Monday, 23 November 2020

International Data Transfers: Our Insights on the New Standard Contractual Clauses and Supplemental Measures

The European Commission has been under intense pressure for years to upgrade its suite of standard contractual clauses (“SCCs”) for international data transfers – not least to update them in light of the new requirements set out in the General Data Protection Regulation (GDPR).

Finally, on 12 November 2020, the Commission issued its draft new clauses for consultation. This much-needed upgrade to the SCCs now feels very close! Of course, for those of us in the UK, the future of international data transfer compliance is still at the mercy of Brexit negotiations and UK government policy, so may perhaps still be some way off. However, for now, let’s assume that we will continue to use SCCs in some form to justify data transfers.

The SCCs are one of the most popular compliant international data transfer tools available to organisations that export personal data out of the European Economic Area (EEA). Most organisations hoped simply to sign them and assume that their international data transfer was approved, so that they could get on with the day job. In reality, it was never that simple from a legal perspective, but practically, the SCCs were definitely some help.

Two further things spoiled the cosy fiction that SCCs were an easy way forward:

1. The GDPR
Until this new consultation version of the SCCs, there had been no attempt to update them in line with the new GDPR requirements (including its new data protection principles). Nor had the SCCs been updated to deal with the new world of perfectly standard international arrangements. For example, SCCs didn’t cover:
  • A UK cloud services provider that was outsourcing its backup to a non-EEA company (such as one based in the USA or India).

  • A UK company that was processing a non-EEA company’s personal data before sending it back to them.

2. Schrems II
The European Court of Justice (“ECJ”) left the SCCs somewhat up in the air. In simple terms, they intimated that companies should crack on and continue to use the SCCs (even though they’re clearly out of date). Simultaneously, they reminded companies that they mustn’t forget to check that the law and practice in whatever jurisdiction they were sending the personal data to offered protection that was “essentially equivalent” to the protection for individuals in the EU. Cue thousands of businesses scratching their heads about how to carry out what amounts to a mini-version of what the Commission takes years to do, when considering issuing an adequacy decision.

Upgrading the SCCs for the GDPR

To help organisations to navigate both of these developments, the European Commission has now released its draft SCCs for consultation. (The consultation period closes on 10 December 2020 if you are interested in putting your views forward.) When the Commission has finalised these SCCs, it is intended that they will replace the existing versions.

The new SCCs won’t, however, automatically apply, so organisations will need to endure the excruciating process of upgrading all of their contracts that currently rely on SCCs, to include these new clauses. The Commission has suggested a one-year grace period, but we know that’s not long in practice. Do let us know if we can help to ease the pain for you!

Some things to bear in mind:

1. The SCCs are still in draft form.
The SCCs might still change, and we don’t know exactly when the final version will be launched. So, although it might be good to get ahead and start prepping for the contract change process that you will need to carry out, it is probably worth holding on for the final version before starting your contract negotiations in earnest. Given the one-year grace period, you may also want to schedule specific negotiations around rolling contract renewal dates with various suppliers, stakeholders, etc.

2. What impact will Brexit have?
Hopefully, we will get clarity soon (!) on what the application of the SCCs will be for organisations that are in the UK, or processing the personal data of UK individuals. It’s possible that the UK will create its own version of the SCCs that would look broadly similar and help to support any EU/UK adequacy decision that was being negotiated. However, if there’s no Brexit deal, all bets will be off and the UK government’s focus may not be on the SCCs. That will mean that more delay (and chaos) is likely. Keep an eye out for updates!

3. The new SCCs will need to be completed in full.
The original SCCs were often poorly implemented in practice, usually because organisations didn’t fill in the blanks properly. The new SCCs reiterate, and perhaps place more emphasis on the point, that organisations must properly understand their data flows, document them clearly (both in the SCCs and in their privacy notices to individuals) and agree technical and organisational measures. Without understanding and inserting full details, the SCCs will not actually be complete or valid.

