Compliance
Advice For Wealth Managers Coping With Privacy Shield Blow

A recent major ruling in Europe undermines a mechanism thousands of firms use to transfer personal data to the US. This has big implications for sectors such as private banking and wealth management. This publication talks to experts at Clifford Chance.
July’s invalidation of the US Privacy Shield (known as the Schrems II ruling) struck a major blow for firms that had relied upon this data transfer mechanism to comply with GDPR. In this exclusive interview, Dan Silver, partner at Clifford Chance, and associate Brian Yin take a deep dive into the ramifications – particularly for the multitudes of wealth managers outsourcing data-heavy tasks and functions.
Schrems II explicitly upheld Standard Contractual Clauses
(SCCs) as a valid transfer mechanism, but charged data
controllers with ensuring that data importers can comply with
those in light of local law. What does this mean for wealth
managers’ due diligence obligations in an outsourcing
context?
Dan: Wealth managers that rely on Standard Contractual Clauses
(SCCs) to facilitate transfers of personal data from the European
Economic Area (EEA) will need to re-evaluate these arrangements
to determine whether they are compliant with the Schrems II
ruling. While the ruling explicitly reaffirmed the validity
of SCCs, the court stated that data exporters had to verify on a
case-by-case basis whether the SCCs provide adequate protection
for transferred personal data in light of the laws of the
recipient country. The court specifically noted the potential
impact of surveillance laws in the US, but the ruling suggests
that data exporters must take into consideration any laws of
recipient states that might diminish the protections and rights
afforded to transferred personal data.
Wealth managers who are subject to the GDPR and have outsourcing
arrangements with data processors who rely on SCCs to conduct
cross-border transfers will similarly need to ensure that these
data processors have sufficiently considered the risks imposed by
the laws and practices of recipient nations.
There is not yet clear guidance from data protection authorities
regarding how data exporters should conduct this case-by-case
analysis. Some regulators have suggested that Schrems II means
that companies cannot transfer data to the US in reliance on SCCs
at all - at least not without unspecified additional measures.
Others have said that companies can continue to rely on SCCs. The
European Data Protection Board, which is tasked with providing
guidance on consistent application of the GDPR, has said that it
will issue additional guidance on these points in the future.
This leaves wealth managers relying on SCCs to transfer data from
the EEA to the US and other jurisdictions in a precarious
position. The safest (but unrealistic) course is to immediately
cease all data transfers out of the EEA and find localised
solutions that do not require SCCs. Obviously, this is likely to
be impractical. A more reasonable approach is to conduct an
entity-specific analysis of the risks associated with
transferring data to a particular third party in a particular
jurisdiction and determining if additional protective measures
are advisable (e.g. by using encryption, pseudonymisation,
etc.).
The Department of Commerce is clear it is holding Privacy
Shield participants to their obligations for data already
collected. Do you agree that there are benefits for data
processors in maintaining compliance with it irrespective, going
forward?
Brian: “Benefits” is probably the wrong word - “obligations” may
be more appropriate. Organisations that participate in the
Privacy Shield and received data pursuant to the programme may be
required to maintain their obligations under the programme, and
could even suffer regulatory enforcement action due to
non-compliance. In July, the FTC finalised a Privacy
Shield-related settlement against a New Jersey medical device
maker that had claimed participation in and compliance with the
Privacy Shield in spite of allowing its certification to lapse.
As part of the settlement, the company was required to comply
with its “continuing obligation” under the Privacy
Shield to protect personal information collected while
participating in the programme or return or delete that
information.
Companies that no longer wish to be bound by the Privacy Shield’s
obligations must follow the Privacy Shield’s formal withdrawal
process. This includes contacting the Department of Commerce and
completing a questionnaire to verify whether the company will
return, delete, or continue to apply Privacy Shield principles to
personal information received while participating in the Privacy
Shield. The Department of Commerce will then remove the company
from the Privacy Shield list on the Privacy Shield website and
instead add the company to the record of organisations that had
previously self-certified but have since withdrawn from
participation. Notably, however, even this withdrawal does not
entirely eliminate a company’s obligations with respect to data
collected while participating in the Privacy Shield - including
annually affirming to the Department that the company continues
to abide by those obligations.
Processor Binding Corporate Rules confer “safe processor”
status, but acquiring BCR approval can be a lengthy process
costing hundreds of thousands. How does this stack up against a
US outsourcing provider opting to establish European
operations/data centres? (i.e. how much of a fix is data
localisation?)
