European Data Protection Board provides detailed guidance on international data transfers and use of new Model Clauses, David Varney

Last week the European Data Protection Board (“EDPB”) published its proposed Recommendations for public consultation (along with an accompanying explanatory press release) setting out how organisations can transfer data to third countries outside of the EU in a GDPR-compliant manner by use of the Standard Contractual Clauses (the “SCCs”, also commonly known as the ‘model clauses’), as well as providing a draft version of a revised set of SCCs (also for consultation purposes).

Both the Recommendations and revised SCCs are sorely needed following July’s Schrems II ruling from the Court of Justice of the EU (“CJEU”), which invalidated the Privacy Shield as a legal mechanism for transfers of data between Europe and the USA, and also called into question the efficacy of the SCCs and therefore the ability of European businesses to use the SCCs as a legal basis to lawfully transfer data internationally.

This is a developing area of law and the new Recommendations from the EDPB are only the start of the process of clarifying the law around international transfers of data after the uncertainty caused by the Schrems II ruling. We will continue to offer analysis to our clients as the law progresses through our data protection updates and via our website. Please do get in touch if you would like to discuss the issues raised in this article and how implementation of the EDPB’s guidance will affect your business more specifically.

Summary of the Recommendations

The Recommendations are essential for organisations that transfer personal data from the UK and/or the EU to a third country (i.e. a country outside the EU, Norway, Iceland and Liechtenstein) under the current SCCs. The Recommendations should also be reviewed by organisations transferring data between the UK and EU in relation to their Brexit preparations, as the Recommendations may need to be implemented in relation to data transfers between the UK and the EU in the event that the UK is not granted an adequacy decision by the European Commission on or before 31 December 2020.

In the Schrems II judgement the CJEU noted that, as the SCCs cannot bind entities that are not a party to the contract containing the SCCs (including in particular public authorities and state organisations), data exporters and importers should introduce additional “supplementary measures” to ensure compliance with an “essentially equivalent” standard of data protection as would be offered under GDPR.

The Recommendations set out 6 steps for data exporters to follow to ensure compliance with the ruling in Schrems II as well as the GDPR provisions relating to restricted transfers of data. The process should be thoroughly documented, in particular (i) the assessment in step 3; (ii) evidence of adoption of supplementary measures in step 4 (which should also be recorded in Annex 2 to the draft SCCs); and (iii) evidence of the continuous monitoring in step 6.

Step 1 - Know your transfers

: all data exporters should map their data flows and ensure that they are aware of where and to whom their data is being transferred to, the nature of the data being transferred, the purpose of the transfer, and they should also verify that the data transferred is adequate, relevant and limited to what is necessary.

Step 2 – Verify the transfer tool

: GDPR provides for various legal gateways to legitimise transfers of personal data outside of the EU (e.g., the SCCs, an Adequacy Decision in respect of a third country or binding corporate rules), and the data exporter will need to identify which gateway it is relying upon.

Step 3 – Assessment of the effectiveness of the transfer tool in the context of the intended transferthe European Essential Guarantees for Surveillance Measures to help data exporters determine whether the legal framework governing access to personal data by public authorities in a third country (i.e. national security agencies or law enforcement authorities) can be regarded as undermining the transfer tool (e.g. the SCCs) being used to legitimise the data transfer (as identified in step 2). These are needed as one of the primary reasons for the invalidation of the Privacy Shield in Schrems II regarding data transfers to the USA was the lack of recourse for European citizens to American security agencies in relation to those agencies’ ability to use their data.

: a data exporter must assess (in collaboration with the data importer as needed) whether there any obstacles or hindrance exists that might affect the legitimising transfer tool that is being relied upon for that transfer, with particular regard to the laws of the jurisdiction where the data is being exported to. This should be an objective determination and will need to take into account all actors (e.g. further sub-processors) involved in the data export and as identified in the data map drawn up in Step 1. As part of this assessment, data exporters will need to take note of any laws of the third country: (a) setting out requirements to disclose, or grant access to, personal data (for example, for criminal law enforcement or national security purposes); and (b) that might affect any ability of data subjects to exercise their rights under GDPR (e.g. their rights to access data that is held about them or to have that data deleted). To assist with this assessment, the EDPB has simultaneously published

Step 4 – Identify and adopt supplementary measures

: If the assessment carried out in the previous step suggests that the transfer tool may not be effective, then the data exporter will need to consider using supplementary measures in relation to the transfer. These may be contractual, technical or organisational in nature, for example, minimising the numbers of parties or actors involved in the processing, encrypting or pseudonymising data (the EDPB will require these measures to be carried out to a very high standard), or a right for the data exporter to terminate the agreement if the importer is unable to comply with its contractual commitments relating to the transfer due to an operation of the importer’s national law).

Step 5 – Take any formal procedural steps

: this would involve the data exporter entering into SCCs with the data importer, or ensuring that binding corporate rules are in place.

Step 6 – Continued re-evaluation and monitoring

: The Recommendations require the data exporter to re-evaluate its data transfers on an ongoing basis, with collaboration from data importers as appropriate, and monitor changes to the legislation in the third country that may affect the data transfer. Data exporters should therefore ensure that a contractual mechanism is in place such that transfers can be suspended or terminated if issues are identified. The draft SCCs contain these contractual provisions.

The implications of the Schrems II judgment, and the new Recommendations extend to all transfers from the EU to third countries. The EDPB emphasises that there are no quick fixes, nor a one-size-fits-all solution for all data transfers, as this would be ignoring the wide diversity of situations data exporters face. Data exporters will need to evaluate their data processing operations and transfers and take effective measures bearing in mind the legal systems and legislation of the third countries to which they transfer or intend to transfer data.

European Essential Guarantees for Surveillance Measures

This ancillary set of recommendations detail the points that data exporters should consider when making their own decisions regarding state surveillance powers in third countries, and will help exporters come to a decision around assessing the effectiveness of the legal gateway that they intend to use (per step 3 above) and assessing appropriate safeguards. However, the EDPB is very clear in its guidance that the data exporters will bear all liability for the decision that the exporter makes. The provisions of the Essential Guarantees may also have implications regarding the EU granting the UK an Adequacy Decision prior to the end of the Brexit transition period.

Commentary

This guidance from the EDPB makes it clear that data exporters are responsible for carrying out their own assessment in the context of their international data transfer, the third country law and the transfer tool they intend to rely on. Data exporters must proceed with due diligence and document their process thoroughly, as they will be held accountable to the decisions they take on that basis, in line with the GDPR principle of accountability.

The key point from the Recommendations is that, rather than simply relying upon the SCCs without giving any other consideration to the wider context of the data transfer taking place, the EDPB is clear that data exporters will need to make their own determination and decision regarding the lawfulness of any international data transfers and compliance with GDPR. The guidance from the EDPB around assessing the effectiveness of a particular transfer tool, possible supplementary measures, and the Essential Guarantees regarding state surveillance measures will all prove helpful in assisting the data exporter with that decision but, ultimately, data exporters will be held accountable for their decision and compliance with GDPR regarding the transfer.

This article was drafted by David Varney and Andrew Wilson