[co-authors: Christopher Wall*, John Rosenthal**, Debbie Reynolds***, and David Wallack****]
Editor’s Note: On June 22, 2022, HaystackID shared an educational webcast developed to help companies successfully face the accelerating challenges of data protection, privacy, and cross-border transfers. The webcast also highlighted the requirements, roles, and responsibilities that information governance and legal discovery professionals need to successfully navigate the difficulties of cross-border transfers to translate compliance challenges into business opportunities.
This session, led by industry-acknowledged experts in areas ranging from data protection and privacy to data transfer and legal discovery, provided a professional forum for the explanation of the best approaches, protocols, and practices for guiding an organization’s data in a world of shields and Schrems.
While the entire recorded presentation is available for on-demand viewing, provided for your convenience is a complete transcript of the presentation.
[Webcast Transcript] You’ve Got to Move It: Data Protection and Privacy with Cross-Border Transfers
+ Christopher Wall
Data Protection Officer and Special Counsel, Global Privacy and Forensics
+ John J. Rosenthal
Chair, eDiscovery and Information Governance Practice
Winston & Strawn LLP
+ Debbie Reynolds
Founder, CEO, and Chief Data Privacy Officer
Debbie Reynolds Consulting, LLC
+ David Wallack
Lead Privacy and Security Counsel
Hello, everyone, and welcome to today’s session. We’ve got a great presentation lined up for you today. But before we get started, there are just a few general admin points to cover.
First and foremost, please use the online question tool to post any questions that you have. And we will share them with our speakers. Second, if you experience any technical difficulties today, please let us know using that same questions tool, and a member of our admin team will be on-hand to support you. And finally, just to note, this session is being recorded and we’ll be sharing a copy of the recording with you via email in the coming days.
So, without further ado, I’d like to hand over to our speakers to get us started.
Hello, good morning, good afternoon, and good evening to today’s worldwide audience. And I hope everybody’s having a great week. My name is Chris Wall and on behalf of the entire HaystackID team, I’d like to thank you for attending today’s presentation and our discussion titled You’ve Got To Move It: Data Protection And Privacy with Cross-Border Transfers.
Today’s webcast is part of HaystackID’s regular series of educational presentations developed to ensure that listeners are proactively prepared to achieve their cybersecurity, information governance, and eDiscovery goals.
Our expert presenters today include individuals who are deeply involved in areas ranging from data protection and privacy to data transfer and legal discovery. Today, the panelists will share and explain many of the best approaches, protocols, and practices, and most importantly, their experiences for successfully guiding an organization’s data in a world of Shields and Schrems.
So, let me introduce myself to begin with. As I mentioned before, my name is Chris Wall. I joined Haystack earlier this year and serve as Data Protection Officer and Special Counsel for Global Privacy and Forensics, as part of our Global Advisory Team. I also serve as HaystackID’s internal DPO. And as Special Counsel for Global Privacy and Forensics, I help our clients navigate cross-border privacy and data protection. And I also advise clients on technical privacy and data protection issues associated with cyber investigations, data analytics, and of course, discovery. Before joining Haystack, I worked at Ernst & Young where I led cross-border cybersecurity, forensic, structured data, and traditional discovery investigations.
Next, I’d like to introduce John Rosenthal. In his role as Chair of the Discovery and Information Governance Practice at Winston & Strawn, John represents clients in a vast array of complex antitrust and litigation matters. His practice also involves counseling clients on a variety of trade regulation, trademark, and commercial issues. Chambers USA highlights John’s abilities as a very strong litigator, and he’s lauded for his mastery of material and his depth of intelligence about the market, which is unparalleled. He also acts as eDiscovery counsel for numerous corporations around the world. So, welcome, John.
Next, I’d like to introduce the data diva, Debbie Reynolds. And Debbie is a world-class, world-renowned technologist, thought leader, and advisor, handling global data privacy, cyber risk, and complex cross-functional data-driven projects. Debbie is also an internationally published author, highly sought-after speaker, and a top media presence about global data privacy, data protection, and emerging technology issues. And we’re delighted to have you with us here today, Debbie. So, thanks for joining.
Finally, last but not least, I’d like to introduce my colleague in the industry, David Wallack. David serves as Motive’s Lead Privacy and Security Counsel with significant experience in complex issues involving cyber incident response and mitigation, crisis management, data privacy program implementation using AI, and data privacy and security terms negotiation. David’s work also focuses on international and US data privacy laws. So, David, thanks for joining us today.
Today’s presentation is being recorded for future on-demand viewing. And a copy of the presentation will be available for all attendees once the on-demand version is completed. We expect those items to be available on the HaystackID website soon after we complete today’s live presentation.
So, with that, let’s get started with today’s presentation and discussion on data protection and privacy, and cross-border issues. Can we go to the next slide there, please?
So, for some context, you know us and we’d like to get to know you a little bit purely to tailor our discussion here so we invite all of the attendees, all of you who have logged in so far, to answer the next four questions. And again, these are used solely for purposes of us tailoring our discussion today during the panel discussion.
