
New rules on how you protect transfers of personal data outside the EU

  • Global
  • Privacy, data protection and cybersecurity

29-06-2021


We have seen a number of important developments recently, which impact how organisations facilitate the transfer of personal data out of the EU in accordance with the GDPR.

In brief:

  • a new set of official template clauses has been published by the European Commission to help organisations ensure personal data transferred out of the EU is protected – if you are considering implementing them, there are some key dates you should be aware of; and
  • the European Data Protection Board has released final form recommendations to help organisations assess the risks involved in transferring personal data outside the EU, and identify the appropriate supplementary measures to be implemented where needed.

If your organisation is subject to the GDPR and you are transferring personal data outside of the EU, or if your organisation is receiving personal data from within the EU, then you are highly likely to be affected by these developments.

Background

On 7 June, the European Commission’s new standard contractual clauses were published in the Official Journal. In fact, the Commission published two sets of clauses: the first is a template set of clauses for controllers and processors to implement, pursuant to Article 28(7) GDPR; and the second set provides appropriate safeguards for the international transfer of personal data, pursuant to Article 46(2)(c) GDPR. This briefing focuses on the second set of clauses – we will refer to them as the “New Transfer SCCs”.

The New Transfer SCCs have been developed by the European Commission to replace the existing standard contractual clauses (last updated in 2010, under the old European Data Protection Directive 1995 regime). They have also been updated to reflect the GDPR and the judgment in Schrems II, in particular the impact of local law and surveillance powers in destination countries.

The New Transfer SCCs are relevant to your organisation if:

  1. you are subject to the GDPR (either directly or indirectly); and
  2. you transfer, or will transfer, personal data to jurisdictions which are not in the EU or do not have an adequacy decision from the European Commission.

It’s also important to note that the New Transfer SCCs are relevant to you if you are receiving personal data from an organisation in the EU (i.e. you are a data importer) – you may have obligations to fulfil under the clauses too. It’s not a case of it being “all on the data exporter” (a common misconception we are hearing).

If your organisation is not subject to the GDPR, for example if you are based in the UK and solely subject to UK law, then the New Transfer SCCs are currently irrelevant for your purposes. But it’s worth noting that the ICO is expected to publish its own clauses to cover transfers out of the UK later this summer.

Whilst the New Transfer SCCs will undoubtedly be an important tool for many organisations making international data transfers of personal data, they must not be considered in a silo. This is where the European Data Protection Board’s recently finalised Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“EDPB Recommendations”) come in. The EDPB Recommendations are designed to be read in tandem with the New Transfer SCCs and set out a six step plan to help organisations assess third countries and identify appropriate supplementary measures to be implemented on a case by case basis where needed.

What do I do now?

You should first take the opportunity to consider more broadly the international data transfers your organisation is making. Having an accurate and up to date Article 30 record of processing will greatly assist in this exercise. Then, identify which transfer tool(s) you are relying on to ensure your transfers are compliant/protected.

Assuming the New Transfer SCCs are an appropriate tool to protect your transfer(s), you will need to audit all the data transfer agreements you currently have in place (internally and with third parties) and only then – where applicable – ensure that the body of those contracts is updated to refer to the New Transfer SCCs, that the security annex is updated and that the New Transfer SCCs are appended or incorporated accordingly (and are complied with in practice).

In terms of implementing the New Transfer SCCs, there are three key dates to be aware of:

  • The New Transfer SCCs can be used to safeguard transfers from 27 June 2021 onwards.
  • The existing standard contractual clauses will not be repealed for another three months, on 27 September 2021. Until that date, you have a choice of whether to use the existing standard contractual clauses or the New Transfer SCCs to safeguard your transfers. After that date, you must use the New Transfer SCCs.
  • Lastly, where the existing standard contractual clauses are used to safeguard any transfers that continue beyond 27 September 2021, then these must be replaced by the New Transfer SCCs by 27 December 2022.

Next, in this post-Schrems II world, you will need to consider whether your transfer tools are effective in offering an “essentially equivalent” level of protection for data in the place of destination. Do the laws/practices of the third country impinge on the effectiveness of the appropriate safeguards of the transfer tool(s)? Where “problematic legislation” is identified in the destination country, the EDPB recommends that the exporter consider whether it will be applied in practice to the relevant data, taking into account the importer’s experience and sector.

