
Transfers of personal data to the USA: all illegal?

In accordance with the GDPR, you must provide “appropriate safeguards”. Most of the time, your North American service provider will have met this requirement by inserting, deep in the annexes to its general terms and conditions, the standard contractual clauses proposed by the European Commission. These model clauses have recently been updated. But, contrary to their original purpose, this new version worries more than it reassures, all the more so since a violation of the related GDPR obligations can be sanctioned by a fine of up to 20 million euros or 4% of global turnover, on top of the bad press that a public sanction by the CNIL can cause.

To fully understand the crux of the matter, we need to take a quick look back.

A brief look back

Until recently, transfers of personal data between the European Union and the United States were governed by an agreement between the American Department of Commerce and the European Commission called “Privacy Shield”, successor to “Safe Harbor”.

But, following the shattering revelations of a certain Edward Snowden about the American surveillance program PRISM, the Austrian activist Maximilian Schrems obtained its invalidation by the Court of Justice of the European Union (CJEU). And for good reason: the application of American intelligence law quite simply rendered Safe Harbor and the Privacy Shield ineffective.

The Luxembourg judges nevertheless upheld the legal mechanism of the European Commission’s standard contractual clauses. This validation was all the more timely since, in the absence of a Privacy Shield, these clauses became, in a great many cases, the only “appropriate guarantee” for transfers from the EU to the United States.

Thus, for judges, it is the responsibility of the controller located in the EU (i) to verify on a case-by-case basis that the legislation of the third country receiving the data respects the level of protection required by European law and (ii) to put in place “additional measures” if this is not the case.

Verification of the legislation of the third country

The new standard clauses of the European Commission published last June formalize this obligation for the data exporter to check whether the legislation, but also the practices, of the recipient country allow it to fulfill its obligations with regard to the GDPR.

Coming back to our initial hypothesis: when you use an American SaaS solution, it is therefore up to you to verify by your own means (documenting your research) whether United States law allows compliance with the obligations of the GDPR, before entering into standard contractual clauses with your recipient.

However, as seen above, the CJEU found that United States intelligence law did not allow compliance with the regulations on personal data.

Therefore, and in the absence of “additional measures”, companies may legitimately question whether they are violating the GDPR when transferring data to the United States.

Additional measures

The most secure solution would therefore seem to avoid any data transfer to the United States.

However, certain “additional measures” of a technical, contractual or organizational nature that make it possible to preserve the confidentiality and security of the data against access by American public authorities may be put in place. It is up to you, as the exporter of personal data, to do this. In this regard, the European Data Protection Board (EDPB) recommends, for example, the use of particularly robust encryption techniques or even strict pseudonymization. And we cannot recommend enough that you contract for these technical measures, or check that they appear in the contractual documentation, in order to give them the necessary legal and binding force.

Of course, if the third party located in the United States must have access to the data in the clear to accomplish its task, then no encryption or pseudonymization measure seems really effective. In this case, the EDPB even considers that there is, for the time being, no sufficient “additional measure”.
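To make the two preceding paragraphs concrete, here is an added example (not code from the original article or from any provider) of what exporter-side pseudonymization looks like in practice: direct identifiers are replaced with keyed pseudonyms before records are sent to the US provider, while the key and the re-identification table stay with the exporter in the EU. The record layout, the choice of which fields count as direct identifiers, and the sample records are all constructed for this illustration. The `in_clear` parameter models the limit described above: a field the importer genuinely needs in the clear cannot be protected by this measure.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample records; the people and values are invented for this example.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "country": "FR", "plan": "pro"},
    {"name": "Bob Example", "email": "bob@example.org", "country": "DE", "plan": "free"},
    {"name": "Alice Example", "email": "alice@example.org", "country": "FR", "plan": "pro"},
]

# Fields treated as direct identifiers. This set is a hypothetical choice for the
# example; in a real deployment it comes from your own data inventory.
DIRECT_IDENTIFIERS = {"name", "email"}


class ExporterPseudonymiser:
    """Replaces direct identifiers with keyed pseudonyms before records leave the EU.

    The HMAC key and the pseudonym-to-value table never leave this object, i.e.
    they stay with the exporter. The importer receives only the pseudonyms.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, Tuple[str, str]] = {}

    def pseudonym(self, field: str, value: str) -> str:
        # Keyed (HMAC-SHA256) so the importer cannot recompute pseudonyms from
        # guessed inputs; the field name is bound in so equal values in different
        # fields do not collide. Deterministic, so records about one person still join.
        msg = f"{field}\x00{value}".encode("utf-8")
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        self._lookup[tag] = (field, value)
        return tag

    def export(self, record: Dict[str, str], in_clear: Iterable[str] = ()) -> Dict[str, str]:
        """Return the record as it would be sent to the importer.

        `in_clear` lists identifier fields the importer needs in plaintext to do
        its job. Those fields are passed through untouched: the measure does not
        cover them, which is the limit the article points out.
        """
        in_clear = set(in_clear)
        out: Dict[str, str] = {}
        for field, value in record.items():
            if field in DIRECT_IDENTIFIERS and field not in in_clear:
                out[field] = self.pseudonym(field, value)
            else:
                out[field] = value
        return out

    def reidentify(self, exported: Dict[str, str]) -> Dict[str, str]:
        """Reverse the pseudonymisation; only the exporter holds the table."""
        restored: Dict[str, str] = {}
        for field, value in exported.items():
            hit = self._lookup.get(value)
            restored[field] = hit[1] if hit and hit[0] == field else value
        return restored


def leaked_identifiers(exported: Dict[str, str], original: Dict[str, str]) -> set:
    """Direct identifier values from `original` that appear verbatim in the payload."""
    payload = json.dumps(exported)
    return {original[f] for f in DIRECT_IDENTIFIERS if f in original and original[f] in payload}


if __name__ == "__main__":
    exporter = ExporterPseudonymiser()
    for record in SAMPLE_RECORDS:
        sent = exporter.export(record)
        print("sent to importer:", sent)
        print("leaked identifiers:", leaked_identifiers(sent, record))
    # Same record with the e-mail needed in the clear: the measure no longer covers it.
    print("email in clear:", leaked_identifiers(
        exporter.export(SAMPLE_RECORDS[1], in_clear=("email",)), SAMPLE_RECORDS[1]))
```

Two design points matter for the legal analysis above: the pseudonyms are keyed, so holding the exported data alone does not let the importer (or anyone compelling it) recompute or reverse them, and the key plus the lookup table are the artefacts that must remain under the exporter’s control in the EU. Which pseudonym scheme, key length and storage arrangement are “particularly robust” in a given case is an assessment to be documented alongside the transfer, not something this example decides.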

To conclude, if you need to use a SaaS solution that transfers personal data to the United States, then we recommend that you:

  • think twice;
  • check which “appropriate guarantee” is used by your provider; these will most likely be the standard contractual clauses of the European Commission;
  • verify whether American law and practices are still problematic, and document your research;
  • where appropriate, put in place technical, contractual and organizational “additional measures” in order to preserve the security and confidentiality of the data;
  • reassess at regular intervals whether laws and practices in the United States remain the same and whether the “additional measures” taken are still appropriate.

Thomas Livenais, partner lawyer, Inlo Avocats
