2020 has been an interesting year for many reasons. In data protection, there was the Schrems II ruling which saw the European Court of Justice invalidate the Privacy Shield relied upon by many organisations for the transfer of personal data outside of the EEA. As part of the response to this ruling, the European Commission looked at updating the Standard Contractual Clauses (SCCs) and in November released a new draft for comment. Organisations will have 12 months to implement the new versions from their official acceptance date which is likely to be sometime in 2021. In this article, we focus on two points that indicate that investment in data governance policies and processes will likely be required by data controllers.
The Modular Approach
The purpose of the SCCs is to bolster data processing agreements by providing organisations with additional standard clauses that help meet the requirements under Chapter 4 of the GDPR. With the current SCCs there are different versions for controller to processor and controller to c ontroller agreements; from the draft, it appears that the new SCCs will only have one version, which will be modular.
Specifically, four modules cover the different types of data processing relationships.
- Module 1: Transfer from controller to controller
- Module 2: Transfer from controller to processor
- Module 3: Transfer from processor to processor
- Module 4: Transfer from processor to controller
In this article, we explore one aspect of the first module as set out in Section II, Clause 1 of the draft SCCs though the other modules will be addressed at a later date. Module 1 includes several sections that reinforce the growing relevance of the concept of Joint Controllers and appropriate agreements when data is transferred from one controller to another. The text makes clear the concept of ongoing responsibilities showing that even when personal data is passed from one controller to another, both parties remain in a relationship built on obligations to the data subject.
These ongoing obligations include:
- Breach reporting;
- Keeping data up-to-date and accurate;
- Restriction of processing to those purposes defined when the transfer was made.
Breach reporting obligations include the data importer having to ‘notify, without undue delay, both the data exporter and the competent supervisory authority’ where there are significant adverse effects to the data subject. Where the bar is set for ‘severe’ will no doubt be a heated discussion going forward as will who decides when this bar is reached!
The importer will also be required to notify without, undue delay the data subjects, involved in the data breach, ‘in cooperation with the data exporter’ if necessary.
While keeping data up-to-date and accurate is not an absolute requirement, again the bar seems to be set quite high with the data importer required to: ‘take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.’
And most importantly, if either party identifies an error in the personal data transferred or received, then ‘it shall inform the other Party without undue delay’. Interestingly there is no time limit on this requirement.
In other words, any transfer of personal data from one controller to another can be seen as an ongoing relationship and likely best managed through an agreement such as a Joint Controller Agreement. Importantly the personal data should not be used for any purpose other than that declared at the time of transfer.
Risk Assessment
Another significant difference in the new draft is the obligations on the parties acting as the data exporter and data importer to conduct a comprehensive risk assessment to determine if the non-EEA country can actually guarantee an adequate level of data protection as required by the GDPR. Third-country laws will need to be understood and assessed in the transfer impact assessment which must be made available to the competent Supervisory Authority on request (Section II.2(d)).
Under the new framework, the onus is the parties in the transfer to undertake a detailed risk assessment that takes into account a multitude of factors that will have to be documented and the potential impact on the data subjects’ rights. These include, but are not limited to:
- the content and duration of the contract;
- the scale and regularity of transfers;
- the transmission channels used;
- the purpose of processing;
- the nature of the personal data transferred, and
- any relevant practical experience with prior instances.
The assessment will also require the parties to assess local laws ‘including those requiring to disclose data to public authorities or authorising access by such authorities’. This reflects the Commission’s concerns of surveillance laws such as the Cloud Act in the US.
As part of the assessment, a detailed consideration of technical and organisational measures applied during transmission and to the processing of the personal data will need to be worked through. A long list of potential measures is offered in Annex II (Technical and Organisation Measures).
No longer will signing the SCC be sufficient as with the current version but now the parties, and particularly controllers must demonstrate:
- They have explored the wider context of the data transfer
- Identified risks including those from legislation and any lack of supports for data subjects’ rights
- And have chosen to implement appropriate measures to address any risks identified.
In the end, there will be significant effort required in terms of due diligence before a controller or processor can enter into an agreement to transfer personal to a third country.
Conclusion
The new draft SCCs reflect how data protection legislation has evolved and the increasingly heavy burdens that controllers must address when processing personal data outside the EEA and countries with adequacy decisions under Directive 95/46/EC. Such transfers will require robust data governance processes to assess risks for each transfer and systems to record where data is sent or where it originated to enable the meeting of ongoing obligations. This will require a step-change for many organisations in how procurement and other processes are handled and likely require some investment to meet the growing compliance requirements when considering third country transfers.
Trilateral’s Data Governance and Cyber-Risk Team has significant experience helping our clients achieve compliance with the latest Data Protection and ePrivacy regulations. We offer data governance services that can help your organisation develop policies and procedures for ongoing compliance. Trilateral can help to audit existing practices, reviewing your current systems and undertaking the transfer impact assessment if your organisation is looking to rely on SCCs for transfers to countries such as the UK and the USA going forward.
Our support services will help your business to protect individuals’ fundamental rights, building trust among your website users and ultimately, your customers. Please feel free to contact our advisors, who would be more than happy to help.