All right, and the next one. All right, and the next one. Excellent. Well, thank you all for introducing yourselves to us. Okay, that’s just as important. And it does allow us to tailor our discussion a little bit. And I hope all the panelists can see the responses so that we can make adjustments as we need as we go along.
Again, we want to make this time useful to you as participants. And for some context during the discussion today, we plan to talk about movement of data, movement of data across borders, and we’ll focus primarily on EU to US transfers. But we’ll touch on other transfers in other jurisdictions, from other jurisdictions, where applicable. We might also address some security issues and overlaps with information security. But our focus today is going to be primarily on privacy and data protection as it relates to transfers. And we will delve into a lot of security issues here.
This is the agenda we plan to cover today. We will talk quickly, but we’ll try to address the questions as you put them into the text box. And again, we encourage you to ask those questions, and make this as interactive as we possibly can. Let’s go to the next one.
So, we’re going to talk about the contours of the privacy landscape. Now, these are contours – as that slide might suggest – that are rapidly changing. It is a rapidly changing environment. And let’s go to the next one.
And to begin with, I think it might be good for us to lay a little foundation and provide a brief history maybe of the privacy in the US – privacy generally in the US and Europe, to shed some light into why we have different approaches to privacy, and why this is a dynamic area for lawyers and privacy pros around the world.
Of course, in Europe, we have a fraught history with the use of personal information, whether it was race, religion, ancestry, ethnicity, or whatever it might have been where the unfettered collection of that kind of information led to seizures and concentration camps. So, understandably, post World War II, there was general European mistrust for large aggregations of data by any government or private entity for that matter.
So, in response, Germany and France established some of the first data privacy laws in Europe, regulating how we use all of that data stored in rows and columns. And with that, I’d like to kick off with asking our panelists maybe to walk through the development of that law, or that set of laws and regulations and directives in Europe, beginning – maybe we’ll start with 1995. John or David, Debbie, would somebody like to kick that off and kind of talk about how we got to where we are today, starting there?
John J. Rosenthal
Sure, with the formation of the European Union, what Europe did is recognize that there are certain fundamental, inalienable human rights. Privacy is one of those rights and that’s a fundamentally different approach from the United States, where privacy is often ad hoc on a state-by-state basis without – other than some isolated laws, like HIPAA and Gramm-Leach – a fundamental recognized right under the US Constitution.
In Europe, however, with the formation of the European Union, the first step in that was really the Directive, which was ‘94/’95. That’s the reference number. And it really created a framework for protection of privacy, where recognized data is actually owned by the individual that creates the data.
And the big distinction, I would say, is in the United States, while you may have some control over your truly personal data that you create yourself, maintain yourself, in the United States data you created at work or at the employer, or on the employer’s systems, has relatively few rights of privacy. That’s the exact opposite under the original Directive, and extended under the GDPR, which was recently updated and amended. And there, personal data doesn’t really have to do with whether and where it’s generated. It’s the content of the data itself. And it’s much broader in Europe, where the protections extend to things like your work address, your work email, or your work telephone number, as well as what we would consider more personal and private information in the United States like medical history or credit card information.
And under the terms of that framework, the ultimate data owner has certain rights around that data, including the right to know when their data is processed. And “processed” is a very broad word, essentially meaning touched, used, accessed by the employer or anyone else. And circumstances as to how it’s accessed, when it’s accessed, where it can be transferred, as well as certain rights to revoke the use, even if you’ve previously consented to that use.
So, what we saw under the original Directive was the EU authority promulgating a set of rules and regulations. But under that framework, each individual member state had the obligation to create a data protection authority and promulgate its own rules consistent with this framework.
Chris, I don’t know whether you want to—
Yes, no, no. Look, I just wanted to lay a broad foundation here. And I think it’s important. And I’ll ask the panelists too. Just to clarify, John, you mentioned that in Europe, in many other parts of the world, we take the approach or they take the approach that privacy has a much different force than it necessarily does here in the US.
So, for my panelists, where is privacy recognized as a fundamental right in the US? Is that in the Constitution someplace?
It is not in the Constitution, although we keep on doing our best to try to find it in the Constitution. But no, nowhere in the Constitution does it say, explicitly, that privacy is a fundamental right. So, privacy in the U.S., generally, is created, as John aptly said, either by patchwork legislation or as a right of contract in the US.
Two different approaches. And arguably, I think, in many parts – well, in many ways we look at the EU’s… at the GDPR as a good thing. But arguably, I think Europe’s privacy hesitancy may have held it back. You could make the argument that Europe has not been able to monetize the internet, monetize user data, and personal data the way that we have necessarily in the US or maybe even China.
Look at how many big tech companies there are in Europe. Not a lot. And you can look at, again, China, Alibaba, Tencent, or some of the largest, most valuable tech companies in recent years, you can see them emerging ahead of Europe.
So, there’s that tension. And again, that’s why we’re having this discussion, I think, is because of that tension and approach to how we use that personal information. We make it available, but we still protect individual users’ rights. That’s the great tension, and that’s why we’re having this discussion today.
John J. Rosenthal
Just to update the framework, so that everybody really understands to the extent they’re not privacy specialists. So, what happened over the last four or five years is that the next version of the Directive was passed in the version of the GDPR. And the GDPR actually goes further than its original one, because originally, the Directive was really limited by territory. It extended these rights and protections inside the European Union zone.
