The European Data Protection Board (“EDPB”) recently published new guidance on how companies can validly transfer EU personal data to the many countries that have not been deemed by the EU Commission to generally provide an adequate level of data protection – most notably the U.S. (so called “third countries”). The guidance has particularly important implications for companies that transfer data using the EU Commission-approved Standard Contractual Clauses (“SCCs”), given the recent doubts cast by the Schrems II judgment over whether third countries’ laws might in some cases (including for the U.S.) mean that SCCs cannot serve as the legal basis for the transfer. At the same time, the European Commission has published long-awaited draft updated SCCs which, once finalized, may address the CJEU’s concerns and a number of the existing SCCs’ practical limitations.
The SCCs Post-Schrems II
The SCCs are one of the most common ways that entities in the European Economic Area and the UK post-Brexit (data exporters) validly transfer EU personal data to entities in third countries (data importers). The SCCs are European Commission pre-approved contractual terms that companies use whereby the parties commit to follow GDPR-like standards in the handling of personal data.
In July, the Court of Justice of the European Union (“CJEU”) cast significant doubt over whether entities can continue to use SCCs to transfer their data to the U.S. or other third countries with similarly broad government surveillance regimes.
In Schrems II, the CJEU held that while SCCs are a valid transfer mechanism, whether they can constitute a lawful basis for the transfer of personal data to any given jurisdiction without an adequacy decision depends on whether the recipient is in a jurisdiction the laws of which would prevent the use of SCCs from guaranteeing “a level of protection essentially equivalent to that guaranteed within the EU.” If there is anything in the law or practice of the third country that may impinge on the effectiveness of the contractual protection provided by SCCs, then entities will need to supplement the SCCs with additional measures, on a case-by-case basis, to ensure that the data importer can still provide the level of protection required under EU law. If this is not possible, then the transfer of data will be unlawful. You can read our blog posts on the Schrems II decision and its aftermath here and here.
Improving personal data transfer mechanisms – the new guidance & SCCs
On 10 and 12 November respectively, the EDPB, an independent European body consisting of representatives of EU national data protection authorities (“DPAs”) whose purpose is to ensure consistent application of the GDPR, and the EU Commission released new guidance on data transfer mechanisms as well as draft updated SCCs.
- The “Transfer Recommendations” provide guidance on supplementary measures that entities can incorporate into their data transfer mechanisms to further safeguard personal data. While the Transfer Recommendations are not binding, they are persuasive and represent the consensus view of representatives of the DPAs.
- The “Essential Guarantees” contain recommendations on how companies can assess whether the laws in the jurisdiction where the data is being sent permit protections of EU fundamental and data protection rights essentially equivalent to those under EU law. Like the Transfer Recommendations, it is a nonbinding document.
- The EU Commission’s “Draft Updated SCCs” are the long-awaited revisions to the current SCCs, last updated in 2001 and 2010. The Draft Updated SCCs reflect various developments, including the introduction of the GDPR and Schrems II, and address a number of practical issues companies frequently encountered when trying to implement the SCCs in the past – most notably, the absence of processor-processor SCCs. The final SCCs are expected to be adopted in early 2021, and are likely to largely mirror the recent draft.
Taken together, these three documents set the landscape for how data transfer mechanisms, including SCCs, might be able to be supplemented to ensure that the data importer can provide essentially equivalent data protection to that contained in the GDPR, notwithstanding provisions of local law which might undermine those rights. While the EDPB guidance is effective now, the Draft Updated SCCs still need to be finalised and, even then, there will be a one-year transition period to replace the old SCCs. Nonetheless, these three developments are extremely significant for companies that transfer data outside the EEA.
10 key takeaways for companies
1. The Transfer Recommendations contain an overarching framework for analyzing third country cross-border data transfers. The EDPB gives a six-step plan for companies to follow to identify and implement supplementary measures to help safeguard personal data transfers:
- Map out all transfers of personal data to third countries;
- Identify the mechanism used to transfer the data (e.g. SCCs). If you are transferring data on the basis of an adequacy decision, the EDPB says that you can skip to stage six;
- Assess the laws of the third country to identify any provisions that may impact the effectiveness of the safeguards in the transfer mechanism, in particular any surveillance laws. The EDPB’s Essential Guarantees should help with this assessment (see takeaway two);
- Identify supplementary measures – if any – that can overcome the effects of the third country laws identified in step three;
- Implement the supplementary measures and document your approach; and
- Revaluate your assessment on a regular basis.
