All over the world
We love to travel, and so does our data – or rather, companies want to send our data around the world. Elaine Morrissey zooms in on the international transfer of personal data and notes that new standard contractual clauses have increased due-diligence obligations on data exporters.
Protection granted to personal data must travel with the data. The General Data Protection Regulation (GDPR) provides that, for personal data to leave the European Economic Area (EEA), there must be an appropriate mechanism (safeguards) in place. Standard contractual clauses (SCCs) are a commonly used mechanism, and have been around for over a decade.
The European Commission has also granted ‘adequacy’ status to a number of countries, which means that no additional mechanisms/safeguards are required before a transfer takes place to those countries. The UK, Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland and Uruguay all hold adequacy status.
Why are international transfers of personal data such a hot topic? In the last two years, we have had the ‘Privacy Shield’ transfer mechanism invalidated, SCCs upheld, new SCCs issued, new European Data Protection Board (EDPB) guidelines and recommendations, varying opinions, data protection authority decisions, new obligations, and a joint statement from Joe Biden and Ursula von der Leyen regarding personal-data transfers from the EU to the US. So, yes, it’s a hot topic, requiring much time and attention to keep up.
What are SCCs?
The SCCs were initiated by the commission as a mechanism to allow personal data to be transferred globally under a single set of data-protection rules or standards that fall in line with the GDPR. In essence, they are a contractual agreement between the parties agreed on by the commission.
While the ‘old’ SCCs were developed under the now-repealed EU Data Protection Directive (95/46), SCCs have become more prevalent with the introduction of the GDPR, as they are listed as an appropriate safeguard for the transfer of personal data outside of the EEA (article 46 of the GDPR).
Unfortunately, however, the old SCCs could only be used for very specific purposes (due to the way they were drafted). The old SSCs only provided for transfers between a data controller in the EEA and a data processor or a data controller in a third country (non-EEA country). The commission had been working on the new SCCs at the time of the Schrems II decision.
Schrems II
In July 2020, the EU Court of Justice (CJEU) delivered a ruling in the case known as Schrems II, in which the mechanisms for personal-data transfers between the EEA and the US were challenged. The challenge was based on the argument that US law cannot adequately ensure protection of EU personal data.
In a momentous decision, the CJEU invalidated Privacy Shield as a valid transfer mechanism, thereby disallowing companies to transfer and store EU personal data in the US, unless they comply with another appropriate mechanism. In the same decision, the CJEU upheld SCCs as a valid mechanism for transatlantic data transfers, noting that this does make it possible, in practice, to ensure compliance with the level of protection required by EU law.
New appropriate safeguards needed to be created to meet the demand for companies acting as processors in the EU to transfer to controllers and other processors in third countries. The commission, following a detailed consultation period, issued the new SCCs on 4 June 2021, which provide appropriate safeguards when transferring personal data from the EEA to a third country.
The new SCCs increase obligations on the data exporter to conduct due diligence, including considering whether the importing company and third country can provide adequate safeguards, to be documented in a ‘transfer impact assessment’. This has put companies and their advisors into a tailspin in obtaining a balance between their obligations and what is achievable – a risk-based approach.
While the EDPB, in its June 2021 recommendations, adopted a risk-based approach, recent comments by the French data protection authority caused concern, as they said that a risk-based approach could not be adopted in completing a transfer impact assessment. It is difficult to align the comment with the overall GDPR philosophy, which is built on principles and a risk-based approach.
Despite being almost a year old now, the ‘new’ SCCs will likely retain that title for some time. To keep us all on our toes, there is also the possibility of ‘SCCs-lite’ – however, they have not landed yet.
What do the new SCCs look like?
The new SCCs (issued on 4 June 2021 and effective from 27 June 2021) are provided as an ‘à la carte’ document. Controllers and processors should select the appropriate modules, of which there are four:
- Controller to controller,
- Controller to processor,
- Processor to processor, and
- Processor to controller.
The new SCCs cannot be amended, unless to increase protection of personal data and data subjects and to complete the annexes, which include details of exporter, importer, details of processing, and technical and organisational measures. The good news is that negotiation should not be needed, with the exception of agreeing the modules and completing the annexes.
How do the new SCCs affect your client’s relationship with its suppliers and clients? Clients will need to consider whether they transfer personal data outside the EEA to another entity (client, vendor, affiliate), and ensure that they have in place an appropriate mechanism permitting the transfer – for example, entering into the new SCCs. Practitioners will also need to consider any transfers they are making – for example, personal data stored in the cloud by a US vendor.
How long do companies have to implement the new SCCs (grace period)? Only the new SCCs should be entered into. If the old SCCs are in place, companies have until 27 December 2022 to replace any old SCCs with the new SCCs. For any transfers that do not have a transfer mechanism in place, that needs to be attended to as soon as possible.