Under the GDPR, though, however, the rights extend globally. So, if you’re an EU citizen or even a resident of the EU, you have global protection of certain of your information, even if it resides in another location.
So, for example, if your employer decides to put its servers in the United States, and you’re sitting in the European Union, you still have the same protections over that data, regardless of the fact that it’s in the United States.
Now, what we see is that most of the countries in the world – with the exception of perhaps China – have really gravitated towards the GDPR framework, and they have some version of this GDPR framework that we’re going to talk about. In the United States, again, we’ve been very slow. And what you’ve seen is these certain states, California in particular, starting to adopt state legislation that mirrors GDPR. And you’ve got a couple of other states starting to do that also.
So, we have this bizarre phenomenon here, where we have a globalized economy, predicated on the transfer of information and data, yet we have these protections that really are designed to limit how that data can be used, and where it can be transferred, and under what circumstances. So, you have a real tension here between globalization of data versus expansion of privacy in various sectors.
Thanks, John. As I mentioned, there are a lot of other countries. John mentioned that there are a lot of other countries who are adopting laws similar to the GDPR, even inspired by the GDPR, including those that we’ve got shown on the slide here and many others. I think, at last count, there were somewhere around 58 countries around the world that have some form of privacy regulation in place, or in the works at the moment.
They’re not all the same. But like John pointed out, many of these are following the GDPR model.
I think there are two camps to really think about here. And that is the consumer rights approach, which is what we have in the US, versus Europe and these other countries that are following Europe, with a human rights approach. So, for consumer rights it’s typically your rights don’t kick in unless you’re consuming or there’s a transaction of some sort. So, we have in the US also laws related around certain types of data, certain types of data transactions, and they tend to be more prescriptive. Whereas, I think, in a human rights approach they try to have things be more – it’s more talking about reasonableness, purpose limitation and things like that, as opposed to more prescriptive things like we have in CCPA, like put a button on your website that says, “Don’t share my data”.
John J. Rosenthal
That’s a great point. I would add there’s probably a third model, and I would call it the China Model. And the model is really designed as more of a political weapon. So, China has passed a series of seven or eight different kinds of privacy or security laws, where the whole idea is to prevent the movement of the data outside the country. And also, try and stop foreign regulators from conducting investigations having to do with data that has its origins in China. So, that’s really the third model where it’s really a political and economic weapon, as opposed to a perspective either on consumer or human rights.
That’s a great point. Great point all three of you.
I would agree with that. And it’s also important to remember that the categories of data in China are very vaguely defined. Sometimes it’s simply whatever their regulators deem to be important information, whether or not it is personal information. It can be anything that they just decide they don’t want being exfiltrated from the country.
So, with that context, and that foundation of where we’re coming at this from all of these different perspectives on privacy and how we should protect it, and recognizing the tension, let’s go to the next slide. We want to put this into practical application. And in the next – you can advance there, yes, thank you. Let’s go to the next one.
So, we’ve put together a hypothetical here, and this is in a litigation context, or in a regulatory context anyway where this often comes up. We have a hypothetical situation where let’s assume you’re a law firm, and your client is a German-headquartered company conducting a fraud investigation into employee activity in the US, France, the UK, Australia, the UAE, and China. And your legal team is sitting in Washington DC and in Germany. And you expect that your internal investigation, once it’s complete, you may need to produce documents to regulators in Germany and in the US.
So, where do we start that analysis? I’m going to ask my panelists here. Where would you start the analysis?
I will say start with the places where it’s easiest to obtain data. So, that would probably be in the US. Europe will be less easy to get data. And China will be very hard.
I love how you jump right at it. Where are the primary issues? Are there any issues we might want to address before we even start looking at where’s the data going to be the most difficult to remove it, or to export it?
Yes, I would just piggyback on what Debbie just said, just as a starting point. In the US, essentially, in the employment context, employees have little to no expectation of privacy over their data. The hypothetical – and I know this is intentional, Chris – is a little bit vague about whether or not there is actually a discovery order or an actual regulatory inquiry.
So, merely having the expectation that you might need to produce the documents after you have completed the investigation may not satisfy any sort of derogation that might be available for transferring documents to establish legal defense and claims.
So, I think the very first place that you probably have to start here is what is your legal basis outside of the US where, again, there’s no expectation of privacy? What’s the legal basis for actually conducting the investigation? And then, as Debbie already mentioned, I think that for something like this, you’d want to try to keep as much of it local as you possibly can.
That’s a good start. And Debbie and David, that’s exactly where we want to start. Look at the legal basis for why we want to get this moved, potentially export this data, and then look at where the most challenging jurisdictions might be. What do we do next?
John J. Rosenthal
To start the investigation, the first thing I want to do is create a heat map. So, I want to look at the various jurisdictions and figure out where I can start. Obviously, in the US, I can start doing some things. In certain of these jurisdictions, you can also start doing certain things in-country, provided you have a legal basis to engage in what they call processing. And also, the first step is typically putting in some kind of legal hold or engaging in some preservation.
