The European Commission has been under intense pressure for years to upgrade its suite of standard contractual clauses (“SCCs”) for international data transfers, not least to update them in light of the requirements set out in the General Data Protection Regulation (“GDPR”).
Finally, on 12 November 2020, the Commission issued its draft new clauses for consultation. This much-needed upgrade to the SCCs now feels very close. Of course, for those of us in the UK, the future of international data transfer compliance is still at the mercy of the Brexit negotiations and UK government policy, so may still be some way off. For now, however, let’s assume that we will continue to use SCCs in some form as the legal basis for data transfers.
The SCCs are one of the most popular compliant international data transfer tools available to organisations that export personal data out of the European Economic Area (“EEA”). Most organisations hoped simply to sign them, assume that their international data transfer was approved and get on with the day job. In reality, it was never that simple from a legal perspective, but practically the SCCs were definitely some help.
Two further things spoiled the comfortable fiction that SCCs were an “easy way forward”:
1. The GDPR
Until this consultation version of the SCCs, there had been no attempt to update them in line with the GDPR’s requirements (including its data protection principles). Nor had the SCCs been updated to deal with international arrangements that are now perfectly standard. For example, the SCCs didn’t cover:
- A UK cloud services provider that was outsourcing its backup to a non-EEA company (such as one based in the USA or India).
- A UK company that was processing a non-EEA company’s personal data before sending it back to them.
2. Schrems II
The European Court of Justice (“ECJ”) left the SCCs somewhat up in the air. In simple terms, the Court upheld the SCCs as a valid transfer mechanism and so signalled that companies should carry on using them (even though they are clearly out of date), while striking down the EU-US Privacy Shield. At the same time, it reminded companies that they must check that the law and practice in whatever jurisdiction they are sending the personal data to offers protection that is “essentially equivalent” to the protection individuals enjoy in the EU. Cue thousands of businesses scratching their heads about how to carry out what amounts to a mini-version of the exercise that takes the Commission years when it considers issuing an adequacy decision.
Upgrading the SCCs for the GDPR
To help organisations navigate both of these developments, the European Commission has now released its draft SCCs for consultation. (The consultation period closes on 10 December 2020 if you are interested in putting your views forward.) When the Commission has finalised these SCCs, it is intended that they will replace the existing versions.
The new SCCs won’t, however, apply automatically to existing contracts, so organisations will need to endure the laborious process of upgrading every contract that currently relies on the old SCCs to include the new clauses. The Commission has suggested a one-year grace period, but we know that’s not long in practice. Do let us know if we can help to ease the pain for you.
Some things to bear in mind:
1. The SCCs are still in draft form.
The SCCs might still change, and we don’t know exactly when the final version will be launched. So, although it makes sense to get ahead and start preparing for the contract change process you will need to carry out (for example, by building an inventory of every contract that relies on the current SCCs), it is probably worth waiting for the final version before starting your contract negotiations in earnest. Given the one-year grace period, you may also want to schedule specific negotiations around rolling contract renewal dates with your various suppliers, customers and other stakeholders.
2. What impact will Brexit have?
Hopefully, we will get clarity soon on how the SCCs will apply to organisations that are in the UK, or that process the personal data of UK individuals. It’s possible that the UK will create its own version of the SCCs that looks broadly similar and helps to support any EU/UK adequacy decision being negotiated. However, if there’s no Brexit deal, all bets are off and the UK government’s focus may not be on the SCCs. That would mean more delay (and chaos) is likely. Keep an eye out for updates.
3. The new SCCs will need to be completed in full.
The original SCCs were often poorly implemented in practice, usually because organisations didn’t fill in the blanks properly (the annexes describing the data, the purposes and the security measures). The new SCCs reiterate, and perhaps place more emphasis on, the requirement that organisations properly understand their data flows, document them clearly (both in the SCCs and in their privacy notices to individuals) and agree the technical and organisational measures that will protect the data. Without those full details, the SCCs will not actually be complete or valid.
4. The data importer will need to be upskilled.
The new SCCs emphasise that the non-EEA data importer must fully understand its obligations under the clauses, which mirror the GDPR (for example, in relation to data minimisation, data retention, onward transfer, transparency and security). Organisations should therefore start considering whether their non-EEA data importers are actually ready for that in practice. For example, consider how you would confirm that the data importer fully understands its obligations and how you would ensure that it is upskilled. If the exporter cannot satisfy itself on this point, it is possible that a transfer to that importer would not be valid. Remember: this assessment is required before the data transfer, and on an ongoing basis.
5. There will need to be an assessment of the law and practice of each jurisdiction to which data is transferred.
You can’t just sign the SCCs and get on with business. The EEA-based organisation (the data exporter) must now properly assess the law and practice of each jurisdiction to which the personal data is being transferred. Remember: this does not mean “just” considering the jurisdiction of the organisation you have a direct relationship with; it also requires consideration of any onward international transfers of your data to its sub-contractors, etc.
Many things will need to be considered here. For example:
- How on earth would you do this assessment in practice? The European Data Protection Board (“EDPB”) has provided a much-needed steer – see the “Supplemental measures” section below for its recommendations. At this point, how helpful the EDPB’s process is in practice remains to be seen.
- Thankfully, under the SCCs, the data importer is obliged to help you out. The importer must tell the data exporter how the requirements of the clauses and the fundamental rights of individuals in the EU (like privacy!) interact with its local law and practice on how personal data is handled in its country. In particular, it must state whether government authorities might be able to access the personal data. We expect that importers will start creating their own assessments that they can share with exporters. Treat these as an input, not a substitute: the assessment remains the exporter’s responsibility, and an importer’s own summary of its local law should be checked against independent sources.