If there are gaps in the level of protection, what supplementary measures can be implemented to address them? The EDPB Recommendations contain a non-exhaustive list of examples of supplementary measures in its Annex 2. If those gaps cannot be plugged, you will need to consider not going ahead with the transfer or suspending it (as applicable).

Then, it’s a case of taking the practical and procedural steps required to implement the relevant supplementary measures. And finally, regularly re-evaluating the level of protection given to the transferred data and repeating the stages above, as needed.

What our international specialists are saying

Marie McGinley: “The New Transfer SCCs and EDPB Recommendations introduce a renewed focus on the principle of accountability in the GDPR and the need to not only comply but demonstrate compliance. These objectives are clear when we consider the steps that will be involved in introducing these New Transfer SCCs (and the applicable Recommendations). Organisations should not underestimate what is required to achieve these objectives, namely to understand their data flows, identify risks, and assess and mitigate these risks. Preparation and planning will be key.”

Nils Mueller: “The New Transfer SCCs certainly solve some headaches from a practical perspective, considering for example the new module on processor-processor transfers and the “docking-clause” concept. However, clients must be aware that this is not a one-time paperwork exercise. A common statement we hear is that “we rely on SCCs, so we are fine”. The transfer impact assessment aspect will certainly cause some new headaches going forward.”

Olaf van Haperen: “The New Transfer SCCs can provide a legitimate mechanism for transferring data to countries outside the EEA, but only if an equivalent level of protection can be guaranteed in practice. Is there no equivalent level of protection in the country of destination? Then companies must take additional measures to ensure this. The EDPB Recommendations provide useful guidance in this respect. Nevertheless, if an equivalent level of protection remains unfeasible, companies might need to consider refraining from transferring personal data. In such cases, the Dutch DPA advises companies to keep their personal data in the EEA. In any case, companies must now examine their international data transfers under SCCs, carry out transfer impact assessments and determine the right course of action.”

Philip James: “The introduction of the New Transfer SCCs represents a fundamental step change and will require a substantial re-papering of existing SCCs before 27 December 2022. The time to start preparing is now. This is almost akin to preparing to comply with EU GDPR when that came into force, should anyone ask for a comparison. It is a great opportunity to refresh and review an organisation’s maturity, not only in terms of its compliance but also its data strategy and risk governance processes. The key is to identify and triage key data flow risks (in and out).”

New Transfer SCCs – summary of changes

The New Transfer SCCs contain similar obligations and restrictions as were in place under the existing standard contractual clauses, but there are also a number of differences. We have summarised the key changes below:

Each change below is followed by the detail of the change and its practical impact.

Broader scope covering new data transfer scenarios

Detail: The New Transfer SCCs have a broader scope of coverage. They are modular in nature, allowing importers and exporters to select the clauses that apply to the type of data transfer(s) relevant to them.

Whereas previously only controller to controller and controller to processor transfers were covered, the New Transfer SCCs include four modules to cover the following types of transfer arrangement:

  i. controller to controller
  ii. controller to processor
  iii. processor to processor
  iv. processor to controller (which assumes the controller is instructing the processor – an issue for another day).

The New Transfer SCCs are now available for processors to enter into directly which was never previously possible, meaning that service providers in the EU can now be proactive in ensuring adequate protection for their customers’ data when they use sub-processors in other jurisdictions.

Practical impact: The intention behind the new modular format is that organisations will be able to put in place transfer safeguards to cover all types of transfers more easily.

However, using the more bespoke New Transfer SCCs will involve a more labour intensive papering exercise, as it will not just be a matter of appending the clauses to a data processing agreement. You will be required to review the New Transfer SCCs and select specific clauses, based on the module relevant to your transfer.

Whilst it is helpful that the New Transfer SCCs cover a wider range of transfers, they have left some critical areas ambiguous. The New Transfer SCCs make clear that they cannot be used if the importer is subject to GDPR. However, they do not clarify whether SCCs are even needed in that situation (i.e. whether this situation counts as a transfer). Recital 7 of the New Transfer SCCs even says that use of the clauses is “without prejudice to the interpretation of the notion of international transfer”, which could be interpreted as an acknowledgement of this grey area.