Fortunately, under the GDPR, it appears – and again, we’re waiting for some of these new regulatory authorities under the GDPR to really articulate this, because under its predecessor, the idea of you issuing a legal hold was considered processing, and you had to jump through all kinds of consent and notice hoops. It appears, at least from the early interpretations of the GDPR, that legal hold is not going to be viewed as the same kind of processing unless you try and transfer, move, or access the data. If it’s just putting it on preservation, you can do that.
So, what I like to do is create a heat map of where’s the data, and what can I do legally with each of those jurisdictions to start with? And then what do I have to do first to have a basis to process it? And then two, can I look at it locally? And what can I do locally? And then it’s a question of if I need to move it forward from the jurisdiction it sits in, what’s the framework around that transfer? Can I legally transfer it? And if I can transfer it, what’s the mechanism for transfer? And what kind of notice or other hoops do I have to jump through to comply with those transfer obligations?
Also, you’d want to try to find a legal basis that makes it easier for the organization. Consent is a legal basis and is the one that people like the least because it is the most complex part of the process. Because not everyone has to consent and maybe they may consent to different things. So, you may end up with a very fragmented set of data that’s a bit skewed once you receive it.
But I think looking through what the legal bases are, also looking to see if a derogation may apply, which means that maybe this is a situation where this data transfer would be something that’s occasional, not done on an ongoing basis, and very limited in scope. So, being able to really look through those legal bases to see which one you could use will be helpful.
Also, it’s important to note that in these other countries outside the US, you have to have a plan in place before you start collecting data. So, you can’t just collect data there and say, “Oh, let’s figure out what we’re going to do with it next”. So, that has to all be worked out before you start touching or processing data.
John J. Rosenthal
Great points. I would add also you may have certain obligations, not only in terms of your employees to provide them or not provide them notice. But there may be notice obligations with the DPA, the local DPA. And in places like Germany, where you have what’s called “Works Councils”, you may have notice obligations, if you’re in a large company that has a works council. You not only have obligations potentially with the German DPA, but you have an obligation to provide notice to the works council itself.
Right. And this would be part, I think, of the initial privacy impact assessment. And the context of this investigation would matter greatly. If these employees are somehow being investigated as part of a civil litigation and the likelihood of crimes arising out of the investigation or further charges is minimal, that impacts the transfer. If there is a likelihood that there could be further investigations, or possibly crimes charged based on the investigation, that is when you would get into a situation where you would need to speak with the local DPA and get approval for the transfer.
Thanks. And I don’t want to get ahead of ourselves. David mentioned two things, the privacy impact assessment, and the transfer impact assessment. We are going to talk about those a little bit more in detail here. I also want to point out here that we’ve got three panelists representing three different perspectives.
We have John representing outside counsel, we have David representing in-house counsel, and we have Debbie and myself representing outside advisors, third-party advisors. So, when you have a situation like we have in this hypothetical, who is responsible for identifying those issues, and identifying those privacy and data protection requirements. Where does that fall? Does that fall to you, David, as in-house counsel?
Always the controller, it always falls upon the controller. Obviously, it’s great to have outside counsel opinion, and you really want counsel to be as local as possible on issues like these. But at the end of the day, the buck stops with the controller.
John J. Rosenthal
Under these frameworks, there’s the data owner, which is obviously typically the employee inside a corporate with respect to PII, then you have the data controller, which typically is the employer. And then you have processors. Processors are people typically that touch the data and engage in certain activities, like an eDiscovery vendor, a collection vendor, or processing vendor.
It gets very confusing here for the following reason: there are certain transfer mechanisms recognized that we’re going to get to between controllers and processors. But there’s also a recent trend, particularly under the GDPR, where there’s a controller to controller transfer. And this is particularly with law firms. So, typically, under the – its predecessor to GDPR, you had the data owner, the employee, the controller, the corporation, then its law firm was a processor and the vendor would become a processor.
The more recent trend is, however, to try and make some of the downward people who touch the data actually also controllers. So, many people are – as opposed to entering into a controller to processor agreement with your law firm, they’re entering into a controller to controller agreement with a law firm on the theory that the law firm is actually making substantive decisions about the data and the onward transfer. So, very, very important distinctions, particularly when we look at some of these transfer mechanisms that we’re going to go into.
I just wanted to add that what people need to know is, whether you’re a controller or processor, both have significant skin in the game. So, I think the idea of previously, the way people thought about this is like, “Okay, the controller has all of the obligation, all of the responsibility. And me as a processor, I’m just doing what the controller told us”. But in these types of scenarios where you’re transferring data, both the controller and processor – processor to controller, controller to processor, processor to processor – have joint obligations, or things that they have to do together to make sure that the data transfers they do are legal.
I was just going to throw in that in the event that you have multiple entities that are in different jurisdictions that are all part of the same company, that those entities also need controller to controller SCCs in place before any data can even be transferred intracompany. That’s assuming, and obviously, that there are no BCRs in place. But in the event that there are no BCRs in place, you would still need the controller to controller SCCs, for instance, between the UK entity or the French entity and the US entity in order to transfer that data.
