
Following the drama of the Schrems II decision, the EDPB has issued new draft SCCs and some guidance on supplementary measures for non-EU data transfers. But will they work?
Key take-aways
In July 2020, the Court of Justice of the European Union (the “CJEU”) caused a stir when it invalidated the Privacy Shield mechanism for transfer of personal data from the EU to the US. Known as the Schrems II decision, the CJEU’s judgment (conditionally) also upheld the Standard Contractual Clauses (“SCCs”) as a valid mechanism for transfers of personal data to jurisdictions outside the EU.
However, the CJEU also ruled that controllers relying on SCCs for their data transfers outside the EEA are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, whether the law of the third country ensures a level of protection for the personal data transferred that is essentially equivalent to that guaranteed in the EEA.
The CJEU ruling allows data exporters to add measures that are supplementary to the SCCs to ensure effective compliance with that level of protection where the safeguards contained in SCCs are not sufficient.
The current SCCs have been on the table for updating for some time, having been approved before the introduction of the GDPR. The draft new SCCs seek to upgrade the previously approved clauses to bring them in line with the GDPR. They will also cover different types of transfers, in order to cater for “the complexity of modern processing chains”. For the first time, the SCCs will be available not just for controller-to-controller or controller-to-processor transfers, but also for the transfer of data from processor to processor (or processor to sub-processor).
The clauses have also been updated post-Schrems II and now contemplate the introduction of specific safeguards in light of that judgment.
Once finalised, there will be a new set of SCCs and all organisations relying on SCCs for transfers of personal data will have to update the contractual terms they are relying on.
The final version of the new SCCs can be expected in early 2021, after which there will be a transition period of one year to allow for the roll-out of the new contracts. During this transition period, the old SCCs will remain valid in existing contracts, so long as the parties to the contracts do not change them. However, the new SCCs will have to be used immediately (once approved) for any new data processing agreements and in most cases where changes are introduced to existing contracts.
The new draft SCCs include some clarifications. Most importantly they confirm that accessing personal data from a third country will be regarded as a transfer. This could cover, for example:
Whilst the increased flexibility of the new draft SCCs is welcomed, the Schrems II decision made it clear that the SCCs cannot be used without considering the laws of the countries where the data is being transferred. In Schrems II, the CJEU emphasized that before using the SCCs, parties must review the laws of the destination country (and in particular the powers of local security agencies) and consider reinforcing the SCCs with additional safeguards (or supplementary measures).
The biggest issue post Schrems II is trying to identify which country’s laws may be regarded as offering ‘essentially equivalent’ protection to that provided under the GDPR, and what that might mean.
The draft guidance makes it clear that the EDPB expects organisations to assess the laws of the data importer’s country and any impediment to compliance with transfer obligations. In particular, data exporters will have to:
The Recommendations also state that Section 702 of the U.S. FISA “does not respect the minimum safeguards resulting from the principle of proportionality under EU law and cannot be regarded as limited to what is strictly necessary,” meaning that where data importers or any recipients of onward transfers are subject to Section 702 of FISA, additional supplementary technical measures will be required in addition to SCCs or other recognised transfer mechanisms.
If the laws of the transferee country are not ‘essentially equivalent’, then supplementary measures may need to be implemented (in addition to the contractual protections in the SCCs). The purpose of these supplementary measures is to elevate the protection afforded to data in the local country so that it rises to the appropriate level of protection under the EU standards.
Not only do supplementary measures need to be identified, those measures also need to be properly documented to comply with the GDPR’s accountability principle. The supplementary measures at issue may be contractual, technical, and organisational.
The EDPB provides a non-exhaustive list of suggested supplementary measures, including:
You may need to combine several measures to ensure the appropriate level of protection. One example of a technical measure is encryption, where the recipient in the third country is exposed only to encrypted data.
If you find that no additional measures can ensure an essentially equivalent level of data protection, you may not transfer personal data to that third country.
