In the past week the European Data Protection Board (EDPB) released its long-awaited recommendations on supplementary measures for data transfers (Recommendations) following the decision of the CJEU on 16 July 2020 in ‘Schrems II’ (Data Protection Commissioner v Facebook Ireland Limited Case C-311/18). On the following day, the European Commission issued equally long-awaited draft standard contractual clauses (New SCCs) for data transfers outside the European Economic Area (EEA), and a further set of SCCs for use in transfers within the EEA (EEA Controller-Processor SCCs). The Recommendations and both sets of SCCs are subject to short consultation periods, although the EDPB has said that its Recommendations take effect immediately.
By way of a brief reminder, over several years the Schrems litigation has challenged the legal bases relied on by Facebook to transfer personal data from Ireland to the U.S. In 2015, this resulted in the EU-U.S. Safe Harbor being invalidated and this year, its successor, the EU-U.S. Privacy Shield was similarly struck down by the CJEU. The Court confirmed that SCCs remain a valid instrument for transferring personal data from the EU/UK to non-EU/UK countries that are not deemed to provide an adequate level of protection for personal data. Where countries are not deemed adequate, organisations must undertake a case-by-case assessment to determine whether there is an adequate level of protection for personal data transferred in reliance on the SCCs.
The Recommendations aim to assist data exporters to identify and implement supplementary measures where the importing jurisdiction does not ensure an adequate level of data protection. They set out the following six step process:
- Map the relevant data transfers and ensure the transferred data is adequate, relevant and limited to what is necessary.
- Identify a data transfer mechanism. Unless the recipient country is recognised by the European Commission as ‘adequate’, this will generally be SCCs or binding corporate rules.
- Assess the legal system of the recipient country to determine whether it undermines the safeguards of the transfer tool, in particular in relation to access by public authorities to EU personal data. Access by public authorities must be proportionate and limited to what is strictly necessary, and EU individuals must have rights of redress. Schrems II determined that the U.S. does not satisfy these requirements and, accordingly, transfers to the U.S. require supplementary measures. The EDPB also published Essential European Guidelines to assist with this assessment.
- Consider supplementary measures if the legal assessment reveals that the recipient country’s legislation undermines the effectiveness of the transfer mechanism. The identification of supplementary measures appears to be a risk-based assessment, although this is not entirely clear. Relevant measures will typically be technical (e.g., encryption), contractual or organisational. Where supplementary measures cannot ensure appropriate protection, the data transfer may need to be suspended or terminated.
- Address formalities to implement any supplementary measures.
- Keep data transfers under review as part of the accountability obligation.
The Recommendations include examples of transfers in which effective measures (primarily technical measures) are available, and two scenarios in which the EDPB said that ‘no effective measures could be found’. These two scenarios will be familiar examples: transfer of data to a cloud or other service provider who has ‘access in the clear’ to data, and ‘remote access to data for business purposes’, which seems to indicate much intra-group processing, including a global HR database. There is very little context for these case studies and they are not explained in detail. Nor is there any risk-based assessment. Anecdotally, the scenarios have been widely criticised as too conservative, and lacking context.
The Recommendations are open for consultation until 21 December 2020 and feedback may be submitted here. Again, anecdotally, organisations appear keen to ask the EDPB to clarify that the assessment of supplementary measures should be risk-based, to emphasise that contractual and organisational measures may be sufficient in the absence of technical measures, and to provide more context for the scenarios it has given.
As a separate but clearly related exercise, the European Commission has released the New SCCs (and draft implementing decision). These are long overdue, and replace the current clauses which are based on the old Data Protection Directive (EC 95/46). In a departure from the old clauses, the New SCCs are modular in structure and accommodate the following types of transfers:
- Controller-to-controller
- Controller-to-processor
- Processor-to-processor
- Processor-to-controller (addressing the well-known gap where an EU processor sends personal data to a controller based outside the EU, as under Art. 3(2) GDPR).
The modular approach and emphasis on detail means that exporters and importers will need a clear and documented understanding of their data flows. Gone are the days when parties could execute generic clauses without detailed knowledge of the underlying data. The clauses also incorporate Schrems II supplementary measures.
The existing clauses will expire twelve months after the New SCCs are approved, meaning that all transfers which currently rely on the old clauses will need to be re-documented using appropriate modules from the New SCCs. While the clauses can be incorporated into other contracts, as for the old clauses, the New SCCs may not be amended and take precedence over conflicting clauses. In some contexts, careful drafting will be required to preserve existing contractual safeguards, for example, in relation to liability.
Formal adoption of the New SCCs requires an opinion of the EDPB and a positive vote by the European Parliament through the comitology procedure. Accordingly, approval is not expected before early 2021, meaning that the New SCCS will not form part of retained EU law and will not be immediately available in the UK. It is not clear what the UK will do, but it seems highly likely that the UK will adopt broadly similar clauses, particularly if the UK receives (or seems likely to receive) an adequacy determination from the European Commission.
Overall, while these New SCCs are long overdue, it will be a big undertaking for organisations to replace existing clauses. The SCCs are open for public consultation until December 10, 2020, and feedback may be submitted here.
Finally, and for completeness, the European Commission has also released draft standard contractual clauses to be used between controllers and processors in the EEA. These are for organisations that rely on third parties in the EEA to perform certain data processing activities on their behalf. Article 28 of the GDPR requires data controllers to put in place an agreement when outsourcing data processing activities to a data processor and sets out the data protection obligations that must be addressed. With these EEA Controller-Processor SCCs, the European Commission seeks to provide organisations subject to the GDPR with a standard data processing agreement that meets the requirements of the GDPR. Unlike the New SCCs, the use of the EEA Controller-Processor SCCs will not be mandatory, however, the EEA Controller-Processor SCCs give a clear signal of the level of detail that the European Commission expects to see in these data processing agreements.
The draft EEA Controller-Processor SCCs are open for public consultation until December 10, 2020, and feedback may be submitted here.