Privacy, Surveillance, and Data Transfers to the United States are hitting the headlines in privacy and security circles. The C-Suite may be hearing about “Schrems II” and wonder what the hoopla is all about. Let’s start at the beginning, with a quick timeline recap and then highlight the fast moving developments in 2020 with a focus on the implications to Third Party Risk Management (TPRM) programs.
The Back Story
In 2013, Edward Snowden revealed the National Security Association’s PRISM program for mass surveillance. This sparked an outcry on the collection and sharing of data with government authorities by the United States. The same year, an Austrian activist named Max Schrems filed complaints to the Irish Data Protection Authority for EU privacy law violations by Facebook USA and alleged transfer of personal information to the NSA. Meanwhile:
- The E.U. Court had already declared the EU-Safe Harbor Framework as not adequate for data transfers under the EU Data Protection Directive.
- The Directive was replaced by the General Data Protection Regulation (GDPR) in May 2018.
- Safe-Harbor was replaced by a framework called Privacy Shield.
- GDPR outlined primary mechanisms for data transfers: Privacy Shield, Binding Corporate Rules (BCRs); and Standard Contractual Clauses (SCCs).
- Facebook shifted to using Standard Contractual Clauses (SCCs) to address data transfers.
Since then, Schrems and his organization have continued advocacy through debate as interpretation decisions have been moving upwards through EU courts. Then, a court decision invalidated Privacy Shield with no grace period.
Got all that? So, What’s Changing?
Below, a timeline outlines the rapid developments that invalidated Privacy Shield.
Now, Let’s talk about Transfers of Data
In order to understand the impacts of this decision for outsourcers and service providers, let’s review a few privacy concepts that are important for understanding GDPR compliance in third party relationships. Within GDPR the Outsourcer is described as the “Data Controller” and the Service Provider is the “Data Processor.” In the United States, especially with regulations like CCPA, we use terminology about the disclosure of personal data. In GDPR the terminology focuses on the approved legal basis for data processing; the transfer of personal data; and the mechanisms to authorize that transfer.
A common misperception of the concept of “data transfers” is that the transfer requires the physical relocation of the data. With today’s virtual servers, cloud computing and digital web, these concepts have evolved quickly beyond this limited concept. In the context of conforming with GDPR, “access” to the personal data that occurs across geographic borders is considered a type of “transfer.” If data transfers are required for operations, then an approved mechanism for the transfer needs to be implemented.
Over 5,000 U.S companies have filed self-certification to the EU-US Privacy Shield Framework, while the number of global companies that applied for approval to EU Data Protection Authorities for BCRs is in the hundreds. Binding Corporate Rules require extensive legal agreements and must be submitted for approval to a DPA, so tend to be used only for larger global companies, or those with significant employee footprints across the EU. It is important to note that the Commerce Department will continue to administer the Privacy Shield program, and that organizations that have already self-certified are still bound to the requirements for data protection. The decision does not relieve participants of their obligations, it simply negates Privacy Shield as an allowable transfer requirement under EU law.
It’s all about Contracts, Due Diligence, & Assurance
Bottom line, the resulting implications of this decision will trigger the immediate need for a focused GDPR Compliance Assessment to address short term actions, while identifying longer term changes to Due Diligence and TPRM Program requirements. Shifting to a contractual approach triggers not only a change in contract terms but should require a third party risk assessment to validate the obligations. Many outsourcing organizations may be onboarding a new vendor and may need to change course on the data transfer solution. For existing relationships, the decision requires a review of your current third party risk register and vendor inventory to identify and quantify impacts.
In a third party risk assessment you are inspecting what you expect. Your goal is to gain assurance that the data processor or service provider is providing adequate protection. In US terminology “adequate protection” sounds an awful like “reasonable security.” However, the US and EU are providing more specific guidance as to what controls are the new table stakes for data protection. Due to the rationale of the invalidation of Privacy Shield, there are specific topics in due diligence that should be addressed. Data Controllers should conduct due diligence of the legal system applicable to the Data Processor to confirm, based on the services provided, the rules for disclosure to or access by government agencies to personal data. Further, the due diligence should identify notification procedures by the processor to the controller for requests for investigative demands of personal data by governmental authorities.
Short term it is all about “Trust, but Verify” to gain assurance on the level of data protection program at your vendor. Here are the top actions to take today to assess the implications of “Schrems II” to your TPRM Program:
Standard Contractual Clauses are more than a piece of paper, or written contract between parties. Using Standard Contractual Clauses is not simply a “contract update” exercise. While SCCs provide specific obligations or expectations between parties, the implementation of execution of what has been agreed upon is assessed when conducting third party due diligence.
In fact, EU member state Data Protection Authorities are allowed to evaluate the adequacy of an outsourcers SCCs. They also have the authority to suspend or ban the transfer of data if factual conditions are not met, or what is considered a material breach of the contract. Outsourcers will not only need to conduct third party assessments but ensure that their process produces sufficient evidence documenting the scope and results of the assessment. Due Diligence documentation and artifacts should reflect the identification and classification of personal data; the nature and purpose of the processing; data governance and compliance measures.
Given the uncertainty and timeline for an agreed upon framework, or ability to achieve accredited external certification to GDPR, it would be prudent for both outsourcers and service providers to document their due diligence, rationales for determining adequacy of controls. This is comparable to maintaining documentation similar to a Data Protection Impact Assessment (DPIA) that can be provided upon request to DPAs.
In the end, it will drive the need for enhanced maturity in TPRM programs with an emphasis on:
• Stronger Data Governance
• Increased Third Party Due Diligence
• External Assurance or Certification Frameworks
• Fourth Party Management compliance
Earlier this year, the Shared Assessments Program released an updated GDPR Guidelines and Checklists paper. This set of General Data Protection Regulation (GDPR) resources provide insights to the Third Party risk community and include background on the regulation and guidance on how to integrate GDPR requirements into TPRM programs. These resources work in conjunction with the Shared Assessments Third Party Privacy Tools, a component in the Third Party Risk Management Toolkit.
In October, Shared Assessments will delve deeply into privacy regulatory changes (including NIST/ISO) in the Navigating Data Governance for Privacy and Third Party Risk Workshop. The workshop will cover evolving third-party risk management obligations, privacy trends, including compliance elements for CCPA that impact vendor management.
These project management resources are now even more helpful to your TPRM project teams as you review the implications of the invalidation of Privacy Shield to your TPRM Program.