Application to exporters based outside EU and to reverse transfers (processor to controllers)

Detail: A data exporter no longer needs to be based in the EU to be able to execute the New Transfer SCCs.

The New Transfer SCCs also cover the scenario where personal data is transferred from an exporter based outside the EU to an importer based in the EU, and then transferred back to the non-EU exporter.

Practical impact: This means that exporters based outside of the EU but subject to GDPR may use the New Transfer SCCs when transferring personal data to other entities outside the EU. For example, a US entity transferring data belonging to EU individuals, in its capacity as a controller, to a processor entity based in India.

These new options seek to address the “transfers back conundrum” and put a stop to the creative ‘free drafting’ endeavours previously deployed by lawyers to cover such scenarios.

New Transfer SCCs can be used by multiple parties

Detail: The New Transfer SCCs can be entered into by multiple parties and contain a new “docking clause” enabling additional parties to sign up to the new clauses at any point.

Practical impact: This change will be particularly useful for multi-national organisations with complex intra-group data sharing arrangements. However, the logistics of using the prescribed Appendix and obtaining “agreement of the Parties” may prove to be complicated.

Changes to reflect Schrems II judgment

Detail:

Impact of local laws

Exporters and importers will both need to warrant that they have no reason to believe that the laws and practices in the destination country, including disclosure or surveillance requirements, will prevent the data importer from fulfilling its obligations under the New Transfer SCCs. Further, the importer is required to notify the data exporter if it has reason to believe that it has become subject to any laws that prevent it from fulfilling its obligations.

Transfer impact assessments

A risk-based assessment must be carried out, and made available to the relevant supervisory authority on request. The impact assessment requirement already exists for exporters post Schrems II, but including it in the New Transfer SCCs makes it a contractually enforceable requirement on importers who are not otherwise subject to the GDPR. Interestingly, however, this isn’t an obligation which is enforceable by data subjects.

The impact assessment must (among other things) take account of the laws and practices of the third country of destination, such as those requiring disclosure of / granting access to data to public authorities – and the New Transfer SCCs now make clear that the parties may consider relevant and documented practical experience with prior instances of these requests from public authorities, or the absence of such requests.

Challenging requests from public authorities

The clauses impose new obligations on importers about how they handle requests for personal data from public authorities. The obligations require the importer to notify the data exporter of the request, and to review, document and challenge the request to the extent legally permissible.

Practical impact: Parties will need to assess what (if any) local requirements in the destination country may prevent them from meeting their obligations under the New Transfer SCCs or may contradict them.

You will also need to consider any problematic legislation in light of the EDPB’s Recommendations and determine what supplementary measures may be required.


Audits

Detail: Under the New Transfer SCCs, exporters may consider any audit certifications that the importer has in place when exercising their audit rights against the importer.

Practical impact: This is a positive development for processor importers in particular, and will be most impactful when a processor importer is a third party (as opposed to a group company).

More detailed security measures to be taken and documented

Detail: The New Transfer SCCs are clearer and more prescriptive as regards the practical security measures that need to be in place and set out in Annex II for compliance.

Practical impact: Whilst this is a positive change for organisations seeking clarity on security measures taken to protect personal data, the prescriptive requirements could also be detrimental to those organisations satisfied with their existing security measures and reluctant to make changes.

New Transfer SCCs prevail over other commercial terms but unclear as to whether liability can be limited

Detail: The parties may supplement the New Transfer SCCs with additional obligations, as required for the relevant data transfer arrangement. However, in the event of a conflict between the New Transfer SCCs and any other terms agreed between the parties in respect of the transfer, the New Transfer SCCs will prevail.

The New Transfer SCCs echo the joint and several liability provisions already contained in Article 82 GDPR. However, the New Transfer SCCs are silent on whether a cap/limit on liability (between the parties) would “contradict” the provisions of the New Transfer SCCs.

Practical impact: The prevalence of the New Transfer SCCs over other commercial terms agreed between the parties provides a level of certainty. However, limitation of liability is likely to continue to be hotly negotiated by parties to data transfer arrangements given the lack of clarity provided.