
The EU Continues to Weigh In on Cross-Border Data Transfers

In the past month, the European Data Protection Board (EDPB) has provided insight into its interpretation of the Schrems II decision by the EU Court of Justice (ECJ) in July 2020.  In Schrems II, the ECJ invalidated the EU-US Privacy Shield, the mechanism allowing for the lawful transfer of personal data from the EU to the US.  The ECJ did uphold the continued use of Standard Contractual Clauses (SCCs) as a mechanism to continue to transfer personal data outside of the European Union (EU), but with a caveat:

“In so far as those standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law, they may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection.”

Where the ECJ decision failed to provide sufficient supplementary measures to permit companies’ use of the SCCs in international data transfers, the EDPB released Recommendations 01/2020 (“Recommendations”) intended to provide a framework to address, or at least attempt to understand, the vague “supplementary measures” envisioned by the ECJ.  These Recommendations are open for public comment until December 21, 2020.

These Recommendations, the ultimate goal of which is to determine if the protections provided by a non-EU country are “essentially equivalent” to those provided within the EU, include six key factors:

Measures that supplement transfer tools to ensure compliance with the EU level of personal data protection.

1. Know Your Transfers

The first thing a company needs to ask is whether they transfer data internationally.  To answer that question, it is helpful to start with data mapping.  Data mapping helps identify what data companies have, why they have it, and what they are using it for.  In the cross-border data transfer context, it is also important to understand if you are exporting or importing data and what parties you are sending it to and/or receiving it from.  A data map can help you to determine the true risks created by cross-border data transfers.

2. Verify Your Transfer Tool

This factor relies heavily on the valid mechanisms to transfer data under Chapter V of the GDPR.  For example, if the EU Commission has already approved a receiving country under an adequacy decision, then personal data can be transferred lawfully. Alternatively, companies can rely on the SCCs, Binding Corporate Rules, or other mechanisms allowed for under the GDPR.

The SCCs are also subject to revision, with the European Commission releasing revisions on November 10, 2020 for comment.  The SCCs remain valid but are now a user-beware proposition with parties subject to the SCCs clearly required to demonstrate that the protections provided adequately meet the EU data protection requirements.

As such, this step requires companies to delve into the mechanisms currently used to transfer data (after mapping those data transfers in step 1) and then identify the best mechanism to legally conduct the transfer.

3. Assessing the Law of the Receiving Country

When reviewing the intended country receiving the personal data, it is key that a company assess whether the privacy and security measures are adequate to address any concerns.  The Recommendations emphasize that the review “should be primarily focused on third country legislation that is relevant to your transfer.”  This is an important scoping reference; there are many laws that may not align with EU data protection requirements, but the key is whether those laws would impact your transfer.

For example, in response to Schrems II, the Department of Justice, Department of Commerce and the Office of the Director of National Intelligence jointly prepared a white paper entitled, Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (the “White Paper”).  The White Paper made clear that certain legislation in the US that Schrems II took issue with, specifically (1) Executive Order 12333 (“EO 12333”), and (2) Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”), would not apply to most companies transferring data to the US.  As such, under the Recommendations, these laws would not be considered when assessing the receiving country’s laws.

4. Identify and Adopt Supplemental Measures

The Recommendations state that “[t]his step is only necessary if your assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool you are relying on or you intend to rely on in the context of your transfer.”  Annex 2 of the Recommendations lays out scenarios with corresponding supplemental measures that may be used to alleviate the privacy and legal risks associated with the continued transfer of the personal data.

Ultimately, each data transfer is analyzed, and the appropriate supplementary measures are assessed on a case-by-case basis.  This ties into the first factor, data mapping. Without a deeper understanding of where the data is going, and what is happening to the data once transferred, it is challenging to even start to identify the appropriate supplemental measures.  It is the combination of the appropriate legal transfer tool plus the supplemental measures that allow the transfer to move forward.

