The deadline to implement the new SCCs pursuant to the EU Commission’s requirement under the GDPR is just months away. Whether you are knee-deep in Transfer Impact Assessments as a result of the Schrems II ruling or have no idea where to begin, you’re not alone.
With the help of experienced internal practitioners, Factor has launched Code Reg: a podcast dedicated to regulatory remediation programs. This season is all about Schrems II/GDPR-related remediation. After each episode, we’ll post a roundup of key insights.
To kick things off, our hosts tackle a question so formidable it takes two episodes to answer fully: with the deadline to implement the new SCCs looming so near, where is the right place to begin now that it’s already too late?
In this recap of episode one, we:
What Is Schrems II and What Makes It Confusing?
Before explaining Schrems II, it’s important to understand the larger context, which began with the General Data Protection Regulation (GDPR).
The GDPR entered into force in May of 2018 and repealed a long-standing data protection law in the European Union, the 1995 EU Data Protection Directive.
“[The GDPR] has imposed significant additional regulatory responsibilities on companies operating in the EU and in the EEA (the European Economic Area), as well as companies that have, I'll say, touch points in European personal data. And the other notable point is the fact that there are additional penalties that were not in existence under the EU Directive that are pretty significant.”
- David Shaw, Data Privacy Subject Matter Expert at Factor
This brings us to July of 2020, when the Court of Justice of the European Union (CJEU) ruled on the Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (a case known as Schrems II).
The CJEU ruling invalidated the EU-US Privacy Shield, one of the legal mechanisms to transfer data out of the EU.
As a result, organizations must rely upon and put in place new Standard Contractual Clauses (SCCs), which the court essentially validated as a mechanism for transferring data from the EEA to third countries – meaning any country outside the EEA that the European Commission does not deem to provide an adequate level of data protection.
“The other development and kind of wrinkle here is that as a result of the GDPR coming into force in May of 2018, the European Commission had to essentially draft new Standard Contractual Clauses. So, they drafted the clauses, and released those clauses in June of 2021, but also in doing so took account of some of the developments and the requirements that were set forth in the opinion by the European Court of Justice relative to the reliance upon Standard Contractual Clauses.”
So, with the Schrems II ruling coming hot on the heels of the GDPR, why is it so confusing for some organizations despite what (should be) a similar regulatory response?
The answer may have something to do with Transfer Impact Assessments (TIAs).
“The Court said basically Standard Contractual Clauses are good, you can rely upon them; however, controllers (persons, companies that effectively make decisions with respect to how data should be processed) need to assess the implications legally of the importing country where that data is being transferred.”
As a result, controllers need to undertake a legal assessment with respect to the type of data, the risks to that data, and the risks relative to the jurisdiction where the data is being imported.
Beyond any confusion caused by the need for a Transfer Impact Assessment, the proximity of this ruling to the GDPR—rather than simplifying remediation efforts—may be precisely why Schrems II feels so daunting.
“I think many firms invested to come into compliance with the GDPR, and many firms were hopeful that it's kind of like once and done and you don't have to think about it again. But it was the Schrems II decision that really imposed this additional burden and the EU Commission's release of the new standard contractual clauses.”
With a clearer understanding of how the Schrems II ruling came about and what the implications are, let’s dive into deadlines.
Key Dates for Compliance
The deadline set by the EU Commission to implement the new SCCs is December 27, 2022.
The UK Information Commissioner’s Office (UK ICO) has set a March 21, 2024 deadline for use of the updated UK version of the clauses.
Of course, this doesn’t necessarily mean that an organization will face penalties on December 28, but it does mean there’s a very real risk in the event a supervisory authority looks at that organization’s operations as a result of a loss or misuse of data.
And the penalties are no slap on the wrist – under the GDPR, fines can total up to €20 million or 4% of worldwide turnover (whichever is higher).
For organizations that have yet to tackle remediation, that December deadline is already too close for comfort, so where is the right place to begin at this late stage?
Dive into the Data
As the saying goes, you don’t know what you don’t know. Before anything else, there are some important data-related questions to ask.
