INTA News
INTA Provides Tips for Transferring Personal Information from the EU
Published: April 14, 2021
Tara Aaron-Stelluto, Aaron | Sanders PLLC, Nashville, Tennessee, USA; Data Protection Committee—Best Practices Subcommittee
Susan Natland, Knobbe, Martens, Olson & Bear, LLP, Irvine, California, USA; Data Protection Committee—Best Practices Subcommittee
Are you still working to master the new requirements of transfers of personal information from the European Union to other jurisdictions, following the recent changes in privacy protections and the end of standard contractual clauses (SCCs)? INTA has some tips for you to keep in mind.
The Association recently held a webcast on this topic. Now available on demand, it discusses the practical challenges and potential solutions to the latest developments.
The transfer of personal data from the EU to other jurisdictions has become more complicated after a 2020 decision by the Court of Justice of the European Union (CJEU) known as Schrems II. That decision not only invalidated the EU-U.S. Privacy Shield, affecting U.S. companies, but also restricted SCCs, one of the main cross-border data transfer mechanisms used by companies worldwide.
In early 2021, the European Commission (EC) and the European Data Protection Board (EDPB) issued a joint opinion on draft-revised SCCs. The final versions are expected to be released in the second quarter of this year, with a one-year implementation period. This may help inform companies on how to deal with the challenges they currently face in transferring data from the EU to the United States and elsewhere.
The EU-U.S. Privacy Shield had been a commonly used mechanism to transfer the personal data of EU data subjects from the EU to the United States. Under the Privacy Shield, U.S. companies could self-certify that they would comply with the data protection regulations that govern the protection of EU data subjects’ personal information. The CJEU found, however, that the Privacy Shield neither prevented U.S. intelligence agencies from mass-collecting the personal data of EU data subjects nor provided effective judicial redress.
But the Schrems II decision went further. It also severely impacted SCCs, the other often-used mechanism to transfer personal data from the EU to third-party companies outside the EU. While SCCs are still an approved mechanism, companies must now conduct due diligence in order to rely on these clauses, not only for the United States but for any jurisdiction not already deemed by the EC to have “adequate” data protection laws.
In particular, it is no longer sufficient to rely solely on SCCs. Companies considering transferring data outside the EU now also need to conduct a risk impact assessment, especially in the context of any right of access to personal data by public authorities in the country to which the data is transferred.
Specifically, companies should use the same elements prescribed in the EU’s General Data Protection Regulation (GDPR) and applied by the EC in assessing the relevant data protection laws of the target country when determining if that country’s laws can be deemed “adequate” to protect EU subjects’ personal data. To date, the EC has granted adequacy findings to only 13 countries.
The EDPB recently set out further guidelines with respect to the use of the SCCs. It spelled out “supplementary measures” that companies must employ, absent a finding of adequacy, either by the EC or through an impact assessment properly conducted by the company.
Supplementary measures, according to the EDPB, consist of “contractual, organizational, or technical measures.” But given the restrictions already in place in the context of the SCCs, it is difficult to imagine that additional contractual or internal organizational measures would have much impact.
Technical measures appear to be the one supplementary measure that may meaningfully diminish the risk to EU data subjects (and therefore of a fine from the supervisory authorities). Adequate technical measures primarily consist of encryption, pseudonymization, and anonymization. Anonymization takes data outside of the definition of personal data under the GDPR, although several supervisory authorities have expressed concern that it is difficult to fully achieve anonymization.
In making impact assessments and deciding whether to use supplementary measures, companies should consider the same parameters used by EU supervisory authorities to levy fines for improper processing of data under the GDPR. This can help companies minimize the risk of any fines being levied, or perhaps at least the amount of such fines.
These parameters include the purpose of the processing (is it business critical or merely convenient); the categories of data, particularly if they are “special” categories under the GDPR; the amount of data and the frequency of data transfers; and the documenting of any mitigation measures taken by the company.
To go deeper, check out INTA’s webcast entitled “The End of the Privacy Shield: What Brand Owners Need to Know,” featuring European and U.S. analysis as well as an in-house perspective.
Although every effort has been made to verify the accuracy of this article, readers are urged to check independently on matters of specific concern or interest.
© 2021 International Trademark Association