Under the General Data Protection Regulation ((EU) 2016/679) (GDPR), data controllers and data processors are only permitted to transfer personal data outside the EEA in accordance with one of the safeguards set down in Chapter V of the GDPR.
Key developments since Schrems II
Since the Court of Justice of the European Union (CJEU) issued its ruling in the Schrems II [1] case in July 2020 (further information on which can be found in our earlier client briefing) there have been a number of significant developments in the area of international data transfers under GDPR which include the following:
- the European Commission has published New Standard Contractual Clauses (New SCCs) which became operable on 27 June 2021. Under EU data protection law to date, standard contractual clauses approved by the European Commission (SCCs) have been heavily relied upon as an appropriate safeguard to transfer personal data outside of the EEA.
- the European Data Protection Board (EDPB) has published two sets of recommendations relating to transfers outside of the EEA including:
- EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Supplementary Measures Recommendations) which were adopted on 18 June 2021. These assist EU data exporters in assessing the laws and practices of third countries and identifying appropriate supplementary measures, where needed; and
- EDPB Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (European Essential Guarantees Recommendations or "EEGs") which were adopted in November 2020. These set down a number of key factors that are likely to suggest that transfers to a third country are of a high or lower risk. In particular, where an assessment suggests a third country does not meet the threshold of the EEGs, the effectiveness of any supplementary measures will need to be very carefully considered;
- The European Commission adopted a time-limited adequacy decision in favour of the UK (UK Adequacy Decision) on 28 June 2021. The UK Adequacy Decision deemed the UK to have an essentially equivalent level of data protection to that guaranteed under EU law. As a result, personal data may continue to flow freely from the EU to the UK, as a third country, without any additional safeguards, such as New SCCs, being put in place under Chapter V of the GDPR. This decision will automatically expire on 27 June 2025, four years after its entry into force, unless renewed by the European Commission. As long as the UK Adequacy Decision remains valid, no further safeguard under Chapter V of GDPR is needed. However, organisations should monitor the validity of the UK Adequacy Decision to ensure all data transfers to the UK remain compliant with GDPR.
In this client briefing, we turn our focus to the New SCCs and the related requirements to carry out an assessment of the laws and practices of the third country of destination and the supplementary measures which may be needed in order to legitimise the transfer of personal data using the New SCCs.
New Standard Contractual Clauses
As noted above, in June 2021, the European Commission published New SCCs to be used as an appropriate safeguard for data transfers outside the EEA. The New SCCs became operable on 27 June 2021. The old SCCs will be repealed with effect from 27 September 2021 which means that, from that date, only the New SCCs can be used for any new transfer outside the EEA.
Data exporters who currently rely on the old SCCs will have until 27 December 2022 to transition to the New SCCs for their international transfers. However, if before that date the processing operations that are covered by the old SCCs change and reliance on those SCCs does not ensure that the transfer of personal data is subject to appropriate safeguards, they will need to implement the New SCCs for that transfer.
Key points of the New SCCs
Some key points of the New SCCs include the following:
- They operate on a modular approach and address: (i) Controller-to-Controller, (ii) Controller-to-Processor, (iii) Processor-to-(Sub-) Processor and (iv) Processor-to-Controller transfers. The controllers / processors completing the New SCCs will therefore need to select the module applicable to their situation so as to tailor them to the specific role and responsibilities in relation to the data processing in question;
- Once a data exporter has entered into the New SCCs, they will not need to enter into a separate data processing agreement with the relevant data importer in order to comply with their obligations under Article 28 of the GDPR;
- The New SCCs can be used by multiple parties and include arrangements for new parties to accede to them via a "docking clause" either as a data exporter or data importer;
- The New SCCs can be used to legitimise the onward transfer of personal data by the data importer to a third party in a third country provided that the third party accedes to the New SCCs;
- The parties to the New SCCs must be able to demonstrate compliance with the New SCCs, with a particular emphasis on the data importer retaining appropriate documentation on the processing activities carried out on behalf of the data exporter;
- The New SCCs must be governed by the law of one of the EU Member States which provides for third-party beneficiary rights. To address this matter in Irish law, the European Union (Enforcement of Data Subjects' Rights on Transfer of Personal Data Outside the European Union) Regulations 2021 (S.I. No. 297 of 2021) were introduced to amend the Data Protection Act 2018 to provide for these third-party beneficiary rights in a data protection context; and
- The New SCCs reflect the ruling in the Schrems II case by requiring parties to consider the law and practices of the third country applicable to the processing of personal data by the data importer to ensure that they do not prevent the data importer from fulfilling its obligations under the New SCCs. Therefore, before the parties enter into the New SCCs, they must undertake a transfer impact assessment whereby the proposed transfer is assessed in order to determine whether or not the personal data will be adequately protected and, if not, if and what supplementary measures are required. Such assessment must also be documented and the parties must make it available to a competent supervisory authority on request.
Transfer impact assessment and New SCCs
The Supplementary Measures Recommendations provide guidance on this transfer impact assessment and propose a six-stage process to assess the risks related to transfers. This process includes assessing whether the New SCCs are effective in light of the national law and practice of the data importer's jurisdiction. This part of the assessment requires an assessment of both: (1) the law and practices of the data importer's jurisdiction which are relevant to the protection of the specific data being transferred; and (2) the operation of law enforcement and national security agencies in practice in that jurisdiction. The EEGs provide further guidance on this part of the assessment.
The outcome of the assessment will determine if supplementary measures will be needed in addition to the New SCCs to ensure that personal data will be properly protected. The supplementary measures may be contractual, technical or organisational in nature. The effectiveness of the supplementary measure will depend on the third country and, in some cases, data exporters may be required to combine several supplementary measures. Annex 2 of the Supplementary Measures Recommendations describes a number of potential supplementary measures including a non-exhaustive list of potential technical measures such as using an encryption algorithm or using pseudonymisation in certain circumstances. Data exporters are required to re-evaluate at appropriate intervals the level of protection afforded to the personal data under the national law and practice of the data importer and to monitor if there have been or there will be any developments that may affect it.
Data exporters and data importers should review and update their data protection policies and procedures in light of the obligations set out in the New SCCs and the assessment requirements.
Other transfer tools
It is worth noting that this assessment of the laws and/or practices of the third country must also be carried out when relying on other transfer tools under Chapter V of GDPR, such as binding corporate rules, codes of conduct, certification mechanisms and other ad hoc data protection contractual clauses adopted by a supervisory authority and approved by the European Commission.
Organisations should now review and map all international data transfers currently being undertaken and take the following steps:
- If currently relying on the old SCCs to legitimise certain international data transfers, organisations should start taking steps to replace them with the New SCCs before 27 December 2022. Depending on the level and type of international data transfers, this may be a very onerous task and therefore organisations should begin to take steps sooner rather than later to ensure they will be ready for 27 December 2022.
- From 27 September 2021, the old SCCs will be repealed and the New SCCs must be used for any new arrangement involving the transfer of personal data outside the EEA.
- Prior to entering into the New SCCs, organisations will need to undertake the transfer impact assessment provided for in the Supplementary Measures Recommendations and in accordance with the guidance set out in the EEGs. Once this documented assessment has been carried out, the relevant data exporter must then decide whether or not it is permissible to proceed with, or continue, the transfers of personal data to the relevant third country.
- For organisations whose underlying processing activities change before 27 December 2022, the deadline for the entry into the New SCCs (along with the associated transfer impact assessment and the consideration of supplementary measures) is not 27 December 2022 but instead is the date of implementing the changes to the processing activities.
[1] Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.