These recent changes have resulted in significant repercussions for organisations transferring GDPR-governed data to a third country outside of the EU. This includes transfers to the US, Australia, and (after the 31st of December 2020) most likely the UK.
If you have not already done so, now is the time to consider the steps below (taken from the European Data Protection Board (EDPB) draft guidance on supplementary measures to the SCCs) to help ensure your continued GDPR compliance.
| Step | Action | What to do |
|---|---|---|
| 1 | Map your data and all data transfers | This will include mapping all your data transfers and ensuring that the data you transfer to countries outside the EU (referred to as “third countries”) is relevant and limited to what is necessary, considering the purpose of the transfer. This should also take into account any onward transfers to sub-processors in another third country. |
| 2 | Determine which GDPR transfer tool to use | Adequacy? If you transfer personal data to a country that has been declared by the EU Commission as providing an adequate level of protection of personal data (through an “Adequacy Decision”), no additional steps will need to be taken, other than monitoring the validity of the Adequacy Decision. SCCs and other transfer tools? Absent an Adequacy Decision, you will have to rely on one of the other cross-border data transfer tools provided by Article 46 of the GDPR, the most notable being the SCCs; these may also include binding corporate rules, codes of conduct, certification mechanisms and ad-hoc contractual clauses. Derogations? Besides Adequacy Decisions and Article 46 GDPR transfer tools, the GDPR contains another avenue allowing transfers of personal data in certain situations. Subject to specific conditions, you may still be able to transfer personal data based on a derogation listed in Article 49 GDPR. However, the derogations contained in Article 49 must be interpreted narrowly. In particular, they mainly relate to processing activities that are occasional in nature and non-repetitive. |
| 3 | Assess the laws affecting data protection in the third country | If the transfer cannot be based on an Adequacy Decision, nor on an Article 49 derogation, you must assess the laws in the third country that may affect the level of protection of personal data, to ensure that the personal data transferred benefits from an “essentially equivalent” level of protection to that which the GDPR provides. The assessment should focus on laws that affect the exercise of data subject rights and access to data by public authorities for surveillance purposes. |
| 4 | Identify and adopt supplementary measures | If Step 3 reveals that the third country does not provide an essentially equivalent level of protection to the EU, you must identify and adopt supplementary measures on a case-by-case basis. |
| 5 | Formal procedural steps with EU Data Protection Authorities | In some cases, you will need to have your supplementary measures approved by the relevant EU supervisory authority (e.g. where the additional measures proposed may directly or indirectly conflict with the original provisions of the SCCs). |
| 6 | Monitor and re-evaluate the assessment regularly | You must monitor, where appropriate in collaboration with data importers, developments in the third country to which you have transferred personal data that could affect the initial assessment of the level of protection and the decisions you may have taken accordingly. |
In addition, the EDPB published draft recommendations on the European Essential Guarantees for surveillance measures (the “EEG Recommendations”), which complement the draft SCCs and Supplementary Measures Recommendations. These Recommendations aim to provide guidance on the elements to examine in determining whether surveillance measures allowing access to personal data by either national security agencies or law enforcement authorities in a third country can be regarded as a justifiable interference or not.
We will cover this in more detail in a subsequent post. However, the following may be a useful resource if you are trying to assess the surveillance laws of a third country.
We expect that supervisory authorities will continue to develop guidance around this topic to ensure consistency in the application and enforcement of the GDPR.
But ultimately, organisations transferring data subject to the EU GDPR restrictions are responsible for making the concrete assessment in the context of the transfer, the third country law and the transfer tool they are relying on. If you are covered, you must proceed with due diligence and document the process followed thoroughly, as you will be held accountable for the decisions made under the principle of accountability set out in the GDPR.
The EDPB also recognises that it may not be possible to implement sufficient supplementary measures in every case.
Given there are no “one size fits all” solutions for third country transfers, we recommend that you urgently assess your EU to non-EU data transfers on a case-by-case basis and consider whether any further steps should be taken.
Analysis of Schrems II Judgement
Draft Standard Contractual Clauses