which have been amended to be GDPR compliant
As discussed in the last blog post, EU personal data may not be exported to any non-EU country (referred to in the EU privacy regulations as non-European Economic Area or “EEA” countries) unless that country provides adequate protections for such personal data. Some non-EU countries have obtained such certification.
The U.S. has not.
There are three mechanisms for U.S. companies to meet the adequacy test:
(1) Self-certify under the U.S. Privacy Shield;
(2) Adopt the EU Model Clauses for all contracts with EU data exporters; and/or
(3) Adopt Binding Corporate Rules for your enterprise.
This blog post discusses how to adopt the EU Model Clauses for all contracts with EU data exporters. For BizConnect, its customers are data controllers because they decide how the personal data of their employees will be used on the BizConnect platform. BizConnect is acting as a data processor under the GDPR. Under this scenario, BizConnect’s EU customers are the data exporter and BizConnect is the data importer.
A bit of history: the EU personal data laws date back to 1995 when the EU adopted the EU Data Protection Directive (often referred to as the “95 Directive”), which regulated the protection of all personal data for EU citizens.
This 95 Directive also stipulated that personal data could not be exported outside of the EU (EEA) countries unless those non-EU (EEA) countries provided an adequate level of protection for the personal data.
The EU adopted certain “standard contractual clauses” that if a U.S. company used them in their contract (without modification) with EU companies then those personal data transfers outside of the EU would be deemed valid and legitimate.
Some of the significant obligations imposed by the model clauses include: a) the data processor agrees to obtain the data controller’s prior written consent to any subprocessors handling personal data; b) the parties agree that the data subject (the EU user) has third party beneficiary rights; in other words, the parties are subject to lawsuits under contract law for violating their obligations; and c) the law of the data exporter (the EU data controller in the BizConnect scenario) governs the enforcement of the model clauses. To a U.S. commercial attorney these are not the terms they usually agree to in commercial contracts. Pre-GDPR, some U.S. companies tried to avoid the model clauses; however, under the GDPR these requirements apply to the import of EU personal data regardless of the method used to demonstrate adequacy.
Present Day: The GDPR is replacing the 95 Directive effective May 25, 2018.
The GDPR imposes additional obligations and restrictions not covered by the current “standard contractual clauses,” sometimes referred to as “model clauses.” In other words, relying solely on the pre-GDPR model clauses risks non-compliance under the GDPR.
What to do? As most experts are advising, use the model clauses but add some additional clauses to cover these additional requirements. You might ask whether the EU has promulgated GDPR model clauses. Unfortunately, no, at least not yet. So in the meantime you need this workaround.
What are the major gaps? They cover these main areas:
1. Duration of processing
3. Responding to data subjects requests
4. Data breach notifications
5. Requirement that the data processor assists the data controller with creation of a data protection impact assessment.
6. Additional audit rights
7. Additional obligations to disclose information regarding onward transfers to additional countries outside EEA
IRSG, a business consultancy group, along with attorneys at the global law firms DLA Piper and Clifford Chance, crafted an “Example Data Protection Addendum,” which attempts to address the gaps between the GDPR requirements for processor contracts and the 95 Directive’s Model Clauses. This draft DPA was created July 14, 2017.
You can download a Word version of the document at this site.
BizConnect is self-certifying under the Privacy Shield to meet the adequacy test.
If an EU customer insists on the model clauses, then BizConnect will ensure that the model clauses include an addendum to cover the gaps discussed above.
Subprocessors: Whether or not BizConnect relies on the Model Clauses, it needs the prior approval of its EU customers (acting as data controllers) to engage any subprocessors under Article 29 of the GDPR. For example, BizConnect will need to ensure that its EU customer commercial contracts include a list of third party subprocessors (and an approval process for additions), such as the web analytics provider(s) used by BizConnect. Many companies use a ten-day notification mechanism that gives the EU data controller/customer the opportunity to object to the addition of a subprocessor, and the ability to terminate the contract if it does not agree.
The next post will describe and discuss #4 and #5 best practices:
Carry out an internal Data Privacy Impact Assessment (DPIA); and Consider adopting a Code of Conduct.
All 9 best practices can be found here.