The EU Responds to Schrems II
The end of 2020 has seen major developments to the data protection rules governing international transfers of personal data by the European Institutions following the Court of Justice of the European Union (CJEU) decision in Data Protection Commissioner v Facebook Ireland, Maximillian Schrems (C-311/18) (Schrems II).
Almost simultaneously, the European Data Protection Board (EDPB) published new Guidance for consultation on Transfer Impact Assessments (TIAs) and the European Commission released new Standard Contractual Clauses (SCCs) in draft.
These changes will have a potentially significant impact on the steps that any organisation transferring personal data internationally needs to take to ensure ongoing compliance with the law, including the steps UK businesses and their international partners need to take to prepare for the end of the Brexit withdrawal period on 31 December 2020.
While businesses will have some time to digest the new SCCs, with a one year 'grace period' for updating existing contracts, businesses will need to prioritise TIAs which are already compulsory under the existing SCCs.
The Guidance in particular will provide practical recommendations for organisations undertaking TIAs as part of their day-to-day business, which for larger organisations are likely to involve efforts on a similar scale as under the international transfer elements of those businesses' GDPR audit and implementation projects. Although the Guidance is helpful, there still remain a number of practical difficulties at this time with implementing these measures.
Many businesses will find these new requirements and tools complex to implement and we will be running a webinar as part of our Data Download series on 1 December to explain the impacts of these recent developments and to provide practical recommendations for compliance. If you would like to receive a copy of our step-by-step TIA checklist, contact Dr Nathalie Moreno at firstname.lastname@example.org.
In the wake of the Court of Justice of the European Union (CJEU) decision in Data Protection Commissioner v Facebook Ireland, Maximillian Schrems (C-311/18) (Schrems II), the European Union bodies have been working hard on producing guidance and instruments to clarify their requirements for international transfers of personal data.
On 24 July 2020, the European Data Protection Board (EDPB) published a set of Frequently Asked Questions (FAQs) on the implications of Schrems II but fell short of providing practical guidance.
On 11 November 2020, the EDPB issued long-awaited formal guidance for consultation on the assessment of transfers of data to third countries following Schrems II (EDPB Guidance).
In perfect synchronicity, the European Commission published its new SCCs the following day.
The new draft SCCs will be most welcome on three counts:
- they have finally been brought in line with the General Data Protection Regulation (GDPR);
- they represent the European Commission's recognition that the previous SCCs did not provide for many of the international data transfer scenarios commonly seen when using modern technologies. As a result, the new SCCs extend beyond the (i) controller-to-controller and (ii) controller-to-processor models to two new cases: (iii) processor-to-processor and (iv) processor-to-controller; and
- in light of the end of the Brexit Transition period on 31 December 2020, the SCCs will finally be able to cover the great majority of the types of data transfers likely to occur between the UK, considered as a third country, and the EEA. That said, it will come as a disappointment to those businesses who have just invested in Brexit remediation of contracts under the old SCCs that they will need to start afresh on reviewing and amending those contracts in view of the four new sets of SCCs.
Although neither set of documents is yet in final form, they provide useful guidance for organisations who have been searching since July's CJEU decision for answers in relation to the EU's requirements to legitimise international transfers of personal data.
It is important to note that, while the new SCCs will need to be incorporated into new and existing contracts once adopted by the European Commission (a one year 'grace period' will be applied), TIAs are already compulsory under the existing SCCs. The EDPB Guidance is subject to a public consultation until 30 November 2020 and amendments may well be made to the texts before they are formally adopted.
Meanwhile, the public consultation period for the draft SCCs will run until 10 December 2020, after which point the SCCs will be finalised. The adoption process for the SCCs requires an opinion of the EDPB and the approval of the EU Member States through the EU's comitology procedure. The final SCCs are expected to be adopted in early 2021.
By then, the UK will have already become a third country, and although it had made commitments to uphold the old SCCs, it is currently unclear whether the UK intends to adopt the new SCCs. Even if the UK does adopt the new SCCs, it seems likely that there will be a period of time between the adoption of the new SCCs by the European Commission and the adoption by the UK of those SCCs, during which time the old SCCs would be applicable in the UK. So in the UK post-Brexit the old SCCs will need to be used, at least initially, to legitimise transfers out of the UK to non-adequate countries (excluding the EEA, which the UK government has declared 'adequate').
And, of course, in the meantime the UK could receive a finding of Adequacy by the European Commission which would remove the need for EEA businesses to put SCCs in place when transferring personal data to the UK. As long as these uncertainties remain, businesses involved in transfers of personal data to and from the UK must perform a careful balancing act between compliance with the new EDPB Guidance and SCCs, and retaining enough flexibility in contracts and procedures if the status or approach of the UK changes.
The EDPB Guidance comprises two documents:
- Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Supplementary Measures Recommendations); and
- Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (EEG Recommendations).
When transferring personal data (Data) outside the EEA, the exporter will need to assess whether the protection provided by the recipient country is 'essentially equivalent' to EU protections.
The EDPB has recommended a six-step process:
1. Know your transfers. Identify, map and record data transfers, including onward transfers. Verify that the Data being transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred. The EDPB Guidance confirms that remote access such as support services and cloud-based storage will both be considered transfers.
2. Identify the transfer tool your transfer relies on. If the European Commission has already declared the relevant third country is adequate, no further action is required other than monitoring the status of the decision. Otherwise, the transfer will need to rely on one of the transfer tools listed under Article 46 of the GDPR or an Article 49 derogation and will need to go through a few more steps.
3. Assess the circumstances of the transfer including the law or practice of the third country. The relevant third country's laws and practices should be assessed, including a substantive legal assessment as to whether they “impinge on the effectiveness of the appropriate safeguards of the transfer…, in the context of your specific transfer”. The EEG Recommendations (summarised below) should be referred to in this assessment.

   The context of the transfer should be taken into account in this assessment, including:
   - Purposes for which the data are transferred and processed (e.g. HR, storage, IT support);
   - Types of entities involved in the processing (public/private; controller/processor);
   - Sector in which the transfer occurs;
   - Categories of Data transferred (e.g. there may be specific legislation for categories such as children's Data);
   - Whether the data will be stored in the third country or whether there is only remote access to data stored within the EU/EEA;
   - Format of the data to be transferred (i.e. in plain text, pseudonymised or encrypted); and
   - Possibility that the data may be subject to onward transfers from the third country to another third country.

   At this stage, it is not clear if the Supervisory Authorities (SAs) will be able to further assist with such substantive legal assessments by publishing, for instance, a list of "non-adequate countries" with helpful information on the impact their data protection laws may have on data received from the EEA.
4. Identify and adopt supplementary measures. If the third country's laws are not deemed essentially equivalent, supplementary measures should be adopted (see below). If supplementary measures cannot be adopted, the transfer should not go ahead without notifying the competent SA. The SA may then either (i) suspend or prohibit the data transfer, or (ii) impose any other corrective measure (e.g. a fine) if the transfer is not halted.
5. Take formal procedural steps. Where required by the supplementary measure, the relevant formal procedural steps should be taken. For example, approval from the relevant SA will be needed if the supplementary measures entail modifications to the SCCs. If a transfer tool would be affected by the supplementary measure, you may need to consult or obtain approval from your competent SA. The EDPB is currently considering whether additional formalities will be needed in relation to Binding Corporate Rules (BCRs) and ad hoc contractual clauses.
6. Evaluate levels of protection. At appropriate intervals (in particular on the occurrence of any relevant developments in the data importing country), the level of protection afforded to the data transferred should be re-evaluated.
The Supplementary Measures Recommendations contain a number of examples of supplementary measures that can be used in addition to the SCCs. It is important to note that diverse measures (technical, contractual or organisational) may need to be combined to ensure an adequate level of protection to the data. Non-exhaustive examples are contained in its Annex 2.
- Encryption. The strength of any encryption used should take into account the period for which confidentiality must be preserved, and keys should be held within the EEA or an adequate jurisdiction. The encryption should be properly maintained and verified.
- Pseudonymisation. The exporter can pseudonymise the data held, so the Data cannot be attributed to a specific data subject. The data exporter should retain sole control of the algorithm or repository enabling re-identification using the additional information. This additional information should be held exclusively by the data exporter and kept separately.
- Protected recipient. The data can be sent to a protected recipient who is exempt from government access (e.g., to jointly provide medical treatment for a patient, or legal services to a client).
- Split processing. Where data is being jointly processed (using multi-party computation) between two or more independent processors, the data is split in such a way that no single processor can reconstruct the Data in whole or in part.
- Technical obligations. Contractual obligations that specific technical measures must be put in place before a transfer of data can occur.
- Transparency. Placing transparency obligations on the data importer, including the proactive disclosure of law enforcement or government requests and access.
- Specific obligations. Clauses can provide for the contractual obligation of the data importer to take specific action, such as reviewing and challenging requests by a public authority or informing a public authority of the incompatibility with the SCCs.
- Data subject rights. Enhanced contractual rights for a data subject can include certain actions requiring the data subject's consent or a subject being notified of a government request.
- Internal policies. Internal policies and regulations for the transfer of data can be adopted, which clearly allocate responsibility and highlight reporting channels.
- Transparency and accountability. Internal measures can include documenting requests from and responses to public authorities and publishing transparency reports.
- Organisational measures. Organisational measures, such as strict data access and confidentiality policies and best practices monitored under regular audits and enforced via disciplinary measures, and data minimisation methods can be put in place.
- Standards and best practice. Adoption of standards and best practice, such as strict data security and data privacy policies based on EU certification or codes of conduct.
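The pseudonymisation measure listed above can be illustrated in code. The following is an added example, not taken from the EDPB Guidance or the Commission's drafts: it assumes records with `name` and `email` fields, uses HMAC-SHA256 as one possible keyed pseudonym function, and all class and function names are hypothetical. It also checks the exported record for identifiers left behind in free-text fields, which would defeat the measure.

```python
import hashlib
import hmac
import secrets

# Assumed field names for this example; a real schema will differ.
DIRECT_IDENTIFIERS = ("name", "email")


class ExporterVault:
    """Secret key and re-identification table; stays with the exporter only."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._reid = {}  # pseudonym -> original direct identifiers

    def pseudonym(self, subject_key):
        # Keyed HMAC: without the key, the importer cannot recompute pseudonyms
        # from guessed e-mail addresses (an unkeyed hash would allow that).
        return hmac.new(self._key, subject_key.encode(), hashlib.sha256).hexdigest()

    def pseudonymise(self, record):
        pid = self.pseudonym(record["email"].strip().lower())
        self._reid[pid] = {f: record[f] for f in DIRECT_IDENTIFIERS}
        exported = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        exported["subject"] = pid
        return exported

    def reidentify(self, pid):
        return dict(self._reid[pid])


def residual_identifiers(exported, original):
    """Return exported fields that still contain a direct identifier value."""
    needles = [str(original[f]).lower() for f in DIRECT_IDENTIFIERS]
    return sorted(
        field for field, value in exported.items()
        if any(n in str(value).lower() for n in needles)
    )


# Constructed sample records (not real data).
SAMPLE = [
    {"name": "Ana Ruiz", "email": "ana.ruiz@example.com", "plan": "pro",
     "notes": "renewal due"},
    {"name": "Ben Okoro", "email": "Ben.Okoro@example.com", "plan": "free",
     "notes": "reply to ben.okoro@example.com"},
]

if __name__ == "__main__":
    vault = ExporterVault()
    for rec in SAMPLE:
        out = vault.pseudonymise(rec)
        leaks = residual_identifiers(out, rec)
        print(out["subject"][:12], "BLOCK" if leaks else "ok", leaks)
```

Only the output of `pseudonymise` would leave the exporter; the `ExporterVault` object, holding the key and the re-identification table, is the "additional information" that the measure requires to be kept separately.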
ASSESSING THIRD COUNTRIES' LAWS
In addition to the Supplementary Measures Recommendations, the EDPB has provided recommendations on how to assess whether a country's surveillance laws interfere with privacy rights granted by EU law. If the surveillance laws do interfere with privacy rights, it must be determined whether such an interference can be justified. The four EEG Recommendations are:
- Clear, Precise and Accessible. Processing should be based on rules that meet these criteria. Any interference must be justified by law, which must clearly define the scope of any limitations on fundamental rights;
- Necessity and proportionality. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
- Independent oversight mechanism. Data subjects should be able to have recourse to binding decisions that they can rely on by an independent and impartial mechanism such as a judge or another independent body (e.g. administrative authority); and
- Redress rights and notification. Individuals must have an effective remedy to satisfy their rights when they consider that they are not or have not been respected. They should be notified when their Data is accessed by a public authority, e.g. under surveillance laws, although the EDPB recognises that such notification may need to be delayed or even avoided to avoid jeopardising the purpose of the authority's tasks, and subject to adequate safeguards.
The EEG Recommendations are designed to be a framework to undertake the assessment under Step 3 above.
THE STANDARD CONTRACTUAL CLAUSES
The European Commission released its draft of the new SCCs on 12 November 2020.
Organisations relying on the existing SCCs in contracts will benefit from a transition period of one year from the new SCCs' adoption to revise existing contracts. This 'grace period' will end if the contract is otherwise revised within that year. It should be noted that businesses' obligations in relation to supplementary measures (i.e. as covered by the Supplementary Measures Recommendations) are not subject to this 'grace period'.
The new SCCs include four 'modules' to be used by businesses, depending on the transfer scenario concerned, namely:
- controller-to-controller transfers;
- controller-to-processor transfers;
- processor-to-processor transfers; and
- processor-to-controller transfers.
For the first time, the new SCCs do not require the data exporter to be established in the EEA. Therefore, non-EEA entities can also sign the SCCs as data exporters. This provides a solution to the previous gap for non-EEA controllers and processors who transfer EEA data to other non-EEA third parties.
The SCCs now include a warranty by the data exporter that "it has used reasonable efforts to determine that the data importer is able to satisfy its obligations under these Clauses" (i.e. that it has undertaken the assessments covered by the Supplementary Measures Recommendations).
The decision implementing the new SCCs also makes it clear that data subjects should be able to invoke, and where necessary enforce, the SCCs as third-party beneficiaries. This means that the parties to the SCCs will need to choose a governing law that allows for third party beneficiary rights.
An additional point to bear in mind is the extensiveness of the data processing restrictions imposed – these are likely in many circumstances to conflict with some of the data processing terms commercially agreed between the parties. Recognising the likelihood of conflict between the main contract terms and the appended SCCs, the new draft SCCs are explicit that they will take precedence over other terms in the event of conflict. As a result, it will be important to consider the interactions between the SCCs and other terms, in particular in relation to liability.
Although it is unclear whether the UK will adopt the new SCCs for transfers out of the UK once adopted, they will still be a key method of legitimising data transfers out of the EEA, including to the UK after the Brexit Transition period has ended.
WHERE DO WE GO FROM HERE?
The new SCCs and the EDPB Guidance are particularly welcome following the uncertainty created by the Schrems II judgment and the impending impacts of Brexit. For many businesses which have started undertaking TIAs of their data transfers, the EDPB Guidance in particular will provide practical recommendations in a variety of cases, albeit not all.
In particular, the fact that the new SCCs provide for scenarios where EU-based processors transfer data to non-EEA (including UK)-based controllers will be particularly helpful for UK businesses using service providers in the EU.
However, the new SCCs and EDPB Guidance will not be a 'silver bullet' for organisations using Data and struggling with international data transfers. In practice, many businesses will still find it extremely difficult, if not impossible, to assess how a government is likely to approach the exercise of its surveillance rights in any given scenario. The level of resource required to conduct a TIA (and in particular an assessment of privacy law in the territory of transfer) before appointing a new supplier could act as a deterrent to smaller organisations who are simply not resourced to take this on. It is likely that larger suppliers of services who are data importers will assist with this process (we are already starting to see this). However, it is clear from the new draft EDPB Guidance and draft SCCs that simply relying on the assurances of a data importer will not be enough to avoid liability for non-compliance.
We anticipate extensive discussion on the new SCCs and the EDPB Guidance during the consultation periods, but it is clear that the next year will need to involve significant efforts by businesses relying on international data transfers to ensure ongoing compliance with EU and UK law.