Dan: Data localisation is a solution, but it can be quite costly,
and it may simply not be an option for wealth managers that have
US operations. Additionally, a comprehensive data localisation
solution would include data repatriation, which can add
significant expense and administrative burden. Unless special
circumstances suggest otherwise, the more prudent course would
likely be to perform a risk-based analysis of existing transfer
mechanisms.
In addition, it is important to note that the Schrems II decision
is not limited to SCCs - its reasoning appears to also apply to
Binding Corporate Rules (BCRs). This is the position various EU
authorities have taken. In other words, data exporters who
transfer data pursuant to BCRs must also evaluate whether the
laws of the recipient’s country permit the recipient to comply
with the BCRs. Accordingly, BCRs are not a bulletproof solution
in the absence of further guidance from regulators.
It’s thought that around a third of participants signed
up to the Privacy Shield to transfer human resources data. Do you
see multinational wealth and asset managers comprising a
significant proportion of these? What solutions can they
seek?
Brian: Multinational wealth and asset managers that are based in
the US - or that otherwise have significant operations in the US
- are likely to be caught in the limbo created by the
invalidation of the Privacy Shield. For these companies, the
immediate next step should be to identify all transfers reliant
on the Privacy Shield (whether internal or through service
providers) and implement alternative mechanisms - most likely
SCCs, given the cost and burden of BCRs and data
localisation.
It seems inevitable that both SCCs and BCRs are going to
be subject to challenge on the same grounds as Privacy Shield
(mass surveillance and lack of judicial redress for data
subjects). Long term, is a political solution
likely?
Dan: Yes - while the Schrems II decision was a clear shot aimed
at US surveillance laws, all indications suggest that US and EU
authorities want to maintain lawful mechanisms for cross-border
data flows. Indeed, EU and US authorities have already stated
that they are committed to finding a practical solution for
cross-border data transfers. For example, on August 10, the
European Commission and US Secretary of Commerce issued a joint
statement announcing that they had begun discussing an “enhanced”
EU-US Privacy Shield framework that would comply with the Schrems
II decision. More generally, the European Commission has
recognised that international data flows are “indispensable” for
European companies to maintain their competitiveness.
It is important to note that this is an election year, and the
global pandemic continues to push all other priorities aside. So,
any legislative fix is likely to be delayed until at least 2021.
However, companies can take some comfort in the fact that
aggressive enforcement activity may not be imminent. If the past
is any indication, data protection authorities will try to give
companies time to respond to the decision. When Safe Harbor, the
predecessor to the Privacy Shield, was invalidated in 2015,
European data protection authorities did not initially pursue
enforcement action to give companies the chance to adapt.
However - the Schrems II decision did not establish a formal
grace period and data protection authorities have rejected calls
for explicit delays in enforcement, so asset managers should act
promptly and not rely on any grace period that data protection
authorities appear to be providing.
Some see Schrems II as the “canary in the mineshaft” for
an international data transfer crusade by the EU (the UK possibly
being next on the block). How do you see this theme playing out
in the years to come given the internationalised nature of this
sector?
Brian: China seems to be a more deserving target than the UK.
But, while there may be some local data protection authorities
that wish to reduce or eliminate cross-border data flows, it is
unlikely that this will be the dominant view. As noted above, US
and EU authorities have already said that they are committed to
finding a solution to address the gap created by the invalidation
of the Privacy Shield, and the European Commission has recognised
that international data flows are necessary for European
companies to compete globally.
The US isn’t party to the Common Reporting Standard (the
mechanism under which 102 countries exchange bank account details
to weed out tax cheats), but is, itself, very keen to look into
the financial affairs of US taxpayers. How do these two issues
dovetail?
Dan: The Schrems II decision reveals deep scepticism of US
government surveillance practices - and perhaps more generally of
US exceptionalism. The extraterritorial reach of US public and
private law has become increasingly controversial, and Schrems II
can be viewed as a backlash against this perceived encroachment
on European sovereignty.
However, for years observers speculated that, with the passage of
the GDPR, the US would be likely to follow suit and implement a
comprehensive national privacy and cybersecurity law. Yet, four
years later there has only been limited progress.
By keeping privacy issues in the forefront, the Schrems II
decision may help slowly change US attitudes towards privacy, and
ultimately affect the balance between privacy rights and national
security protections. But it would be wrong to expect imminent
change. In the near term, major privacy reforms in the US are
unlikely and we can expect a more nationalist response, at least
under the current administration.