5. Formal Procedural Steps

Once a path forward is determined, the companies transferring the personal data must execute formal documentation of such transfer and comply with the requirements of the chosen transfer tool.

6. Accountability

A key component of all data protection requirements under the GDPR is documentation and accountability.  The Recommendations make clear that accountability requires active participation by all parties involved in the transfer:

“The right to data protection has an active nature.  It requires exporters and importers (whether they are controllers and/or processors) to go beyond an acknowledgement or passive compliance with this right.”

A “set it and forget it” approach is not permissible: the company must continue to monitor legal and regulatory developments in the recipient country to continue to confirm that the legal tool used to transfer the personal data and the supplementary measures remain valid.

Recommended Next Steps

While the Recommendations are still under consideration, they do point to a need for deeper analysis of both your data flows and the reason for those data transfers.  For many companies, the inclusion of SCCs to all agreements has become routine.  But, those agreements, and the legal tool to transfer data under those agreements, need to be addressed on a case-by-case basis, with an understanding of the legal requirements and the corresponding risks.

Octillo’s Global Data Privacy Team works with clients to assess their current infrastructure to further evaluate bases for international data transfers, including the use of DPAs, SCCs and on the development of Binding Corporate Rules.  Team Octillo includes Certified Information Privacy Professionals (CIPP/US) and (CIPP/E) and Certified Information Privacy Managers (CIPM) as certified by the International Association of Privacy Professionals as well as attorneys with substantial experience navigating the ever-changing international privacy landscape.  


*Attorney advertising.  Prior results do not guarantee future outcomes.


FTC Privacy Principles Offer Guidance to Companies In Light of Schrems Decision

The invalidation of the Privacy Shield by the recent Schrems decision has left businesses scrambling as to their data transfers abroad.  The FTC can be looked at as a source of guidance for businesses grappling with data transfers in this uncertain landscape.   

In July, the European Union Court of Justice (CJEU) issued the Schrems II (C-3111/18) decision, invalidating the EU-US Privacy Shield Framework.  The EU-US Privacy Shield was a mechanism used to allow United States businesses to transfer and store European Union personal data in the United States.  The ruling in this case renders the United States an inadequate country without special access to Europe’s personal data streams.  However, while the Privacy Shield has been declared invalid, the CJEU ruled international data flows under the General Data Protection Regulation (GDPR) can continue under EU Standard Contractual Clauses.  The continuation under the Standard Contractual Clauses calls into question the future of international data flows between the United States and the European Union.  

Despite the Schrems II decision invalidating the Privacy Shield Framework, here in the United States, the Federal Trade Commission (FTC) will continue to hold companies to its principles.  With broad civil enforcement authority to promote consumer protection and competition in the commercial sphere, the FTC will hold companies accountable for violating international data commitments to protect data transfers across the Atlantic Ocean, despite the framework being rejected, including adherence to the following principles:  

  1. Notice of participation, types of data collected, and purposes for the data collected.
  2. Choice of individuals to opt out or consent to types of data being collected.
  3. Companies taking accountability for onward transfers of personal data collected by third parties while complying with Notice and Choice Principles.
  4. Companies taking reasonable and appropriate security measures to mitigate risks associated with maintaining personal data collection.
  5. Ensuring data integrity and purpose legitimation to confirm data is reliable and compatible for collected purposes.
  6. Ensuring individuals have access to the personal data organizations hold.
  7. Incorporating robust mechanisms to ensure company compliance and recourse for individuals who fall victim to noncompliance procedures.

FTC commissioners agree that there should be a national data privacy law regarding online privacy.  There is increased attention on the need for a broader data privacy policy that would allow the FTC to impose civil penalties, adapt to changing technology, and hold accountable the non-profits and carriers that were previously beyond the FTC’s enforcement powers under the Privacy Shield Framework.

Data security and privacy continue to be a major part of ongoing antitrust investigations on technology platforms.  Europe is determined to provide strong privacy protections, hinting that data security is one of its key priorities relating to the exponential growth in data collections. Although the Privacy Shield is no longer a viable mechanism to comply with EU data protection requirements, the US is not relieved of its prior obligations.  

We encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework, and to review their privacy policies to ensure they accurately describe their privacy practices, including with regard to international data transfers.  

At Octillo, we have a team of highly skilled attorneys certified in comprehensive GDPR knowledge that can help your company work towards compliance and data protection in both Europe and the United States.  Octillo works with clients to review current policies and assess data security practices.  Our team can help implement a plan to address any related data privacy legislation and be the appropriate legal counsel to help your company better understand the legal implications surrounding transatlantic data information transfers.  

*Attorney Advertising. Prior results do not guarantee similar outcomes. 


Does the GDPR Apply to Your US-Based Business?

Does the European Union’s General Data Protection Regulation (GDPR) apply to your non-EU company? State-side, this is the million-dollar question that many US based companies are still grappling with today – some 8 months after the GDPR’s enactment.  

Long-promised and much-awaited Guidance from the European Data Protection Board (“Board”) on the territorial scope of the GDPR is here and attempts to provide clarification to that question.  

As adopted by the Board, the Guidance explains that the GDPR applies in situations where the “Establishment Test” or the “Targeting Test” is met – explained below.

The Establishment Test

The Board confirmed that the processing of certain personal data does not have to occur within the EU for the GDPR to apply.  Indeed, the “geographical location [of processing] is not important for the purposes of Article 3(1) with regard to the place in which processing is carried out, or with regard to the location of the data subjects in question.”

What is required, as per the Guidance, is that the entity be a processor or controller that is established in the EU and that the processing occur within the context of the activities of that establishment.

Establishment is a threshold of GDPR applicability.  So, what is establishment?  GDPR Article 3 defines establishment as “any effective and real exercise of activities” through “stable arrangements” in the EU.  Art. 3.  The Guidance further interprets the concept of establishment by citation to pre-GDPR case law from the Court of Justice of the European Union (CJEU) which found “establishment” where a company:

      – Had (a) a website in the Hungarian language for the purpose of advertising in Hungary; (b) a representative in Hungary serving as a point of contact between that company and the data subjects; (c) a Hungarian postal address and a letter box; and (d) a bank account intended for the recovery of debts. See Weltimmo v. NAIH;

      – Processed personal data where such processing was “inextricably linked to” and carried out “in the context of … activities” of the company’s subsidiary which was located in an EU member state. See Google v Costeja (Google Spain).

Got it?  Not quite.  The Guidelines also provide a handful of helpful case studies, including the following hypothetical:

A China-based e-commerce website conducts data processing activities exclusively in China. The same company has established an office in Berlin to implement commercial prospection and marketing campaigns towards EU markets.

Does the GDPR apply?  Yes, according to the Guidance, the activities of the Berlin office are inextricably linked to the processing of personal data carried out by the Chinese company, insofar as the commercial prospection and marketing campaign towards the European Union markets notably serve to make the service offered by the e-commerce service profitable.

Lest application of the GDPR feel like a law school exam, there is a second test for applicability – the Targeting Test, which the Guidance also helps to clarify.

The Targeting Test

The GDPR also applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union where the processing activities are related to: (a) the offering of goods or services to data subjects in the European Union (regardless of whether or not payment is required); or (b) the monitoring of the data subjects’ behavior as far as their behavior takes place within the European Union.

Let’s break that down.    

In the European Union

The Guidance confirms that the “in the EU” portion of the test does not require citizenship or residence in the EU.  Any data subject located in the European Union is entitled to the rights and privileges afforded by the GDPR, regardless of whether that subject is an EU citizen or resident of a member state.  

Offering Goods and Services

To determine whether your non-EU company is offering goods and services to data subjects located in the EU, the Guidance provides a series of factors for consideration:

      – paying a search engine operator to facilitate access to consumers in the EU;

      – mentioning contact details to be reached from a Member State;

      – using a top-level domain name other than that of the third country where the processor or controller is established;

      – offering the delivery of goods to Member States;

      – using a language or currency other than that generally used in the trader’s country;

      – offering a description of travel instructions from one Member State to the place where the service is provided;

      – identifying international clientele in various Member States.

This Guidance, plus an earlier Recital of the GDPR, make clear the goods and services part of the Targeting Test remains highly fact-sensitive and subjective.

Monitoring Behavior

The Guidance provides the most clarity when it comes to the monitoring-behavior grounds of the Targeting Test.  There are numerous methods to monitor online activities including, most notably, the use of first-party cookies.  The use of cookies, or the “online collection or analysis of personal data of individuals in the EU,” does not automatically constitute “monitoring” under this test. Rather, the collection must be for purposes of profiling or analyzing the behavior of that person. Specifically, and citing back to an earlier Recital, the Board states that to constitute monitoring, the purpose of the collection should be to “profil[e] a natural person, particularly in order to make decisions concerning her or him or for analy[z]ing or predicting her or his personal preferences, behaviors and attitudes.”  Indeed, the use of the word monitoring “implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behavior within the EU.”  Thus, it could be argued that the GDPR would not apply to a non-EU based company that “inadvertently” tracks EU-based persons through website cookies, provided that information is not used for profiling and behavior monitoring.

The Board clarified that other types of technology involving personal data processing, such as wearable and smart devices, may also be a method by which monitoring behavior subject to the GDPR can occur.  In sum, there are no hard and fast rules here.  A case-by-case assessment needs to be performed in order to establish whether “monitoring” is performed.

While some unanswered questions remain, the Guidelines set out to clarify the criteria for determining the applicability of the GDPR to your US-based company.  The attorneys at Octillo Law PLLC are fully equipped to help companies big and small navigate the territorial scope issues surrounding GDPR applicability and help reduce your risk and exposure under the new law.

DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.  If you have any questions, please contact an attorney at Octillo.

The Importance of an Incident Response Plan

As recent news headlines confirm, data breaches continue to be a threat to companies regardless of size. From reputational harm and disruption to your daily business, to significant monetary penalties and litigation, the potential consequences of a data breach are significant. It is more important than ever that companies evaluate their cybersecurity readiness plan, from policies and procedures to privacy concerns under the GDPR, to ensure they are ready if a breach occurs. While there is no one-size-fits-all approach to preventing data breaches, there are many best practices companies can employ to help minimize the risk of being breached. From regularly conducting risk assessments and inventorying the data that you collect to developing and testing your incident response plan, preparation is the name of the game. One component of your data security program, an Incident Response Plan, is an important step you should have in place to help mitigate and contain an incident if one occurs.

What is an Incident Response Plan?

An Incident Response Plan sets forth the company’s procedure for identifying, reporting and responding to an incident should one occur. It ensures that everyone is on the same page if a data breach happens. At a minimum, here are some key elements that an Incident Response Plan should include:  

   1) Policy scope and definitions.

   2) Identification of Incident Response Team members and an outline of the role of each.

   3) Procedures for identifying, reporting and responding to an incident.

   4) The legal obligations for reporting and notice to potentially impacted persons.

   5) How often the Incident Response Plan will be reviewed and updated.

   6) Post-incident analysis procedures.

Developing an Incident Response Plan is not the end of the road, however. Your Incident Response Plan is a living and breathing document, and the best way to know if it actually works is to test it consistently. The plan must be tested through simulated cyber incidents that force your company to work through its procedures, with gaps fixed and improvements made. Simulated incidents with counsel are ideal to help identify legal risks along the way and help put the company in a legally defensible position.

It is very important to have your Incident Response Plan reviewed by Legal Counsel to ensure it satisfies your legal obligations under various state, federal and international laws. Octillo attorneys are fully equipped to help you navigate this process and help reduce your risk and exposure should a data breach occur.

DISCLAIMER: This client advisory is for general information purposes only. It does not constitute legal advice, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.