The European Data Protection Board has finalised its guidance on what steps it expects organisations to take when using Standard Contractual Clauses following last year's Schrems II ruling. While the Information Commissioner is no longer part of the EDPB, the guidance will be relevant for organisations that make transfers that are subject to GDPR. It may also give an indication of the position that the ICO will take on Schrems II.
In July 2020, the European Court of Justice issued its judgment in the Schrems II case. While the case upheld the validity of Standard Contractual Clauses for transfers of personal data outside the EU/EEA, the judgment made clear that data exporters need to assess the laws in the destination territory to understand whether they undermine the rights of individuals under EU data protection law. Depending on the outcome of that assessment, the data exporter may need to put in place supplemental measures. You can read more about the Schrems II case in our summary.
In November 2020, the EDPB published for consultation its recommendations on Supplemental Measures, together with its recommendations on assessing whether the laws of the destination territory are essentially equivalent to EU law. You can read more about the draft recommendations in our summary.
The post-Brexit transition period ended on 31 December 2020. While the ICO is no longer part of the EDPB, the guidance may give an indication as to the approach that the ICO may take. The guidance is also relevant to organisations that may have group companies that are subject to GDPR or that are otherwise subject to GDPR under the extra-territorial provisions.
What has changed in the final Schrems II guidance?
The finalised recommendations on supplementary measures retain the same six key steps as the initial version published for consultation.
However, there are a number of notable changes, many of which will be welcomed by data exporters as providing a more proportionate approach.
In particular, Step 3 (assess the law and/or practices in force in the third country) has been expanded to provide more guidance on the assessment of the third country's practices and the weight that can be placed on this. The assessment of practices is relevant for determining whether:
- laws in the third country that meet EU standards are not applied or complied with in practice
- there are practices incompatible with the commitments in the transfer tool (ie SCCs or BCRs) where legislation in the third country is lacking
- the transferred data and/or importer falls or may fall within the scope of "problematic legislation".
The EDPB says that in the first two situations the exporter either needs to suspend the transfer or put in place adequate supplementary measures.
However, in the third situation, it is now open to the exporter to proceed without putting in place supplementary measures if it considers that it has no reason to believe that "the relevant and problematic legislation will be interpreted and/or applied in practice so as to cover" the transfer or importer (including its sub-processors). As part of this assessment, the exporter may look at the experience of other importers in the same sector and/or transfers of similar data. The absence of prior requests from law enforcement to the importer can be considered, but it cannot be a decisive factor in the assessment. It is essential that the exporter can demonstrate, and documents, the basis for this conclusion.
This change in emphasis potentially enables exporters to apply a proportionate assessment of whether problematic laws are likely to be exercised in relation to the specific transfer that they are looking to make. The key factors here are likely to be the identity and nature of the importer and the personal data that is actually being transferred to that importer or its processors or sub-processors.
How does this apply to importers that are subject to s.702 of FISA?
This change is also reflected in an amendment to the example where the data importer is subject to section 702 of FISA (the US law that was much discussed in Schrems II). Section 702 is the law that enables US law enforcement to mandate information from telecommunications providers (including cloud service providers and social media companies) in relation to non-US citizens.
Previously, the EDPB said that if the importer is subject to section 702 then the only way a transfer could be lawful is if encryption is used to prevent the importer having access to the unencrypted data.
Now the example adopts the approach set out above. Relevant questions might include assessing:
- Whether publicly available information shows that there is a legal restriction on providing information about requests for data (or the absence of requests).
- Whether the importer has confirmed that it has (or has not) received requests in the past.
- Whether publicly available information reveals that other importers in the same sector have received requests for access to similar data.
If the assessment of practice is that section 702 of FISA does not impinge on the transfer tool then a transfer can be made without any supplemental measures. Alternatively, if the transfer tool is impinged, then appropriate supplementary measures should be adopted. However, the absolute requirement to use encryption is no longer included in the guidance.
While the finalised guidance provides more flexibility, these assessments will not be straightforward. They will require careful consideration and independent advice to assess the position in relation to each proposed transfer. Statements provided by the exporter as to practice should be critically assessed and validated using independent sources.
You can download the guidance from the EDPB website: