GDPR Cross-border Transfers: Draft SCCs and Supplementary Measures
Following the drama of the Schrems II decision, the EDPB has issued new draft SCCs and some guidance on supplementary measures for non-EU data transfers. But will they work?
- If you’ve relied on Standard Contractual Clauses (SCCs) to cover transfers of personal data from the EU, they will need to be updated;
- There’s no solution yet for transfers to countries like the US, which might include Australia (whether relying on SCCs, Binding Corporate Rules or other approved transfer mechanisms);
- There’s an expectation that you will be pro-active in assessing jurisdictions where data may be transferred and identifying appropriate supplemental measures if required;
- You will also need to continuously monitor any supplemental measures implemented to ensure they remain adequate;
- You must keep evidence of these efforts as part of your accountability obligations;
- However, it may be that there are no supplementary measures sufficient to provide essential equivalence, in which case data transfers may need to be suspended.
In July 2020, the Court of Justice of the European Union (the “CJEU”) caused a stir when it invalidated the Privacy Shield mechanism for transfer of personal data from the EU to the US. Known as the Schrems II decision, the CJEU’s judgment (conditionally) also upheld the Standard Contractual Clauses (“SCCs”) as a valid mechanism for transfers of personal data to jurisdictions outside the EU.
However, the CJEU also ruled that controllers relying on SCCs for their data transfers outside the EEA are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, whether the law of the third country ensures a level of protection for the personal data transferred that is essentially equivalent to that guaranteed in the EEA.
The CJEU ruling allows data exporters to add measures that are supplementary to the SCCs to ensure effective compliance with that level of protection where the safeguards contained in SCCs are not sufficient.
New draft Standard Contractual Clauses (SCCs)
The current SCCs have been on the table for updating for some time, having been approved before the GDPR was introduced. The draft new SCCs seek to upgrade the previously approved clauses to bring them in line with the GDPR. They will also cover different types of transfers, in order to cater for “the complexity of modern processing chains”. For the first time, the SCCs will be available not just for controller-to-controller or controller-to-processor transfers, but also for the transfer of data from processor to processor (or processor to sub-processor).
The clauses have also been updated post-Schrems II and now contemplate the introduction of specific safeguards in light of that decision.
Once finalised, there will be a new set of SCCs and all organisations relying on SCCs for transfers of personal data will have to update the contractual terms they are relying on.
The final version of the new SCCs can be expected in early 2021, after which there will be a transition period of one year to allow for the roll-out of the new contracts. During this transition period, the old SCCs will remain valid in existing contracts, so long as the parties to the contracts do not change them. However, the new SCCs will have to be used immediately (once approved) for any new data processing agreements and, in most cases, when introducing changes to existing contracts.
The new draft SCCs include some clarifications. Most importantly they confirm that accessing personal data from a third country will be regarded as a transfer. This could cover, for example:
- Outsourced customer service providers in a non-EU country who access data from an EU-located CRM to provide service to customers;
- Accessing data from a cloud storage provider in a non-EU country.
Essentially Equivalent Laws
Whilst the increased flexibility of the new draft SCCs is welcomed, the Schrems II decision made it clear that the SCCs cannot be used without considering the laws of the countries where the data is being transferred. In Schrems II, the CJEU emphasized that before using the SCCs, parties must review the laws of the destination country (and in particular the powers of local security agencies) and consider reinforcing the SCCs with additional safeguards (or supplementary measures).
The biggest issue post-Schrems II is identifying which countries’ laws may be regarded as offering ‘essentially equivalent’ protection to that provided under the GDPR, and what that might mean in practice.
The draft guidance makes it clear that the EDPB expects organisations to assess the laws of the data importer’s country and any impediment to compliance with transfer obligations. In particular, data exporters will have to:
- verify whether data subjects’ rights in the context of international transfers (such as access, correction and deletion requests for transferred data) can be effectively exercised in practice and are not thwarted by law in the third country of destination; and
- verify the presence of any relevant laws which may require disclosure of personal data to public authorities or give public authorities powers of access, and then verify that any such requirements or powers:
  - are limited to what is necessary and proportionate in a democratic society; and
  - do not impinge on the commitments contained in the transfer tool the exporter is relying on.
The Recommendations also state that Section 702 of the U.S. FISA “does not respect the minimum safeguards resulting from the principle of proportionality under EU law and cannot be regarded as limited to what is strictly necessary,” meaning that where data importers or any recipients of onward transfers are subject to Section 702 of FISA, additional supplementary technical measures will be required in addition to SCCs or other recognised transfer mechanisms.
If the laws of the transferee country are not ‘essentially equivalent’, then supplementary measures may need to be implemented (in addition to the contractual protections in the SCCs). The purpose of these supplementary measures is to elevate the protection afforded to data in the local country so that it rises to the appropriate level of protection under the EU standards.
Not only do supplementary measures need to be identified, those measures also need to be properly documented to comply with the GDPR’s accountability principle. The supplementary measures at issue may be contractual, technical or organisational.