So, we got a little ahead of ourselves there. But let’s talk about those transfer mechanisms. So, we’ve decided that we need to move some data from the EU or from one of these other countries that follows maybe the EU paradigm. And previously, we had three options for moving that data, three mechanisms, I should say, for moving that data.
Originally, there was Safe Harbor, which morphed into Privacy Shield. That of course is no more. That’s currently not an option for us. Next, we looked at – we look at BCRs (Binding Corporate Rules), which you referenced a few times there, David. In your experience, and let me ask our panelists, how often do you see these BCRs in use?
Very few companies use this. So, I think there are – and I’m being generous – less than 200 companies in the world that have Binding Corporate Rules; it’s probably more like 150 or whatever. So, very few companies have this, go through this process, which means they have to find alternate ways to transfer data. Also, Binding Corporate Rules are for intracompany transfer; it doesn’t cover transfers that happen outside of the company.
John J. Rosenthal
Let me just level-set for people that really aren’t privacy specialists. The first step is you have an issue where you’re going to have to transfer data. So, the first analysis is where’s the data? The second is, do you have a legal basis to actually process the data and transfer it? Assuming you satisfied that, then the question is what’s the mechanism of transfer?
And again, you have these three here, Binding Corporate Rules, which essentially nobody uses. And then you have standard contractual clauses, which are basically form agreements put out by the GDPR, that you really can’t change, that put forth the obligations of the controller and the processor, or the controller to controller, or the processor to processor. And then you have what was originally a treaty between the United States and the GDPR. Because the GDPR – the EU says, you can transfer to any state that has a similar… is recognized to provide similar protections to the GDPR. And then it lists a number of countries that don’t provide such protections. The US is one of those countries.
So, inherently the GDPR says we don’t have – the US does not have enough privacy protections to comply with the GDPR. So, you either have standard contractual clauses or what was going to be this treaty. And the benefit of this treaty was that if you got self-certified under this mechanism, and there was a violation or a potential violation, it was litigated before the Department of Treasury and not before a foreign DPA.
Well, there’s an activist called Schrems in Europe that has – every time some version of the Shield or Sword, or whatever we call it, gets passed, he files a lawsuit in Europe and gets it invalidated. And we’re now on the third version that literally just came out in the last six months, which would, again, provide a mechanism, an alternative to standard contractual clauses. He’s going to challenge that. Nobody knows whether that will be a valid transfer mechanism.
So, the reality is for 99.9% of us, some version of the standard contractual clauses is really the only actual means to protect yourself with regard to the transfer of personal property outside of a GDPR jurisdiction.
Thank you, John. Very succinct. Well explained. We were jumping around there. So, thanks for level-setting for us all.
Why don’t we talk about those standard contractual clauses? With this latest version of them – I can advance here. Go to the next slide, please. Next one.
With the latest version of the standard contractual clauses, the EU has provided us with these modules. And David, you referenced these. These are standard clauses to be used in specific certain circumstances when you’re transferring from controller to controller, processor to controller, controller to processor, or processor to processor. They try to make it as easy as possible for us to know which clauses to use.
John J. Rosenthal
I would add, Chris, when you say standard contractual clauses, these are literally forms. You go to the GDPR site, you print them out, a lot of people may put their own headers on them. But actually, you can’t change these forms. And if you try and change the forms, you then have to go to the local DPA and get permission for your adapted form. So, the reality is most people do not change these forms.
These are pretty much non-negotiable unless you want to go through the process with your local DPAs (data protection authorities) in each member state. So, these are literally fixed standard contractual clauses.
They’re fixed in the respect that you cannot change the material terms of the SCCs. They’re not fixed in the sense that they need to actually be filled out. And that filling them out is a fairly onerous process, especially with the updated SCCs. And that requires a great deal of articulation and planning by the organization transferring the data.
These clauses get dropped into contracts. So, you can actually add more meat, obviously, to those contracts, as long as they don’t contradict those clauses, and those clauses are not changed.
John J. Rosenthal
And an important thing to note for law firms is that you’re also agreeing to submit yourself to the jurisdiction of the member state for enforcement violations here. For a lot of general counsels of law firms, that creates a lot of heartburn. And I will tell you, personally, I had to have a lot of meetings with our own GC to explain why we had to enter into such things and why we had to agree to those jurisdictional provisions.
So, I have some tips for how to use these standard contractual clauses and where to put them. Typically, where do you see them appear, in what documentation? Typically, in my experience, they show up in a data processing addendum in your contract, either with your outside counsel maybe or with any of your data processors. And usually, that DPA is between the controller and the processor, or between the processor and the sub-processor. Again, anywhere you see one of those modules put into place or put into use.
Let’s go to the next one. We talked about derogations, very briefly earlier. We talked about derogations. And then after we talk about derogations, we’re going to talk about some of those onerous steps that David mentioned here a second ago, associated with using those standard contractual clauses. But if we could, I think this bears mentioning here talking about some of the derogations, or what we refer to in American as “Exceptions”.
So, when did these derogations come into play? Debbie.
Basically, derogations come into play when we can’t fit neatly into other legal bases. And you need – there’s a narrow window of opportunity to do a data transfer. So, the reason why they put this in the GDPR is for people who don’t fit neatly into those other six legal bases.
