The General Data Protection Regulation (GDPR) changed the landscape of data privacy and placed individuals at the center of data protection. It imposed restrictions on cross-border transfer of personal data and provided the mechanisms that can be utilized for such transfers. This was done to ensure that any transfer of personal data outside the European Union (EU) region was sufficiently protected.

Under the GDPR, Standard Contractual Clauses (SCCs) and EU-US Privacy Shield are the most widely used mechanisms for transfer of personal data. These transfer mechanisms were challenged by activist Maximilian Schrems, a lawyer and privacy activist on the grounds that personal data, in transfer or when stored in the US, could be accessed by intelligence agencies.

On July 16, 2020, the Court of Justice of the European Union (CJEU) published its decision in the matter of Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (Schrems II case). This was a landmark judgement that had an impact on the cross-border data transfer mechanisms utilized by several large organizations.  The judgement concluded the following points: 

• Confirmed the validity of the SCCs used for data transfer between EU and non-EU countries subject to the requirement that the business verifies on a case-by-case basis that the personal data being transferred under the mechanism is adequately protected
• Abolished the EU-US Privacy Shield as a data transfer mechanism for transferring personal data from the EU to the US due to its inability to protect European Economic Area (EEA) data subject's personal information from the U.S. surveillance laws

The Schrems II judgement is relevant to EU based organizations as well as organizations that collect data of EU citizens, regardless of a physical presence in the EU. This judgement will also have an impact on organizations in the US and worldwide as it relates to international data flows.

On June 4, 2021, the European Commission (the Commission) published the final version of the Standard Contractual Clauses new SCCs governing international transfer of personal data.

Need for Schrems II compliance

The Schrems II judgment and the new SCCs significantly change the data transfer mechanisms currently utilized by organizations for cross-border data transfer. Today, cross border transfers are an essential part of the global economy with data being transferred from the EU across the US as well as other third countries. Schrems II will apply to all organizations irrespective of whether they are headquartered in the EU or outside if they are involved in transfer of personal data outside the EU region.

Some examples of services impacted due to Schrems II include cloud storage, telecommunications, software-as-a-service, digital platform providers, and business process outsourcing. For example, any telecommunications company providing roaming services to EU resident travelling to any third country such as US or India will fall within the purview of Schrems II due to exchange of personal data between EU and the third country. Similarly, IT services providers, contact centers and outsourcing of business processes often require transfer or access of personal data from EU region to third countries such as India and China. Any company providing services that requires cross border transfer of personal data would require to be compliant to Schrems II and execute new SCCs as a data transfer mechanism.    

According to privacyshield.gov, close to 4,000 companies rely on EU-US Privacy Shield as a data transfer mechanism, which has been abolished by Schrems II.

DIGITALEUROPE’s Schrems II Impact Survey Report[1] has provided the following implications -

• The vast majority of companies using SCCs (75%) have their headquarters in Europe, with US-headquartered companies coming in a distant second (13%)
• Over half of SCC users transfer data to close business partners or non-EU subsidiaries (57% use controller-to-controller SCCs), while almost all transfer data in order to outsource processes or services
• Almost everybody transfers to the US, but six out of ten transfer data to Asia or the UK, South America, the Middle East and Africa

Timelines for Schrems II compliance

The new SCCs come into effect from June 27, 2021 (see Figure 1). Organizations will have 18 months until December 27, 2022 to execute the new SCCs into existing contractual arrangements involving international transfers and re-negotiate contracts with customers, vendors and sub-contractors. Organizations have been provided a limited period of three months until September 27, 2021 where they can still utilize old SCCs while entering into any new contracts. However, such contracts will have to be updated with the new SCCs within the stipulated timelines of 18 months.

Figure 1: Timelines for Schrems II compliance

Changes required as per the new SCCs

In the new SCCs, the Commission has substantially updated the SCC terms. 

• Modular approach

The new SCCs provide a modular approach for new types of data transfers. The older version of SCCs only covered controller-to-controller and controller-to-processor transfers. However, considering the complexities associated with different transactions, the new SCCs additionally cover processor-to-processor (P2P) and processor-to-controller (P2C) transfers..

These provisions are depicted in Table 1.                                      

Table 1: Provisions - old and new SCCs

Given below are some examples of this approach

•  Processor to Processor (P2P) model – Processor A is based outside of the European Economic Area (EEA)/EU and appoints Sub-Processor B from non-EEA/EU region to perform the services contracted with the Controller. Under the pre-Schrems II model, the obligations agreed between the Controller and Processor A would flow down to Processor B through the Controller to Processor model. As per the new SCCs, the Controller and Processor A are required to execute the new SCCs using controller-to-processor model, whereas, Processor A and Processor B are required to execute the new SCCs using processor-to-processor model.
• Processor to Controller (P2C) model - This model addresses the complexities associated with a relationship where the Controller is based within a non-EEA/EU region and the Processor is located in the EEA/EU and there is transfer of personal data from non-EEA/EU region to EEA/EU region.
   
