From 27 June 2021, companies can use the European Commission's long-awaited new standard contractual clauses as an appropriate safeguard for transferring personal data to countries outside the European Economic Area (EEA). The European Data Protection Board has also updated its recommendations on additional measures that data controllers should take. This report from Ius Laboris Belgian firm Claeys & Engels explains.
Personal data can only be transferred to countries outside the EEA if so-called ‘appropriate safeguards’ are in place and data subjects have enforceable rights and effective legal remedies. Appropriate safeguards may include the use of standard data protection clauses approved by the European Commission. In practice, these ‘standard contractual clauses’ (SCCs) are the most evident transfer mechanism when no adequacy decision exists for the third country concerned. This is the case, for example, for data transfers to the US since the EU–US Privacy Shield was invalidated by the Schrems II judgment (read more on this here).
Subsequently, in November 2020, the European Commission published a draft of new SCCs, and the European Data Protection Board (‘EDPB’) adopted recommendations on the additional measures that can be taken when it appears that the legal framework of the third country does not provide equivalent protection (read more on this here).
New standard contractual clauses
On 7 June 2021, the final version of the new SCCs was published in the Official Journal of the European Union. The new SCCs contain general provisions adapted to the language of the GDPR and also four ‘modules' that cover different transfer scenarios:
- Module 1 covers the scenario for transfers from data controllers to data controllers.
- Module 2 covers the scenario for transfers from data controllers to data processors.
- Module 3 covers the scenario for transfers from data processors to data processors.
- Module 4 covers the scenario for transfers from data processors to data controllers.
These modules represent a significant improvement in comparison with the old SCCs, which only covered the first two situations. For transparency of processing, these modules also include the right of data subjects to receive a copy of the SCCs.
In addition, the new SCCs contain three annexes:
- Annex 1 and the so-called docking clause allow multiple parties to join the agreement, which is particularly useful for intra-group data transfers.
- Annex 2 allows parties to include a list of the technical and organisational measures they have taken to ensure an adequate level of protection within the meaning of the Schrems II judgment. Moreover, the Annex contains some examples as inspiration (e.g., pseudonymisation, physical security of locations, identification and authorisation of users, etc.).
- Annex 3 allows including a list of sub-processors (to be completed in modules 2 and 3).
Finally, the new SCCs include a number of so-called Schrems II provisions on obligations for data importers in third countries when a public authority wishes to access European personal data.
In terms of timing, the old SCCs only expire on 27 September 2021, so you still have three months from today to choose between the old and new SCCs if you enter into new agreements. For existing agreements, you still have until 27 December 2022 to replace the old SCCs with the new SCCs, but nothing prevents you from making this update today.
Update recommendations of the European Data Protection Board
Even when companies use the new SCCs, as a result of the Schrems II judgment, they still need to verify whether these appropriate safeguards are effective in view of the privacy legislation in the third country concerned (and take additional measures if the appropriate safeguards prove to be ineffective). The European Data Protection Board updated its Recommendations No. 01/2020 on 18 June 2021, providing additional clarification, in particular, to guide the assessment of the third-country legislation (data transfer impact analysis):
- In your assessment, you should pay specific attention to any relevant laws laying down the requirements to disclose personal data to public authorities or granting such public authorities powers of access to personal data (e.g., criminal law enforcement, national security etc.).
- The requirements or powers arising from such legislation are considered to impair the effectiveness of the appropriate safeguards and thus to be ‘problematic’ if they do not respect the essence of the fundamental rights and freedoms of the EU Charter of Fundamental Rights, or if they exceed what is necessary and proportionate in a democratic society to safeguard important public interest objectives of the EU or of a Member State, such as national security, defence, public security, prosecution of criminal offences, etc.
- Your assessment should be based first and foremost on publicly available legislation, but in addition you should also take into account practices in the third country. If the relevant legislation is lacking or formally provides sufficient protection but is not applied in practice, then the data transfer should be suspended or supplementary measures should be implemented.
If the relevant legislation is problematic, but you have no reason to believe that it will be applied in practice, then you may decide to proceed with the data transfer without taking supplementary measures. The assessment that the legislation is not applied in practice should then be documented in a detailed report in which you have to explain, among other things, the internal procedure to produce the assessment (e.g., involvement of lawyers or other consultants). This report should be endorsed by the company's legal representative.
- The assessment of the legal framework should focus on the legislation and practices relevant to the protection of your specific data transfer and is therefore not intended to analyse the entire privacy legislation of the third country in general terms.
- Your analysis should take into consideration all possible actors participating in the data transfer (data controllers, processors and sub-processors processing data in the third country).
- It is the responsibility of the data importer (i.e., the entity in the receiving country) to provide all relevant sources and information to the data exporter. These sources and information should be ‘relevant, objective, reliable, verifiable and publicly available’.
- It is possible to consider the data importer's practical experience with relevant prior instances of requests for access received from public authorities. However, the absence of prior instances of requests cannot by itself be a decisive factor that allows the transfer to proceed without supplementary measures.
- You should properly document your assessment, as the national supervisory authority (in Belgium, the Data Protection Authority or DPA) may request you to show your documentation and hold your company accountable for the decisions made on the basis of the assessment.
Finally, the EDPB emphasises that the exceptions under Article 49 GDPR (including transfers that are necessary for the conclusion or performance of a contract, or transfers that occur on the basis of the explicit consent of the data subject) can only be applied on an occasional basis and can therefore not be used to escape the obligation to carry out an assessment of the legislation in the third country.