EU: New SCCs and some key provisions
On 16 July 2020, the Court of Justice of the European Union ('CJEU') struck down the EU-US Privacy Shield, the framework governing transatlantic transfers of personal data for commercial purposes between the EU and the US. The CJEU judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Decision'), motivated by the principle that 'personal data transfers to third countries cannot be a means to undermine or water down EEA protections,' nonetheless upheld the validity of Standard Contractual Clauses ('SCCs') as a means to ensure an essentially equivalent level of protection for transferred data. Petruta Pirvan, Global Data Privacy Compliance Manager at A.P. Moller-Maersk A/S, discusses how the Schrems II Decision has affected transfers of personal data within and from the EU, and the contents of the European Commission's ('the Commission') draft decision on SCCs for the transfer of personal data to third countries pursuant to the GDPR, together with its draft set of new SCCs.
In the CJEU's view, data exporters are responsible for verifying, in collaboration with data importers and on a case-by-case basis, whether the law or practice of the third country impinges on the effectiveness of the appropriate safeguards provided by the Article 46 transfer tools of the General Data Protection Regulation (EU) 2016/679 ('GDPR'), and whether supplementary measures can be implemented to fill any protection gaps and bring protection up to the level the GDPR requires. The Schrems II Decision did not specify which measures could be put in place, leaving it to exporters to identify them case by case and to be able to demonstrate compliance with the GDPR accountability principle.
The Commission's draft on SCCs for transfer of personal data to third countries
It was in this context, which unsettled the data protection profession, that the Commission launched a public consultation on its latest update to the SCCs. The update reads as a direct response to the points raised in the Schrems II Decision. Under the new draft, four transfer scenarios, reflecting the status of the parties, are introduced through modules, namely:
- controller-to-controller transfers;
- controller-to-processor transfers;
- processor-to-processor transfers; and
- processor-to-controller transfers (in particular where the EU processor combines personal data received from the third-country controller with personal data collected in the EU).
The updated SCCs address the complexity of modern processing chains by combining a set of general provisions with modular provisions. Each module is calibrated to the GDPR accountability requirements and the corresponding party's obligation to demonstrate such accountability. Furthermore, the parties are required to undertake a transfer impact assessment and to produce additional notifications and transparency reports.
The accountability requirements
According to the new draft SCCs, the data exporter and the data importer should be able to demonstrate a comprehensive data protection management programme as an active approach to their accountability obligation in the area of data transfers. Both parties should maintain transfer inventories, tailored and transparent privacy policies, accuracy and data minimisation practices, processes for selecting and managing processors and sub-processors, security policies, storage limitation policies, data breach handling procedures, and processes to continuously monitor, assess, and revise the effectiveness and appropriateness of the programme's controls. The measures appropriate to demonstrate accountability depend on the nature, scope, and purpose of the processing and on the risks to the rights and freedoms of individuals and their severity (the riskier the transfer, the greater the measures needed).

Clause 1 'Data protection safeguards' in Section II 'Obligations of the parties' of the new SCCs draws upon Article 24 of the GDPR by requiring both the data importer and the data exporter to implement appropriate technical and organisational measures. Annex 1B 'Description of the transfer' should be completed to reflect these measures, including those applied to special categories of personal data. The parties to the SCCs should consider encryption during transmission, and anonymisation or pseudonymisation where this does not prevent fulfilling the purpose of the processing. Furthermore, the data exporter and the data importer should actively ensure, and be able to demonstrate, that the processing is performed in accordance with the GDPR, and should review and update those measures where necessary through internal and external assessments such as privacy seals. The new SCCs therefore create a roadmap to accountability for data transfers, with the following checkpoints:
1. Know your transfer
Data exporters should maintain a map of where their data goes. For this purpose, they should make use of the records of processing activities that they are obliged to maintain under Article 30 of the GDPR. When mapping data transfers, the data exporter should consider onward transfers, for instance whether its processors outside the EEA pass the personal data entrusted to them on to a sub-processor in the same or another third country. In line with the GDPR principle of data minimisation, data exporters must verify that the data transferred is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country.
