European Union Privacy Standard Contractual Clauses: Marketplace Trends and Practices
With the amount of data stored in the cloud increasing exponentially every day, the amplified scrutiny of data protection security measures, and the quickly changing landscape of data protection laws, it is no wonder that corporate legal departments are struggling to stay on top of their privacy and security compliance programs. The newest wave of chaos started a little over six months ago with the invalidation of Safe Harbor. The chaos has continued as experts and stakeholders squabble over its replacement, the Privacy Shield.
To complicate matters further, in two years, the EU General Data Protection Regulation (GDPR) will go into effect. As the legal departments of US technology companies engaged in global data imports begin preparing their companies for the changes compelled by the GDPR, they must also solve their current problem of ensuring they can continue to serve EU customers. The pressure to address EU data import issues often comes from clients, often during contract negotiation or renewal stages.
Can corporate legal departments rely upon an in-house compliance program that follows the principles of the Privacy Shield? Will the Privacy Shield be a viable option? Will there be a Privacy Shield 2.0 after the GDPR goes into effect? Most importantly, what can companies do now to thrive, address the concerns of their clients, and pacify the demands of its internal clients?
Corporate legal departments are left walking the tightrope of privacy and security compliance, weighed down by the changes brought by the end of Safe Harbor, the advent of the Privacy Shield, and the looming GDPR.
Interestingly, research into many large technology corporations reveals that publicly available data protection clauses in their terms of service still reference heavy reliance on the Safe Harbor. Is this evidence of denial, an overall "wait-and-see" sentiment, or a "throw everything in your arsenal and see what sticks" approach? Whatever the implication, considering the rapidly changing nature of data protection, it's in everyone's best interest to find an alternative. Currently, the only viable and immediately serviceable option — is to use the European Commission's approved Standard Contractual Clauses ("Clauses"). Unlike the binding corporate rules (BCRs), the Clauses are the closest thing to an off the shelf data export solution and one that can therefore be implemented relatively quickly. Consequently, their use has proliferated in the wake of the fall of the Safe Harbor regime.
Common Themes and Approaches to Implementing the Clauses
Because international technology leaders are increasingly being forced to accept the Clauses when contracting with European business customers or sharing data with their EU subsidiaries to address EU data export compliance issues, it's worth taking the time to explore this option. There is a common perception that the Clauses are rigid and inflexible. Whilst it is true that the Clauses cannot be varied or modified, nothing in the Clauses prevents parties from adding provisions dealing with "business related issues where required, as long as they do not contradict the Clauses" (Clause 10 of the Standard Contractual Clauses). Such terms are typically tactically positioned as "clarifications" of the Clauses.
These "clarifications" are typically addressed by drafting a side letter to the Clauses or by adding an additional appendix to the Clauses. Alternatively, the Clauses can be embedded in the master service agreement (for example, as a separate addendum or exhibit).
Spirit of the Clauses: Carefully walk the line to preserve the rights granted by the Clauses
Most implementers tread carefully in order to preserve the overarching principle of the Clauses — respecting the rights of the data subjects that the Clauses are meant to protect. This means that all clarifications need to be carefully worded to avoid contradicting the Clauses or undermining any rights granted by the Clauses. If the clarifications undermine the rights granted by the Clauses, a company defending their compliance program will be hard-pressed to make a good case that the clarifications are not varying or modifying the Clauses.
Clarifying, not varying: Convert the Clauses into concrete, palatable, and actionable processes
Pondering the difference between "clarifying" and "varying" may send implementers down a rabbit hole that leads to a philosophical discussion about the meaning of life. Most implementers, however, seem to reach some inner peace when it comes to this somewhat uncomfortable distinction.
Most Often Spotlighted Provisions Related to Subprocessors
While any clause can be potentially clarified, implementers of the Clauses are likely to clarify certain clauses more often than others. The single most burdensome issue with the Clauses seems to be its treatment of subprocessors. Therefore, most clarifications are centered around this issue.
Data exporter's upfront consent of subprocessor contract
Practically speaking, most small to mid-sized companies are unlikely to procure consent for the use of its existing subprocessors from each and every one of its EU customers. Most Clauses implementers tend to accomplish consent by providing customers upfront with a list of the subprocessors that will have access to data covered by the Clauses. The list is usually included as an exhibit in the agreement with the data exporter or published online in a way that's easily accessible by the data exporter. The list is then directly referenced in the agreement with the data exporter. Obtaining consent from each and every EU data exporter prior to enlisting a new subprocessor seems to be a more difficult task. To comply, Clause implementers tend to provide a notification method (via their online website or platform) that informs data exporters when a new subprocessor will be integrated into the data importer's services. The notification also provides a window of time within which the data exporter can object to a new subprocessor.
Auditing the facilities of data importers and subprocessors can quickly become an expensive and onerous task. Even if a data importer allowed its own facilities to be audited, forcing their subprocessors into such an audit is highly unlikely. To address this requirement, implementers tend to clarify that the data exporter shall have the ability to exercise this provision through the acceptance of and reliance on the data importer's or the subprocessor's independent third party audit reports, certifications, and other documents of that nature. This eliminates the need for the data exporter to conduct its own on site audits.
Data destruction provisions
Finally, another burdensome clause is the requirement that the data exporter may request the return or destruction of all the personal data (and any copies) that were transferred to a subprocessor. This may be difficult to implement and costly. It may be impossible to delete all copies of all data. Moreover, value offerings of many of these technology companies may rely on the analytics derived from aggregated and anonymized data. One observed method used to deal with this issue is having the data importer expressly clarify that any certification of destruction or return means that the data importer has taken all reasonable, commercially and technically feasible measures to delete all known instances of such data, unless the data is in an aggregated and anonymized form.
Implementing the Clauses as part of your EU privacy compliance program can be a lengthy process. By using the observable themes and provisions pioneered by these technology leaders, the Clauses can usually be implemented within between two to six weeks. Clarifying, not varying, is the name of the game in this process. Keep in mind that the observed compliance approaches are common, but haven't yet been meaningfully tested. Moreover, when developing your EU compliance program, consider including key stakeholders in your company's information security and engineering teams. Finally, be consistent with the original spirit of the Clauses and consider the specific limitations and opportunities of your business and technology.