Introduction
Background
What should organisations do now?
Summary of changes


Introduction

Recently, there have been a number of important developments that affect how organisations facilitate the transfer of personal data out of the European Union in accordance with the EU General Data Protection Regulation (GDPR).

In brief, the developments are as follows:

  • A new set of official template clauses has been published by the European Commission to help organisations ensure that personal data transferred out of the European Union is protected – organisations that are considering implementing these clauses should be aware of some key dates.
  • The European Data Protection Board has released final form recommendations to help organisations assess the risks involved in transferring personal data outside the European Union and identify the appropriate supplementary measures to be implemented where needed.

Organisations subject to the GDPR that transfer personal data outside the European Union, and organisations outside the European Union that receive personal data from within it, are highly likely to be affected by these developments.

Background

On 7 June 2021 the European Commission's new standard contractual clauses (SCCs) were published in the Official Journal. In fact, the European Commission published two sets of clauses:

  • The first set is a template set of clauses for controllers and processors to implement, pursuant to article 28(7) of the GDPR.(1)
  • The second set provides appropriate safeguards for the international transfer of personal data, pursuant to article 46(2)(c) of the GDPR (new transfer SCCs).(2)

This article focuses on the second set of clauses.

The new transfer SCCs have been developed by the European Commission to replace the existing SCCs (which were last updated in 2010, under the old European Data Protection Directive 1995 regime). They have also been updated to reflect the GDPR and the European Court of Justice judgment in Schrems II(3) – in particular, the impact of local law and surveillance powers in destination countries.

The new transfer SCCs are relevant to organisations that:

  • are subject to the GDPR (either directly or indirectly); and
  • transfer, or will transfer, personal data to jurisdictions which are outside the European Union (strictly, the European Economic Area) and which are not covered by an adequacy decision from the European Commission.

The new transfer SCCs are also relevant to organisations that are receiving personal data from an organisation in the European Union (ie, data importers) – such organisations may have obligations to fulfil under the clauses too. It is not a case of it being "all on the data exporter" (a common misconception).

The new transfer SCCs are currently irrelevant for organisations that are not subject to the GDPR (eg, organisations that are based in the United Kingdom and solely subject to UK law). However, the Information Commissioner's Office is expected to publish its own clauses to cover transfers out of the United Kingdom in Summer 2021.

While the new transfer SCCs will undoubtedly be an important tool for many organisations making international data transfers of personal data, they must not be considered in a silo. This is where the European Data Protection Board's (EDPB's) recently finalised Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (EDPB recommendations) come in. The EDPB recommendations are designed to be read in tandem with the new transfer SCCs and set out a six-step plan to help organisations assess third countries and identify appropriate supplementary measures to be implemented on a case-by-case basis where needed.

What should organisations do now?

Organisations should first take the opportunity to consider more broadly the international data transfers that they are making. Having an accurate and up-to-date article 30 record of processing will greatly assist in this exercise. Then, organisations should identify which transfer tool(s) they are relying on to ensure that their transfers are compliant and protected.

Assuming that the new transfer SCCs are an appropriate tool to protect an organisation's transfer(s), it will need to audit all of the data transfer agreements that it currently has in place (internally and with third parties) and only then – where applicable – ensure that:

  • the body of those contracts is updated to refer to the new transfer SCCs;
  • the security annex is updated; and
  • the new transfer SCCs are appended or incorporated accordingly (and are complied with in practice).

In terms of implementing the new transfer SCCs, there are three key dates to be aware of:

  • The new transfer SCCs can be used to safeguard transfers from 27 June 2021 onwards.
  • The existing SCCs will not be repealed for another three months (ie, until 27 September 2021). Until that date, organisations have a choice of whether to use the existing SCCs or the new transfer SCCs to safeguard their transfers. After that date, any new contracts must use the new transfer SCCs.
  • Where the existing SCCs are used to safeguard any transfers that continue beyond 27 September 2021, these must be replaced by the new transfer SCCs by 27 December 2022.

Next, following Schrems II, organisations will need to consider whether their transfer tools are effective in offering an "essentially equivalent" level of protection for data in the place of destination. Do the laws or practices of the third country impinge on the effectiveness of the appropriate safeguards of the transfer tool(s)? Where "problematic legislation" is identified in the destination country, the EDPB recommends that the exporter consider whether it will be applied in practice to the relevant data, taking into account the importer's experience and sector.

If there are gaps in the level of protection, what supplementary measures can be implemented to address them? Annex 2 of the EDPB recommendations contains a non-exhaustive list of examples of supplementary measures. If those gaps cannot be plugged, organisations will need to consider not going ahead with the transfer or suspending it (as applicable).

It is then a case of taking the practical and procedural steps required to implement the relevant supplementary measures. Organisations will have to regularly re-evaluate the level of protection given to transferred data and repeat the stages above as needed.

Summary of changes

The new transfer SCCs contain similar obligations and restrictions as were in place under the existing SCCs, but there are also several differences. The key changes are summarised below.

Broader scope covering new data transfer scenarios
The new transfer SCCs have a broader scope of coverage. They are modular in nature, enabling importers and exporters to select the clauses that apply to the type of data transfer(s) relevant to them.

Whereas previously only controller-to-controller and controller-to-processor transfers were covered, the new transfer SCCs include four modules to cover the following types of transfer arrangement:

  • controller-to-controller;
  • controller-to-processor;
  • processor-to-processor; and
  • processor-to-controller (which assumes that the controller is instructing the processor – an issue for another day).

Practical impact
The new transfer SCCs are now available for processors to enter into directly, which was never previously possible. This means that service providers in the European Union can now be proactive in ensuring adequate protection for their customers' data when they use sub-processors in other jurisdictions.

