Companies have three months to prepare to use the latest standard contractual clauses for new data transfers, and 18 months to migrate existing arrangements.
On 4 June 2021, the European Commission released its much-anticipated final Implementing Decision containing the new standard contractual clauses (SCCs) for the transfer of personal data to third countries, which will enter into effect on 27 June 2021. Organisations may continue to use the existing SCCs until 27 September 2021, after which time the new SCCs must be used for relevant new data transfers. Organisations have an 18-month grace period (until 27 December 2022) during which they must migrate any existing SCC arrangements to the new SCCs.
The new SCCs differ little in substance from those in the draft Implementing Decision, which was published in November 2020, though many of the changes suggested by the European Data Protection Board (EDPB) and the European Data Protection Supervisor in their January 2021 Joint Opinion have been incorporated. (For more information, see Latham’s blog post “The Commission’s Draft Updated Standard Contractual Clauses — A Close Look.”)
As predicated by the drafts, the new SCCs:
- More closely mirror the General Data Protection Regulation (GDPR) (e.g., in relation to transparency, accuracy, and data minimisation obligations)
- Address certain requirements set by the Court of Justice of the European Union (CJEU) in its Schrems II ruling (e.g., obligations to assess the destination country’s legal regime, and in relation to data disclosure requests)
- Include mandatory data processing terms under Article 28 GDPR
- Can be used for processor-to-processor and processor-to-controller transfers, which were gaps in the previous SCCs
- Can be relied upon by non-EU established data exporters, to the extent the processing is subject to the GDPR pursuant to the extraterritorial reach of Article 3(2) GDPR
The new SCCs make up one part of the currently tumultuous personal data transfer landscape. Following the CJEU’s Schrems II judgement in July last year, and the EDPB’s subsequent draft recommendations on supplementary measures for data transfers from the EEA (recently published in final form; see below), organisations have faced significant practical challenges in risk assessing their data transfers. Adding to this complex picture are recent Schrems II investigations and enforcement actions (e.g., in France, Germany, and Portugal); the ongoing negotiations for an enhanced EU-US Privacy Shield mechanism; and the UK ICO’s stated intention to publish UK-specific SCCs later this year. The adoption of the UK adequacy decision on 28 June has provided some certainty in relation to data transfers to the UK.
The key practical changes resulting from the new SCCs that both data exporters and data importers should be aware of include:
Destination country’s legal regime. The SCCs require all parties to warrant that “they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses”.
The SCCs identify specific elements that parties must take into account in providing this warranty. These elements include:
- “[T]he specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred”
- Relevant laws and practices of the destination country
- Relevant safeguards in place to supplement the SCCs
The parties’ assessment of the risks of the data transfer must be documented and made available to supervisory authorities upon request.
The draft SCCs had envisaged that “any relevant practical experience with prior instances, or the absence of requests for disclosure from public authorities received by the data importer for the type of data transferred” could be considered when assessing the laws of the destination country. While the Commission removed the reference to the so-called subjective factors from the substantive clause of the new SCCs, it provided a guidance footnote that states, “Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests”. The Commission has applied certain conditions — described in the Implementing Decision as “strict conditions” — on organisations seeking to rely on such factors, including that the “practical experience” cover a sufficiently representative timeframe; that other relevant, “objective” elements support the practical experience; and that other information, case law, or independent reports corroborate and do not contradict the practical experience.
Although the so-called subjective factors were demoted from the substantive terms of the SCCs, it remains helpful that these factors are explicitly referenced in a guidance footnote and may still be relied on in practice by organisations in their data transfer impact assessments.
Obligations on the data importer in the event of a government access request for disclosure of personal data. The SCCs contain extensive obligations on data importers in relation to disclosure requests from public authorities, including:
- Notification to the data exporter
- Use of best efforts to obtain a waiver of any prohibition on notifying the data exporter
- Provision of regular information on requests to the data exporter
- Assessment of the legality of disclosure requests
- Raising of challenges to requests
- Minimisation of data disclosure
These obligations have been relaxed slightly compared to the drafts but remain potentially onerous in practice.
