
Data Transfers: Rules for the transfer window and beyond


By Jade Kowalski


Published 13 November 2020

Overview

The week commencing 9 November 2020 has been a very busy one for data protection practitioners, the likes of which haven’t been seen since the closing weeks of May 2018.

You will no doubt be aware that the Schrems II judgment concluded that standard contractual clauses (SCCs) could only be used to make transfers to certain jurisdictions when accompanied by supplementary measures. On Wednesday 11 November, the European Data Protection Board (EDPB) published its guidance on what these supplementary measures look like in practice: Supplementary Transfer Measures Recommendations and European Essential Guarantees for consultation.

Then on Thursday 12th November, after years of waiting, the European Commission (EC) published its new set of draft standard contractual clauses. Of course, we can’t forget to mention the first entirely virtual all day data protection and cyber conference run by DAC Beachcroft on Tuesday 10 November!

We have to say that we are a little relieved that this plethora of guidance and clauses came just after our conference rather than just before it. However, that does leave us with an obligation to give you an update on the issues we discussed. On Tuesday, we had a number of questions regarding the future of data transfers and we are now pleased to provide some (if not all) of the answers.


Supplementary Transfer Measures and European Essential Guarantees

As a reminder, in July 2020 in the case known as “Schrems II” (C-311/18), the Court of Justice of the European Union (CJEU) (i) invalidated the EU-U.S. Privacy Shield Framework; and (ii) ruled that, in certain circumstances, organisations could still rely on SCCs to transfer personal data from the European Economic Area (EEA) to the U.S. or any other country that the EU considers not to provide an adequate level of data protection. However, in order to rely on the SCCs for such transfers, the exporting organisation must undertake a case-by-case assessment of the transfer to assess whether an “essentially equivalent” level of protection for the personal data is provided under the third country’s laws, and where necessary implement “supplementary measures” to ensure such protection.

Shortly after the Schrems II judgment, the EDPB issued its FAQs and noted that it would provide more guidance on the “supplementary measures”. Its “Supplementary Transfer Measures Recommendations” set out the steps which should be taken when seeking to make a transfer outside the EEA to a jurisdiction which has not been deemed “adequate” by the EC. The EDPB advises data exporters to take the following 6 steps in order to ensure a compliant transfer.

  1. Know your transfers. This involves undertaking a mapping exercise. It may be possible to obtain this information from your Article 30 records. At this point the EDPB refers to other principles in the GDPR such as minimisation and purpose limitation (i.e. making sure the data you are transferring is adequate, relevant and not excessive).
  2. Verify the data transfer mechanisms under Chapter V of the GDPR.
  3. Assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer. This needs to be subjected to due diligence and properly documented. Consider the 4 essential guarantees set out in the European Essential Guarantees document.
  4. Identify whether any supplementary measures are necessary. This is only necessary if the analysis in Step 3 concludes that the law of the third country does impinge on the effectiveness of the safeguards of the transfer tools.
  5. Take any formal procedural steps to adopt your supplementary measures. This will depend on the particular Article 46 GDPR transfer tool you are relying on.
  6. At appropriate intervals, re-evaluate the level of protection afforded to the data you transfer to third countries and monitor if there have been or there will be any developments that may affect it. The principle of accountability requires continuous monitoring of the level of protection of personal data.

The European Essential Guarantees are intended to provide data exporters with guidance on the assessment to conduct in order to determine whether a third country provides a level of protection essentially equivalent to that guaranteed within the EU.

The EDPB considers that the applicable legal requirements can be summarised in four “European Essential Guarantees”:

  • Processing should be based on clear, precise and accessible rules;
  • Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
  • An independent oversight mechanism should exist; and
  • Effective remedies need to be available to the individual.

Together these two documents form a lengthy and, at points, complex framework and methodology for making compliant overseas transfers. A detailed analysis of the practical consequences of this will take some time. At this point, we would highlight the following: 

When do we need to comply with this guidance? This guidance applies with immediate effect and there is no grace period. For those organisations who have been slow off the mark following the Schrems II judgment, and have not yet concluded their data mapping exercise of international transfers, now is the time to bring a project team together to take action.

