Transferring personal data to the United States: towards an impossible solution?

Since 16 July 2020, the transfer of personal data to a country that does not have an adequate level of protection, including the United States, has been questionable and requires to carry out a risk assessment related to such a transfer. Failure to do so can be considered a violation of both the GDPR and the Federal Data Protection Act. How should such a review be conducted?

In order to help companies to act in conformity with these new requirements, the European Commission proposed a new version of the Model Clauses on 12 November 2020. Currently subject to a public comment period until 10 December 2020, this new version should be the only one acceptable one year after publication in the Official Journal, i.e. in all likelihood during the first quarter of 2022.

New version of the Model Clauses

This new version provides in particular that the parties signing the Model Clause must represent and warrant that the applicable law in the country of destination respects the fundamental rights of citizens. The outcome of this assessment must be documented. It is based in particular on the following criteria:

• Do the laws applicable in the country to which the data is transferred ensure that the fundamental rights of citizens are complied with, in particular with regards to the applicable surveillance legislation?

• What types of data are transferred? Is it only business data such as login credentials or is it also consumer data?

• Are these transfers episodic or are they frequent and regular?

• What is the purpose of the processing?

• Has the company that has to process these data been the subject of requests from the authorities requiring the disclosure of these data? If so, how many times?

• The technical and organizational measures put in place, whether during the transfer or at the time of processing by the entity to which the data was transferred.

This assessment is not to be taken lightly, as it may have to be handed over to the authorities if requested.

Recommendations

Assuming that this approach advocated by the new version of the Model Clause remains in the final text, companies will thus have to carry out considerable work to bring themselves into compliance. This work can be broken down into the following steps:

• First of all, make an inventory of the transfers of personal data taking place (whether to affiliated companies or third parties).

• Then check the basis on which these various transfers are made. Where such data are exported to a country whose legislation is considered as having an adequate level of protection or to an entity subject to the GDPR, no further steps should be necessary. If this is not the case, and whatever the legal basis, the following steps should be taken:

• Carry out a documented risk assessment related to such transfer in accordance with the Model Clause referred to above. Recommendation 01/2020 published in November 2020 may also provide a useful basis for work in this area.

• If this assessment leads to the conclusion that certain risks do exist, document the additional measures to mitigate such risks.

• Finally, periodically reassess risks to ensure that the initial assessment remains adequate.

Conclusion

What should one think of this process which, in itself, appears to comply with the new requirements set by the Court of Justice?

• First, that this process is particularly burdensome, as it requires any company making a data transfer to a country that does not enjoy an adequate level of protection – and God knows there are many of them – to make an assessment of the risks associated with such a transfer.

• Second, that this process must be followed for each transfer and each supplier. While certain tools are being developed to help companies assess the surveillance regimes in different countries, they are not sufficient to perform a complete assessment, which must be made in the light of many other criteria requiring a case-by-case approach.

• Third, that he compliance work to document these risk assessments is going to be considerable in 2021, to the point where it is questionable whether it appears realistic, especially, but not only, for SMEs, which will be obliged to benefit from external support to do so and to free up budgets in an economic situation that is already particularly difficult.

• Any failure to comply will be liable to be sanctioned by the competent authorities.

Wilhelm Gilliéron Attorneys Corp. is at your entire disposal to help you ensure your compliance in the most efficient way possible.