A Europe-based vendor management system provider recently inquired about the risks of enabling a client to track its contingent worker population in all the countries it operates in — from the US to China and many countries north and south of the equator. Aside from cyber security, the main risk is that personal data shared across the world may breach the laws set up to protect workers' personal data when it is transferred from one jurisdiction to another.
Five years have passed since the European Union's General Data Protection Regulation, or GDPR, came into effect, and it set the benchmark for many of the countries that have since passed laws on data protection. For clients and all those involved in the worker supply chain, it is wise to have an understanding of the legal requirements when transferring personal data between countries.
The GDPR provides citizens in Europe with a level of protection for their personal data that is not always matched elsewhere. A case in point is the US, which, until July 2023, was deemed lacking in providing adequate legal protection for its citizens’ data by the European Commission on account of invasive US surveillance programs. President Biden introduced safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security. As a result, the EU Commission has now declared the latest EU-US Data Privacy Framework ensures an adequate level of protection.
Such adequacy decisions are not given out lightly. To date, the EU has only recognized Andorra, Argentina, Canada (commercial organizations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the UK, the US (commercial organizations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
For countries not on that list, other precautions must be taken, and these generally take the form of standard contractual clauses, or SCCs. These are pre-approved model template clauses which should be used in contracts between the controller of the data and any processors who will be handling it on their behalf in a country outside the EU that is not deemed to have adequate protection. Under the GDPR, a controller determines the purposes and means of processing personal data — i.e., they collect the personal data in the first place and direct the processor on how to handle it. If the personal data is to be transferred from the EU to a country that does not have an adequacy decision, these clauses should be used as a risk mitigation strategy.
When receiving worker data from a staffing agency, the client becomes a controller as it determines what to do with that data. When the data is put into a VMS that may be hosted outside the EU, the VMS provider becomes a processor. The contract between the client and the VMS provider should use the model clauses appropriate to a controller-processor relationship.
Incidentally, the staffing agency is also a controller, and if they are in the EU and sending data on workers to an overseas client based, for example, in Singapore, the contract between the staffing agency and client should contain the model clauses appropriate for a controller-controller relationship.
The EU was the first jurisdiction to develop such standard contractual clauses, but other countries have also developed their own model templates to suit their own data protection laws. For example, the Cyberspace Administration of China is developing its own model templates for transferring non-sensitive personal data relating to its citizens outside of China.
The use of SCCs is voluntary, but with a global supply chain, staffing firms and clients using MSP and VMS providers as well as other potential data processors should consider adding such clauses to commercial contracts as standard to provide the level of protection for workers’ data that so many jurisdictions now require.