Standard Contractual Clauses

Draft of new Standard Contractual Clauses published by the European Commission

On 12 November 2020, the European Commission published a draft Implementing Decision on new Standard Contractual Clauses for the transfer of personal data to third countries.

The CJEU judgement in the Schrems II case has brought to light some deficiencies in the current guarantees applied to international data transfers. Apart from invalidating the Privacy Shield, the Court stipulated that additional measures are required when using Standard Contractual Clauses (SCCs) in order to ensure that the data subjects are granted a level of protection essentially equivalent to the one guaranteed by the GDPR and the EU Charter of Fundamental Rights.

You can learn more about the business implications of the Schrems II decision in our blog.

What’s new?

In response to the caveats pointed out by the CJEU with regard to the use of SCCs for making international transfers, the European Commission published a draft implementing decision containing a draft new set of SCCs for transfers of personal data to third countries, which includes five main changes in relation to the current clauses (approved under the Directive 95/46/EC):

  • Modular approach to cover various transfer scenarios, including processor-controller and processor-sub-processor international data transfers.
  • More than two parties could adhere to the SCCs and additional controllers and processors should be allowed to accede to them throughout the life cycle of the contract.
  • Additional safeguards should be provided to ensure a level of protection of the personal data essentially equivalent to the one granted by the GDPR.
  • Data subjects should be provided with a copy of the SCCs upon request and they should be informed of any change of purpose and of the identity of any third party to which the personal data is disclosed.
  • The data importer should inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints or requests.

Modular approach and territorial scope

The draft of new SCCs aims to address some gaps of the current SCCs, such as the limitation of the type of data transfers that can be made under their provisions. While the current SCCs are designed for international data transfers from EU controllers to non-EU/EEA controllers and international data transfers from EU controllers to non-EU/EEA processors, the proposed new ones combine general clauses with a modular approach which would allow controllers and processors to select the module applicable to their situation and tailor their obligations to their corresponding role and responsibilities. In terms of territorial restrictions, the new SCCs do not require the data exporter to be established in the EEA, which also increases the number of scenarios that may be covered by this safeguard.


Additional safeguards

The new SCCs stipulate some obligations that the parties should meet for the purpose of ensuring an adequate level of data protection. The additional measures imposed by the new SCCs include, inter alia, the following:

  • Application of additional requirements to address how to deal with binding requests from public authorities in the third country for disclosure of personal data.
  • Risk assessment undertaken by the data exporter to determine whether there are any reasons to believe that the laws applicable to the data importer are not in line with the requirements laid down in the SCCs. To this end, some key elements should be taken into account, namely:
    • Duration of the contract.
    • Nature of the data transferred.
    • Type of recipient.
    • Purpose of the processing.
    • Any relevant practical experience indicating the existence or absence of prior instances of requests for disclosure from public authorities received by the data importer for the type of data transferred.
    • Laws of the third country of destination relevant in light of the circumstances of the transfer.
    • Technical and organisational measures applied during transmission and to the processing of the personal data.
  • Obligation of the data importer to notify the data exporter and the data subject about any legally binding request issued by a public authority under the law of the country of destination for disclosure of personal data or about any direct access by public authorities to the personal data.

Grace period

Once these SCCs have been approved, they will replace the current ones. A one year grace period will be granted for parties to put the new clauses in place. During this period, transfers can continue to be made on the basis of current SCCs, unless those contracts are changed. If the contracts are changed, then the parties lose the benefit of the grace provision and must move to the new clauses. If parties change existing contracts in order to introduce additional safeguards, as required by Schrems II, then they can still benefit from the grace period provision.


The draft is open for feedback until 10 December 2020.


Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.

EU-US Privacy Shield

EU-US Privacy Shield invalidation business implications follow-up

Since the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield in their Schrems II judgement delivered two weeks ago, many questions have arisen around international data transfers to the US.

After the invalidation of the EU-US Privacy Shield by the CJEU two weeks ago, as reported by Aphaia, data transfers to the US require another valid safeguard or mechanism that provides an adequate level of data protection similar to the one granted by the GDPR.

European Data Protection Board guidelines

With the aim of clarifying the main issues derived from the invalidation of the EU-US Privacy Shield, the European Data Protection Board (EDPB) has published Frequently Asked Questions on the Schrems II judgement. These answers are expected to be developed and complemented along with further analysis, as the EDPB continues to examine and assess the CJEU decision.

In the document, the EDPB reminds that there is no grace period during which the EU-US Privacy Shield is still deemed a valid mechanism to transfer personal data to the US; therefore, businesses that were relying on this safeguard and that wish to keep on transferring data to the US should find another valid safeguard which ensures compliance with the level of protection essentially equivalent to that guaranteed within the EU by the GDPR.