4. The data importer will need to be upskilled.
The new SCCs emphasise that the non-EEA data importer must fully understand its obligations under the GDPR (e.g. in relation to data minimisation, data retention, onward transfer, transparency, etc.). Organisations should therefore start considering whether those non-EEA data importers are actually ready for that in practice. For example, consider how you would confirm whether the data importer had full understanding of its obligations and how you would ensure that they were upskilled. If the exporter cannot confirm this to its satisfaction, it is possible that a transfer to that importer would not be valid. Remember: this assessment is required before the data transfer, and on an ongoing basis.

5. There will need to be an assessment of the law and practice of each jurisdiction to which data is transferred.
You can’t just sign the SCCs and get on with business. The EEA-based organisation (or data exporter) must now properly assess the law and practice of each of the jurisdictions that the personal data is being transferred to. Remember: this does not mean just considering the jurisdiction of the organisation that you have a direct relationship with, but also requires consideration of any onward international transfers of your data to its sub-contractors, etc.

Many things will need to be considered here. For example:
  • How on earth would you do this assessment in practice? The European Data Protection Board (EDPB) has provided a much-needed steer – see the “Supplemental measures” section below for its recommendations. At this point, how helpful the EDPB’s process is in practice remains to be seen.

  • Thankfully, under the SCCs, the data importer is obliged to help you out. The importer must tell the data exporter how the various GDPR requirements and fundamental rights of EU citizens (like privacy!) interact with its local law and practice on how personal data is handled in its country. In particular, it must state whether government authorities might be able to access the personal data. We expect that importers will start creating their own assessments that they can share with exporters.

  • Don’t forget that you have to make this assessment before you transfer any personal data. You must also regularly re-evaluate whether the assessment should change (i.e. if the data-processing activities or flows have changed in practice).

  • If your assessment suggests that the law and practice will not offer adequate protection for individuals, you must consider supplemental measures. See the “Supplemental measures” section below for comments on the EDPB’s recommendations.

  • If all that fails (when looked at objectively, of course – not just on the basis of how you perceive the risk), you must not start transferring personal data, or you must cease the transfer and ensure that any data that has been transferred is returned or destroyed.

6. Sub-processor scenarios are enabled.
The old SCCs did not cover any processing by a processor’s sub-processor. This has created many compliance difficulties, with many organisations and EU data protection regulators taking or expecting a fudged approach to compliance in this scenario.

By way of example, if a UK organisation contracted with a UK service provider, who further sub-contracted some processing (e.g. cloud backups) to an organisation outside the EEA, that service provider would have no obvious transfer mechanism to enable compliant international transfer. The point of the old SCCs was that the controller must maintain a direct contractual relationship with any organisation that is processing its personal data outside the EEA, and therefore individuals’ rights were protected. However, that did not reflect the reality of how modern organisations work.

Under the modular approach of the new SCCs, sub-processing scenarios are explicitly enabled. They create a mechanism that enables a processor to agree the SCCs with its sub-processors. This is extremely welcome, and should put an end to some rather jerry-rigged practices that are currently very common.

7. The new SCCs can be used when processors send data back to non-EEA controllers.
Previously, to be technically compliant, an EU processor would need to use an appropriate data transfer mechanism when sending personal data back to a non-EEA controller that had shared it with them in the first place. That data flow scenario is now catered for – see Module 4 of the new SCCs. The clauses are much simpler in this scenario, even more so if the EEA processor does not combine the non-EEA data with EEA personal data.

8. Multiple parties can sign up.
Once you have the SCCs in place, you can now more easily add and remove parties to reflect changing commercial realities. For example, a processor can add new controller entities, or a controller can add new processors to one set of SCCs. How this will be used in practice will be interesting. For example, will a cloud services provider really add each new controller customer to its SCCs (and remove them when they exit)?

Supplemental measures

As we mentioned above, if you assess that the international transfer mechanism that you have chosen might not be adequate, and you still want to make the transfer, the ECJ and now the EDPB are very clear that you still have work to do. You need to assess the jurisdiction’s law and practice to ensure that it offers “essentially equivalent” protection to individuals as they have under the GDPR in the EU. If that assessment falls short, you then need to establish what “supplemental measures” might adequately plug the gap. That’s no easy task. After all, it takes the European Commission years to make its own adequacy decisions, and these are essentially the same test.