So, a derogation says that in exceptional circumstances, you may be able to transfer data as long as it meets the test of these things they talked about. So, you may be able to get consent of an individual, it has to be in public interest. The transfer – it can’t be something that’s done on an ongoing basis. So, you may be able to use a derogation if you think that this transfer may be either limited in scope or limited in duration. And that you have a contract between the data subject and the controller. Is that right?
John J. Rosenthal
I would say the interesting thing about this is that under the predecessor, the Legal Claims Provision was construed by the GDPR regulator, or the prior regulator, as not including US litigation. So, the fact that you might have a lawsuit in the United States was not a legal basis from which to engage in the transfer.
Now, there was a lot of heartburn around that. And everyone believes that the Legal Claims Provision under the GDPR, unlike the directive, would allow extraterritorial litigation, and everybody is operating in that way. Here’s the really unfortunate thing about the practice of privacy, it is a constantly changing and evolving world. And every time we think we have something set, or we think we know how GDPR or the DPAs are construing the framework, they throw a wrench into the monkey works.
So, that is the way everybody is acting at this point. But it would not be surprising in the next year or two that we see someone out of the GDPR say that a legal claim would not include an extraterritorial legal claim, like one in the US.
Let’s go to the next one here, talk about DPAs real quickly. We mentioned DPAs, not typically where you’re going to see these. That’s where you’re going to see the standard contractual clauses included. And we talked about who typically needs one. Are there circumstances where you would consider not putting in place one of these data processing addenda, where between a controller to processor, a processor to processor? Are there any instances when you would not want to use one of these?
John J. Rosenthal
There are five or six exceptions. I don’t have them at hand. But for example, I think there’s an auditors exception. They are very limited exceptions. The reality is in the context of a regulatory investigation, or a piece of litigation, you’re going to need one.
And I always recommend that companies that have to do data processing, so you’re touching data of other individuals, that you have some type of documentation ready to go that explains what your process is for handling data. So, if you ever get into a situation where you have to create a data processing addendum, you have that information already ready to go that you can put into a contract or into a document, that you can edit to have it fit your situation.
And again, this is essentially a rider that goes along with any contract between a controller to processor, or a processor to another processor, for example, that outlines how you’re going to process the data and it includes those SCCs if you’re using SCCs. Anybody else want to add anything else on DPAs? Confusing with our term of DPA here in another sense.
I would only say, with the DPA that, you do need to be careful that you do not create privacy rights through them that do not otherwise exist. So, if you are fortunate enough to – and we’re getting away from the hypothetical, which I think clearly probably mandates the use of DPAs and SCCs. But for instance, if you were, say, operating in a B2B environment or you were claiming an exemption over employment data under particular privacy regulation, you would want to be careful that the DPA did not create rights of privacy where they otherwise don’t exist in a regulatory sense.
So, that would be my only caution with merely entering into DPAs because it sounds like it’s good housekeeping or good due diligence. They often are and I’m not advocating against them. I’m just saying that you need the right DPA for the right situation. And the language needs to reflect what the regulatory scheme is that you’re operating under for that transfer.
Excellent point. Thanks, David. But one of the things you mentioned earlier, all three of our panelists, is when we use these new standard contractual clauses – which again is probably the most popular or most used transfer mechanism – using the new SCCs, you must conduct a TIA, a data transfer impact assessment, for every one of those transfers. And David, I think this is what you were referring to when you talk about some of the onerous questions. And some of the onerous analysis you’ve got to undergo when making one of those transfers. Is that right?
Yes, that’s right. So, the new SCCs have something that’s called Annex 2 which is technical and organizational measures, including technical and organizational measures to ensure the security of data. Some examples of what companies might do to ensure the safeguarding of data now, post-Schrems II, are things like pseudonymization, encryption of personal data, measures for user identification and authorization, measures for protecting data during its transmission and storage. Are you logging events for all of your systems? Are you using multi-factor authentication? What steps are you taking to minimize data?
These go on and on and on and on. And these can be very, very difficult for most lawyers, unless the lawyers have very deep technical backgrounds, to fill out. They generally require getting cross-functional buy-in from IT, security, your platform. As much as your outside counsel will absolutely have expertise on maybe some of the methods that they are seeing other clients use to fill these out, unless they really know your tech stack and how data moves around, it’s going to be difficult for anybody outside of your organization to actually fill them out.
So, they require a tremendous amount of planning, they can’t just be filled out one time. They have to be filled out every time there is a unique transfer. There is an enormous expenditure of calories internally and making sure that these are filled out correctly, and that they’re filled out on an ongoing basis.
And I’d like to tell organizations these documents or these assessments should be operational, not aspirational. So, it shouldn’t be what you wish you were doing. It should be actually what you’re doing, how you’re protecting data, what the transfer looks like today, what technical and organizational measures you have in place right now. So, you shouldn’t really add in things in there that you’re not doing. You’ll end up in some jeopardy there.
Well, I feel like we’re talking around this a little bit. We’re talking about these assessments. And I think we need to make it clear to the participants on this webinar anyway, that there is no formal template, there is no formal assessment that the EU has provided that you’ve got to go through. For every one of these transfers, as David pointed out, you’ve got to assess the risk to personal information that you anticipate transferring. And that includes your company’s policies in the event of the data loss, or in the event of a request from law enforcement or some other regulatory body.
