Privacy, Technology and Perspective
New Risks under the GDPR. Beginning this Monday, September 27th, those who transfer European personal data to the U.S. will face new, material risks. In this post, we’ll explore how the new “Standard Contractual Clauses” (SCCs) intended to protect European personal data simultaneously pose a risk to those who rely on them to import personal data from the European Economic Union (along with the UK and Switzerland).
Overview: The EU’s General Data Protection Regulation (the GDPR), in effect since May 25, 2018, requires certain measures in order for the personal data of EU residents to be transferred to the U.S. for processing. The European Commission doesn’t deem American privacy protections “adequate,” and since compliance with the other “lawful bases” for transfering personal data from Europe is far harder than one might expect, most American businesses who “control” or “process” European personal data must enter into SCCs in order to export personal data from Europe. For those American businesses with European customers or employees, essentially the U.S.-based company pledges to comply with European privacy rules.
As we wrote about earlier this summer, on June 4, 2021, the European Commission adopted new SCCs, which impose on companies additional obligations relating to data transfers, including the obligation to conduct a transfer impact assessment and, depending on a party’s role in the transfer, to implement additional security measures and to update internal privacy practices. You can read about the new SCCs and their background by clicking on the following link:
Joint and Several Liability: By now, most U.S. data “controllers” and “processors” have grown accustomed to requiring their processors or sub-processors to comply with the requirements of the GDPR and its U.K., Swiss, and other equivalents. Many have entered into data protection addenda (DPAs) with their processors and sub-processors, which spell out these requirements and commit to compliance with them.
But the new SCCs may increase the legal risks and liabilities under the GDPR and local EU laws associated with cross-border data transfers, and result in material increased compliance and operational costs. They are clear in requiring U.S. data “controllers” and “processors” to “remain fully responsible” with their sub-contractors under the terms of their agreements with them, and also upstream to data subjects and contracting counterparties in Europe. Where more than one party is responsible for breaching an SCC obligation, all will be jointly and severally responsible. Under Clause 12(g) of the applicable Modules, none can “invoke the conduct of a sub-processor to avoid its own liability.”
For the exact language, click on the following link to the SCCs themselves, and compare Clauses 9 and 12 across the four “modules:”
… which means, in effect, that data exporters and importers are about to be insurers: In effect, “remain[ing] fully responsible” with one or more others, not to mention “joint and several liability,” means that your company will now be an insurer of your processors’ and sub-processors’ performance. While you will be entitled to indemnification under the new SCCs and maybe your own DPAs, most technology providers insist on including caps or limits in the DPAs to their own liability, and even without caps, indemnification rarely seems to end up protecting nearly as much as an indemnitee might hope. This is hardly an encouraging word, at a time when alternative risk-management steps (like cyber-insurance) are becoming harder to get and more expensive by the minute.
No Exclusions, No Limits on Coverage: The new SCCs don’t allow changes to joint-and-several liability among covered controllers, processors, and sub-processors. In effect, controllers and processors are now insurers of their processors’ or sub-processors’ compliance with European privacy requirements (which are probably the strictest in the world), with no flexibility to limit what they’ll “exclude” and no ceiling on their “coverage” (exposure) for their processors’ or sub-processors’ perfidy or goofs.
No Negotiations or Changes: This is because the substantive provisions of the SCCs are set in stone. In SCC-speak, the word “Standard” means that while parties are free to expand or enlarge protections for data subjects, they cannot limit or restrict what the SCCs require. The word “Contractual” is even more painfully ironic, for the SCCs constitute substantive requirements of law to which the parties must pretend that they’ve “agreed” — having no more “contractual” choice than they have about “agreeing” to obey traffic signals in a European city.
The new SCCs come in four different varieties, depending on whether the agreement is processor-to-processor, controller-to-processor and so on, but they’re consistent on this point. In each variety, Clause 2 (“Effect and Invariability of these Clauses”) is clear that the SCCs “may not be modified” (except as to deal-specific information in the Appendices) and the parties may not “contradict, directly or indirectly” any of them in the underlying deal documents.
Public Companies are Starting to Warn of this Exposure in New S-1’s: American data controllers and processors often rely on dozens of processors or sub-processors with various specialties. Even with indemnification rights, joint and several liability for any of their data-related acts or omission – with no limitations— threatens to overturn most of the controllers’ and processors’ risk analysis and to shove their profitability projections way, way down. Publicly traded companies are beginning to warn investors of this in their S-1’s, in attention-grabbing language. In just one example:
These data protection and privacy-related laws and regulations are evolving and may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions…This could result in increased costs of compliance and limitations on [the Company] and its service providers and other third parties it works with. This CJEU decision or future legal challenges also could result in [the Company] being required to implement duplicative, and potentially expensive, information technology infrastructure and business operations in Europe or could limit its ability to collect or process personal information in Europe, and may serve as a basis for its personal data handling practices, or those of its service providers or other third parties it works with, to be challenged. Any of these changes with respect to EU data protection law could disrupt [the Company’s] business and otherwise adversely impact its business, financial condition and operating results.
See the following link for the filing:
https://www.sec.gov/Archives/edgar/data/0001820566/000119312521274355/d188548ds4.htm (emphasis added)
Our Predictions: Eventually, we expect European law will evolve to allow for customary and reasonable privacy and risk-management steps by American controllers and processors, in dealing with their sub-processors and other service providers, while allowing nations on both sides of the Atlantic to manage their own police and national security needs. Happily, U.S. and European negotiators have announced that their meeting to discuss a successor system to an alternative transfer mechanism, like the former Privacy Shield — set to begin in Pittsburgh on Monday the 27th but temporarily derailed by the recent French-submarine contretemps — is back on.
A Privacy Shield successor that the European Court of Justice will ultimately enforce, however, probably won’t come easily or soon, for Europe’s root “privacy” issue isn’t only with American Big Tech. Irony notwithstanding (the GDPR allows plenty of “derogations” which allow their member states’ to manage their individual security needs), Europe’s issue is largely with American national-security and intelligence systems, which famously don’t extend America’s constitutional protections to Europeans and will surveil whomever, wherever, and however they deem necessary in order to protect American national security.
Our Recommendation: In the short run, we suggest that American controllers and processors handling European personal data immediately:
(1) re-visit your processors’ and sub-processors’ data-handling practices, insurance, and DPAs, make sure they align with the requirements of the new SCCs, and strengthen those commitments as much as possible;
(2) consider your disclosure obligations (to lenders under loan covenants, to public markets, etc.) and file S-1s or make other disclosures accordingly; and
(3) realize that your company’s business activities which involve transfers of personal data outside of the EEA (both intra-group and to third parties) and will require ongoing monitoring of the latest legal and regulatory developments and as such, your company may suffer additional costs, complaints and/or regulatory investigations or fines, and/or changes to the manner in which the company operates that can harm the business, financial condition and results of operations. Sadly, until American and EU negotiators agree on a survivable successor to the Privacy Shield, the requirements of Europe’s new SCCs may simply make their business in Europe too risky and therefore unprofitable.
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