Takeaways

Since the Schrems II decision, businesses have been in a quandary as to what to do regarding international data transfers.
The EDPB has now issued “roadmap” guidance regarding supplementary measures to be taken to legally transfer data outside the EEA.
Data exporters should take steps now to revisit their practices, policies and documentation, in particular to identify what (if any) supplementary measures they need to implement.

On November 11, 2020, the European Data Protection Board (EDPB), which represents European supervisory authorities, published its eagerly awaited recommendations on what “supplementary measures” data exporters should bear in mind regarding international data transfers following the judgment of the Court of Justice of the European Union (CJEU) in Schrems II (the “Recommendations”). At the same time, the EDPB published recommendations on the European Essential Guarantees for surveillance measures, which supplement the Recommendations (the “EEG Recommendations”).

A day later, the European Commission released long-awaited draft standard contractual clauses (SCCs) for the transfer of data to third countries (“Draft SCCs”).

The Recommendations and EEG Recommendations are in draft form and open for public consultation until November 30, 2020. The Draft SCCs are open for comment until December 10, 2020.

As a reminder, in the Schrems II judgment, the CJEU clarified that organisations relying on Article 46 transfer tools (including the SCCs and Binding Corporate Rules) to transfer personal data outside the European Economic Area (EEA) must verify, on a case-by-case basis and, as appropriate, in collaboration with data importers, whether the law of the importer’s country ensures a level of protection for the personal data that is essentially equivalent to that offered by the GDPR. If not, data exporters need to assess whether they can implement supplementary measures to help ensure the requisite level of protection. The CJEU did not provide any detail as to what such supplementary measures should include.

In the Recommendations, the EDPB offers data exporters a “roadmap of [six] steps to take in order to find out if [the data exporter] need[s] to put in place supplementary measures to be able to legally transfer data outside the EEA”:

Step 1: Mapping of transfers. The first step is for data exporters to map their international transfers to understand what data they are transferring out of the EEA to third countries.

Step 2: Identify the transfer tools relied on. The second step is for data exporters to identify the transfer tools relied on for their international transfers. These may include adequacy decisions, Article 46 transfer tools (including SCCs and Binding Corporate Rules), or derogations under Article 49 of the GDPR.

Step 3: Assess the legal system of the recipient country. Where the data exporter is relying on an Article 46 GDPR transfer tool (including SCCs and Binding Corporate Rules), it should then assess whether that transfer tool ensures a level of protection in the third country that is essentially equivalent to that guaranteed in the EEA—in other words, the transfer tool must be effective in practice. In making the assessment, the data exporter should consider the EEG Recommendations which identify four European Essential Guarantees that must be respected to make sure third country surveillance measures do not interfere with privacy rights of EU data subjects.

Step 4: Adopt supplementary measures as necessary. If the assessment under Step 3 reveals that the Article 46 GDPR transfer tool is not effective, then data exporters should consider, where appropriate in collaboration with the data importer, if supplementary measures could ensure that the data transferred is afforded in the third country a level of protection essentially equivalent to that guaranteed in the EEA.

Examples of supplementary measures include encryption with keys stored in the EEA or a country which has received an adequacy decision, pseudonymisation, split or multiparty processing, contractual security obligations, transparency obligations, reinforced audit rights, requiring the adoption of internal governance policies, etc.

Step 5: Take any procedural steps required. The data exporter must then take any procedural steps required to implement the effective supplementary measures.

Step 6: Reevaluate at appropriate intervals. Finally, the data exporter must monitor, on an ongoing basis, and where appropriate in collaboration with data importers, developments in the third country to which the data has been transferred.

Draft SCCs

On November 12, 2020, the European Commission released new Draft SCCs which, once finalised, will replace the predecessor SCCs set out in Decisions 2001/497/EC and 2010/87/EU.

Whereas the European Commission previously maintained two sets of SCCs, the Draft SCCs take a “modular” approach. In practice, parties will have the option to select from different clauses in order to build an appropriate set of SCCs depending on the nature of the data-sharing relationship in question, i.e., controller to processor, controller to controller, processor to processor, and processor to controller transfers (a welcome development for many).

Some further useful points to note are as follows:

i. The Draft SCCs bring into clear scope data exporters not located within the European Union, but subject to the GDPR.

ii. As with the predecessor SCCs, data importers must list out the security measures in place to protect personal data once received. Helpfully, Annex II to the Draft SCCs lists out examples of the kinds of security measures which supervisory authorities would expect to see.

iii. The Draft SCCs appear to permit retention of personal data by data importers following the end of the provision of services where local law so requires. This is seemingly at odds with the GDPR, which states that non-EEA processors should only be permitted to retain data where required to do so by EU or Member State law. It will be interesting to see if this inclusion survives the consultation period.

iv. The Draft SCCs are comprehensive in nature, arguably leaving little room for negotiation of front-end commercial terms. On the basis that the terms of the Draft SCCs are confirmed to prevail where a conflict arises, parties must be careful that any commercial terms agreed do not conflict with the Draft SCCs (e.g., around audit rights and liability).

v. In processor-to-processor relationships, data exporters are required to list out all controllers for which they act as processors. In complex processing arrangements, this could be hundreds of controllers.

Since the Schrems II decision “shooting down” the Privacy Shield, businesses have been in a quandary as to what to do regarding international data transfers. The Recommendations provide some welcome guidance. Data exporters should take steps now to revisit their practices, policies and documentation, in particular, to identify what (if any) supplementary measures they need to implement.

Aside from impacting U.S. businesses with European dealings, this will also potentially impact transfers from the EEA to the UK following the end of the Brexit transition period (after December 31, 2020). As things stand, from January 1, 2021, the UK will be a “third country” from an EU law perspective. It is currently not certain whether the European Commission will give the UK a data adequacy decision, particularly given recent decisions by the CJEU on surveillance practices and the wider political stance and trade negotiations between the UK and the EU.

Turning to the Draft SCCs, consultation is open until December 10, 2020. As things stand, there will be a one-year transition period from the date on which the Draft SCCs come into force (currently estimated to be the first half of 2021). Once finalised, data exporters will need to undertake a contract remediation project to identify and update any contracts implementing the predecessor SCCs. Best advice is to take steps now to understand what your organisation needs to do.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.