On 12 November 2020, the EDPB, as if by magic, heard our pleas and issued its recommendations. These didn’t just cover how to assess “essential equivalence”, but also set out a process to follow, and suggested “supplemental measures” that organisations can use if their assessment falls short of the mark. These include:
  • Technical measures such as data minimisation, access control, restrictions on onward transfer and encryption (with proper encryption key management by the exporter).

  • Organisational measures such as training, processes and procedures, committees, regular audits and reviews, and specific contract terms (for example, to oblige the importer to inform the exporter about any likely risks of access by an authority, etc. and to provide a get-out if the regulatory playing field changes).
It is important to note that the EDPB’s supplemental measures are stated to be non-exhaustive examples only. They can therefore be mixed and matched. You may choose to use one measure, or many – whatever it takes for you to make an objective assessment that the transfer mechanism that you have chosen offers “essentially equivalent” protection to individuals.

As discussed above, if that objective assessment of those supplemental measures falls short, you must not start to transfer personal data, or if you have already been transferring data, you must cease to do so and ensure that any such data is returned or destroyed.

The EDPB gave some “use cases” where it felt that supplemental measures could plug the gap. Interestingly, it also set out some “use cases” where it felt that supplemental measures were unlikely to be sufficient. Those latter cases seem to relate to pretty standard scenarios (like a cloud provider accessing data in a jurisdiction where government authorities can access data without adequate controls). Given the court’s decision in Schrems II, these “use cases” aren’t a surprise, but it shows that organisations will need to think carefully when deciding when to send data abroad – particularly to the USA.

We hope that the Information Commissioner’s Office (ICO) will issue its own expanded guidance on these issues shortly – and give us more of a steer on the actual assessment of individual jurisdictions. Again, this may be delayed or the guidance muddied due to waiting for Brexit and adequacy decisions.

If you need help carrying out international data transfer assessments, documenting whether appropriate supplemental measures are in place or drafting your contracts to ensure compliant international data transfers, please get in touch.

Friday, 17 July 2020

Court Decision Affects How Businesses Transfer Data to the USA

The European Court of Justice (ECJ) has today delivered its verdict on a long-running case between Facebook Ireland and Max Schrems, an Austrian lawyer and privacy activist. For many businesses that transfer personal data from the EU to the USA, and indeed to many other jurisdictions outside the EU, this decision has fundamental impact.

Validity of Privacy Shield

The court decided that the EU–US Privacy Shield (Privacy Shield) was no longer valid, on the basis that the US regulatory regime does not adequately protect EU citizens’ data rights. US legislation allows US government agencies to have access to EU personal data, for example, when running surveillance programs. The court found that the USA offered inadequate protection of EU citizens’ rights, and no effective rights or legal remedy in the USA. Crikey! Any businesses relying on the Privacy Shield should look at their situation urgently, and decide how best to manage transfers from the UK/EU to the USA.

Validity of SCCs

The court also considered the validity of the EU’s standard contractual clauses (SCCs) for transfers of EU personal data outside the EU and made the following findings:

  • The SCCs were valid, but it was for the parties transferring the personal data to assess the adequacy of the regulatory regime in the non-EU jurisdiction (in particular, the recipient organisation must tell the data exporter whether the local laws allow it to comply with the SCCs!).
  • If the guarantees contained within the SCCs were not upheld, data protection regulators like the UK’s Information Commissioner’s Office (ICO) should suspend the data transfers that rely on them.
Gulp! Businesses using the SCCs need to conduct a review of the local regulatory regime wherever they (or indeed their sub-contractors or their sub-contractor’s sub-contractors…) are processing their personal data.

This, of course, is not an easy task: European regulators take years to assess whether a country’s data protection regime is adequate!

Concerns

If the court saw fit to invalidate the Privacy Shield on the grounds that the US regulatory regime offered inadequate protection, does that mean that any analysis of the US regime for the purposes of using the SCCs fails, too?

