The European Data Protection Board (EDPB) has finally released its much anticipated guidance following the Schrems II decision in July 2020, which invalidated the "Privacy Shield" system that allowed the transfer of personal data to the United States. EDPB also released draft new Standard Contractual Clauses (SCCs) that allow for data transfers from processors who are exporters as well as new SCCs for controllers who are exporters.
The draft processor-to-sub-processor SCCs released in 2014 did not receive approval. Many European-based processors were therefore forced to use the controller-to-processor SCCs instead. The new SCCs are intended to be a flexible agreement, which will be welcomed by many organizations. Additionally, the UK government and European Commission have agreed on an extended period to allow for the unrestricted flow of personal data from the European Union (EU) to the United Kingdom (UK) for up to six months from 1 January 2021 following Brexit and pending the UK’s application for an adequacy decision.
The UK’s withdrawal from the EU finally came into substantive effect after the end of the transitional period on 1 January 2021. From 1 January 2021, the UK’s statutory data protection framework consists of a domestic version of the General Data Protection Regulation (GDPR), known as UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (implementing the European ePrivacy Directive, which will be replaced by the ePrivacy Regulation covering the EU). For data protection purposes, no substantive changes come into effect immediately. The anticipated approval of the UK’s forthcoming application for adequacy would then allow for the free flow of personal data from the EU to the UK after the end of the extended period (of up to six months from 1 January 2021). If the UK’s adequacy application is not approved, there would then be a restriction on transferring personal data from the EU to organizations in the UK (which would be officially classed as a “third country”). The options for allowing the transfer of personal data to third countries include the execution of SCCs.
The new draft SCCs consist of a modular template covering four scenarios. The draft SCCs allow for the following transfers:
The draft SCCs also obviate the need for two documents for processor transfers, i.e., the SCCs and a data processing agreement, as they include the processing obligations which are required by Article 28 of the GDPR.
The SCCs include a clause (described as being "optional") allowing them to evolve during their execution by offering third parties the possibility to join the SCCs, at any time, subject to the agreement of the parties.
The new SCCs are likely to provide a flexible and business-friendly mechanism for data transfers. We anticipate that they will be approved in 2021.
Data exporters should also be aware that the old SCCs are valid for a year after the new SCCs are approved. After that time, the old SCCs will no longer be approved, meaning that organizations (both controllers and processors) will need to replace them with the new versions.
EDPB Guidance - A Six-Stage Process
The EDPB has published its guidance on how to assess data transfers after the Schrems II decision.
In Schrems II, the Court of Justice of the European Union (CJEU) confirmed that SCCs remain valid to transfer personal data to third countries outside the EU. The CJEU, however, also reminded organizations that they must undertake a risk assessment of the use of SCCs and, where identified by the risk assessment, implement additional safeguards to the SCCs to ensure an essentially equivalent level of protection of the personal data being transferred to the relevant third countries. Without these safeguards which give equivalence to protect the personal data, the transfers are prohibited, even when using SCCs.
The EDPB’s recommendations have two parts:
- the process for the risk assessment and, in particular, setting out some measures that could supplement transfer tools to ensure compliance with the EU level of protection of personal data (still in draft); and
- the process to assess the legal regime of a third country to which personal data is being sent (which is already in final version). This is referred as the “European Essential Guarantees” for surveillance measures.
The EDPB proposes a six-stage process to assess risks of the data transfers:
- Step 1: Identifying the flow of data transfers (including any onward transfers)
- Step 2: Identifying the transfer mechanisms, e.g., SCCs, BCRs, derogations from GDPR transfer restrictions or adequacy decisions
- Step 3: Where relying on SCCs or BCRs, assessing whether the transfer mechanism is effective in light of the European Essential Guarantees for surveillance measures
- Step 4: Adopting additional safeguards or supplementary measures where necessary
- Step 5: Considering whether any procedural steps are required, e.g. approval by a supervisory authority
- Step 6: Re-evaluating the process at appropriate intervals
The recommendations and supplementary measures proposed by the EDPB are technical (e.g., using enhanced encryption or pseudonymization), contractual (e.g., requiring the importer to challenge access requests or the publication of transparency reports on government access), and/or organizational (e.g., having an internal policy in place on how to handle government access requests within the organization). The recommendations indicate that technical security measures, like encryption, will not be sufficient for remote access to EU hosted data or cloud-based solutions in countries which do not meet the European data protection standards, such as the United States. EU established businesses will implement additional contractual and organizational protections, as well as technical measures, to demonstrate essential equivalence. The measures are focused on assisting companies in a practical manner but they may be difficult to implement in practice. They are likely to increase the cost for compliance for most organizations.
What to Expect in 2021?
We expect final versions of the recommendations and supplementary measures to be finalized within the next six or so months of 2021. The draft SCCs will also be finalized in the same timeframe. We should also know whether the UK’s application for adequacy was successful or if organizations need SCCs for their EU-to-UK data flows.
Practical Steps to Take Now
We recommend that organizations review the data flows from EU and UK exporters to non-EU importers, as well as the EU-to-UK- data flows. Any processor arrangements that are currently being managed as controller-to-processor SCCs and separate data processor agreements should also be reviewed with a view to replacing them with the new processor-to-processor SCCs and data processing provisions in a combined document or whether any further contractual protections are necessary.