- Don’t forget that you have to make this assessment before you transfer any personal data. You must also regularly re-evaluate whether the assessment should change (for example, if the data-processing activities or flows have changed in practice, or if the law in the destination country has changed).
- If your assessment suggests that the law and practice will not offer adequate protection for individuals, you must consider supplemental measures. See the “Supplemental measures” section below for comments on the EDPB’s recommendations.
- If all that fails (when looked at objectively, of course – not just on the basis of how you perceive the risk), you must not start transferring personal data, or you must cease the transfer and ensure that any data that has already been transferred is returned or destroyed.
6. Sub-processor scenarios are enabled.
The old SCCs did not cover processing by a processor’s sub-processor. This created many compliance difficulties, with many organisations and EU data protection regulators taking or expecting a fudged approach to compliance in this scenario.
By way of example, if a UK organisation contracted with a UK service provider, which in turn sub-contracted some processing (e.g. cloud backups) to an organisation outside the EEA, that service provider had no obvious transfer mechanism to make the onward international transfer compliant. The premise of the old SCCs was that the controller must maintain a direct contractual relationship with any organisation processing its personal data outside the EEA, so that individuals’ rights were protected. However, that did not reflect the reality of how modern organisations work.
Under the modular approach of the new SCCs, sub-processing scenarios are explicitly enabled: there is a module under which a processor can agree the SCCs directly with its sub-processors. This is extremely welcome, and should put an end to some rather jerry-rigged practices that are currently very common.
7. The new SCCs can be used when processors send data back to non-EEA controllers.
Previously, to be technically compliant, an EEA processor would need to use an appropriate data transfer mechanism when sending personal data back to the non-EEA controller that had shared it with the processor in the first place, and the old SCCs did not fit that scenario. That data flow is now catered for – see Module 4 of the new SCCs. The clauses are much simpler in this scenario, and simpler still if the EEA processor does not combine the non-EEA controller’s data with personal data collected in the EEA.
8. Multiple parties can sign up.
Once you have the SCCs in place, you can now more easily add and remove parties to reflect changing commercial realities. For example, a processor can add new controller entities, or a controller can add new processors, to one set of SCCs. How this will be used in practice will be interesting. For example, will a cloud services provider really add each new controller customer to its SCCs (and remove them when they leave)?
Supplemental measures
As we mentioned above, if you assess that the law and practice of the destination jurisdiction might undermine the protection that your chosen transfer mechanism is supposed to provide, and you still want to make the transfer, the ECJ and now the EDPB are very clear that you still have work to do. You need to assess the jurisdiction’s law and practice to ensure that it offers “essentially equivalent” protection to individuals as they have under the GDPR in the EU. If that assessment falls short, you then need to establish what “supplemental measures” might adequately plug the gap. That’s no easy task. After all, it takes the European Commission years to make its own adequacy decisions, and these are essentially the same test.
On 10 November 2020, the EDPB, as if by magic, heard our pleas and adopted its recommendations. These didn’t just cover how to assess “essential equivalence”, but also set out a step-by-step process to follow, and suggested “supplemental measures” that organisations can use if their assessment falls short of the mark. These include:
- Technical measures such as data minimisation, access control, restrictions on onward transfer, pseudonymisation and encryption. For encryption to count, the EDPB expects the data to be encrypted before transfer using strong, state-of-the-art algorithms, with the keys held solely by the exporter (or another trusted party in the EEA or an adequate country) and never made available to the importer. In practice that means the measure only works where the importer does not need access to the data in the clear; a provider that decrypts the data to process it does not benefit from it.
- Contractual and organisational measures such as training, processes and procedures, oversight committees, regular audits and reviews, and specific contract terms (for example, obliging the importer to inform the exporter about any likely risk of access by a public authority, and providing a right to suspend or terminate the transfer if the regulatory landscape changes).
It is important to note that the EDPB’s supplemental measures are stated to be non-exhaustive examples only. They can therefore be mixed and matched. You may choose to use one measure, or many – whatever it takes for you to make an objective assessment that the transfer mechanism you have chosen, together with those measures, offers “essentially equivalent” protection to individuals.
As discussed above, if that objective assessment of those supplemental measures falls short, you must not start to transfer personal data, or if you have already been transferring data, you must cease to do so and ensure that any such data is returned or destroyed.
The EDPB gave some “use cases” where it felt that supplemental measures could plug the gap (for example, encrypted backups held abroad where the keys stay in the EEA). Interestingly, it also set out some “use cases” where it felt that no supplemental measure was likely to be sufficient. Those latter cases relate to pretty standard scenarios, such as a cloud provider that needs to process the data in the clear, or remote access to the data for business purposes, in a jurisdiction where public authorities can access data without adequate controls. Given the Court’s decision in Schrems II, these “use cases” aren’t a surprise, but they show that organisations will need to think carefully when deciding whether to send data abroad – particularly to the USA.
We hope that the Information Commissioner’s Office (“ICO”) will issue its own expanded guidance on these issues shortly, and give us more of a steer on the actual assessment of individual jurisdictions. Again, this may be delayed, or the guidance muddied, while the ICO waits for the outcome of Brexit and the adequacy decisions.
If you need help with any aspect of international data transfers, whether it is carrying out international data transfer assessments, documenting whether appropriate supplemental measures are in place or drafting your contracts to ensure compliant international data transfers, please get in touch.