In the wake of the decision of the Court of Justice of the European Union (CJEU) in Schrems II, controllers and processors have been working closely with legal advisors to find a compliant way to transfer personal data outside of the European Economic Area (EEA).

As discussed in our article here, the CJEU found in Schrems II that the validity of Standard Contractual Clauses (SCCs), the popular model contract many companies rely upon to transfer personal data outside of the EEA, may require "supplementary measures" in certain instances where the laws of the transfer destination country do not afford a "level of protection essentially equivalent" to that guaranteed within the EU by the GDPR.

This week saw a number of welcome developments and the publication of guidance by:

  • the European Data Protection Board (EDPB) on supplementary transfer tools to ensure compliance with the EU level of protection of personal data (Supplementary Measures Guidance – available here). The Supplementary Measures Guidance has been published in draft form and is open for public consultation.
  • the EDPB on essential guarantees for surveillance measures (Essential Guarantees Guidance – available here). The Essential Guarantees Guidance has been adopted outright.
  • the European Commission (Commission) on new draft SCCs (Draft SCCs – available here). The Draft SCCs have been published in draft form and are open for public consultation.

In this note, we look at the implications of these developments for international data transfers.

1. Supplementary Measures Guidance

The Supplementary Measures Guidance opens with a reminder that “transferring personal data to third countries cannot be a means to undermine or water down the protection it is afforded in the EEA”. The Supplementary Measures Guidance sets out the steps that entities transferring personal data outside of the EEA (data exporters) should adopt in order to comply with the GDPR principle of accountability. Data exporters must:

  1. know the personal data being transferred and conduct data mapping
  2. verify the transfer tools (e.g. SCCs, Binding Corporate Rules etc.) being used to facilitate the transfer
  3. assess the law or practice of the transfer destination country to ensure that the effectiveness of the appropriate safeguards of the relevant transfer tool are not impinged
  4. adopt supplementary measures as necessary. The Supplementary Measures Guidance includes an annex which provides a non-exhaustive list of sample supplementary measures
  5. take any formal procedural steps to adopt supplementary measures (this includes obtaining the authorisation of the competent supervisory authority if the parties intend on modifying the SCCs), and
  6. re-evaluate at appropriate intervals the protections in place for international transfers.

2. Essential Guarantees Guidance

The Essential Guarantees Guidance clarifies in which circumstances surveillance measures permitting access to personal data by national security agencies or law enforcement authorities can be considered a justifiable interference. The EDPB considers that the applicable legal requirements to make limitations to data protection rights justifiable can be summarised in four "Essential Guarantees" which are:

  1. processing should be based on clear, precise and accessible rules
  2. necessity and proportionality with regard to the legitimate objectives pursued needs to be demonstrated
  3. an independent oversight mechanism should exist, and
  4. effective remedies need to be available to the individual.

The Essential Guarantees are key criteria for any assessment of a transfer destination country's surveillance laws.

3. Draft SCCs

The Draft SCCs have a "modular" format designed to cover four types of data transfer scenarios:

  1. controller to controller (previous facilitated by the SCCs set out in the annex to Commission decision 2004/915/EC)
  2. controller to processor (previous facilitated by the SCCs set out in the annex to Commission decision 2010/87/EU)
  3. processor to sub-processor, and
  4. processor to controller.

Commentators have welcomed that, for the first time, the Draft SCCs deal with data transfers made by a processor in its role as a data exporter. This development will obviate the need to include agency language in data transfer agreements where a processor is acting as a data exporter. Under the current SCCs, it is necessary to appoint the processor as an agent of the controller for the limited purpose of entering into the SCCs for and on behalf of the controller as data exporter.

Draft SCCs – a way forward for international transfers

Parties using the Draft SCCs will still have to take "due account" of certain factors before transferring the personal data outside of the EEA. These factors include:

  1. specific circumstances of the transfer, including the content and duration of the contract; the scale and regularity of transfers and the length of the processing chain
  2. laws of the transfer recipient country in light of the circumstances of the transfer, including those requiring disclosure of data to or authorising access by public authorities, as well as the applicable limitations and safeguards, and
  3. any safeguards in addition to those under the Draft SCCs, including the technical and organisational measures applied during transmission and to the processing of the personal data in the country of destination.

The controller / processor recipient of the personal data, or "data importer", must make "best efforts" to provide the data exporter with relevant information and cooperate with the data exporter for continued compliance with the Draft SCCs.

Next Steps

The public consultation for the Supplementary Measures Guidance closes on 30 November 2020 and the Draft SCCs closes on 10 December 2020. We recommend that data exporters commence data mapping in line with step 1 of the Supplementary Measures Guidance. On finalisation of the materials by the EDPB and Commission, further steps can be assessed and implemented as necessary.