International data transfers have been the subject of intense debate ever since the Court of Justice issued its landmark Schrems I judgement on 6 October 2015. The debate intensified further with the Schrems II decision one year ago, on 16 July 2020. That decision annulled the U.S. Privacy Shield and severely tightened the rules on the use of standard contractual clauses (“SCCs”).
Schrems II today remains a major cause for concern for organizations. Yet, after rain comes sunshine: in the year following Schrems II, several initiatives have clarified how we should address the decision and ensure compliance. This blog will present a state of affairs for international data transfers and some practical suggestions going forward.
1. A new set of standard contractual clauses
On 4 June 2021, the European Commission issued an implementing decision on standard contractual clauses (“SCCs”) for the transfer of personal data to countries outside of the European Economic Area. It thereby fulfilled its promise to bring the first sets of SCCs, dating from 2004 and 2010, up to speed with the General Data Protection Regulation of 2016. The implementing decision follows an initially published draft of November 2020, which ultimately attracted 148 consultation responses and a joint opinion by the European Data Protection Board and the European Data Protection Supervisor. Many welcome the new SCCs, in particular due to the invalidation of the U.S. Privacy Shield in Schrems II.
SCCs for the 2020s
The new SCCs illustrate the European Commission’s willingness to be pragmatic and to understand the needs of businesses. Global data transfers anno 2020 come in many shapes and forms, often involving several data importers and exporters. The new SCCs take into account such complex processing chains through a modular approach.
In addition to the existing EU controller to non-EU controller (C2C) or non-EU processor (C2P) clauses, the new SCCs provide clauses or “modules” for EU processor to non-EU processor (P2P) or EU processor to non-EU controller (P2C). This for example enables European processors to rely on US sub-processors.
Moreover, the new SCCs allow for a multi-party configuration, in which data exporters or importers can accede throughout the life cycle of the contract (via the so-called “docking clause”) with the agreement of the existing parties. In this regard, the implementing decision contains an Annex which presents a template list of the parties taking part in the data transfer agreement.
No more copy-paste: stronger commitments on data exporters and importers
While the new SCCs were not issued as a response to the uncertainty caused by Schrems II, the impact of the decision is ubiquitous. Several clauses incorporate the ruling and impose obligations on data exporters and/or data importers. Such obligations reflect the requirement of a pragmatic and active approach on the part of both the data exporter and the data importer.
Firstly, the new SCCs specify the requirement to conduct a transfer impact assessment (so-called “TIA”). Both data exporter and importer are required to document an assessment in which they warrant that they have no reason to believe the laws of the third country prevent the data importer from complying with the SCCs. This confirms the reasoning of the Court of Justice in Schrems II, as the responsibility to guarantee an adequate level of protection lies with both data exporter and importer. The new SCCs provide several elements that parties should take into account when conducting a TIA. The European Commission allows in its new SCCs the consideration of objective factors such as the nature of the transferred personal data or the absence of requests for disclosure from public authorities for the type of data transferred. This might lower the burden to adopt supplementary measures for businesses transferring personal data that are of no interest to the public authorities in the recipient third country. For EU-US transfers, it is generally acknowledged that US surveillance authorities are mainly interested in personal data related to communications. Other types of personal data, such as personal data related to commercial transactions, might therefore require less consideration when adopting supplementary measures.
Secondly, the data importer warrants to undertake a documented review of a request for disclosure and assess the legality by reference to the law in force in the third country. The new SCCs also impose the obligation on the data importer to challenge an access request if it concludes there are reasonable grounds to consider that the request is unlawful under the laws of the destination. In doing so, the data importer should also seek interim measures with a view to suspending the effects of the request.
Thirdly, data subject rights have been tightened. Data subjects are entitled to enforce the new SCCs as third party beneficiaries. To facilitate this right, both data exporter and importer need to exercise an increased level of transparency. They are required to provide a copy of the SCCs upon request of the data subject. In case of a C2C transfer, parties are required to disclose the identity of the data importer, who will also be responsible for the handling of data subject requests. Finally, in the light of Schrems II, whenever a data importer receives a legally binding request from a public authority for disclosure of personal data, it is required to promptly notify the data exporter and, if possible, the data subject.
New SCCs are no “Get Out of Jail Free” card
The adoption of the new SCCs does not exempt parties from the consequences of the Schrems II ruling. Depending on the laws of the third country, the data exporter and importer are still required to undertake supplementary measures, such as encryption or pseudonymisation, to ensure the protection of the personal data. If no adequate level of protection can be guaranteed, the data exporter has to suspend the data transfer and the competent data protection authority can order it to do so.
Both the new SCCs and the Schrems II ruling therefore impose new obligations on data exporters and importers. To a certain degree, parties can however negotiate who will carry the burden of these obligations. For example, the duty to respond to a data subject’s request to receive a copy of the SCCs can be allocated to one of the parties. In addition, parties might want to specify who will bear the costs of implementing supplementary measures or the costs of having to suspend the data transfer.
Transition period of 18 months
From 27 June 2021 onwards, the new SCCs will enter into force and will be available for data exporters and importers to rely on. The SCCs currently in place will be repealed on 27 September 2021. Contracts concluded on the basis of those repealed SCCs will remain valid until 27 December 2022, unless the processing operations are altered before that date, or unless parties decide to amend the existing contract.
2. New Guidance of the European Data Protection Board
On 18 June, the European Data Protection Board published its final guidelines on the implementation of supplementary measures for international data transfers. The final guidelines do not differ significantly from the first version published on 10 November 2020. The EDPB describes the different steps to be taken to assess the validity of international transfers of personal data, which we discussed during our webinar sessions organized in November and December 2020.
The most significant difference when compared to the initial guidelines is the more pragmatic approach the EDPB is taking with regard to the assessment of the laws of the third country. The EDPB confirms that parties can consider the practical relevance of laws in a third country, i.e. the extent to which the laws apply in practice to the transfer of personal data. In addition, parties can take into consideration the practical experience of the data importer with relevant prior instances of, or requests for, access received from public authorities. The EDPB thus appears to move closer to the Commission’s more “risk-based” approach.
3. UK adequacy decision
On 28 June, the European Commission adopted an adequacy decision for the United Kingdom. As a result of Brexit, transfers of personal data to the U.K. were considered transfers outside of the European Economic Area, which significantly complicated the flows of personal data. After the implementation of a transition period post-Brexit, the Commission has now ensured that personal data can flow freely from and to the U.K. The adequacy decision will be subject to a legal review every four years. Unless expressly renewed after four years, the adequacy decision will lapse. It should be noted that, similar to the annulled U.S. Privacy Shield, the U.K. adequacy decision is not untouchable and might be challenged by privacy activists such as Max Schrems. However, for now, the adequacy decision enables the avoidance of any interruption of transfers to the U.K.
The implementation of the rules on international data transfers remains challenging, especially after the Schrems II decision. Yet, the past year has brought clarity on how to interpret the ruling.
We recommend that organizations adequately review and map their international data transfers, and the corresponding transfer tools relied upon. Personal data can flow freely to the U.K., or to any other country with an adequacy decision. With regard to SCCs, organizations should review their contractual arrangements with external parties and assess whether these will last longer than the 18-month transition period. If so, parties should take steps to adopt the new set of SCCs, verifying their respective roles as controller or processor, performing a transfer impact assessment and adopting the necessary supplementary measures. Please note that, as a result of the Schrems II decision, the adoption of supplementary measures already constitutes an obligation at present.
We happily assist in performing your international data transfer review.