Technical and organisational measures. The SCCs require specific information on technical and organisational measures in place to keep the transferred personal data secure, and include an explicit requirement for ongoing monitoring of the sufficiency of those security measures. A description of the specific technical and organisational measures taken by the processor/sub-processor to assist the controller/exporter is also required (e.g., assistance with data breach notification).
Broadly, the enhanced contractual safeguards included in the SCCs will increase the likelihood that reliance on the SCCs will be sufficient for GDPR-compliant data transfers in many cases, without the need for additional technical supplementary measures. However, the sufficiency of the SCCs, and the nature of any additional supplementary measures required, depends on the outcome of each specific transfer impact assessment. The Commission acknowledges in its Implementing Decision the potential need for the SCCs to be accompanied by supplementary measures, where necessary, to ensure an adequate level of protection for the transferred data, which may include encryption in certain circumstances.
EEA and UK data transfer divergence. Organisations may not rely on the new SCCs as a data transfer mechanism under the UK data protection regime (which consists of the UK GDPR and the Data Protection Act 2018), and should instead continue to rely on the previous SCCs. The ICO has stated that it intends to release SCCs for UK GDPR data transfers later this year (together with its own guidance on compliance with Schrems II requirements), and is considering the new SCCs in that context.
The EDPB adopted its final Recommendations on supplementary measures on 18 June 2021 (Recommendations), following a consultation period in 2020. In its draft Recommendations, the EDPB described the “practical experience” factor (above) as “subjective”, and stated that subjective factors should not be considered in assessing the essential equivalence of the destination country. In its final Recommendations, the EDPB acknowledges that the data importer’s practical experience (e.g., prior experience of public authority disclosure requests) may, in fact, be taken into consideration when defining and assessing the third country laws and practices that are applicable to the transfer. Specifically, the EDPB identifies three circumstances in which it considers an examination of public authority practices to be important in the assessment of the destination country legal regime (in addition to an examination of applicable legislation):
- Applicable legislation formally meets relevant EU standards. However, the practices of relevant public authorities “may clearly indicate that they do not normally apply/comply with the legislation that governs, in principle, their activities”. In this case, the EDPB states that these practices must be taken into account, and that “adequate supplementary measures” will be required in order to appropriately protect the transferred data.
- There is an absence of relevant legislation governing public authority access to data. In this case, the EDPB calls for an examination of any practices in the destination country that are incompatible with the relevant data transfer safeguard or with EU data protection standards. If so, the EDPB states that, “adequate supplementary measures” will be required in order to appropriately protect the transferred data.
- Applicable legislation is “problematic” and the transferred data and/or the data importer fall or may fall within the scope of this problematic legislation. The EDPB defines as problematic, legislation that “1) imposes on the recipient of personal data from the European Union obligations and/or affect the data transferred in a manner that may impinge on the transfer tools’ contractual guarantee of an essentially equivalent level of protection and 2) does not respect the essence of the fundamental rights and freedoms recognised by the EU Charter of Fundamental Rights or exceeds what is necessary and proportionate in a democratic society to safeguard one of the important objectives as also recognised in Union or EU Member States’ law, such as those listed in Article 23 (1) GDPR”.
In this third circumstance, the EDPB recognises that the data importer’s practical experience can be considered when assessing whether or not the problematic legislation applies to the particular data transfer and/or importer in question. If the outcome of that assessment is that there is no reason to believe that the problematic legislation will, in practice, be applied to the transfer, then supplementary measures will not be required to address that problematic legislation.
The Recommendations impose certain conditions on the use of information garnered by the importer’s practical experience, similar to the conditions imposed by the SCCs. For example, the importer must not be prohibited from providing relevant information on disclosure requests; the practical experience must be documented and the assessment endorsed by the exporter’s legal representatives; the practical experience should be corroborated and not contradicted by relevant, objective, reliable, verifiable, and publicly available or otherwise accessible information.