There are examples of these assessments out there that you can get from various sources on the internet, of course, but there is no standard. I think it’s important, though – well, it’s mandatory that you conduct one of these assessments for every transfer, but it’s important that that assessment be comprehensive, and that you’re covering all of your bases. And you need to be satisfied when you’re doing one of these assessments that you have covered all your bases.
Yes, and I’m sorry if I wasn’t clear there because I am speaking to Annex 2 of the SCCs which filters into the assessment. The likelihood of infringing the rights of a data subject, or having a high likelihood of the impact of the rights of the data subject is now really heavily tied into what supplementary measures you’re taking to protect the data. So, they are inextricably intertwined now.
John J. Rosenthal
So, again, at the risk of confusing everybody, I do think we’ve got to lay out this framework again. You’re transferring the data, you have to have a legal basis to transfer. And then once you go to transfer the data, you have to have a mechanism to transfer.
One of the mechanisms is the standard contractual clause. A subsection of the standard contractual clause requires you to lay out your security protocols around the handling and use of the data. That is related but a separate requirement from these transfer impact assessments. The transfer impact assessments really weren’t promulgated by the GDPR or by the E.U. They were promulgated by the International Court, under its Schrems analysis, where it imposes obligations at the time of the transfer. Separate and apart from any standard contractual clauses, you need to analyze the impact that the transfer has on the person’s privacy and whether you’ve taken adequate procedures to protect.
The confines of what is an actual acceptable TIA, really, have not been passed on by either the GDPR’s central body or by the individual DPAs, and that’s going to continue to unfold. There are a lot of pundits out there that have published what they think these transfer impact assessments should look like.
But what I think you’re going to see, in the next year or so, is some standardization around what these impact assessments are and mean. And there’s probably going to be some more litigation, unfortunately, where regulators look at these and determine whether or not the impact assessment was adequate or not.
The best practice is I would – you need to look at the transfer, you need to look at these elements that are out there, some of which we’re going to go over, and you need to document that you actually undertook this analysis. So, that if you’re called on the carpet by a regulator, you have evidence that you actually took this seriously, and that you conducted an analysis.
Thanks, John. So, these are some examples of some of the things you might want to inquire into and address during your TIA, your transfer impact assessment.
Some of the background details – and again, this is not a comprehensive list. These are just sample parts of your assessment.
I’m going to ask outside counsel here. What’s the risk if I don’t conduct a TIA with each transfer? And the reason I ask is because I’ve been polling some of our clients recently, and this is a new idea for many of them. New even since September.
John J. Rosenthal
I would say the short-term risk is medium because I don’t think there’s a clear regulatory framework in place as to what is actually required and when it’s required. Long-term, we’re going to have to do these and I think they will become somewhat standardized. The tension here is going to be, obviously, you’re engaging in a transfer, and you’re going to want to have a TIA that says that when you look at this and weigh everything, it favors the transfer. That’s a real tension here in the United States, particularly when one of the focuses of the TIA, at least from the European courts’ perspective, is to what extent is the US Government or a state government going to get access to the data? And that’s difficult for most of us to predict or control.
That is the real concern with all of these assessments, the underlying concern anyway.
All right, looking at our time, let’s talk about finally what happens with this data. We’ve walked through finding a legal basis for the transfer, recognizing the mechanism we’re going to use for the transfer, putting the SCCs in place, conducting our TIA.
Ultimately, when we think about our data flow analysis, and where the data is going to go, and where the data is ultimately going to wind up, we need to look at what are called onward transfers. Where that data will finally end up. If it’s going from the EU, for instance, to the US, that’s fine. But where’s it going to wind up within the US? Is it going to be, for instance – in our hypothetical there – is it going to be produced to US regulators, state or federal regulators, to civil litigants? Where’s it going to be produced? Let’s talk about those onward transfers and some of the considerations we need to make before we make any of those onward transfers.
At any of the steps before, for instance, in our hypothetical, before we make a document production, for instance, let’s consider all of those. Onward transfers are part of our TIA, our transfer impact assessment. We do need to consider those as part of our TIA, of course. But what are some of the other things we want to consider with respect to onward transfers?
John J. Rosenthal
So, certainly, with any onward transfer, whether it’s under standard contractual clause or not, one of the things you want to do is try and minimize the data before you transfer it and do that locally. Can you cull the data down before you transfer it? Because you want to be as proportional as possible and not transfer more than you have to. You have to make sure that you have protections in place from a security standpoint. Another thing that they urge is can you anonymize the data or pseudonymize the data? Anonymizing means you redact or blank out or change from John Smith to ex-employee? Pseudonymization is close to that. But under anonymization, you really don’t know who you – or what information you blacked out, versus under pseudonymization, what you do is replace, as opposed to John Doe, it’s Employee 1, or that kind of information. It’s also sometimes referred to as “Masking” and then the key is, who controls that key code? Do you control it? Or do you pass that on? A lot of issues around that.
