In documents published last week, the EU provided some welcome clarity on how organisations should address the invalidation of Privacy Shield as a basis for exporting personal data from the EU.
On 10 November 2020, the European Data Protection Board (EDPB) adopted recommendations on ‘supplemental measures’, which can be considered to ensure compliance with the EU level of protection of personal data when it is exported from the EU. This follows the earlier European Court judgment (Schrems II) invalidation of the US Privacy Shield as a basis for data export to the US and the questioning of the use of Standard Contractual Clauses as a default mechanism for data export.
On 12 November 2020, the European Commission published for consultation drafts of new ‘Standard Contractual Clauses’ (or SCCs). These update the older (2001 and 2010) SCCs in light of GDPR (which came into force in 2018) and also address the impact of Schrems II.
Whilst last week also saw the election of a new US president and a successful COVID vaccine efficacy trial, the impact of these two policy initiatives is highly significant for any organisation exporting personal data from the EU. They both create a material compliance burden and will increase the pressure on many multi-national organisations to primarily store and process EU personal data in the EU.
EDPB Recommendations on supplementary measures following Schrems II
Whilst the EDPB recommendations were formally ‘adopted for public consultation’, this is a mature draft and so we do not expect further material changes in the near future, although the recommendations may be updated from time to time to take account of new information or rulings.
The recommendations seek to ‘operationalise’ Schrems II and to provide practical guidance for data controllers and processors wishing to export personal data from the EU.
The recommendations suggest that companies follow a six-stage process in relation to the export of personal data from the EU.
Stage 1: Know your transfers
Stage 1 is for data exporters to assess what personal data is transferred outside the EU.
At this stage data exporters should also check that they are only transferring personal data that is adequate, relevant and limited to what is required for the purposes for which it is exported.
Stage 2: Identify the transfer tools you are relying on
Stage 2 is for data exporters to identify how they are ensuring an essentially equivalent level of protection as in the EU for the exported data. This is a three-step assessment:
Adequacy finding by EU Commission
First, if the importing country has been found to provide adequate protection by the European Commission, then the data exporter can rely on this as a basis for data export. As at November 2020, the countries covered are:
- Canada (for commercial organisations)
- Faroe Islands
- Isle of Man
- New Zealand
Despite the UK’s Brexit transition period being due to end on 31 December 2020, there is no firm indication that the UK will have an adequacy finding from 1 January.
For regular and repetitive transfers: tools available
Second, the recommendations make it clear that the derogations set out in Article 49 of GDPR cannot be relied on for ‘business as usual’ regular and repetitive data transfers. Instead, one of the tools listed in Article 46 of GDPR must be used:
- standard contractual clauses (SCCs)
- binding corporate rules (BCRs)
- codes of conduct
- certification mechanism
- ad-hoc contractual clauses
For occasional and non-repetitive transfers: potential derogations
Finally, for exceptional transfers that are not ‘business as usual’, it may be the case that one of the derogations in Article 49 applies. However, these cannot be used to justify ongoing regular data transfers. The derogations are:
- data subject consent
- performance of a contract (or pre-contract steps) with the data subject
- to conclude or perform a contract with a data subject
- public interest
- establishing, exercising or defending legal claims
- to protect the vital interests of a data subject who is unable to consent
- legitimate transfer from a public register
Stage 3: Assess adequacy of identified tool
Stage 3 is to assess whether the law and practice of the data importing country impinge on the effectiveness of the tools used for the transfer.
The assessment should be objective and focus on the legislation of the data importing country by reference to the EDPB European Essential Guarantees recommendation. If the legislation is not available or not clear, then relevant and objective factors must be assessed.
The assessment must be carried out properly and documented thoroughly. The assessment will be disclosable to regulatory authorities and may form the basis of investigations and/or enforcement.
Stage 4: Identify and adopt supplementary measures
If the data exporter’s stage 3 assessment identifies that the law or practice of the country to which data is to be imported impinges on the effectiveness of the data export tool to ensure equivalence, then the data exporter should consider if the deficiency can be addressed through using potential supplemental measures set out in the Annex to the recommendation.
As with stage 3, this consideration needs to be objectively and appropriately investigated and fully documented.
The recommendations make it clear that in some cases it will not be possible to identify adequate supplementary measures. In that case, the consequences are severe:
“Where you are not able to find or implement effective supplementary measures that ensure that the transferred personal data enjoys an essentially equivalent level of protection, you must not start transferring personal data to the third country […]. If you are already conducting transfers, you are required to suspend or end the transfer of personal data. […] the data that you have already transferred to that third country and the copies thereof should be returned to you or destroyed in their entirety by the importer.”
Paragraph 52, EDPB Recommendation (emphasis added)
Stage 5: Process to be followed if effective supplementary measures are to be adopted
Stage 5 requires the data exporter to take any formal steps required to implement adopted supplementary measures.
Stage 6: Periodically review and re-evaluate
Stage 6 requires ongoing monitoring of developments in the country to which data is being exported, and prompt action if the supplemental measures are no longer effective.
New draft SCCs published by EU Commission for consultation
On 12 November 2020, the European Commission published for consultation new Standard Contractual Clauses. The new SCCs take account of both the coming into force of GDPR and the Schrems II decision.
These are subject to public consultation until 10 December 2020.
Once the decision adopting the new SCCs comes into force there will be a one year transition period, during which the older SCCs will remain valid (subject of course to the caveats in Schrems II and the EDPB recommendations).
The new SCCs are modular, and in contrast with prior SCCs deal with all possible transfers between controllers and processors. We will review them in more detail once they are finalised after the consultation.