In July 2020, the Court of Justice of the European Union (CJEU) delivered its judgment in the so-called Schrems II case. This had significant impacts for any organisation transferring personal data from the EU or UK to any other third country. Our earlier article explaining the immediate impact of Schrems II is here.
What was missing from the Schrems II ruling was any practical guidance for organisations about how to adjust their international data transfers to this new landscape. Now, finally, we have that guidance in draft from the European Data Protection Board (EDPB), the collective body of all EU data protection regulators (which no longer includes the UK Information Commissioner, of course). The EDPB draft Guidance, adopted on 10 November 2020, is here.
In addition, on 12 November 2020, the EU Commission issued a Decision, again in draft, updating the Standard Contractual Clauses (SCCs), the most widely used mechanism for validating data transfers to third countries. The EU Commission draft SCCs Decision is here.
The main purpose of this article is to explain the draft Guidance from the EDPB, what it means for organisations and what else we need to see in order to put international transfers of personal data from Europe back on a surer footing. We will also touch upon the new draft SCCs as part of this. Finally, we will explain the added complication of Brexit in this context for UK based organisations.
What was the CJEU decision in Schrems II?
To re-cap, in Schrems II the CJEU invalidated the EU-US Privacy Shield. This was a mechanism, or “gateway”, established between the EU Commission and the US Government permitting the transfer of personal data by organisations based in the EEA (the EU Member States, originally including the UK, plus Iceland, Liechtenstein and Norway) to businesses based in America which had self-certified their compliance with Privacy Shield rules. The invalidation of this mechanism caused an immediate problem for any personal data transfers which relied on this gateway because it meant that those transfers were unlawful unless an alternative gateway could be found. The EDPB and UK Information Commissioner’s Office (ICO) subsequently made clear that organisations had no grace period to find an alternative mechanism to continue transferring data. Invalidity was immediate.
One of the alternative gateways is the use of SCCs. These are standard form contracts drawn up by the EU Commission which the party exporting the data outside the EEA or UK enters into with the data importer in the third country, in order to give automatic protection for personal data transferring under those clauses. A version of the SCCs was also under challenge in Schrems II, but the CJEU did not invalidate them. However, the CJEU added very important caveats to the use of SCCs which took everyone by surprise.
The CJEU’s ruling in Schrems II in respect of both the Privacy Shield and the SCCs is underpinned by basic principles enshrined in EU law that when personal data is transferred outside the EEA or UK it must be subject to an “essentially equivalent” level of protection to that guaranteed under EU laws. The Privacy Shield gateway did not provide this because, once the data was received in America, it was potentially subject to US government surveillance measures which were simply incompatible in their scope with EU laws, did not provide individuals with sufficient rights to challenge those measures, and were not subject to effective independent oversight. In other words, the EU Commission’s 2016 Decision to enter into the Privacy Shield mechanism with the US Government was fundamentally flawed.
In relation to the SCCs, whilst upholding them, the CJEU said that it was not enough for the data exporter and data importer to include them in their contract. They additionally have to assess whether the SCCs will be effective in protecting the data once transferred to the third country. That requires the data exporter, with the help of the data importer, to review the laws and practices in the third country to assess whether they undermine the effectiveness of the SCCs. If they potentially do, then the exporter and importer have to assess whether “supplementary measures” might “fill any gaps” so that the transferred personal data will nevertheless enjoy “essentially equivalent” protection as required by EU law.
However, the CJEU did not specify how data exporters and data importers are supposed to carry out this assessment and what the supplementary measures might be. This is what the new EDPB draft Guidance seeks to address – how should exporters and importers undertake the verification of third countries’ laws and practices and what might the appropriate supplementary measures be where these are needed?
What has the EDPB now said about the practical measures to take?
The EDPB draft Guidance sets out a helpful six step process as follows, which should be documented by the data exporter (and by the data importer, where applicable) for GDPR accountability purposes:
Step one: Data exporters should map all transfers of personal data to third countries, at the same time verifying that they are only transferring strictly what is needed in relation to the purposes for which the data is being transferred.
Step two: Consider what transfer gateway you are relying on for the transfers that you have mapped. There are other gateways that can be used apart from SCCs. If you are relying on a non-contractual mechanism for the transfers (eg an EU Commission “Adequacy Decision” that the country in question sufficiently protects personal data), then you don’t need to go any further in this step-by-step process. However, if you are relying on SCCs (or on Binding Corporate Rules (BCRs) for intra-group company transfers) then you have to proceed to assess these transfers at Step three onwards.
Step three: You then need to assess if there is anything in the law or practice of the third country that makes the SCCs (or BCRs) ineffective in protecting the transferred data. This assessment should be specific to the data transferred and its context (e.g. the nature of the data being transferred, to whom, and for what purpose). You should look at relevant legislation in the third country and have regard to the separate EDPB European Essential Guarantees (EEGs) recommendations when it comes to issues of the third country’s national surveillance laws (see further below regarding the EEGs).
Step four: If you conclude that the law or practice of the third country makes the gateway relied upon ineffective in protecting the transferred data, but you would still like to make the transfers, then you need to identify and adopt additional supplementary measures to bring the level of protection of the data transferred up to the EU standard of essential equivalence. These measures should be specific to the data transferred and its context and the risks identified at Step three. The supplementary measures can be:
- Technical, most obviously, applying encryption or pseudonymisation techniques;
- Contractual, for example, including obligations for the data importer to notify the data exporter of any requests received from third country authorities, or a duty for the data importer to challenge, so far as reasonably practicable, the exercise of investigatory powers by third country authorities; or
- Organisational, for example, splitting data between different importers to make it unintelligible to them but intelligible to the data exporter when recalled, or putting in place expert-led teams to respond to requests for access to data by third country authorities.
Critically, the EDPB then points out in its draft Guidance that if there are no supplementary measures that can address the fact that the transferred data is at risk then the data exporter should simply not transfer the data. If the data exporter is already conducting transfers then the EDPB says it must suspend or end them, with the data already transferred being returned or destroyed by the data importer. However, we think the data exporter should be very careful here not to put itself in breach of contract with the data importer, and this is particularly the case where the importer does not agree with the exporter’s assessment that transfers must stop. In such a case, the exporter might want to seek the assistance of its Supervisory Authority, ultimately asking it to compel the transfers to stop.
Step five: If the data exporter concludes that it can make the transfers then it should make sure it properly implements any necessary supplementary measures. Where this involves supplementing the SCCs then this is permitted, provided that the core provisions of the SCCs are not undermined. If they are, then the Supervisory Authority must be asked to approve the changes.
Step six: The final step is to keep the position under review, whether you decided the transfers can take place at Step two (eg you might be relying on an Adequacy Decision which could later be withdrawn), Step three (eg the law or practice of the third country could change) or Step four (eg more effective technical measures might be developed to deal with the issues raised by the law or practice of the third country, or your data importer proves incapable or unwilling to comply with them in practice). The EDPB says this should be at “appropriate intervals”. For most organisations we would suggest doing this at least annually, and sooner whenever the transfers are materially changed (eg a new data importer is put in place, or more or different types of data are being transferred).
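To make the Step four technical and organisational measures concrete, the following is an added illustration, not code from the article or from the EDPB Guidance. It shows two of the measures listed above: keyed pseudonymisation, where the importer receives only tokens and the re-identification secret never leaves the exporter, and splitting a field into two shares so that each importer alone holds data that is unintelligible to it but that the exporter can recombine when recalled. The sample HR record, the field names, the key and the helper names are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample: an HR record that an EU exporter wants a third-country
# importer to process without the importer seeing direct identifiers in the clear.
SAMPLE_RECORD = {
    "employee_id": "E-1042",
    "email": "a.bloggs@example.com",
    "salary_band": "C",
    "country": "DE",
}
# Fields treated as direct identifiers (an assumption for this example).
DIRECT_IDENTIFIERS = ("employee_id", "email")


def pseudonymise(record, key, lookup):
    """Replace direct identifiers with keyed tokens (HMAC-SHA256).

    The key is held only by the exporter, so the importer cannot reverse the
    tokens or brute-force them the way it could with a plain hash. The
    exporter records token -> original value in `lookup` (kept in the EEA)
    so that processed results can be re-identified when they come back.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        value = record[field]
        # Domain-separate by field name so the same string in two fields
        # does not produce the same token.
        msg = f"{field}:{value}".encode()
        token = hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]
        lookup[token] = value
        out[field] = token
    return out


def reidentify(record, lookup):
    """Exporter-side reversal using its own lookup table (no key needed)."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = lookup[record[field]]
    return out


def split_shares(data: bytes):
    """Split `data` into two XOR shares for two different importers.

    Each share on its own is uniformly random, so an importer (or an
    authority compelling that importer) learns nothing from it.
    """
    share_a = secrets.token_bytes(len(data))
    share_b = bytes(x ^ y for x, y in zip(data, share_a))
    return share_a, share_b


def recombine(share_a: bytes, share_b: bytes) -> bytes:
    """Exporter-side recombination once both shares are recalled."""
    return bytes(x ^ y for x, y in zip(share_a, share_b))


if __name__ == "__main__":
    exporter_key = secrets.token_bytes(32)   # generated and retained by the exporter
    table = {}
    sent = pseudonymise(SAMPLE_RECORD, exporter_key, table)
    print("importer receives:", sent)
    print("exporter re-identifies:", reidentify(sent, table))
    a, b = split_shares(SAMPLE_RECORD["email"].encode())
    print("importer A holds:", a.hex())
    print("importer B holds:", b.hex())
    print("exporter recombines:", recombine(a, b).decode())
```

Neither measure helps where the importer genuinely needs the data in the clear, which is exactly the cloud-provider and intra-group HR examples the EDPB gives as currently incurable; they only work where the processing the importer performs can be done on tokens or on a single share. Note also that pseudonymised data is still personal data in the exporter's hands, so the lookup table and key need the same protection as the original identifiers.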
How do we assess the laws and practices of the third country?
Step three above requires you to assess if there is anything in the law or practice of the third country that makes the SCCs (or BCRs) ineffective in protecting the transferred data. In an attempt to assist with this, the EDPB has also issued revised guidance on the European Essential Guarantees (EEGs), see here.
The EEGs summarise the elements which need to be assessed to determine whether the legal framework governing access to personal data by authorities in a third country (ie national security agencies or law enforcement authorities) can be regarded as justifiable in the context of EU laws or, as the EDPB puts it, “unjustifiably interferes with the data importer’s obligations to ensure essential equivalence.” Therefore, when assessing the law or practice of the third country, the exporter and importer need to particularly consider the EEGs.
Having said that, the assessment is very complex and is likely to require expert input on the laws and practices adopted in the third country as well as the relevant case law of the CJEU (and European Court of Human Rights) interpreting the underlying EU data protection and privacy laws.
The four European Essential Guarantees relevant to this assessment are:
- Processing should be based on clear, precise and accessible rules. This includes the following principles: the circumstances and conditions under which a surveillance measure may be adopted should be clear and precise and subject to detailed rules; and the legal basis for accessing and using personal data should include a definition of the categories of people that might be subject to surveillance, a limit on the duration of the exercise of the powers, the procedure to be followed for examining, using and storing the data obtained, and the precautions to be taken when communicating the data to others;
- Necessity and proportionality with regard to the legitimate objectives pursued needs to be demonstrated. In other words, do the third country’s laws and practices adequately balance the rights of individuals with the objective being pursued (eg national security concerns)?
- An independent oversight mechanism regarding the exercise of these powers should exist, whether that is judicial or another independent body whose decisions are binding on those exercising the powers;
- Affected individuals must have an effective remedy to satisfy their rights when they believe they have not been respected.
In light of all of this, are there any particular transfers which are clearly problematic?
Yes, there are. The EDPB Guidance specifically points out that the CJEU held in Schrems II that the level of protection of the programs under Section 702 of the US Foreign Intelligence Surveillance Act (702 FISA) is not “essentially equivalent” to the safeguards required under EU law. Therefore, if the data importer (or anyone else the data importer may transfer the data to) falls under 702 FISA then, inevitably, the conclusion at Step three is that laws applying to the data importer cannot be equivalent to EU laws. You then proceed to consider additional measures at Step four. However, the EDPB draft Guidance then provides two examples where it concludes that there are currently no effective technical measures that can be used to cure this. The first example is a cloud service provider which needs access to the personal data in the clear (ie without encryption or pseudonymisation) in order to perform its obligations to the exporter. The second is an intra-group situation where the importer in the third country again needs access to the data in the clear (eg to provide HR services or customer support to individuals based in the EU or the UK), but is again subject to public authorities in the importer’s country having a level of access to the data going beyond what is necessary and proportionate in a democratic society. This is obviously going to be problematic for a lot of exporters and importers.
Could you explain the key points from the new draft SCCs?
The new draft SCCs really address three key things. First, they modernise the SCCs. The existing three sets of SCCs (two for controller-to-controller transfers and one for controller-to-processor transfers) were all issued by reference to the now superseded 1995 EU Data Protection Directive and were broadly recognised as being not fit for purpose in the GDPR era. So, they have been updated to incorporate GDPR concepts (such as Article 28 controller-to-processor contractual terms and with strengthened rights of redress for individuals whose data are being transferred). Second, they accommodate more types of organisational relationships (including processor-to-controller and processor-to-sub-processor transfers). Third, they deal with the issues raised by the Schrems II ruling in areas such as exporters and importers giving more granular assurances about the impact of third countries’ laws on the SCCs and how third country authorities’ requests for access to transferred data should be handled. We will be issuing a more in-depth article on the new SCCs at a later date (acknowledging they are now published for consultation and may change).
Taking all of this into account, should we be starting to make changes now?
In relation to the new draft SCCs, the answer is “no”. It is important to be aware of them but bear in mind that they are only in draft. They are subject to public consultation until 10 December 2020 and then the EU Commission will take time to consider the feedback it has received. Given the comments so far on the draft SCCs, we expect that there may well be a number of changes. We would expect to see the EU Commission publishing final versions of the new SCCs under a formal EU Commission Decision in early 2021. As matters stand, there will then be a grace period of up to one year for data exporters and data importers to switch from the old SCCs to the new ones. However, most importantly, until the new SCCs are approved, they are not a lawful gateway for transfers. Pending their formal adoption, you should continue to use the existing SCCs, including for new transfers. We suggest you expressly build in flexibility in any contracts for new transfers by including a provision for the existing SCCs to be replaced by the new ones at a time of your choosing.
In relation to the EDPB draft Guidance on Schrems II, this is open to public consultation until 21 December 2020. We do not anticipate that it will change radically, although we expect some refinements, for example further suggestions on the technical measures to take at Step four. However, we do not think you should wait to start implementing the steps suggested. Indeed, they reflect the practical approach many exporters and importers have been adopting in the last few months to deal with the implications of the Schrems II ruling.
We recognise of course the practical difficulties in taking the steps suggested by the EDPB draft Guidance, particularly at Steps three and four. We would suggest organisations focus first on business critical functions that are underpinned by personal data transfers, such as core IT infrastructure, CRM systems and third party e-commerce platforms. Although we are not aware of any action being taken by regulators at the moment to require transfers to stop, claims have already been lodged with regulators by privacy advocates against a wide range of organisations. For example, NOYB, which is connected with Max Schrems, launched 101 complaints with regulators in 30 European countries in August 2020. Organisations should not therefore be complacent.
We know that large technology companies are being engaged by a wide range of their customers on these issues, so it is important to begin contacting those providers and starting a dialogue with them referencing the approach adopted in the draft EDPB Guidance.
The end of the Brexit transition period is fast approaching, so what is the impact of this for international data transfers from and to the UK?
This is a very good question and it adds a layer of additional complication, particularly for UK based organisations, with the UK having already left the EU and the Brexit transition period expiring on 31 December 2020.
The first issue is that from 1 January 2021, the UK will become a third country under the EU GDPR in terms of personal data transfers. Therefore, transfers from the EU to the UK will need to have a gateway to validate them. The most straightforward gateway would be an EU Commission Adequacy Decision for the UK. The UK has applied for an EU Adequacy Decision, but this has not yet been granted. It may be granted if a UK-EU trade deal is struck, but there is no guarantee of that, and time is running out. In any event, the grant of an Adequacy Decision is now complicated by a decision of the CJEU on 6 October 2020 in the Privacy International case, in which the CJEU declared certain UK national surveillance laws incompatible with EU laws. Although those UK laws have been superseded by the UK Investigatory Powers Act, this decision still casts doubt on whether the EU Commission will grant the UK an Adequacy Decision (the EU Commission probably does not want to be told again by the CJEU that its Adequacy Decisions are invalid, as occurred with the Privacy Shield). Without a UK Adequacy Decision, then SCCs seem the most likely gateway for data transfers from the EU to the UK from 1 January 2021. It would be prudent to start the process of implementing them now, including following the six step EDPB process. Steps three and four appear potentially problematic due to UK national security laws but, at the moment, they are not subject to the difficulties caused by more definitive views from the CJEU on 702 FISA regarding EU to US transfers.
Note that the UK will adopt all of the existing EU Commission Adequacy Decisions and in addition the UK will declare that the EU is a safe place to transfer personal data, and therefore no other gateway will be required for UK to EU transfers. This will be reflected in a UK-specific version of the GDPR (known as the “UK GDPR”) which is planned to take effect on 1 January 2021.
The next issue is whether the proposed EDPB Guidance will apply to transfers from the UK to third countries after 31 December 2020. The answer is “yes” if the Guidance is finalised by then, but arguably “no” if it is not. However, the UK’s stated position is that it wishes to continue to be aligned with the GDPR for the moment, and it seems likely that the ICO will follow the approach of the EDPB. We wait to see. The ICO has issued a statement saying it is considering the EDPB’s draft Guidance and will consider whether it needs to publish its own guidance in due course. Remember also that the EDPB Guidance offers guidelines; it does not definitively establish the legal position. In our view, however, it would be foolhardy to ignore it (whether before or after the end of the Brexit transition period).
In relation to the new SCCs, these are very unlikely to be finalised before the end of 2020. If they are not then, strictly, the UK would continue to use the old versions of the SCCs as the EU Commission Decision on the new versions would not apply in the UK. Again, however, we expect the UK would want to be aligned with EU law and practice at least for now and so the new SCCs are likely to be adopted in the UK as well.
There is obviously more to come. We will keep you informed as the EDPB finalises its guidance and other developments occur, such as specific guidance being issued by the ICO for UK based organisations as well as the EU Commission issuing final versions of the new SCCs.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, November 2020