• Technical and organizational measures
  
  Annex II of the new SCCs requires companies to provide extensive information about the technical and organizational measures they have in place.

• Assessment of local laws
  
  As per Section 3, Clause 14 of the new SCCs, the data exporter and data importer are required to conduct an assessment of the local laws of the importing country to which the data is being transferred and document such assessment for review of supervisory authority on request. The parties are required to warrant that they have no reasons to believe that the laws and practices in the importing country will prevent the data importer from fulfilling its obligations under the new SCCs. The data importer is required to inform the data exporter in case it becomes subject to laws that restrict the data importer from performing its obligations under the new SCCs. 

   ·  Legal requests from public authorities

Under Section 3, Clause 15 of the new SCCs, the data importer is required to notify the data exporter, as well as data subjects wherever possible, if it receives a legally binding request from any public authority, including judicial authority for disclosure of personal data. Additionally, it should notify the data exporter if it becomes aware of any direct access by public authorities to personal data transferred under the new SCCs.

     The new SCCs make it imperative for the organizations to conduct a thorough due diligence of their contractual relationships with vendors, customers and sub-contractors; perform a risk assessment of the local laws and practices of importing countries and implement supplementary contractual, technical and organizational measures to ensure compliance. Hence, there is a need for a structured approach to meet the requirements within the timeline of 18 months provided under the new SCCs. 

Key challenges companies face

Organizations now have to re-work their strategies to address the new Schrems II guidelines. The key challenges with respect to Schrems II compliance include: 

• Implementation of the new SCCs as data transfer mechanism within the timeline stipulated by the European Commission
• Additional safeguards or technical measures to be adopted for transfer of data
• Thorough risk assessment and due-diligence of the destination country local laws and regulations
• Detailed assessment of sub-processors, suppliers and vendors
• Re-draft and re-negotiate previous contracts with  their suppliers and vendors
• Take into considerations new obligations imposed on data controllers and data processors
  

Wipro’s Schrems II compliance solution

How Wipro can support in Schrems II compliance:

Wipro’s Enterprise Legal Management Solutions (ELMS) practice helps organizations in ensuring contractual compliance to the revised data privacy regulations. Our team of data privacy experts support organizations in contract review and negotiation process to ensure that the contractual relationships with vendors are compliant with the latest regulations.

Schrems II compliance solution:

Wipro has developed a “Schrems II compliance solution” - to assist organizations to be contractually compliant with the CJEU Schrems II ruling which invalidated and abolished the EU-US Privacy Shield and specified multiple requirements that the organizations must meet before processing personal data outside the EEA.

The four steps in the solution include:

• Due diligence
• Risk assessment
• Contract analysis
• Contract negotiation

Figure 2 outlines how the Schrems II contract compliance solution can be implemented.

Figure 2 : Implementation of the Schrems II compliance solution

Achieving Schrems II compliance

The Schrems II judgment is essentially a milestone towards the protection of privacy and security of personal data and international data transfers.

Organizations now have to be vigilant enough to conduct risk assessment of laws of the destination countries as provided by Schrems II and implement the new SCCs, wherever required, before transferring personal data to third countries.

They need to ensure that all internal and external stakeholders are aligned to the highly regulated confines of Schrems II. Then they must re-assess all the data transfers undertaken by the organization and invest in precise due-diligence of data privacy laws of importing countries. Ensuring a robust contractual mechanism covering all the new Schrems II obligations, while taking all technical and organizational measures as added protection for data transfers will facilitate compliance.

If you are interested in learning more about how Wipro is helping our clients achieve Schrems II compliance, we should talk. Contact us.

‘Enterprise Legal Management Solutions (ELMS) practice is not a law firm and its services or solutions do not constitute legal advice’.

Varsha Bhat
Head – Enterprise Legal Management Solutions (ELMS) Practice, Knowledge Services - Wipro

Varsha Bhat leads the Enterprise Legal Management Solutions practice within Wipro. She has over 20 years of experience in US litigation, corporate legal and HR. She has completed Juris Doctor (J.D.) from Robert McKinney School of Law, Indianapolis, Indiana, USA. Varsha heads the Center of Excellence for legal practice and is involved in business development, strategizing and planning.

Ashvini Laud
Senior Manager - Enterprise Legal Management Solutions (ELMS) Practice, Knowledge Services - Wipro

Ashvini is an attorney with over 15 years of experience in the legal outsourcing industry. She has been responsible for service delivery of projects in the area of end-to-end contracts management, compliance to the General Data Protection Regulation, legal content enrichment and legal research. In her current role, Ashvini is responsible for designing solutions to address customer requirements and bringing in transformation and innovation within the legal function.

Adwait Bhanage
Assistant Manager - Enterprise Legal Management Solutions (ELMS) Practice, Knowledge Services- Wipro

Adwait has around 10 years of experience in contract lifecycle management, due diligence, legal consultations, and risk management in the corporate legal process environment.  He has drafted and negotiated various contracts, developed ‘Risk/Insurance Playbook’, and has successfully delivered data privacy projects for clients.