The recognition that the importer’s practical experience may be considered aligns the Recommendations more closely with the new SCCs on this issue. This recognition is helpful to organisations facing a potentially complex and onerous transfer impact assessment exercise, notwithstanding the various conditions applied and that the Recommendations note “the absence of prior instances of requests received by the importer can never be considered, by itself, as a decisive factor on the effectiveness of the Article 46 GDPR transfer tool”.
In relation to supplementary measures, the EDPB’s position adopted in the final Recommendations has not changed significantly since last year’s drafts. The Recommendations maintain an emphasis on technical measures over contractual and organisational measures, with the EDPB stating that “there will be situations where only appropriately implemented technical measures might impede or render ineffective access by public authorities in third countries to personal data, in particular for surveillance purposes”. The Recommendations focus on the use of encryption as a potential technical solution, and the EDPB has maintained its view that, in order to be effective, the encryption arrangements must be such that the data recipient never has access to, or the ability to access, the unencrypted data or the encryption keys.
In this context, the Recommendations rely upon the CJEU’s decision in Schrems II to conclude that, based on the US surveillance regime (particularly Section 702 of the Foreign Intelligence Surveillance Act, FISA), the United States does not meet the essentially equivalent standard. Therefore, according to the Recommendations, if FISA Section 702 is applicable to a data transfer (determined using information that may include the importer’s practical experience of FISA Section 702), the EDPB’s position effectively precludes any practical supplementary measures for the majority of US-based cloud services arrangements or global, intra-group data sharing with a US nexus if there is a need for data access in the US to operate the relevant business or its services (at least in the context of today’s most commonly available encryption technology). (For more information, see Latham’s blog post “The EDPB’s Draft Data Transfer Guidance Following Schrems II — A Close Look.”)
Ultimately, the relevant courts will make decisions on the compliance of particular data transfers with the GDPR, taking into account the SCCs as a legally binding mechanism. How much weight the courts will give to the non-binding Recommendations remains to be seen.
Implementing the new SCCs is unlikely to be a purely administrative task. The 18-month grace period is helpful (increased from the 12-month period in the drafts), though it is not necessarily a comfortable timeframe given the extensive practical implications of the SCCs. Organisations should consider the following practical steps:
- Prepare to include the new SCCs in relevant new contracts from the end of the initial three-month period and replace copies of or references to the previous SCCs with the new SCCs in relevant standard forms and templates
- Conduct an audit and map data transfers and applicable roles (i.e., controller, processor, sub-processor) to scope the new SCC migration and compliance exercise; identify critical or high-risk relationships for priority migration to the new SCC terms
- Conduct and document the transfer impact assessments / risk assessments required by the SCCs; implement any supplementary measures (e.g., additional contractual terms, enhanced encryption) identified during the risk assessment
- Identify and document the additional information required to complete the new SCCs form (e.g., the roles of each party; safeguards for any sensitive data transferred; transfer frequency; data retention periods; specific detail on technical and organisational measures; and authorised sub-processor details (if relevant))
- Consider whether the structure and parties of existing intra-group transfer agreements need to be refreshed, in addition to replacing the SCC terms; for example, processor-to-processor and/or processor-to-controller terms may be required, and sub-processing and onwards transfer provisions may need to be updated
- Map and review relevant agreements in the data supply chain (e.g., data processing agreements, master services agreements) to identify where new SCC obligations may need to be flowed-through into sub-processing, onwards transfer, or other arrangements; for example, processors may need to enter into process-to-processor SCCs with sub-processors
- Implement or enhance vendor diligence processes to capture additional technical and organisational measures or supplementary safeguards, and to flow-down relevant SCC obligations (e.g., obligations in relation to disclosure of information to public authorities, data breach notification)
- Implement or update relevant data governance and transparency documentation (e.g., disclosure request handling and notification procedures; regular reporting on disclosure requests to data exporters; and data governance documentation evidencing SCC compliance, in a form that may be disclosed to other parties and supervisory authorities); refresh privacy policies with SCC-required transparency information; and update records of processing as required