Changing EU Data Transfer Requirements Create New Challenges
Businesses in the maritime industry may not think of themselves as engaged in significant processing of personal data. However, global shipping and logistics companies regularly transport personal data around the globe. This may include passenger data, sensitive employee data and customer business contact information used for fulfillment and marketing purposes, all of which are vital to the operations of the business.
As a result, businesses in the maritime industry need to address compliance with a myriad of quickly evolving privacy laws around the globe, including evolving requirements for employees and business contacts in major ports in California and a newly active agency to enforce Brazil’s recently passed omnibus privacy law.
The requirements relating to cross-border transfer of personal data from the European Economic Area (EEA) to other jurisdictions, in particular the United States, is a particularly acute challenge for the maritime industry. Legal requirements for such transfers have undergone substantial changes in the past 15 months that require global businesses to assess and make changes to data transfer compliance strategies.
The European Union’s General Data Protection Regulation (GDPR) empowers regulators to impose fines of as much as four percent of global annual revenue for cross-border data transfer missteps or step in and halt non-compliant transfers, which could result in significant operational disruption. Accordingly, companies in the maritime industry cannot overlook compliance with regulatory requirements relating to cross-border data transfer.
The GDPR and EU member state national implementing legislation require that companies transfer personal data out of the EEA only to countries that have been deemed by the European Commission to provide “adequate” protection for personal data or through the use of a valid legal mechanism. Only 12 countries have been deemed adequate so far and the United States is not among them. Consequently, most transfers of personal data out of the EEA, including those to the United States, need to rely on some alternative legal mechanism for transfer.
Historically, the most common mechanisms for transfers to the United States were participation in the U.S.-EU Privacy Shield program (Privacy Shield) or use of standard contractual clauses (SCCs). Privacy Shield was used by over 5,400 companies, which all changed in July 2020 when the European Court of Justice (CJEU) invalidated the framework in Schrems II, stating that U.S. surveillance laws did not provide limitations and safeguards necessary to guarantee the protection of EU citizen’s fundamental rights of data privacy.
Moreover, the CJEU upheld use of SCCs for personal data transfers, but only when adequate protections can be guaranteed for the transferred personal data, which may require adoption of additional safeguards not provided by the SCCs. However, the CJEU’s decision left significant questions about when additional safeguards would be needed and, if required, what additional safeguards would be adequate.
Following Schrems II, several data protection authorities released guidance, which were often conflicting. Several data protection authorities stepped in to suspend data transfers, often using logic that made it difficult to see how an organization could safeguard data for a valid transfer in a way that ever satisfied the data protection authority.
Finally, in June of 2021, the European Commission released new versions of the SCCs intended to address both the requirements of GDPR and the Schrems II decision to create a transfer mechanism that could provide for adequate protection of personal data. Almost simultaneously, the European Data Protection Board (EDPB) released final guidance on how to ensure appropriate safeguards for transfers of personal data. Companies are now tasked with implementing these new transfer tools consistent with the EDPB guidance to ensure compliance with GDPR requirements.
New Standard Clauses
The new SCCs became effective June 27, 2021 and the old versions of the SCCs were repealed on September 27, 2021. Now, the old SCCs may no longer be used for new data transfers. Contracts that already incorporate the old SCCs will continue to be valid for 18 months following publication of the implementing decision – until December 27, 2022, provided the processing operations described in the contract remain unchanged.
Consistent with the Schrems II decision and subsequent data protection authority guidance, the new SCCs require parties to evaluate each transfer and document through a transfer impact assessment (TIA) that an adequate level of protection is afforded to transferred personal data. The TIA must be provided to the competent supervisory authority upon request. Additionally, data importers must provide notification to the data exporter of legally binding requests from public authorities for the disclosure of transferred personal data and challenge the request if there are reasonable grounds to do so.
With the old SCCs phased out as a viable data transfer mechanism, businesses should inventory cross-border data transfers of European personal data, including the transfer mechanism used and the identity and posture (i.e., processor or controller) of parties involved in the transfer. Companies should also analyze the new SCCs to determine whether the new terms affect operational processes that have been put in place (e.g., notification of sub-processing) or risk posture (e.g., liability clauses) and determine whether process modifications or risk mitigation actions, such as reviewing insurance coverage, should be undertaken.
Companies should further implement and maintain processes for assessing the adequacy of protection afforded to transferred personal data consistent with the Schrems II decision, data protection authority guidance and the new SCCs. Companies will need to create and maintain documentation of such assessments for each data transfer and, as mentioned above, provide the assessments to data protection authorities upon request.
For cross-border data transfers utilizing old SCCs, companies need to begin the process of replacing old SCCs with new SCCs before the December 27, 2022 deadline. To help facilitate this process, companies should determine if there are events within particular contractual relationships, such as renewal periods, that could be leveraged to replace terms with minimal disruption.
Karen Shin is an associate at Blank Rome. She focuses her practice on a diverse range of data privacy and information security matters, including compliance with various privacy laws and regulations, such as the California Consumer Privacy Act, General Data Protection Regulation, HIPAA, and state data protection and breach notification laws. She previously served as a judicial extern for the Honorable Josephine L. Staton, U.S. District Court for the Central District of California. During law school, Karen served as a staff editor for the UC Irvine Law Review and a research fellow for the Korea Law Center and Lawyering Skills.
Alex Nisenbaum is a partner at Blank Rome. He advises clients on data privacy and information security laws and regulations, including compliance with HIPAA/HITECH; Gramm-Leach-Bliley; the California Consumer Privacy Act; cross-border data transfer; and state privacy, data protection, and breach notification requirements. He is certified as an information privacy professional by the International Association of Privacy Professionals.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.