The EDPB provides a non-exhaustive list of suggested supplementary measures, including:
- Technical measures: such as forms of encryption; however, the encryption keys must be kept beyond the reach of the relevant public authorities. Another technique may be pseudonymisation, where it does not permit re-identification of the data (i.e. by using key-coding or applying other pseudonymisation techniques where the key is not accessible to the authorities).
- Additional contractual measures: such as obligations to implement the technical measures discussed above, transparency obligations regarding the level of access available to government authorities in the recipient jurisdiction and the measures taken to prevent access to personal data, and reinforced power for the data exporter to conduct audits of the data importer. Non-EU transferees may also be required to review the legality of any access requests received by them and to challenge such requests where appropriate.
- Organisational measures: such as adoption of internal policies with clear allocation of responsibilities for data transfers and operating procedures in the event of an access request, transparency and accountability measures including documentation of access requests, and ensuring data minimisation.
You may need to combine several measures to ensure the appropriate level of protection. One example is encryption as a technical measure, where the recipient in the third country is exposed only to encrypted data.
If you find that no additional measures can ensure an essentially equivalent level of data protection, you may not transfer personal data to that third country.
What do you need to do?
These recent changes have significant repercussions for organisations transferring GDPR-governed data to a third country outside the EU. This includes transfers to the US, Australia and (after 31 December 2020) most likely the UK.
If you have not already done so, now is the time to consider the steps below (taken from the European Data Protection Board (EDPB) draft guidance on supplementary measures to the SCCs) to help ensure your continued GDPR compliance.
Step 1. Map your data and all data transfers. This will include mapping all your data transfers and ensuring that the data you transfer to countries outside the EU (referred to as “third countries”) is relevant and limited to what is necessary, considering the purpose of the transfer. This should also take into account any onward transfers to sub-processors in another third country.
Step 2. Determine which GDPR transfer tool to use.
- Adequacy? If you transfer personal data to a country that has been declared by the EU Commission as providing an adequate level of protection of personal data (through an “Adequacy Decision”), no additional steps need to be taken, other than monitoring the validity of the Adequacy Decision.
- SCCs and other transfer tools? Absent an Adequacy Decision, you will have to rely on one of the other cross-border data transfer tools provided by Article 46 of the GDPR, the most notable being the SCCs; these may also include binding corporate rules, codes of conduct, certification mechanisms and ad-hoc contractual clauses.
- Derogations? Besides Adequacy Decisions and Article 46 GDPR transfer tools, the GDPR contains another avenue allowing transfers of personal data in certain situations. Subject to specific conditions, you may still be able to transfer personal data based on a derogation listed in Article 49 GDPR. However, the derogations contained in Article 49 must be interpreted narrowly. In particular, they mainly relate to processing activities that are occasional and non-repetitive.
Step 3. Assess the laws affecting data protection in the third country. If the transfer cannot be based on an Adequacy Decision, nor on an Article 49 derogation, you must assess the laws in the third country that may affect the level of protection of personal data, to ensure that the personal data transferred benefits from a level of protection “essentially equivalent” to that provided by the GDPR. The assessment should focus on laws that affect the exercise of data subject rights and access to data by public authorities for surveillance purposes.
Step 4. Identify and adopt supplementary measures. If Step 3 reveals that the third country does not provide a level of protection essentially equivalent to that of the EU, you must identify and adopt supplementary measures on a case-by-case basis.
Step 5. Formal procedural steps with EU Data Protection Authorities. In some cases, you will need to have your supplementary measures approved by the relevant EU supervisory authority (e.g. where the additional measures proposed may directly or indirectly conflict with the original provisions of the SCCs).
Step 6. Monitor and re-evaluate the assessment regularly. You must monitor, where appropriate in collaboration with data importers, developments in the third country to which you have transferred personal data that could affect the initial assessment of the level of protection and the decisions you have taken accordingly.
European Essential Guarantees for Surveillance Measures
In addition, the EDPB published draft recommendations on the European Essential Guarantees for surveillance measures (the “EEG Recommendations”), which complement the draft SCCs and the Supplementary Measures Recommendations. These Recommendations aim to provide guidance on the elements to examine when deciding whether surveillance measures allowing access to personal data by national security agencies or law enforcement authorities in a third country can be regarded as a justifiable interference.
We will cover this in more detail in a subsequent post. However, the following may be a useful resource if you are trying to assess the surveillance laws of a third country.
We expect that supervisory authorities will continue to develop guidance around this topic to ensure consistency in the application and enforcement of the GDPR.
But ultimately, organisations transferring data subject to the EU GDPR restrictions are responsible for making the concrete assessment in the context of the transfer, the third country’s law and the transfer tool they are relying on. If you are covered, you must proceed with due diligence and document the process followed thoroughly, as you will be held accountable for the decisions made under the principle of accountability set out in the GDPR.
The EDPB also recognises that it may not be possible to implement sufficient supplementary measures in every case.
Given there are no “one size fits all” solutions for third country transfers, we recommend that you urgently assess your EU to non-EU data transfers on a case-by-case basis and consider whether any further steps should be taken.