2. Actively and continuously assess if SCCs are the appropriate mechanism of transfer to rely on
Data exporters should assess whether the transferred personal data is afforded a level of protection in the third country that is essentially equivalent to that guaranteed in the EEA. This is not the case if the data importer is prevented from complying with its obligations under the SCCs by the third country's legislation and practices applicable to the transfer. Any relevant laws, in particular laws laying down requirements to disclose personal data to public authorities or granting public authorities powers of access to personal data (for instance for criminal law enforcement, regulatory supervision, and national security purposes), should be taken into account. If these requirements or powers are limited to what is necessary and proportionate in a democratic society, they may not impinge on the commitments contained in the SCCs. In carrying out this assessment, other aspects of the legal system of the third country, e.g. the elements listed in Article 45(2) of the GDPR, are also relevant. For example, the rule of law situation in a third country may be relevant to assessing the effectiveness of the mechanisms available to individuals to obtain (judicial) redress against unlawful government access to personal data. The existence of a comprehensive data protection law or an independent data protection authority, as well as adherence to international instruments providing for data protection safeguards, may contribute to ensuring the proportionality of government interference.
3. Adopt supplementary measures
If the assessment in step two reveals that the SCCs alone are not an effective transfer mechanism, the data exporter, in collaboration with the data importer, must consider supplementary measures to ensure that the transferred data is afforded in the third country a level of protection essentially equivalent to that guaranteed within the EU. In principle, supplementary measures may be contractual, technical, or organisational in nature. Combining several measures so that they support and build on each other may enhance the level of protection and thereby contribute to reaching EU standards.
4. Re-evaluate at appropriate intervals
The data exporter must monitor, on an ongoing basis and where appropriate in collaboration with the data importer, the effectiveness of the SCCs and any developments in the third country that could affect the initial assessment of the level of protection and the decisions taken on that basis. Accountability is a continuing obligation under Article 5(2) of the GDPR.
Transfer impact assessment and criteria for this
According to Clause 2 'Local laws affecting compliance with the Clauses,' paragraph (a):
'The parties warrant that they have no reason to believe that the laws in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses.'
To give such a warranty, the parties must undertake a transfer impact assessment. Paragraph (b) lists the elements that must be considered in that assessment.
These elements are:
- the specificities of the transfer: the data being transferred, the duration of the contract, quantitative and qualitative aspects, the number of actors involved in the transfer chain, and whether the data importer has received requests for disclosure from public authorities;
- the laws of the country of destination applicable to the data importer, and the limitations and safeguards they provide; and
- safeguards such as the technical and organisational measures applied during transmission and to the processing of personal data in the country of destination.
Under the accountability principle analysed above, the parties must document the transfer impact assessment and make it available to the supervisory authority upon request. These stipulations should be read together with the European Data Protection Board's Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data, adopted on 10 November 2020. According to these Recommendations, the assessment of the third country should focus primarily on legislation that is relevant to the transfer and that may undermine its level of protection. In particular, it should be carefully considered whether the legislation governing access to data by public authorities is ambiguous or not publicly available. In the absence of legislation governing the circumstances in which public authorities may access personal data, if the transfer is pursued, relevant and objective factors must be taken into account, as opposed to subjective factors such as the likelihood that public authorities will access the data in a manner not in line with EU standards. The assessment must be conducted with due diligence and documented thoroughly, so as to demonstrate accountability for the decision taken on that basis.
Under the new SCCs there are two types of notification that the data importer must make, to the data exporter and to the data subjects, and one type of notification that the data exporter owes to the regulator. According to paragraph (e) of Clause 2 'Local laws affecting compliance with the Clauses,' the data importer must promptly notify the data exporter if it becomes subject to legal requirements that prevent it from complying with its obligations under the SCCs. In that scenario, the data exporter must decide whether additional measures can fill the gap. If the data exporter decides to maintain the transfer, it must notify the competent supervisory authority, together with an explanation and a description of the measures taken. In addition, paragraph 3.1(a) of Clause 3 'Obligations of the data importer in case of government access request' provides that the data importer must promptly notify the data exporter and, where possible, the data subjects if it receives or becomes aware of a governmental request for disclosure of personal data subject to the SCCs. The data importer must assess the legality of such a request under the law in force in the third country and, where it considers it has grounds, must challenge the request. Where the data importer is prohibited from notifying the data exporter, paragraph (b) obliges it to use its best efforts to obtain a waiver of that prohibition. In responding to such a request, the data importer must disclose the minimum amount of personal data reasonably possible under the order. The data importer must document the request and the steps it took to comply with these obligations.
The data importer must prepare a transparency report to reflect general information about the nature of requests received.
The new SCCs introduce a transparency obligation on the data importer that goes beyond the regular audit reports demonstrating compliance with the requirements of the SCCs. The data importer should regularly provide the data exporter with as much relevant information as possible on governmental requests for disclosure of personal data transferred under the SCCs. Such transparency reports should include the number of requests received, the type of data requested, the requesting authority, whether the request was challenged, and the outcome.
Petruta Pirvan Global Data Privacy Compliance Manager
A.P. Moller-Maersk A/S, Copenhagen