SaaS Agreements – GDPR – EU-US Privacy Shield Invalid

The EU-US Privacy Shield was declared invalid on the 16th of July 2020 by the European Court of Justice (“CJEU”). The steps SaaS suppliers now need to take depend on their international data flows and the transfer mechanisms they use, which need to be set out in the SaaS agreement. Where SaaS suppliers currently rely solely upon the EU-US Privacy Shield for transfers of personal data to the USA, they must now replace the Privacy Shield with the EU Commission’s Standard Contractual Clauses (“SCCs”).

EU-US Privacy Shield Invalid

The EU-US Privacy Shield was declared invalid due to concerns about US laws. Mainly that:

  • US law does not sufficiently prevent US intelligence services from accessing and using EU located person’s personal data;
  • no adequate remedies exist for EU located persons to dispute/query/prevent the processing of their personal data by US public authorities.

Can SCCs be used instead?

SCCs are still a valid international data transfer mechanism, but data controllers (SaaS customers) must assess the privacy laws applicable in countries where they use SCCs, if they wish to use, or continue to rely upon, them.

The CJEU stated in their decision that data controllers (SaaS customers) must carry out an assessment of the data protection afforded by each “country” (not the company itself) that personal data is transferred to. This means that the privacy laws of each country to which personal data is transferred by SaaS supplier or SaaS customers must be reviewed, in particular to see if there is access to personal data by public authorities is permitted, i.e. for surveillance purposes. If access to personal data is permitted by local privacy laws in any country then the SCCs may be invalid in individual cases. For example: In the US the Foreign Intelligence Surveillance Act (FISA) and/or Executive Order 12333 permits US security authorities to access personal data without a court order in some circumstances.

NB/ The same limitations upon relying upon Binding Corporate Rules (BCRs) in third countries also now apply.

NB/ The Swiss-US Privacy Shield is not invalidated by this decision but is no longer “adequate” for the purposes of the GDPR.

Current Guidance from Data Protection Supervisory Authorities

The Irish Data Protection Commission (DPC) has advised:

“In practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis”.

EU supervisory authorities are currently advising that they will be publishing updated guidance in the future:

See: ICO statement of 27th July 2020

See: EDPB FAQs on Ruling of 23rd of July 2020

However, currently there is no definitive advice from local data protection supervisory authorities on how to resolve the issues raised by the CJEU ruling and the use of SCCs and the position remains uncertain until such advice is provided.

Brexit complications

On the 1st of January 2021 the UK will no longer be part of the EU or EEA and becomes a “third country” for data processing purposes. The UK will be subject to restrictions on the flow of personal data from the EU to the UK, unless the UK is awarded an “adequacy” decision by the European Commission before the 1st of January 2021. This is unlikely. If adequacy is not granted, transfers from the EU to the UK will require a lawful transfer mechanism (such as SCCs). However, the above issues with SCCs will then apply to such transfers from the EU/EEA to the UK.

Are you affected by the Ruling?

Any SaaS supplier or SaaS customer who makes any international data transfers that fall within the list below will be affected by the CJEU ruling.

  • transfer of personal data based solely on the EU-US Privacy Shield;
  • use of any suppliers based in the US who process EU personal data;
  • use of data centres located in the US to host EU personal data;
  • use of telecommunications and/or cloud-based services based in the US;
  • use of any suppliers in other non-EEA countries who rely upon SCCs to transfer personal data.

Actions to take now

All SaaS customers (and SaaS suppliers by default) should carry out an international data transfer risk assessment to:

  • identify which US suppliers rely on EU-US Privacy Shield in their SaaS contracts;
  • identify which US suppliers may be subject to US surveillance laws (section 702 FISA and Executive Order 12333);
  • identify all transfers of personal data to entitles located in non-EEA “third countries” and the transfer mechanisms used for the data transfer specified in the SaaS contract;
  • identify where local privacy laws in any “third country” that EU personal data is transferred to conflict with the GDPR, in particular where public authorities are able to access personal data of EU located persons;
  • prepare to implement updated SCCs into existing SaaS agreements and data processing agreements. (The European Commission has indicated it will provide new versions soon);
  • regularly check UK Government & data protection supervisory authority statements on the EU-US Privacy Shield, Brexit and international data transfers for updates and guidance.

Summary

Until full guidance is provided by the various EU Data Protection Supervisory Authorities, the ICO in the UK, the European Commission and the European Data Protection Board (EDPB) it is unclear whether or not SCCs are an acceptable replacement to the EU-US Privacy Shield in the US and other “third countries”.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles: