Changing EU data transfer requirements create new challenges
Companies in the maritime sector may not consider themselves to be engaged in significant processing of personal data. However, global transport and logistics companies routinely move personal data around the world. This may include passenger data, sensitive employee data, and customer business contact details used for fulfillment and marketing purposes, all of which are essential to the operations of the company.
As a result, businesses in the shipping industry must comply with a myriad of rapidly changing privacy laws around the world, including ever-changing requirements covering employee and business-contact data in California (relevant to any company operating at major California ports), and a newly active agency charged with enforcing the omnibus privacy law recently adopted by Brazil.
The requirements for the cross-border transfer of personal data from the European Economic Area (EEA) to other jurisdictions, in particular the United States, pose a particularly acute challenge for the shipping industry. The legal requirements for such transfers have undergone substantial changes over the past 15 months that require global companies to assess and make changes to data transfer compliance strategies.
The European Union’s General Data Protection Regulation (GDPR) empowers regulators to impose fines of up to four percent of global annual revenue for cross-border data transfer missteps or to intervene and stop non-compliant transfers, which could cause significant operational disruption. Thus, companies in the maritime industry cannot ignore compliance with regulatory requirements relating to cross-border data transfer.
The GDPR and the national implementing legislation of EU member states require companies to transfer personal data outside the EEA only to countries that have been considered by the European Commission to provide “adequate” protection for personal data or through the use of a valid legal mechanism. Only 12 countries have been deemed adequate so far and the United States is not one of them. Therefore, most transfers of personal data outside the EEA, including those to the United States, must rely on some other legal transfer mechanism.
Historically, the most common mechanisms for transfers to the United States were participation in the EU-US Privacy Shield (Privacy Shield) or the use of Standard Contractual Clauses (SCCs). Privacy Shield had been relied on by more than 5,400 companies, all of which changed in July 2020 when the Court of Justice of the European Union (CJEU), in its Schrems II decision, struck down the Privacy Shield framework, declaring that US surveillance laws did not provide the limitations and safeguards necessary to ensure the protection of EU citizens' fundamental data privacy rights.
In addition, the CJEU confirmed that SCCs remain a valid mechanism for transfers of personal data, but only where an adequate level of protection can be guaranteed for the personal data transferred, which may require the adoption of supplementary measures not provided for in the SCCs themselves. However, the CJEU ruling left important questions open as to when supplementary measures would be needed and, if so, what measures would be adequate.
Following Schrems II, several data protection authorities issued guidance, which was often contradictory. Several data protection authorities also stepped in to suspend data transfers, often using reasoning that made it difficult to see how an organization could ever protect the data in a way that would satisfy the authority and support a valid transfer.
Finally, in June 2021, the European Commission published new versions of the SCCs intended to meet both the requirements of the GDPR and the Schrems II decision to create a transfer mechanism that could ensure adequate protection of personal data. Almost simultaneously, the European Data Protection Board (EDPB) issued final guidance on how to ensure appropriate safeguards for transfers of personal data. Companies are now responsible for implementing these new transfer tools in accordance with EDPB guidelines to ensure compliance with GDPR requirements.
New standard clauses
The new SCCs came into effect on June 27, 2021 and the old versions of the SCCs were repealed on September 27, 2021. The old SCCs can no longer be used for new data transfers. Contracts that already incorporate the old SCCs remain valid for 18 months after the publication of the implementing decision, that is, until December 27, 2022, provided that the processing operations described in the contract remain unchanged.
In accordance with the Schrems II decision and subsequent guidance from data protection authorities, the new SCCs require the parties to assess each transfer and to document, through a transfer impact assessment (TIA), that an adequate level of protection is afforded to the personal data transferred. The TIA must be provided to the competent supervisory authority upon request. In addition, data importers must notify the data exporter of legally binding requests by public authorities for disclosure of the transferred personal data and must contest the request if there are reasonable grounds to do so.
With the old SCCs being phased out as a viable data transfer mechanism, companies should identify their cross-border transfers of European personal data, including the transfer mechanism used and the identity, role (i.e., processor or controller) and location of the parties involved in each transfer. Companies should also analyze the new SCCs to determine whether the new terms affect business processes already in place (e.g., sub-processor notification) or their risk posture (e.g., liability clauses), and determine whether process changes or risk mitigation actions, such as a review of insurance coverage, should be undertaken.
Companies should furthermore implement and maintain processes for assessing the adequacy of the protection afforded to transferred personal data, in accordance with the Schrems II decision, the guidance of data protection authorities and the new SCCs. Companies will need to create and maintain documentation of these assessments for each data transfer and, as mentioned above, provide the assessments to data protection authorities upon request.
For cross-border data transfers that rely on the old SCCs, companies should begin replacing the old SCCs with the new SCCs well before the December 27, 2022 deadline. To facilitate this process, companies should determine whether there are events within particular contractual relationships, such as renewal periods, that could be used to replace the terms with minimal disruption.
Karen Shin is a partner at Blank Rome. She focuses her practice on a wide range of data privacy and information security matters, including compliance with various privacy laws and regulations, such as the California Consumer Privacy Act, the General Data Protection Regulation, HIPAA and state laws on data protection and breach notification. Previously, she served as a judicial clerk for the Honorable Josephine L. Staton, United States District Court for the Central District of California. While in law school, Karen was Editor-in-Chief of the UC Irvine Law Review and an Associate Researcher at the Korea Law Center and Lawyering Skills.
Alex Nisenbaum is a partner at Blank Rome. He advises clients on data privacy and information security laws and regulations, including compliance with HIPAA/HITECH; Gramm-Leach-Bliley; the California Consumer Privacy Act; cross-border data transfer; and state requirements for confidentiality, data protection and breach notification. He is certified as an information privacy professional by the International Association of Privacy Professionals. While in law school, he was Editor-in-Chief of the UCLA Law Review.
Top image: European Court of Justice (International Transparency / CC BY-NC-ND 2.0)
The opinions expressed here are those of the author and not necessarily those of The Maritime Executive.