A recent major ruling in Europe undermines a mechanism thousands of firms use to transfer personal data to the US. This has big implications for sectors such as private banking and wealth management. This publication talks to experts at Clifford Chance.
July’s invalidation of the US Privacy Shield (known as the Schrems II ruling) struck a major blow for firms that had relied upon this data transfer mechanism to comply with GDPR. In this exclusive interview, Dan Silver, partner at Clifford Chance, and associate Brian Yin take a deep dive into the ramifications – particularly for the multitudes of wealth managers outsourcing data-heavy tasks and functions.
Schrems II explicitly upheld Standard Contractual Clauses (SCCs) as a valid transfer mechanism, but charged data controllers with ensuring that data importers can comply with those in light of local law. What does this mean for wealth managers’ due diligence obligations in an outsourcing context?
Dan: Wealth managers that rely on Standard Contractual Clauses (SCCs) to facilitate transfers of personal data from the European Economic Area (EEA) will need to re-evaluate these arrangements to determine whether they are compliant with the Schrems II ruling. While the ruling explicitly reaffirmed the validity of SCCs, the court stated that data exporters had to verify on a case-by-case basis whether the SCCs provide adequate protection for transferred personal data in light of the laws of the recipient country. The court specifically noted the potential impact of surveillance laws in the US, but the ruling suggests that data exporters must take into consideration any laws of recipient states that might diminish the protections and rights afforded to transferred personal data.
Wealth managers who are subject to the GDPR and have outsourcing arrangements with data processors who rely on SCCs to conduct cross-border transfers will similarly need to ensure that these data processors have sufficiently considered the risks imposed by the laws and practices of recipient nations.
There is not yet clear guidance from data protection authorities regarding how data exporters should conduct this case-by-case analysis. Some regulators have suggested that Schrems II means that companies cannot transfer data to the US in reliance on SCCs at all - at least not without unspecified additional measures. Others have said that companies can continue to rely on SCCs. The European Data Protection Board, which is tasked with providing guidance on consistent application of the GDPR, has said that it will issue additional guidance on these points in the future.
This leaves wealth managers relying on SCCs to transfer data from the EEA to the US and other jurisdictions in a precarious position. The safest (but unrealistic) course is to immediately cease all data transfers out of the EEA and find localised solutions that do not require SCCs. Obviously, this is likely to be impractical. A more reasonable approach is to conduct an entity-specific analysis of the risks associated with transferring data to a particular third party in a particular jurisdiction and determining if additional protective measures are advisable (e.g. by using encryption, pseudonymisation, etc.).
The Department of Commerce is clear it is holding Privacy Shield participants to their obligations for data already collected. Do you agree that there are benefits for data processors in maintaining compliance with it irrespective going forward?
Brian: “Benefits” is probably the wrong word - “obligations” may be more appropriate. Organisations that participate in the Privacy Shield and received data pursuant to the programme may be required to maintain their obligations under the programme, and could even suffer regulatory enforcement action due to non-compliance. In July, the FTC finalised a Privacy Shield-related settlement against a New Jersey medical device maker that had claimed participation in and compliance with the Privacy Shield in spite of allowing its certification to lapse. As part of the settlement, the company was required to comply with the company’s “continuing obligation” under the Privacy Shield to protect personal information collected while participating in the programme or return or delete that information.
Companies that no longer wish to be bound by the Privacy Shield’s obligations must follow the Privacy Shield’s formal withdrawal process. This includes contacting the Department of Commerce and completing a questionnaire to verify whether the company will return, delete, or continue to apply Privacy Shield principles to personal information received while participating in the Privacy Shield. The Department of Commerce will then remove the company from the Privacy Shield list on the Privacy Shield website and instead add the company to the record of organisations that had previously self-certified but have since withdrawn from participation. Notably, however, even this withdrawal does not entirely eliminate a company’s obligations with respect to data collected while participating in the Privacy Shield - including annually affirming to the Department that the company continues to abide by those obligations.
Processor Binding Corporate Rules confer “safe processor” status, but acquiring BCR approval can be a lengthy process costing hundreds of thousands. How does this stack up against a US outsourcing provider opting to establish European operations/data centres? (i.e. how much of a fix is data localisation?)
Dan: Data localisation is a solution, but it can be quite costly, and it may simply not be an option for wealth managers that have US operations. Additionally, a comprehensive data localisation solution would include data repatriation, which can add significant expense and administrative burden. Unless special circumstances suggest otherwise, the more prudent course would likely be to perform a risk-based analysis of existing transfer mechanisms.
In addition, it is important to note that the Schrems II decision is not limited to SCCs - its reasoning appears to also apply to Binding Corporate Rules (BCRs). This is the position various EU authorities have taken. In other words, data exporters who transfer data pursuant to BCRs must also evaluate whether the laws of the recipient’s country permit the recipient to comply with the BCRs. Accordingly, BCRs are not a bulletproof solution in the absence of further guidance from regulators.