DATA PRIVACY COMPLIANCE BEGINS WITH AN UNDERSTANDING OF THE JARGON USED
Paul M. Robertson, Esq. and Melanie J. McCauley, Esq.
This is Part 3 in a series on global data privacy compliance.
In an earlier article, we advised that those seeking to comply with international data privacy law should look first to the EU’s General Data Protection Regulation (the GDPR). But GDPR compliance is easier said than done! And perhaps the only thing harder than eventual compliance is cutting through the GDPR's often prolix, opaque, and jargon-filled landscape in the first place.
Although definitions are often provided at the end of a how-to manual, they are provided up front here because a basic understanding of key historical turning points and frequently-used terms of art will make the discussion that follows more accessible. Below, then, is a primer of some of the key events and terms.
1. Relevant Laws
A. The 1995 EU Data Protection Directive (the EU Directive) (Directive 95/46/EC) was the EU’s initial attempt to apply the deeply-rooted European principles of personal privacy to the growing volume and complexity of electronic data. Generally speaking, the Directive required entities to: (1) collect, process, and retain data in a manner that was not “excessive” in relation to its collector’s purpose; (2) maintain “adequate” privacy protections; and (3) provide its data subjects with the right to access, correct, and, in certain circumstances, remove their data. It also restricted the manner in which companies could transfer personal data to “Third Countries,” the term used to refer to any jurisdiction located outside of the EU. The Directive, which was in some respects aspirational in nature, was superseded in 2018 by the GDPR.
B. The 2018 EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is conceptually quite similar to the Directive it replaced. Like the Directive, the GDPR: (1) provides for individual control over one’s personal data; (2) regulates the collection, processing, and retention of personal data; and (3) constrains the export of data outside of the EU unless GDPR-like “adequate protections” can be guaranteed. In comparison to the Directive, the GDPR defines “personal data” more inclusively, requires greater uniformity among the member “states,” establishes stronger enforcement mechanisms, and creates greatly-elevated financial and equitable penalties.
C. The European Economic Area (EEA) consists of the 27 EU member states plus Iceland, Norway, and Liechtenstein. By agreement, the GDPR applies to the entire EEA. For the sake of convenience, the more familiar term “EU” will be used in this chapter, but the reader is reminded that the GDPR also applies more expansively to the entire EEA.
2. Relevant Governmental Bodies
A. The Article 29 Working Party (WP29) was established under the Directive to promote the consistent application of data privacy law among member states by, among other actions, providing advisory (but not binding) guidance. WP29 was replaced by the GDPR’s European Data Protection Board (EDPB), and no longer exists.
B. The European Data Protection Board (EDPB) was established by the GDPR to replace WP29. It functions similarly to its predecessor, charged with fostering cooperation and consistency, albeit with greater authority to resolve disputes and issue binding decisions.
C. The Court of Justice of the European Union (CJEU) is the EU’s chief judicial authority and the final authority on the interpretation of EU law, including the GDPR.
D. The European Commission is the EU’s executive branch.
E. Data Protection Authorities (DPAs), aka Supervisory Authorities (SAs), are public authorities that act to implement and enforce the GDPR within each EU member state. They were first established, as “DPAs,” under the 1995 Directive, and continue as “SAs” under the GDPR. The terms are now used somewhat interchangeably. There is one DPA (or SA) for each EU member state. Among their responsibilities, DPAs monitor in-country GDPR compliance, address consumer complaints, and certify proposed BCRs.
F. Supervisory Authorities (SAs). See DPAs, above.
3. Relevant GDPR Terms
A. An Adequacy Decision or Adequacy Determination is, with respect to a country outside of the EU (a so-called “Third Country”), a formal determination by the European Commission that the country provides an “adequate” level of data protection – that is, a level of protection that is generally equivalent to that offered by the GDPR. With respect to a proposed set of Binding Corporate Regulations, it is a determination by the relevant DPAs that a company’s proposed code of conduct, if followed, will provide an adequate level of GDPR-like protection.
B. Data Subject is an individual to whom personal information refers. (GDPR ch. 1. Art. 4.)
C. Data Controller is a person or entity that determines the purposes and means for which personal data is processed. (GDPR ch. 1. Art. 4.)
D. Data Processor is a person or entity (other than one employed by a Data Controller) that processes personal data for a Data Controller. (GDPR ch. 1. Art. 4.)
E. Third Country means a jurisdiction outside of the EU. Under the GDPR, personal data may be transferred from the EU to a Third Country only if there are formal assurances (through a BCR, an SCC, or otherwise) that the data will be provided with “adequate,” GDPR-like privacy protections. (GDPR ch. 5. Art. 45.)
4. Transfer Tools
A. Defunct Cross-Border Transfer Tools and Related Case Law
i. The EU/US “Safe Harbor” was a U.S.-EU data transfer system that allowed for data to be transferred from the EU to the U.S. in compliance with the EU Data Protection Directive. The Safe Harbor protocol, established after negotiations between EU and U.S. authorities, provided a means for companies to transfer data out of the EU after self-certifying that they had adopted a prescribed set of EU-like “adequate” protections for personal data. The CJEU invalidated the Safe Harbor system in its 2015 Schrems I decision.
ii. Schrems I (Maximillian Schrems v. Data Protection Commissioner, CJEU No. C-362/14) was a 2015 CJEU decision invalidating the EU/U.S. “Safe Harbor” system based upon a finding that transfers made to the U.S. were not being provided with GDPR-like, “adequate” protections of privacy.
iii. The EU-U.S. Privacy Shield (Privacy Shield) replaced the “Safe Harbor” system. Like the Safe Harbor system, it provided a means for companies to transfer data out of the EU after self-certifying that they had adopted a prescribed set of EU-like “adequate” protections for personal data. The CJEU invalidated the Privacy Shield system in its 2020 Schrems II decision.
iv. Schrems II (Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, Case C-311/18) was a 2020 CJEU decision invalidating the EU/U.S. “Privacy Shield” system based upon a finding that transfers made to the U.S. were not being provided with GDPR-like “adequate” protections of privacy.
