In the course of the past month the EU has taken three key steps to regularising international personal data transfers, following the disruption caused by the Schrems II decision of the Court of Justice of the European Union (CJEU) last Summer:
- On 4 June 2021, the European Commission (EC) released its updated standard contractual clauses (New SCCs) for use as a gateway in international transfers to third countries.
- On 18 June 2021, the European Data Protection Board (EDPB) adopted its final Guidance on how international transfers can accommodate the requirements from the Schrems II decision.
- Finally, on 28 June 2021, the EC conferred an Adequacy Decision on the UK for personal data transfers from the EEA to the UK.
In this article, we explain the significance of these three developments and the practical steps that now need to be considered. At the same time, we explain why the position for UK based entities continues to remain uncertain whilst we wait for a position to be adopted by the UK Information Commissioner (ICO).
The New SCCs reflect GDPR requirements and also take into account concerns raised by the CJEU in its decision on Schrems II as to whether the SCCs adopted under Directive 95/46/EC (Old SCCs) provided sufficient safeguards for the transfer of personal data to certain countries with wide-reaching surveillance laws (for background on the Schrems II decision, see our earlier article here). Here are some of the key features of the New SCCs:
Can you use the New SCCs at all?
Recital 7 of the EC implementing decision (SCCs Decision) accompanying the New SCCs provides as follows: “The standard contractual clauses may be used for such transfers only to the extent that the processing of the importer does not fall within the scope of [GDPR]”. It would appear from this that the EC is taking the position that if the Importer is directly regulated by GDPR then no transfer gateway, such as the New SCCs, needs to be used.
It should be remembered that an Importer could be directly regulated either under the extended concept of “establishment” in the EU under Google Spain type principles recognised under Article 3.1 of GDPR or the specific extra-territorial provisions in Article 3.2 of GDPR.
We are not sure the EC is right on this point. Its position appears to be at odds with the wording of chapter V of GDPR, which deals with transfers to third countries, and fails to take into account the impact of local laws on the Importer which might be contrary to the requirements of GDPR, whether it is applied directly or not. Accordingly, clients may want to act cautiously and adopt a “belt and braces” approach by still using SCCs at least as a fallback position, as well as keeping an eye on any further guidance from the EC on this point. We also explain below the impact that this has on the Six Step Process in the EDPB Guidance (effectively introducing an additional step in that process).
The New SCCs have been available for use for transfers from the European Economic Area to third countries since 27 June 2021. The Old SCCs will still be capable of being used for new transfers until 27 September 2021 (a sensible period, for example, to allow parties who are already negotiating arrangements to use the Old SCCs). However, all transfers relying on the Old SCCs have a longstop date of 27 December 2022 by which time those arrangements must be switched over to the New SCCs. In addition, if the nature of the transfers taking place under the Old SCCs changes before that longstop date, then the switch over to the New SCCs must take place when this happens.
With processing chains becoming increasingly complex, the New SCCs reflect a requirement for flexibility. Whilst the Old SCCs were drafted for controller to controller (C2C) or controller to processor (C2P) transfers, the New SCCs contain modules that can be added or removed depending on whether the transfer is C2C, C2P, or processor to processor (P2P) or even processor to controller (P2C). This is good news as it avoids trying to shoe-horn the Old SCCs into types of transfer relationships which they were not designed for. The New SCCs also contain a docking clause whereby new entities (such as a newly created group subsidiary) can become a party to the New SCCs by completing the appendix and signing the annex (subject to the other parties’ agreement). That again makes them more user friendly.
The New SCCs also reflect additional obligations on controllers and processors prescribed by GDPR. In respect of the requirement to implement appropriate organisational and technical security measures, the parties are required to detail in the Annex the specific measures in place and which transfers the measures relate to.
Where the data importer is a processor, the New SCCs include clauses that also satisfy the requirements of Art 28 GDPR. This should largely negate the need for separate data processing clauses to be incorporated into any overarching agreement. Whilst parties may wish to agree additional safeguards and arrangements as to liability for the costs of audit and assistance, care must be taken that any additional clauses do not contradict the New SCCs or limit the rights of data subjects as these could invalidate the transfer.
The New SCCs also place additional transparency obligations on Importers. These vary depending on the nature of the transfer but can include: informing the data subjects of its identity, contact details and details of its data processing; dealing promptly with data subject complaints; notifying the Exporter if it has reason to believe that it is not able to meet the requirements of the New SCCs; and being able to demonstrate compliance in accordance with the GDPR accountability principle.
Catering for the Schrems II decision
Whilst the Old SCCs were upheld by the CJEU in the Schrems II judgment last Summer as a valid basis for international transfers, the judgment noted that data exporters could not solely rely on the contractual protection provided by the Old SCCs. Exporters were required to assess each transfer on a case-by-case basis to ensure that the transferred data was afforded sufficient protection when received by the Importer.
The New SCCs acknowledge the judgment by requiring the Exporter to warrant that it has used reasonable efforts to determine that the Importer is able, through appropriate technical and organisational measures, to satisfy its obligations under the New SCCs.
The Exporter is permitted to take a risk-based approach and must carry out an impact assessment in each case. The New SCCs set out the factors to be considered including: the laws of the importing country; the purpose of the processing; the type of data transferred; and the number of organisations involved in the processing.