What about Standard Contractual Clauses?

The CJEU considered that the validity of SCCs depends on the ability of the data exporter and the recipient of the data to verify, prior to any transfer, and taking into account the specific circumstances, whether that level of protection can be respected in the US. This seems to be difficult, though, because the Court found that US law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection.

The data importer should inform the data exporter of any inability to comply with the SCCs and, where necessary, with any supplementary measures, and the data exporter should carry out an assessment to ensure that US law does not impinge on the adequate level of protection, taking into account the circumstances of the transfer and the supplementary measures that could be put in place. The data exporter may contact the data importer to verify the legislation of its country and collaborate on the assessment. Where the result is not favourable, the transfer should be suspended. Otherwise, the data exporter should notify the competent Supervisory Authority.

What about Binding Corporate Rules (BCRs)?

Given that the reason for invalidating the EU-US Privacy Shield was the degree of interference created by US law, the CJEU judgement applies as well in the context of BCRs, since US law will also have primacy over this tool. As with SCCs, the data exporter should run an assessment beforehand, and the competent Supervisory Authority should be notified where the result is not favourable and the data exporter plans to continue with the transfer.

What about derogations of Article 49 GDPR?

Article 49 GDPR comprises further conditions under which personal data can be transferred to a third country in the absence of an adequacy decision and appropriate safeguards such as SCCs and BCRs, namely:

  • Consent. The CJEU points out that consent should be explicit, specific to the particular data transfer or set of transfers, and informed. This element involves practical obstacles when it comes to businesses processing data from their customers, as it would imply, for instance, asking for every customer’s individual consent before storing their data on Salesforce.
  • Performance of a contract between the data subject and the controller. It is important to note that this only applies where the transfer is occasional, and only to transfers that are objectively necessary for the performance of the contract.

What about third countries other than the US?

The CJEU has indicated that SCCs, as a rule, can still be used to transfer data to a third country; however, the threshold set by the CJEU for transfers to the US applies to any third country, and the same goes for BCRs.

What should I do when it comes to processors transferring data to the US?

Pursuant to the EDPB FAQs, where no supplementary measures can be provided to ensure that US law does not impinge on the essentially equivalent level of protection as granted by the GDPR and if derogations under Article 49 GDPR do not apply, “the only solution is to negotiate an amendment or supplementary clause to your contract to forbid transfers to the US. Data should not only be stored but also administered elsewhere than in the US”.

What can we expect from the CJEU next?

The EDPB is currently analysing the CJEU judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical or organisational measures.

ICO statement

The ICO is continuously updating its statement on the CJEU Schrems II judgement. The latest version so far is dated 27 July and confirms that the EDPB FAQs still apply to UK controllers and processors. Until further guidance is provided by EU bodies and institutions, the ICO recommends that businesses take stock of the international transfers they make and react promptly; it also states that it will continue to apply a risk-based and proportionate approach in accordance with its Regulatory Action Policy.

Other European Data Protection Authorities’ statements

Some European data protection supervisory authorities have provided guidance in response to the CJEU Schrems II judgement. While most countries are still considering the implications of the decision, some others are warning about the risk of non-compliance, and a few of them, like Germany (particularly Berlin and Hamburg) and the Netherlands, have openly stated that transfers to the US are unlawful.

In general terms, the ones that are warning about the risks claim the following:

  • Data transfers to the U.S. are still possible, but require the implementation of additional safeguards.
  • The obligation to implement the requirements contained in the CJEU’s decision is both on the businesses and the data protection supervisory authorities.
  • Businesses are required to constantly monitor the level of protection in the data importer’s country.
  • Businesses should run a previous assessment before transferring data to the US.

The data protection supervisory authority in Germany (Rhineland-Palatinate) has proposed a five-step assessment for businesses. We have prepared the diagram below which summarizes it:

Can the level of data protection required by the GDPR be respected in the US?

The CJEU considered that the requirements of US domestic law and, in particular, certain programmes enabling access by US public authorities to personal data transferred from the EU, result in limitations on the protection of personal data which do not satisfy GDPR requirements. Furthermore, the CJEU stated that US legislation does not grant data subjects actionable rights before the courts against the US authorities.

In this context, it seems difficult for a company to demonstrate that it can provide an adequate level of data protection to personal data transferred from the EU, because it would essentially have to bypass US legislation.

Recent moves in the US Senate do not shed light on this issue, because the “Lawful Access to Encrypted Data Act” was introduced last month. It mandates service providers and device manufacturers to assist law enforcement with accessing encrypted data if such assistance would aid in the execution of a lawfully obtained warrant.

Do you make international data transfers to third countries? Are you affected by the Schrems II decision? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments and Data Protection Officer outsourcing. We also offer CCPA compliance services. Contact us today.