Your CRM may well be with a ‘local’ provider, but where is it hosted?

Your responsibility for International Transfers

Buying and selling goods, engaging service suppliers and using hosting providers internationally is as natural to a business as river water flowing downstream. The data that flows back and forth with those goods, services and hosting is just as natural an occurrence; however, this is where we have to get our feet wet.

If you host, store or transfer people’s personal data in countries outside the EEA, you must do so knowingly and comply with GDPR Chapter 5, which governs transfers of personal data to third countries or international organisations and protects the rights of the individuals concerned.

This means the businesses exporting and importing ‘customer data’ must provide appropriate safeguards so that the international transfer of data follows a regulated approach. One element of this safeguard process is to introduce an agreement that sits alongside your standard supplier contract/SLA. The standardised, ready-made “standard contractual clauses” (SCCs) adopted by the European Commission are the go-to mechanism, an easy-to-implement tool for transferring data internationally.


What it means for your business

This comes down to a matter of due diligence. The SCCs are a contract that protects customer data, but also you as a business. The obligation to perform due diligence on the data importer ensures that they are of reputable nature, will not use the data given in confidence for questionable practices, and will not sell that data on to people who should not have access to your customers’ data. Since Schrems II, that due diligence also includes assessing whether the laws of the importer’s country could stop it honouring the clauses, and the 2021 SCCs (Clause 14) require the parties to document that assessment. The SCCs help keep your good business name as a credible upholder of your customers’ values.


Why is an SCC so well regarded?

Well, on 16 July 2020 the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework that had regulated transatlantic transfers of personal data between the EU and US. This came about from the Schrems II case (C-311/18), which arose from Max Schrems’ complaint about Facebook Ireland’s transfers to the US. The same judgment upheld the SCCs, on condition that the exporter verifies, case by case, that the importer’s country affords protection essentially equivalent to the EU’s, so businesses reverted to the tried and tested SCCs. Because the SCCs are designed to satisfy EU law rather than any particular destination, the same standardised form will aid your international data transfers to most other non-EEA countries.


“Reverted”? The old way? So, going backwards?

Not quite. On 4 June 2021, the European Commission adopted two new sets of standard contractual clauses: one for contracts between controllers and processors within the EEA (Article 28), and one for international transfers (Article 46), which is the set that matters here. The old transfer SCCs could not be used for new contracts after 27 September 2021, and the final deadline for phasing them out of existing contracts and completing the transition to the new SCCs is 27 December 2022. After that date, relying on the previous SCCs to legally transfer personal data outside the EEA will no longer be possible, and businesses that still need to update their contracts will face the risk of non-compliance with GDPR.


Is the SCC around to stay?

After Privacy Shield was invalidated, discussions continued between the EU and the US. On 25 March 2022, Joe Biden and Ursula von der Leyen announced an “agreement in principle” on a new Trans-Atlantic Data Privacy Framework, informally called Privacy Shield 2.0. However, this is only a political announcement. European and American ideals differ somewhat, which the respective lawyers will have to debate. To give a loose example, even a seemingly simple word such as “proportionate” will come into dispute. When a European’s large meal in a McDonald’s “restaurant” equates to a small-sized meal in the US, how greatly will the American idea of a “proportionate” response to a company’s mishandling of data differ from the European’s?

One can only imagine the magnitude of the work at hand. Of course, once an agreement is reached and a written document is produced (none has been yet), it can still be challenged in the CJEU, as Privacy Shield was, further delaying its implementation.

The SCCs will still be around after whatever the politicians put in place between the US and EU, as they remain necessary and sufficient for other international transfers of data and will still be relevant for US/EU transatlantic transfers, not least as a fallback if a new framework is challenged.

On this side of the pond, the UK has, for the moment, received a positive adequacy decision from the EU (adopted 28 June 2021, with a four-year sunset clause), so transfers from the EEA to the UK need no SCCs. This could be reviewed in the future, should the UK government do away with regulatory standards in its never-ending quest to find those sunlit Brexit uplands.


3 Actions to take away

1. The deadline for phasing out the old SCCs and completing the transition to the new SCCs is 27 December 2022. If you are yet to update your contracts, there is still time!

2. The ‘standard’ format of the SCCs gives you a clear structure for each party’s commitments to security, protection and privacy. If need be, get in contact with a data protection expert to advise you on getting it right the first time.

3. Respect your customer: perform your due diligence! Have confidence that the importer of your customers’ data will treat it according to the legal framework in place.

If you are working with suppliers, applications or hosting providers and are not clear whether you need to take action before 27 December 2022, get in touch for a free confidential chat: privacy@mddm.ie