How will I make an assessment? You will have to make a detailed assessment of the type of data being sent, the access that might be granted to the data when overseas and an assessment of the legal regime in the countries where you are sending the data. We refer to these as “Transfer Impact Assessments”.

What if I am transferring encrypted data or pseudonymised data? Annex 2 of the Supplementary Transfer Measures Recommendations sets out a non-exhaustive list of the supplementary measures that could be put in place. It contains some insightful case studies where it is clear that strong encryption and pseudonymisation can work as a sufficient measure to ensure a compliant transfer so long as the data remains encrypted and pseudonymised throughout.

Will I have to stop certain transfers? The answer is "unfortunately yes". Case Study 6 of Annex 2 uses the example of a cloud service provider which requires access to unencrypted data to perform the service. The EDPB offers no solution to make this transfer compliant if the result of the analysis at Step 3 has concluded that the laws of the third country impinge on rights and protections granted by European data protection laws. One has to assume following Schrems II, that US laws impinge in a way that is not compatible with European data protection law.

The Supplementary Transfer Measures Recommendations are open for consultation until 30 November. The European Essential Guarantees are in final form.


New Draft SCCs

So what of the fate of the SCCs themselves? A revised set has been awaited since the implementation of the GDPR. However, given the Schrems II case, the EC put its publication on hold.

Earlier this week at our Data Protection and Cyber Conference, we identified a number of questions regarding the replacement SCCs. Perhaps the EC was listening because it addressed those questions in its Draft Implementing Decision with proposed revised SCCs appended.

Here’s what you need to know:

Who will they cover? Perhaps the most exciting development is that the draft SCCs are structured in a “modular” format covering transfers between (i) controller to controller; (ii) controller to processor; (iii) processor to sub-processor; and (iv) processor to controller.

This approach allows much greater flexibility and plugs some fundamental gaps. It will be of particular comfort to those who had concerns regarding transfers from EU processors to UK controllers following the end of the Brexit transition period. In addition, the draft SCCs also contain a “docking” clause which allows additional parties to be added post execution.

What will change? The answer to this is “quite a lot”, although this was expected. The new SCCs mirror the requirements of the GDPR. The controller to processor “module” incorporates the requirements of Article 28, meaning that the SCCs can now be used as a complete document satisfying the contractual data protection requirements when engaging a processor. The new SCCs also attempt to address the concerns raised in the Schrems II judgment. In particular, there are specific sections dealing with local laws affecting compliance and obligations on the importer in the event of government access requests.

When will they be published? The draft version was published yesterday (12 November 2020). This draft will be available for consultation until 10 December 2020, following which a final version will be published. A timeline for this has not been announced but, given the Christmas break, we expect this to be in the new year.

How long will organisations have to implement the new SCCs? Organisations will have one year from the date of the final, approved EC decision to replace old SCCs in existing arrangements (unless any changes are made to the processing in the interim, in which case they should be implemented at that point). All new arrangements must be made on the basis of the new SCCs from the date of the final, approved EC decision. In relation to both new and existing arrangements, the requirement to carry out an assessment and, where required, implement supplementary measures, applies immediately.

Whilst the draft SCCs have provided answers to many of the conceptual questions, organisations will now need to ask themselves how they will go about implementing a programme of Transfer Impact Assessments and replacing existing SCCs.


Practical guidance:

  • If you haven’t started already, you need to map your data flows. As well as having a clear understanding of what data flows to which jurisdiction and under which transfer mechanism, you also need clarity regarding the specifics of the transferred personal data.
  • The next stage will be to perform Transfer Impact Assessments. Based on the draft EDPB Guidance, it is likely that the outcome of a number of these assessments will be the conclusion that adequate data protection cannot be guaranteed in all of the circumstances and therefore the transfer cannot be made compliantly. Given the impending end of the transition period (and in the absence of an adequacy decision), organisations in the UK may be on the receiving end of such a decision.
  • A large “re-papering” exercise will be needed in the New Year. Whilst one year for implementation sounds like a long time, in reality, for many organisations the scale of the task will be enormous and may involve the mobilisation of a team.
  • Controllers should be prepared to be on the receiving end of the revised SCCs from processors which brings a new dynamic to those relationships.