The intention behind the new modular format is that organisations will be able to put in place transfer safeguards to cover all types of transfers more easily.

However, using the more bespoke new transfer SCCs will involve a more labour intensive papering exercise, as it will not just be a matter of appending the clauses to a data processing agreement. Organisations will have to review the new transfer SCCs and select specific clauses, based on the module relevant to their transfer.

While it is helpful that the new transfer SCCs cover a wider range of transfers, they have left some critical areas ambiguous. The new transfer SCCs clarify that they cannot be used if the importer's processing is itself subject to the GDPR. However, they do not clarify whether SCCs are even needed in that situation (ie, whether this situation counts as a transfer at all). Recital 7 of the Commission implementing decision adopting the new transfer SCCs even says that use of the clauses is "without prejudice to the interpretation of the notion of international transfer", which could be read as an acknowledgement of this grey area.

Application to exporters based outside EU and reverse transfers (processor-to-controller)
A data exporter no longer needs to be based in the European Union to be able to execute the new transfer SCCs.

The new transfer SCCs also cover the scenario where personal data is transferred from an exporter based outside the European Union to an importer based in the European Union and then transferred back to the non-EU exporter.

Practical impact
This means that exporters based outside of the European Union but subject to the GDPR may use the new transfer SCCs when transferring personal data to other entities outside the European Union (eg, a US entity transferring data belonging to EU individuals in its capacity as a controller to a processor entity based in India).

These new options seek to address the "transfers back conundrum"(4) and put a stop to the creative "free drafting" endeavours previously deployed by lawyers to cover such scenarios.

New transfer SCCs can be used by multiple parties
The new transfer SCCs can be entered into by multiple parties and contain a new "docking clause", enabling additional parties to sign up to the new clauses at any point.

Practical impact
This change will be particularly useful for multinational organisations with complex intra-group data sharing arrangements. However, the logistics of using the prescribed appendix and obtaining "agreement of the Parties" may prove to be complicated.

Changes to reflect Schrems II judgment
Impact of local laws
Exporters and importers will both need to warrant that they have no reason to believe that the laws and practices in the destination country, including disclosure or surveillance requirements, will prevent the data importer from fulfilling its obligations under the new transfer SCCs. Further, an importer must notify the data exporter if it has reason to believe that it has become subject to any laws or practices that prevent it from fulfilling those obligations.

Transfer impact assessments
A risk-based assessment must be carried out and made available to the relevant supervisory authority on request. The impact assessment requirement already exists for exporters post-Schrems II, but including it in the new transfer SCCs makes it a contractually enforceable requirement on importers that are not otherwise subject to the GDPR. However, interestingly, this is not an obligation that is enforceable by data subjects.

The impact assessment must, among other things, consider the laws and practices of the third country of destination, such as those requiring disclosure of or granting access to data to public authorities. The new transfer SCCs now clarify that the parties may consider relevant and documented practical experience with prior instances of these requests from public authorities or the absence thereof.

Challenging requests from public authorities
The clauses impose new obligations on importers about how they handle requests for personal data from public authorities. The obligations require the importer to notify the data exporter of the request and to review, document and challenge the request to the extent legally permissible.

Practical impact
Parties will need to assess what (if any) local requirements in the destination country may prevent them from meeting their obligations under the new transfer SCCs or contradict them.

Organisations will also need to consider any problematic legislation in light of the EDPB's recommendations and determine what supplementary measures may be required.

Audits
Under the new transfer SCCs, an exporter may take into account any relevant audit certifications that the importer holds when exercising its audit rights against the importer.

Practical impact
This is a positive development for processor importers in particular and will be most impactful when a processor importer is a third party (as opposed to a group company).

More detailed security measures to be taken and documented
The new transfer SCCs are clearer and more prescriptive regarding the practical security measures that need to be in place and set out in Annex II for compliance.

Practical impact
While this is a positive change for organisations seeking clarity on the security measures expected to protect personal data, the prescriptive requirements could also be burdensome for organisations that are satisfied with their existing security measures and reluctant to change them.

New transfer SCCs prevail over other commercial terms but are unclear regarding limited liability
The parties may supplement the new transfer SCCs with additional obligations, as required for the relevant data transfer arrangement. However, in the event of a conflict between the new transfer SCCs and any other terms agreed between the parties in respect of the transfer, the new transfer SCCs will prevail.

The new transfer SCCs echo the joint and several liability provisions already contained in article 82 of the GDPR. However, the new transfer SCCs are silent on whether a cap or limit on liability (between the parties) would "contradict" the provisions of the new transfer SCCs.

Practical impact
The precedence of the new transfer SCCs over other commercial terms agreed between the parties provides a level of certainty. However, limitation of liability is likely to continue to be hotly negotiated by parties to data transfer arrangements, given the lack of clarity provided.

For further information on this topic please contact Paula Barrett at Eversheds Sutherland's London office by telephone (+44 20 7919 4500) or email. Alternatively, contact Michael Bahar at Eversheds Sutherland's Washington DC office by telephone (+1 202 383 0100) or email, Olaf van Haperen at Eversheds Sutherland's Amsterdam office by telephone (+31 20 5600 600) or email, or Nils Müller at Eversheds Sutherland's Munich office by telephone (+49 89 54565 0) or email. The Eversheds Sutherland website can be accessed at www.eversheds-sutherland.com.

Endnotes

(1) For further information, please see here.

(2) For further information, please see here.

(3) For further information, please see "Schrems II Judgement: EU:US Privacy Shield Framework for personal data transfers is invalidated; Standard Contractual Clauses need re-assessment…".

(4) For further information, please see "Speed read: Part 2. The 'transfers from EU back in to the UK' conundrum…".

Marie McGinley, partner, Gayle McFarlane, partner and Philip James, partner, assisted in the preparation of this article.