2. The Essential Guarantees provide a structure for assessing whether the laws of third countries provide essentially equivalent protection to personal data to those in the EU. The document lists four “essential guarantees” that third country laws and, in particular, the surveillance laws will need to provide to be essentially equivalent:
- The processing of personal data should be based on clear, precise and accessible rules;
- The processing must be necessary and proportionate with regard to the legitimate objectives pursued;
- An independent oversight mechanism should exist; and
- Effective remedies need to be available to affected individuals.
The EDPB notes that the four requirements are non-exhaustive and do not define all the legal elements that must be considered, but nonetheless represent the “core elements” that should be addressed. It is important that companies document this assessment to meet the GDPR’s accountability principle.
While the Essential Guarantees provide welcome guidance on how to assess the equivalency of third countries, the standard to which this assessment should be conducted is currently unclear. The EDPB states that the assessment should be performed on the basis of “relevant and objective factors and not […] on subjective factors such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards.”
In contrast, the EU Commission appears to envisage a more subjective assessment which “take[s] into account the specific circumstances of the transfer”, including whether the data importer expects the local authorities to be interested in accessing the personal data based on past experience. Hopefully this tension will be clarified in further guidance.
3. The EDPB highlights technical measures that companies can implement to bolster their third country data transfers … According to the EDPB, these measures are especially required where the laws of the third country impose obligations on the data importer to allow its public authorities to access the data in excess of what is required in a democratic society. These include:
- Encrypting the data using a state-of-the-art algorithm that is robust against cryptanalysis and “flawlessly implemented”. The EDPB further recommends that the encryption keys are stored within the EEA or a country with an adequacy decision, with the exception of data importers who are specifically protected by the law of their jurisdiction, for example as a result of the application of legal privilege, and that data should be encrypted both during transmission and at rest.
- Pseudonymising the data so that it cannot be attributed to a specific data subject, or be used to single out the data subject within a larger group, without additional information. The additional information should be exclusively stored by the data exporter within the EEA, or a country with an adequacy decision, and should be protected with appropriate technical and organisational safeguards.
The EDPB gives specific examples of situations where it cannot envisage sufficient technical measures. Importantly, for many companies, these examples include transfers of personal data to cloud service providers who need access to unencrypted data to provide their services.
4. … as well as various contractual measures … Annex 2 of the Transfer Recommendations lists a range of contractual measures that companies can incorporate into their transfer agreements to bolster the protection. Examples include clauses requiring:
- The parties to implement certain technical measures before the transfer takes place;
- The data importer to provide the data exporter with certain information on the ability of public authorities to access the data provided to assist the data exporter with its assessment of those laws (see takeaway two above);
- The data importer to certify that it has not purposefully created, and is not legally required to create, a back door that the authorities can use to access the data;
- The parties to review all surveillance requests from U.S. authorities to ensure that they are valid, and use best endeavors to challenge any invalid requests including via the courts;
- The parties to notify affected individuals of any surveillance requests, where legally permitted, to give them the opportunity to challenge the legality of the surveillance request; and
- The data importer to regularly publish a cryptographically signed message informing the exporter that, as of a certain date and time, it has received no orders to disclose personal data (the so-called “Warrant Canary”).
A number of the EDPB’s suggested contractual measures are also contained in the Draft Updated SCCs.
5. … and a number of organizational measures. Examples include:
- Adopting “strict and granular” data access and confidentiality policies and best practices that ensure that personal data is only accessed on a strict need-to-know basis;
- Segregating any personal data that is not strictly necessary to be transferred to a third country; and
- Appointing a specific team, based in the EEA, that is responsible for dealing with requests that involve personal data transferred from the EU. The team should involve experts on IT, data protection and privacy laws and should report to senior legal and corporate management.
6. However, these supplementary measures won’t always suffice. While the contractual and organizational measures may complement and reinforce the safeguards that the SCCs provide, the EDPB suggests that these measures by themselves “do not meet all the conditions required to ensure a level of protection essentially equivalent to that guaranteed within the EU.” Companies may, therefore, need to implement multiple measures and may frequently need to combine them with technical measures too.
