Data Transfers from the EU: What Does "Good" Look Like?
Client Alert | 10 min read | 11.17.20
Last week was another important week for privacy professionals: the European Data Protection Board (EDPB) issued its long-awaited recommendations on the so-called “supplementary measures” together with recommendations on the European Essential Guarantees for surveillance measures. Not to be outdone, the European Commission (EC) issued its even-longer-awaited updated standard contractual clauses. The first and third documents are open for feedback until November 30, 2020, and December 10, 2020, respectively.
Why Are These Documents So Important?
One of the cornerstones of the European Union (EU) is the free movement of goods, services, capital, persons, and – quite important in today’s digitalized world – personal data. The European General Data Protection Regulation (GDPR) created a harmonized legal framework and, thus, one single territory without regulatory obstacles for the transfer of personal data from one EU Member State to another.
To make this uniform approach possible, the bar was set high: all EU Member States needed to provide a similarly solid level of protection of personal data. As the right to the protection of personal data is enshrined in the EU Charter of Fundamental Rights, the EU legislator wanted to make sure that such protection would not be diminished when data leave the EU’s protected environment by imposing such obligation upon the organizations that decide to send data outside the EU. Or, as the EDPB puts it: the protection “must travel with the data wherever it goes.”
While there are derogations for specific situations, the options to lawfully transfer personal data are rather limited: either the data are sent to a country that is considered to provide a similar, and thus “adequate”, level of protection or, if this is not the case, “appropriate safeguards” must be implemented. In practice, companies massively opted for the most straightforward solution of Standard Contractual Clauses (SCCs), which in essence is a standard-language contract in which both the exporting and importing organization commit to set the bar for the protection of personal data outside the EU as high as within the EU.
Unfortunately, this data transfer mechanism is flawed for two main reasons: firstly, it has not been updated and, thus, still refers to the pre-GDPR legal framework, and secondly, since the CJEU’s Schrems II judgment, it is no longer sufficient on its own for transfers to countries lacking an “adequacy” decision from the EU Commission, which means that “supplementary measures” must be taken. The documents that have now been issued address both of these challenges, which means that their importance cannot be overstated.
Supplementary Measures
The EDPB was very clear when it issued its FAQ document after the Schrems II judgment: apart from appropriate safeguards such as SCCs and Binding Corporate Rules (not discussed herein), supplementary measures should be put in place when a data exporter and a data importer conclude that the legal framework of the data importer’s country does not provide an adequate level of protection. For several months it was unclear what such measures should look like, until now.
The EDPB’s recommendations provide a series of steps to follow, potential sources of information, and some examples of supplementary measures that could be put in place.
The EDPB recommends a structured, stepped approach. The first three steps are the ones that we also recommended in our client alert of July 16, i.e., the mapping of the data transfers and corresponding transfer mechanisms and the assessment of the legal framework of the country of destination, while the last three steps relate to adopting and (re-)evaluating the supplementary measures.
The EDPB clarifies that supplementary measures could be of contractual, technical or organizational nature, which is in line with what we recommended in our recent webinar on international data transfers.
Some examples are provided in Annex 2 of the recommendations:
A non-exhaustive list of technical measures that could potentially be effective in certain scenarios/use-cases to ensure an essentially equivalent level of protection:
| Use Case | Technical Measures |
| --- | --- |
| Data storage for backup and other purposes that do not require access to data in the clear | |
| Transfer of pseudonymized data | |
| Encrypted data merely transiting third countries | |
| Protected recipient | |
| Split or multi-party processing | |
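The “transfer of pseudonymized data” use case above rests on one condition: the additional information needed to attribute the data to a person stays with the exporter in the EU, so the importer (and any public authority that obtains the data from the importer) only ever sees tokens. The following added example, which is not from the EDPB annex or the client alert, shows one way to build that split: direct identifiers are replaced by a keyed HMAC-SHA256 pseudonym, and both the key and the re-identification table are retained by the exporter. The record fields, the sample data and the choice of `customer_id` as the stable identifier are all hypothetical.

```python
"""Pseudonymization before export, with re-identification data kept by the exporter.

Added illustration; the records and field names are constructed, not real data.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (hypothetical data, not from the client alert).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "anna@example.org", "country": "BE", "plan": "pro"},
    {"customer_id": "C-1002", "email": "ben@example.org", "country": "NL", "plan": "basic"},
    {"customer_id": "C-1001", "email": "anna@example.org", "country": "BE", "plan": "pro"},
]

# Fields that identify a person directly; they never leave the exporter in the clear.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def new_pseudonym_key() -> bytes:
    """Secret used to derive pseudonyms. It is generated and held by the exporter only."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, value: str) -> str:
    """Keyed hash of an identifier. Without the key the token can be neither
    reversed nor recomputed from a guessed identifier (unlike a plain hash)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records, key):
    """Return (exported_records, lookup_table).

    exported_records is what goes to the data importer: the direct identifiers are
    replaced by a single "subject" token. lookup_table maps tokens back to the
    original identifiers and is the "additional information" the exporter keeps
    in the EU, so that only the exporter can re-identify a record.
    """
    exported = []
    lookup = {}
    for rec in records:
        # Derive the token from the stable identifier so the same person gets the
        # same token across records (needed for analytics on the importer side).
        token = pseudonym(key, rec["customer_id"])
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        exported.append({"subject": token, **payload})
    return exported, lookup


def reidentify(exported_record, lookup):
    """Exporter-side only: restore the identifiers using the retained table."""
    identifiers = lookup[exported_record["subject"]]
    payload = {k: v for k, v in exported_record.items() if k != "subject"}
    return {**identifiers, **payload}


def leaks_identifiers(exported_records, original_records) -> bool:
    """Pre-transfer check: no identifier field, and no identifier value, may remain
    anywhere in the records that are about to leave the exporter."""
    secret_values = {
        str(rec[field]) for rec in original_records for field in DIRECT_IDENTIFIERS
    }
    for rec in exported_records:
        if any(field in rec for field in DIRECT_IDENTIFIERS):
            return True
        if any(str(v) in secret_values for v in rec.values()):
            return True
    return False


if __name__ == "__main__":
    key = new_pseudonym_key()
    outbound, table = pseudonymize(SAMPLE_RECORDS, key)
    assert not leaks_identifiers(outbound, SAMPLE_RECORDS)
    for row in outbound:
        print("to importer:", row)
    print("re-identified in the EU:", reidentify(outbound[1], table))
```

The design choice worth noting is the keyed hash: a plain SHA-256 of an e-mail address is not a pseudonym in any useful sense, because anyone holding a list of candidate addresses can recompute it. With the HMAC key and the lookup table confined to the exporter, the importer’s copy is useless for attribution even if it is handed over in full, which is exactly the property the use case requires.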
Some scenarios/use cases in which no technical measures could be identified by the EDPB to ensure this level of protection:
- Transfer to cloud services providers or other processors which require access to data in the clear; or
- Remote access to data for business purposes.
Examples of contractual measures may relate to:
- Providing for the contractual obligation to use specific technical measures;
- Transparency obligations;
- Obligations to take specific actions; or
- Empowering data subjects to exercise their rights.
Examples of organizational measures may consist of:
- Internal policies for governance of transfers, especially with groups of enterprises;
- Transparency and accountability measures;
- Organization methods and data minimisation measures; or
- Adoption of standards and best practices.
In Annex 3, the EDPB provides a quite limited list of possible sources of information to assess a third country.
Standard Contractual Clauses
As mentioned above, updating the outdated SCCs was long overdue. EU Commissioner Reynders referred to “modernized” SCCs on several occasions, and while the draft document is not the final version yet, we can certainly assess whether we can indeed talk about a “modernization.”
Privacy professionals who have been working – and struggling – with the current versions for many years will certainly welcome the following changes:
- one single document: may be used by controllers or processors for transfers to controllers or processors;
- entire data processing chain covered: may also be used for onward transfers and for transfers from processors to subprocessors;
- extraterritoriality: may also be used by non-EU-based controllers or processors;
- modular approach: general clauses combined with clauses for specific scenarios, which allows organizations to tailor the document to the specific situation and each party’s roles and responsibilities; and
- multi-party approach: may now be used by several controllers or processors and new parties can opt-in by adhering to the existing document.
While these changes may feel like a breath of fresh air when compared to the current version, and while they should certainly be considered as an important improvement, these are arguably not really innovative changes from a European contract law point of view.
Furthermore, some additional obligations will certainly be challenging from an operational point of view. For example, individuals (so-called “data subjects”) must always be informed about the identity of the data importer, which goes a step further than the current transparency obligations stemming from the GDPR, which require informing them about the “categories” of recipients and “the fact” of an (intended) international data transfer.
Additionally, onward transfers are more strictly regulated. Barring a limited number of exceptions such as the consent of the data subject, onward transfers are only allowed to a party that is or agrees to be bound by the SCCs.
The shadow of the Schrems II judgment can clearly be seen when reading the clauses referring to the local laws affecting compliance with the SCCs and the obligations of the data importer in case of government access requests. The draft Commission decision authorizing the new SCCs explicitly includes a placeholder for the EDPB guidance on the required “supplementary measures” discussed above, and reiterates the requirement that the parties to any transfer must “take into account the specific circumstances of the transfer” when determining whether the appropriate level of protection is provided. Clause 2(b)(ii) of the new SCCs requires importers and exporters to consider “relevant practical experiences with prior instances” of requests or “the absence of requests for disclosure” as part of this analysis – a more explicit requirement that the parties consider the factual question of whether the transferred data are likely to actually be subject to a request, rather than solely considering which national law may apply to an importer.
Additionally, the draft decision emphasizes that data importers must notify both data subjects and data exporters, should an importer receive a legally binding request from a public authority, or otherwise become aware of any direct access by public authorities to personal data transferred.
And lastly, it is not surprising that GDPR principles such as accuracy, data minimization and storage limitation are called out specifically, and the focus on third-party beneficiary rights for data subjects is also in line with the expectations, as well as the fact that SCCs should provide for rules on liability between the parties and with respect to data subjects, as well as rules on indemnification between the parties.
So now that we have this new kid on the block, what about the old SCCs? There will be a transitional period of one year during which organizations can still rely on existing SCCs, unless circumstances change. Note, however, that the need for supplementary measures imposed by Schrems II applies to both the old and the new SCCs.
In summary, the new SCCs provide a more workable instrument for international data transfers and, if approved, organizations will be able to start using them in the beginning of 2021. It is, however, more than ever clear that compliance with international data transfer obligations and restrictions is not a box that can be checked just by entering into an agreement. There is homework to be done, both before and after the transfer, and with both regulators and privacy activists looking over their shoulders, organizations certainly know where to focus their data protection compliance efforts.