‘Privacy Shield 2.0’
Since the invalidation of Privacy Shield in June 2020, the EU and the US have been in constant talks to address the shortcomings identified by the CJEU. This culminated in Joe Biden and Ursula von der Leyen making a joint announcement on the “agreement in principle on a new framework for transatlantic data flows” on 25 March 2022. This is being hailed as the long-awaited key step to ‘Privacy Shield 2.0’.
What this means is that, for US companies who certify to Privacy Shield, no additional mechanism (such as SCCs) are needed to transfer personal data to that company. While the devil is in the detail, and there is a lot to be worked out, this is seen as a very positive step for EU/US transfers.
In terms of timelines, the best estimate is the end of 2022 or early 2023. Whether it will come into play before the deadline to have the new SCCs in place is unclear. Even if it does, it will likely take first-time organisations some time to have their certification approved.
However, not everyone is happy. Max Schrems has already indicated that Privacy Shield 2.0 will be challenged. So expect a lot more discussion, debate, and turbulence.
Brexit and data transfer
When the Brexit transition period ended on 31 January 2020, the UK formally became a third country for the purposes of EU data-protection law.
In June 2021, the commission adopted two adequacy decisions for the UK – one under the GDPR and the other for the Law Enforcement Directive. This means that personal data can now flow freely from the EU to the UK where it benefits from an essentially equivalent level of protection to that guaranteed under EU law (without the need for additional data-transfer safeguards under article 46 of the GDPR). This means that SCCs are not needed when transferring personal data to the UK.
For the first time, the adequacy decisions include a ‘sunset clause’, which strictly limits their duration. This means that the decisions will automatically expire four years after their entry into force, on June 2025, unless it is renewed.
The adequacy decision will only be renewed if the UK continues to ensure an adequate level of data protection. During these four years, the commission will continue to monitor the legal situation in the UK and can intervene at any point if the UK deviates from the level of protection currently in place.
If the adequacy decision is not renewed, the next best alternative is for EU entities to enter into SCCs with UK entities. As a ‘belt-and-braces’ approach, many companies are entering into the new SCCs with UK companies now.
There are no additional requirements for the transfer of personal data from the UK to the EU.
In March of this year, the UK issued its own version of SCCs – the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the EU SCCs. These are for use where UK personal data is being transferred to a third country (for example, the US).
The UK is currently considering adopting its own adequacy decision system – for example, the UK granting an adequacy decision to the US. It is expected that the UK will piggyback on Privacy Shield 2.0 to adopt its own version.
While the UK had indicated a move to be more ‘flexible’ in terms of data transfers, they are mindful not to jeopardise their own EU adequacy status. This is likely to keep the UK aligned with the GDPR.
In short, for UK/EU transfers:
- Entities can rely on the adequacy decision to transfer EU personal data to the UK,
- There are no additional requirements to transfer UK personal data to the EU,
- The UK has adopted its own SCCs for use in transferring data to a third country (for example, the US),
- The UK is currently considering its own adequacy decision system, paying particular attention to what is agreed between the EU and US.
What to do?
International transfers will continue to remain a hot topic. What does this mean for practitioners and clients?
- For transfers outside the EU, where no adequacy decision exists, a transfer mechanism must be in place. For the moment, the new SCCs are the most appropriate transfer mechanism. These need to be executed between the parties before that transfer can take place. It’s important to note that executing the SCCs does not, of itself, bring any additional obligations on a company – unless the transfer takes place. While some companies may have regular data transfers, others may be more ad hoc. Regardless, it’s a breach of the GDPR to transfer personal data without an appropriate mechanism in place.
- It is not simply a matter of signing the SCCs and letting the data fly free – due diligence must be carried out in advance and kept under review.
- Supplemental measures may also need to be put in place (see the EDPB’s June 2021 recommendations).
- For UK/EU transfers (there is nothing to be done unless out of an abundance of caution), the new SCCs are entered into with UK entities.
Surely, this all seems very difficult and not conducive to a global economy? While entering into the new SCCs is the easy bit, the due diligence and possible supplemental measures are very onerous and challenging for companies.
Given the challenges with complying with the obligations, much attention is falling on Privacy Shield 2.0. As a significant trading partner with the US, having Privacy Shield 2.0 in place will likely lead to a stampede of new registrations – and the companies who have retained their certification cruising to Privacy Shield 2.0.
Look it up
CASES:
- Schrems II(Facebook Ireland and Schrems (C-311/18)
LEGISLATION:
LITERATURE:
Read and print a PDF of this article here.
Elaine Morrissey
Elaine Morrissey is a member of the Law Society’s Intellectual Property and Data Protection Law Committee and is data-protection legal counsel at ICON.