On the pseudonymization, anonymization thing, I would just jump in and say that in all of my experience, and whether regulatory inquiry or US litigation, I have never heard of an opposing party agreeing to anonymization or pseudonymization because of lack of context. I think it’s great in almost every other transfer, but when it comes to satisfying US discovery obligations, I have yet to hear of any actual use of either technology.
John J. Rosenthal
I would say I’ve had some limited success, but it’s very difficult to do. I think masking with a code is probably the most success I’ve had. But again, I’m not sure for most European regulators’ standpoint, that would pass muster.
I understand where you’re coming from. I was going to say the same, John. I’ve had limited success in a handful of matters where we’ve been able to pseudonymize or anonymize the data. To your point, David, too often it takes away the context of – well, the real value of any document production you’re making.
John J. Rosenthal
Here’s the fundamental problem from my perspective, when you get to litigation or regulatory process is, the Government as well as most opposing parties are not going to agree to standard contractual clauses. They’re not going to want to take on that liability, and the view is they don’t have to. So, you don’t have a transfer mechanism, which gives you complete protection. So, then you’re in this risk/reward situation. Do I risk antagonizing the court or the regulator? Or do I risk antagonizing the foreign privacy regulator? And this is a tough decision for clients. And it’s now a tough decision for law firms and vendors that become either controllers or processors and have liability under these agreements.
So, the question is, are there other mechanisms that you could at least argue provide some level of protection, like a protective order that you can at least argue to a regulator that you took some steps to protect it? Or do you force yourself into a situation where you have to get a compelled disclosure from a US regulator or court in order to argue to the regulator that you didn’t have any choice and you were faced with a compelled order?
Debbie or David, anything you want to add there?
I agree. I think the best way that you can approach this, definitely have a risk-based framework to look at this. But then trying to limit the data that you need to capture is probably the best first step through this whole process.
That brings us to the top of the hour. We really wanted to track the data from – or the transfer of data through the whole process. And we’ve got there at least through the end of our protocol – through production.
I want to give our audience a chance to ask any additional questions. I know we had two and I think we addressed those primarily. Panelists, I think you can see those questions. I think that’s all that we had. If we have other questions, we’re going to give a minute here for our audience to ask them here.
There is one question. It looks like it involves exclusions from GDPR in an EU country, for example, if the investigation is criminal or involves national security.
This would be the time where you would invoke a convention. And you would look to that as your transfer mechanism, particularly if it was between cooperating law enforcement agencies.
John J. Rosenthal
Here’s the problem, there is a process where particularly a US regulator can get the documents directly from a foreign regulator. It’s called the MLAT process. And often the regulator – and this is something I deal with all the time, on a weekly basis. A regulator comes to me, a federal regulator, and says, “I want the data”. I’m going to say, “Well, I need something additional than the standard FOIA protection, because the standard FOIA protection really isn’t enough to cover you”. And they’re like, “Well, I’m not going to do that. I’ll just go to the foreign regulator using MLAT process”.
One, you typically don’t want to do that, because now you have the foreign regulator involved, and you could now spark a secondary investigation in Europe or somewhere else that you didn’t want. But the reality is, to some extent, the US regulator is bluffing because the foreign regulator is going to insist that as part of that MLAT, the US regulator take on some of these protections anyway, that they’re telling you, we won’t agree to.
So, for example, they may require pseudonymization, or additional protections, or additional safeguards. We get back down to this risk/reward analysis here where you can protect yourself at the time of the transfer, you can protect yourself with an onward transfer to a vendor or a law firm. It becomes this gray area once you actually have to do the transfer to an opposing party or regulator here. And unfortunately, there is no perfect transfer mechanism at that point that protects you. You really have to figure out what’s the best way I can minimize the data? What protections can I put around that? What arguments do I have with a foreign regulator that I took reasonable steps and really didn’t have a choice at the end of the day?
And then we have another question, which is my favorite question, which is “Can SCCs be incorporated in the DPA by reference?”
I do see this from time to time. I do not recommend it for exactly the reason actually stated in the remainder of the question, which is “How about the organizational and technical measures that need to be specified?” And I think that that’s where you get in trouble merely incorporating SCCs by reference into a DPA.
I see that too, on occasion, where you have “We’re going to use these SCCs, I’m going to just direct them to the Europol website”. It becomes just pro forma at that point. I agree that it’s better to incorporate them into a document itself.
Did we address all of them? I think that’s all.
Well, I thank all of you, our panelists, for joining today. And I thank all of you who have – we recognize that your time is valuable as both panelists and our participants in this webinar for taking time out of your busy schedule today.
And we hope you have the opportunity to attend our next monthly webcast currently scheduled for July 22nd of 2022. And that upcoming webcast will feature an expert presentation and discussion on the Committee on Foreign Investment in the US. That’s CFIUS compliance. And it’ll be led by a cross-functional team of compliance experts across the industry for multiple industries. So, we hope you can attend that informational presentation. You can learn more about that upcoming webcast and review our extensive library of on-demand webcasts on our website at haystackid.com.
So, again, I thank you our panelists, and I thank all of you for participating today. And I hope you have a great rest of your day.
This concludes today’s webcast.
**Winston & Strawn LLP
***Debbie Reynolds Consulting, LLC