In respect to the laws applying to the Importer, the SCCs Decision provides that the assessment can be informed by reliable information on the application of laws in that country including case law and reports by independent oversight bodies, and the existence / absence of requests for personal information and the documented practical experience of the Exporter / Importer which is corroborated and not contradicted by publicly available information. This is important because it means the assessment is not only based on what the laws and practices in the Importer’s country could entail, but what actually happens in practice. This was the position the EC took in the draft version of the EU SCCs published in November 2020 for consultation, but this was contrary to the position adopted by the EDPB in its draft Guidance issued at the same time. However, in the final Guidance issued by the EDPB it seems that it has now come into line with the EC’s view. We explain the significance of this when referring to the EDPB final Guidance below.
The New SCCs are clear that processing cannot take place if local laws prevent the Importer from complying with its contractual obligations; however, the New SCCs also state that laws and practices that respect the essence of the fundamental rights and freedoms which are necessary and proportionate for the reasons set out in Art 23 GDPR (for example, in respect to national security or public interest objectives) should not be considered to conflict with the New SCCs.
If there are concerns over local laws then additional security measures to ensure confidentiality may be applied – if necessary in consultation with the supervisory authority – although the transfer should be suspended by the Exporter if it considers that appropriate safeguards cannot be ensured or if it is instructed to do so by the supervisory authority.
The New SCCs oblige the Importer to notify the Exporter and the data subjects concerned – to the extent possible – that it has received a request from a public authority for access to the data. Furthermore, the Importer is obliged to challenge the request where it has reasonable grounds to do so and document these steps to the Exporter. These are potentially onerous obligations for Importers.
Annex 1 to the New SCCs requires the parties (except for P2C transfers) to identify the competent supervisory authority and the Importer agrees to submit themselves to such authority. The governing law and jurisdiction of the New SCCs must also be that of an EU member state.
EDPB final Guidance
The EDPB final Guidance on Schrems II is largely in line with the draft Guidance it issued in November 2020, including retaining its Six Step Process for evaluating transfers to third countries (for background on the earlier draft Guidance and the Six Step Process, see our earlier article here).
However, there are two particular changes to note, as well as what we consider to be a practical addition to the Six Step Process in light of the EC’s view of transfers to Importers directly regulated by GDPR.
The first change is at Step Three of the Six Step Process. This has been relaxed to align it with the new EU SCCs, where assessments of foreign laws and practices can take account of what actually happens in practice rather than what could happen. This is particularly important because it allows Exporters to take more of a subjective view on whether data is at risk in reality in the hands of the Importer. For example, it means that even a transfer to an Importer subject to Section 702 of the Foreign Intelligence Surveillance Act (a US law specifically called out as problematic by the CJEU in Schrems II) could go ahead if in practice that Importer is never faced with requests for data from the US authorities.
The second key change stems from an increased focus since Schrems II on the use of the derogations for international transfers in Article 49 of GDPR. The EDPB is now much clearer that these derogations are exceptional rather than to be used as an alternative to the other transfer gateways where use of those other gateways proves difficult. So, the EDPB appears to be firmly shutting the door on suggestions that Exporters could rely on the Article 49 derogations much more than they had in the past.
Finally, what we consider to be a practical addition to the Six Step Process stems from the point we have already made concerning the EC’s view that SCCs cannot be used where an Importer is directly regulated by GDPR. What this appears to mean in the context of the Six Step Process is that there is an additional consideration at Step Two. Before getting to the stage where an Exporter determines what transfer gateway can be used, it should first consider whether the Importer is directly regulated under GDPR Article 3 in relation to the data transferred. If the answer is “no” then, according to the EC’s view, the process stops there, and the transfers can take place with nothing additionally needed.
Adequacy decision for the UK
Transitional arrangements were agreed alongside the UK-EU Trade and Cooperation Agreement to provide for an “adequacy bridge” allowing the free flow of personal data from the EU (and EEA) to the UK until 30 June 2021. This six month period was used by the EU to assess UK data protection standards with a view to adopting an Adequacy Decision.
Now that the EC has granted an Adequacy Decision to the UK at the eleventh hour, this free flow of personal data from the EEA to the UK can continue. However, the EC has reserved the right to revoke the Adequacy Decision if UK data protection laws diverge from the EU’s laws to the extent that EU personal data is not deemed sufficiently protected by the UK regime.
Whilst the validity of the Adequacy Decision could potentially be challenged in the EU courts, the announcement is obviously good news for UK and EEA organisations involved in data transfers from the EEA to the UK. Note also that the UK had already deemed the EEA to be Adequate, so the flow of data continues both ways.
The UK position more generally
The New SCCs cannot be used for transfers from the UK to third countries. UK Exporters must continue to use the Old SCCs. UK Exporters should also continue to follow the EDPB draft Guidance issued in November 2020.
Although it is not absolutely clear whether the UK agrees with the EC’s view that transfers to Importers directly regulated by the UK GDPR do not need a transfer gateway, the ICO has previously indicated that this is its view as well. Again, though, because of doubts about this, we would still suggest the use of the Old SCCs as a fallback position.
The ICO has said it proposes to publish shortly new UK SCCs for consultation with a view to them being formally adopted later in 2021. At the same time, it is hoped that the ICO will issue its own Guidance similar to that produced by the EDPB. In the meantime, it might be possible that the ICO will endorse the new EU SCCs and the final EDPB Guidance as a temporary measure, but we have no indication of this so far.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, June 2021