The Irish Data Protection Commission is certainly looking to explore that question. In its reaction to the court’s decision, it stated, “the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” The Hamburg Data Protection Commissioner has also offered many helpful observations.

However, it may take time to get a definitive answer: so far, we haven’t seen any guidance from the European Data Protection Board, and the ICO has only issued a preliminary holding statement.

The court kindly pointed out that there are other mechanisms for international transfers (such as where they are necessary for a contract, or based on the consent of each individual, etc.), but that is little help to businesses conducting large-scale, ongoing or regular transfers of personal data, or where consent simply isn’t practical (especially given that obtaining consent that complies with the General Data Protection Regulation (GDPR) is itself a tricky task).

Our thoughts

The ECJ’s verdict is not unexpected, especially given ongoing criticism of the Privacy Shield by various EU bodies in recent months.

However, it is, of course, disappointing for the European Commission, who have to start again to find a new solution; for the affected US companies themselves; and for all those organisations who rely on services or business involving the USA.

So, what next? Well, before panic sets in, remember that we have been here before. Back in 2015, Max Schrems’ earlier legal challenge against Facebook Ireland led to the invalidation of the previous EU–US Safe Harbor Framework (the predecessor to the Privacy Shield). It wasn’t the end of the world then, and it is unlikely to be now.

In 2015, EU regulators were sympathetic in the aftermath of the decision, and gave organisations some time to put in place other compliance measures (mostly the SCCs). Almost immediately, work also began to craft a new EU–US-compliant mechanism, which evolved into the Privacy Shield. It is likely that similar approaches will follow over the coming months.

What is clear is that a better mechanism will be needed this time around, to avoid more legal challenge and uncertainty for businesses. It is likely that most organisations will now turn to SCCs for, at the very least, an interim solution.

However, those SCCs are not in great shape: they have yet to be updated for the GDPR and there are countless other issues with them, given how dated they are. New versions have been worked on for some time, so what next? Wait for new SCCs to be published (but risk non-compliance in the meantime) or scrabble around to put new terms in place ASAP, knowing they will need to be changed again before long? It’s not an easy decision to make!

Alternatives to SCCs

Organisations must bear in mind that they will now be expected to consider whether the data protection regime adequately protects the data rights of EU individuals in the USA, or any other jurisdiction outside the European Economic Area (EEA) with no adequacy decision, for that matter.

And let’s remember: the UK comes out of the Brexit transition period on 1 January 2021. Businesses need to keep an eye on whether the EU will decide if the UK is an adequate jurisdiction and therefore whether the EU will enable free flows of personal data to the UK. As part of those developments, we will all need to monitor how UK data protection law evolves, once the UK has worked out how to take back control and retain a data protection regime that is sufficiently similar to the EU to enable businesses to continue free flows of personal data!

Now could be a good time to consider some alternatives to SCCs:
  • We’ve already received approaches in relation to whether binding corporate rules (BCRs) are the new golden ticket and need serious consideration now. We wonder whether BCRs will be worth the effort, though, if the USA can’t offer adequate protection to EU citizens without some serious changes to their regime.
  • What extra safeguards can you put in place in addition to the SCCs? Are there ways to bolster the SCCs themselves by adding clauses that go above and beyond the base set of provisions? Is there a way to limit the personal data being processed in the USA? Suppliers are already making offers – some as quickly as the very day of the ECJ’s verdict – of fully contained EU data solutions that don’t depend on transfer to the USA at all.
  • Remember that there are other ways to transfer data internationally – particularly if you only send personal data occasionally or it’s for a specific contract with the individual (like a foreign hotel booking).

Next steps

Sadly, it’s time to pull the contracts out of the drawer – again.

We understand that there will be a lot of uncertainty in light of the judgment, so if you need any advice about your organisation’s approach to transferring personal data to and from the USA, or indeed other jurisdictions outside the EU, please don’t hesitate to contact us at Pritchetts for advice on next steps.