On 10 November 2020, the EDPB published Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. On 12 November 2020, the European Commission issued a draft Implementing Decision on Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries. Together, these newly released documents will form the foundations of international data transfers in the post-Schrems II era of data protection. This piece provides an initial overview of the contents of the Recommendations and of the draft SCCs.
Where were we?
In its recent judgment C-311/18 (Schrems II), the Court of Justice of the European Union (CJEU) held, among other things, that transfers of personal data to third countries are legitimate only where an ‘essentially equivalent’ level of protection of personal data is ensured. At the same time, the Court upheld the validity of Standard Contractual Clauses (SCCs) as a transfer tool. The Court also stated that European data exporters are responsible for evaluating, on a case-by-case basis, the effectiveness of the transfer tools listed in Article 46 GDPR. Where that assessment reveals gaps, the Court left open the possibility for exporters to implement supplementary measures that fill those gaps and bring the protection up to the level required by EU law.
The EDPB on Supplementary Measures
Recommendations 01/2020 provide exporters with a series of steps to follow, together with examples of supplementary measures that could be put in place to perform compliant transfers:
Step 1: Know your transfers – Map the data transfers. Verify that the personal data transferred is adequate, relevant and limited to what is necessary in relation to the purpose for which it is transferred.
Step 2: Identify the transfer tools you are relying on – Depending on the destination country and on whether the transfer is repetitive or occasional, use one of the tools of Chapter V GDPR (e.g., an adequacy decision, BCRs, SCCs, etc.).
Step 3: Assess the law or practice of the third country – The assessment should focus on the legislation and practice of the third country that is relevant to your transfer. The elements to take into account when assessing a third country's surveillance laws are set out in the EDPB's Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.
Step 4: Identify and adopt supplementary measures – Annex 2 of the Recommendations contains a non-exhaustive list of examples of supplementary measures, with some of the conditions they would require to be effective. These are divided into technical measures, additional contractual measures and organisational measures.
Step 5: Take formal procedural steps – Additional procedural steps, such as consulting the competent supervisory authority, may be required when adopting supplementary measures, depending on the transfer tool used.
Step 6: Re-evaluate at appropriate intervals – In accordance with the principle of accountability, the level of protection of the transferred personal data must be monitored on an ongoing basis and the assessment repeated where relevant developments occur.
The European Commission on SCCs
The newly released draft SCCs have been in the pipeline since the GDPR became applicable and conform closely to the principles, rights and obligations of the GDPR. They combine general clauses with a modular approach to cater for various transfer scenarios. In addition to the general clauses, controllers and processors select the module applicable to their situation. This allows them to tailor their obligations under the SCCs to their respective roles and responsibilities in relation to the processing at issue. The modules are as follows:
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
MODULE FOUR: Transfer processor to controller
Throughout the draft SCCs, particular emphasis is placed on security requirements, intended to ensure that the data is kept secure both at rest and in transit. Annex II of the SCCs contains a long list of example technical and organisational security measures (TOMs) from which the parties describe those they have actually implemented.
The draft Implementing Decision is open for feedback until 10 December 2020. For one year from the date of entry into force of the Decision, data exporters and importers may continue to rely on the “old SCCs”, but only where the contract between them was concluded before that date and has remained unchanged in the meantime.
The bottom line
Clause 2 of the draft SCCs requires the parties to warrant that they “have no reason to believe that the laws in the third country…, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses.” It further requires the parties to confirm that they have assessed the laws and practices of the third country in order to evaluate whether or not they provide ‘equivalent protection’.
While the practicability of these measures remains questionable, it is clear that, four months after the CJEU's decision, the full impact of Schrems II has yet to unfold. While the judgment had immediate effects on data transfers to the US, its consequences will almost certainly extend to transfers to the UK, in light of a probable hard Brexit. Our team will monitor these consequences carefully as the implications continue to develop.
Trilateral’s Data Governance and Cyber-Risk Team offers data governance services that can help your organisation develop policies and procedures to mitigate emerging risks. Trilateral can audit existing practices, perform gap analyses and offer compliance support. Our support services help your organisation protect individuals’ fundamental rights, building trust among your website users and, ultimately, your customers. Please feel free to contact our advisors, who would be more than happy to help.