For example, the EDPB suggests that where data is transferred to certain U.S. entities, the transfer will only be lawful if additional supplementary technical measures are implemented.
If the companies cannot ensure essentially equivalent data protection, even when multiple supplementary measures are implemented, then the transfer of personal data should immediately cease, and new transfers should not commence.
7. The EU Commission’s Draft Updated SCCs provide for greater flexibility in the data transfer arrangement … The Draft Updated SCCs contain two key amendments to reflect the fact that data is being transferred in increasingly complex, nonlinear ways.
- First, whereas the previous SCCs could only be executed by two parties, the Draft Updated SCCs contain a “Docking clause” which allows additional parties to “tag onto” the transfer agreement and become bound by it. This reflects the fact that data transfers usually involve multiple entities. Many groups of companies had already implemented master data transfer agreements using the SCCs, executed by multiple legal entities, and the Draft Updated SCCs provide certainty over the approach and make it easier to do this in the future.
- Second, there will now be four permutations of the SCCs which can be adopted depending on the role and the function of the entities involved in the data transfer. In particular, the SCCs now contain clauses that can be added to tailor the agreement to a processor-(sub)processor transfer, and a processor-controller transfer. Previously, the SCCs only covered situations where the data exporter was also a controller. This is an important development for GDPR-covered processors acting on behalf of non-GDPR covered controllers
8. … and have been drafted to become a one-stop-shop data processing agreement. Subject to incorporating any supplementary measures, the Draft Updated SCCs are a one-stop-shop data processing agreement which includes the GDPR-mandated provisions for controller-processor data processing agreements. This will be a welcome development for many companies as it ends the previous situation where the controller-processor SCCs did not fully meet the requirements of Article 28 of the GDPR and, therefore, had to be supplemented by a further data processing addendum.
9. Despite the new guidance, the risk of enforcement remains unclear. To date, regulatory action since the Schrems II judgment has been extremely limited. This is perhaps unsurprising given that historically there has been very limited cross-border transfer-related enforcement or litigation, with any penalties usually being “added on” to enforcement action for other breaches (see, for example, the UK ICO’s penalty against Equifax Ltd.). Indeed, the ICO has recently stated that it “continue[s] to apply a risk-based and proportionate approach to [its] oversight of international transfers” despite the Schrems II judgment.
That said, data privacy not-for-profits have lodged complaints against entities which they allege continue to illegally transfer personal data to third countries. In September, None of Your Business lodged complaints against 101 entities which it claims illegally transfer personal data to the U.S. (read a summary in our European Data Protection Roundup – although three of the complaints have since been dropped). This, coupled with increasing levels of data protection-related litigation in certain key European jurisdictions, suggests that private legal action may present the bigger risk for companies transferring data to third countries.
10. The new guidance is also helpful for companies that wish to continue transferring data from the EU to the UK post-Brexit. The UK left the EU on 31 January 2020, with a transitional deal in place until the end of this year. This means that from 1 January 2021 the UK will be considered a third country, and entities subject to the GDPR will only be able to transfer personal data to the UK if a valid data transfer mechanism has been implemented.
It is hoped that the European Commission will grant the UK an “adequacy decision”, meaning that data can continue to flow freely into the country. To do so, the Commission will need to be satisfied that the UK provides an “essentially equivalent” level of data protection as under EU law. There are several uncertainties over the UK’s adequacy prospects, the most problematic being that in October, the CJEU declared UK surveillance laws to be incompatible with EU law. While the judgment specifically relates to certain UK surveillance laws that have since been repealed, the current laws contain effectively the same problematic provisions.
Consequently, companies wishing to transfer personal data from the EU to the UK once the transition period expires might want to prepare a set of SCCs, which comply with the requirements in the Transfer Recommendations, that can be implemented on 1 January 2021 if an adequacy decision has not been reached by then. Companies may also want to incorporate any additional terms from the Draft Updated SCCs as they see fit to bolster the protection the current SCCs provide, though we note that the Draft Updated SCCs may not be finalized by 1 January 2021 and are, therefore, subject to change.
To subscribe to the Data Blog, please click here.