“What a company that is six months away from the regulatory deadline needs to grapple with pretty quickly is: What is their current data hygiene? What's been their posture to understanding, collecting, collating their contracts, their contract data? How have they been storing that data? How well do they know their vendors? I think [this] is a topic that will also instruct how they can start to think about remediation to get to some form of compliance.”
- Karl Dorwart, Head of Life Sciences, Healthcare and Consumer Staples Practice at Factor
Therein lies a key component of where to start when it’s already too late: looking at infrastructure to understand how complicated it’s going to be to assess the impact of the remediation. That begins with understanding the data within contracts and the hygiene—the storage method, organization and extraction process—that's been built up prior to this regulatory requirement.
By looking first at where your contracts are stored, understanding how quickly the data housed there can be assessed and knowing where counterparties are situated, it’s easier to prioritize relationships and establish an approach.
Getting Tactical: Budget and Bandwidth
Once an organization has looked at its data and can grasp the scope of its remediation effort, there are a host of new considerations to explore, but they first boil down to two larger questions: who is going to do the work and who is going to pay for it?
“If you don't have the people, you're going to have to get the budget. And we have seen companies that struggle with, what is this going to cost them? And have they planned for it? If they haven't planned for it, who's going to own the budget? So, those conversations should start right away. Is this a legal issue? Is this a compliance issue? Is this a company issue? Someone has to pay for it internally, and that can hold up the remediation effort.”
Even when an internal team is willing and able to spearhead the remediation effort, they may find the scope of their project is simply too large and additional help is necessary.
“If you're going to have to cull through thousands or tens of thousands of contracts, you're probably going to need help to do that. And if you need help, you're going to need (or you're going to want) to rely on some other technologies that can cull that data, that can analyze at the clause level, that can start to pull information and get it into a digestible format.”
Because the remediation effort will require resources and alignment from the entire organization, and because the vendors who will be contacted during the process often double as customers, it’s important to engage with the rest of the business early in the process.
With a grasp on data hygiene, internal buy-in and available budget, it’s finally possible to decide on the best outreach approach.
The 3 Outreach Approaches
The outreach options can essentially be broken into three categories: a blanket or shotgun approach, a targeted approach, or a hybrid approach.
“If you're not confident about the data that you have or the engagement that you can receive from your business to help shore up or clean up that data, you may have to do more of a shotgun type approach where you're sending something a bit more generic to all of the counterparties who could be relevant. You do risk some embarrassment or … raising concern with clients and service providers that you don't know exactly what data they have or are handling. At the same time, it is important for folks to remember that this is affecting all businesses, large and small.”
- Coque Dion, Global Delivery, Life Sciences at Factor
While this blanket approach is sometimes the only option, other organizations will be able to explore a targeted strategy.
“A more targeted approach [works] if you have the project management in place and the data that you need, or at least an outline of where the data is and how to get to it (and you have time and budget). An effective project management individual or group of individuals can work with the business to understand those relationships and avoid those situations where you're reaching out saying to a client or counterparty, ‘I don't know what data you have.’ So if you have the appropriate management in place and decent data, a more targeted approach could certainly work.”
Lastly, for organizations that don’t fall squarely within either camp, there’s a hybrid approach option.
“These things can happen in parallel. If you don't have good data hygiene, you can begin to explore the relationships in parallel to a targeted outreach approach.”
Ultimately, the reality is that no approach offers a surefire means of reaching compliance by December 27, but making (and documenting) an effort is still important.
“Having that kind of well-documented, thoughtful approach to a remediation effort—even though you may not be in that full compliance stage by the requisite deadlines—having the ability to explain that you've spent the money, you've undertaken great initiative to comply, while it may not completely mitigate the risk (or the risk of penalties, in particular) it certainly facilitates the discussion and helps companies maintain good relations, if you will, and goodwill with their supervisory regulators.”
For even greater insight, listen to the full conversation wherever you get your podcasts and subscribe for more Schrems II/GDPR-related remediation insights throughout the season.