B. GDPR Article 46 Transfer Tools
i. Binding Corporate Rules (“BCRs”) are formal, binding, intra-company data protection protocols. (GDPR ch. 5. Arts. 46(2)(b) and 47.) BCRs may be used by a “group of undertakings” or a “group of enterprises engaged in joint economic activity.” (See GDPR ch. 1. Art. 4(20) and ch. 5. Art. 47.) Generally used by large multi-national companies engaged in multiple types of data processing exercises, they provide a GDPR-compliant means for transferring personal data from the EU to Third Countries that have otherwise not been approved as providing “adequate” protection. BCRs must be based upon a framework of GDPR-like standards and protections, which were first expressed in writing by WP29. A company’s proposed BCRs must go through a time-consuming DPA review and approval process, and are thus seen as a less attractive option for small to medium-sized businesses.
ii. Standard Contractual Clauses (SCCs) are formal, binding, inter-company data protection protocols. (GDPR ch. 5. Art. 46(2)(c) and (d).) Like BCRs, they provide a GDPR-compliant means for transferring personal data from the EU to Third Countries that have otherwise not been approved as providing “adequate” protection. Unlike BCRs, they (1) are typically used to address a more limited scope of transfers, with different SCCs being adopted for different types of transfers; and (2) can be adopted verbatim from the written standards provided by the European Commission and thus require no formal post-adoption approval process. (GDPR ch. 5. 46; GDPR ch. 10. 93(2).) For these reasons, they are particularly important for small to medium-sized businesses. As will be addressed in greater detail in subsequent parts of this series, the European Commission issued new SCCs on June 4, 2021, to adjust the forms to the changes wrought by the adoption of the GDPR and the CJEU’s ruling in Schrems II.
(Of note, not only may SCCs be adopted verbatim, they in fact may not be modified, other than to “select the appropriate Module(s) or to add or update information in the Appendix.” Parties may, however, add clauses “provided that they do not contradict” the standard terms, nor “prejudice the fundamental rights or freedoms of data directly or indirectly.” (See Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), C/2021/3972, Annex, Sect. 1, Clause 2.)
iii. Codes of Conduct are a bit like SCCs and BCRs, except that rather than being used by a single company (BCRs) or a set of companies engaged in a contractual relationship (SCCs), they allow companies within the same industry or engaged in similar types of processing to create a common, industry-specific set of data protection protocols. Their utility continues to evolve, such that although the GDPR theoretically allows for a DPA-approved Code of Conduct to provide the basis for data transfers to Third Countries, one has not yet been approved for that purpose. (GDPR ch. 4, Arts. 40 and 41 and ch. 5, Art. 46(2)(e).)
iv. Certification provides another theoretical means for companies to demonstrate compliance with GDPR-like “adequate” privacy protections, through DPA approval of a data protection protocol adopted by the company. (GDPR ch. 4, Art. 40.) Pursuant to the GDPR, data transfers from the EU to the U.S. may take place based upon an exporter’s and importer’s “certification” status. To date, however, no such certification has been approved.
v. Ad hoc contractual clauses provide another inter-company means to effectuate GDPR-compliant data transfers from the EU to Third Countries that do not otherwise provide adequate protection. (GDPR ch. 5, Art. 46(3)(a).) Such contracts or clauses may be entered into in addition to, or in place of, SCCs.
vi. Supplementary Measures are formal steps (and, in particular, technical steps) that have been provided by the EDPB for a company to use in addition to a chosen Article 46 transfer tool, as a means to enhance the likelihood that a data subject is provided with GDPR-like “adequate” protections. (See Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, June 18, 2021.) The goal of Supplementary Measures is to thwart attempted surveillance by the governments of Third Countries. Data encryption is an example of a “Supplementary Measure” that may be used to “impede or render ineffective access by [Third Country] public authorities.” (See Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, June 18, 2021.)
C. The GDPR Article 49 Transfer Tool - The Special Case of a “Derogation”
A Derogation means, literally, an exception, and thus transfers made pursuant to a GDPR “derogation” are excused from compliance with the GDPR. (GDPR ch. 5, Art. 49.) Article 49 derogations include transfers that are made with the data subject’s explicit consent, to perform a contract with the data subject, or to protect the data subject’s legal interest. (See generally Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, 25 May 2018.) A more complete list will be provided in subsequent parts of this series. Derogations are sanctioned only for “occasional and non-repetitive transfers,” are not meant for ongoing or bulk transfers, and are increasingly disfavored by EU authorities. (See EDPB’s Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 10 November 2020.)
Freelance Writing/Editorial Services
2 years
Thank you. This is the kind of basic direct information that helps make this type of sense language more clear. These articles are a fascinating introduction to a complex issue that many of us will need to understand as the world continues to get smaller around us.
Very informative article, thanks for putting it into digestible terms, for the non-lawyers among us to follow. These are concepts that I often come across in our work, and helps me communicate with others in the space, lawyer and non-lawyer alike, more effectively.