Reform of Standard Contractual Clauses and new Guidance on Supplementary Measures announced
Thursday, 19 November 2020
Last week, the European Commission (Commission) published draft standard contractual clauses for transfers of personal data from the European Union to third countries (proposed SCCs). These have been long awaited in light of modern requirements of the digital economy, international trade and the recent Schrems II judgment of the Court of Justice of the European Union (CJEU). See our article of 17 July on the judgment.
The Commission also published standard contractual clauses that can be used by controllers when engaging processors located in the European Union (Article 28 Clauses).
Two days prior, the European Data Protection Board (EDPB) adopted two draft sets of recommendations in relation to (i) measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Recommendations) and (ii) European Essential Guarantees for surveillance measures (EEGs). Both documents were adopted in response to the Schrems II ruling.
1. Proposed Standard Contractual Clauses
1.1 Consultation Period/Implementation
The proposed SCCs are currently open for public consultation until 10 December 2020. It is expected that the proposed SCCs will replace the prior SCCs and will apply from the date of adoption for all new (and revised) contracts dealing with data transfers outside the EEA following that date. The Commission’s draft implementing decision accompanying the proposed SCCs indicates that businesses will have one year to replace their existing arrangements.
In addition to controller-to-controller and controller-to-processor SCCs, the proposed SCCs also deal with processor-to-processor and processor-to-sub-processor arrangements, which is a welcome development. Additional parties can also accede to the contract at a later stage as either a data importer or a data exporter, once the existing parties have agreed to this.
1.2 Enhanced obligations in light of GDPR and Schrems II
The current SCCs pre-date the GDPR so the proposed SCCs reflect the enhanced transparency requirements and data subject rights introduced by the GDPR. They also incorporate the requirements on data exporters and data importers identified by the CJEU in Schrems II to ensure an adequate level of data protection applies in the country of the non-EEA data importer (i.e. which is ‘essentially equivalent’ to the level of protection afforded to data subjects under EU law).
Where the SCCs are used (and in light of Schrems II), each party is required to carry out a documented risk assessment which takes due account of (i) the specific circumstances of the transfer, (ii) the laws of the destination third country in light of those circumstances, and (iii) any safeguards and measures supplemental to those in the proposed SCCs (including technical and organisational measures) which may need to be applied. These are onerous requirements for data exporters/controllers and will be mandatory once the proposed SCCs come into effect.
2. EDPB’s Recommendations on supplementary measures for international transfers and European Essential Guarantees
2.1 Recommendations on supplementary measures
The EDPB’s Recommendations seek to serve as practical guidance for controllers and processors in meeting their obligations as identified in Schrems II. In that judgment the CJEU held that there would be circumstances in which the safeguards contained in the SCCs alone would not be sufficient. In such cases, data exporters must identify and implement measures supplementary to the SCCs in order to ensure effective compliance or, where this is not possible, cease transferring the data in question.
The Recommendations propose a step-by-step approach to ensuring that international data transfers remain subject to an adequate level of data protection at all times:
Step 1: Map international data transfers.
Step 2: Identify the international data transfer mechanism under GDPR, such as SCCs under article 46.
Step 3: Assess the law or practice of the third country and whether the transfer mechanism such as SCCs will be effective in light of the circumstances of the transfer.
Step 4: Identify and adopt supplementary measures.
If Step 3 reveals that the transfer mechanism will not be effective on its own, it will be necessary to identify and implement measures supplementary to the appropriate safeguards set out in Article 46 of the GDPR. Supplementary measures may be contractual, technical or organisational in nature.
The Recommendations provide a non-exhaustive list of supplementary measures such as:
- Technical measures, e.g. encryption, pseudonymisation, or splitting processing by transferring to separate data importers in such a way that neither can reconstruct the personal data in whole or in part.
- Contractual measures, e.g. ‘enhanced’ SCC terms between the parties which could mandate the use of certain technical measures, or transparency obligations on the data importer concerning the level of access by public authorities and the measures taken to mitigate such disclosure.
- Organisational measures, e.g. internal policies governing international transfers, documenting access requests from state authorities, or adoption of trusted data security and data privacy policies based on recognised EU or international standards such as ISO.
The Recommendations note that contractual and organisational measures alone are unlikely to prevent access to personal data by public authorities of the third country. Such access came under scrutiny in Schrems II (in relation to US surveillance law) and more recently in Privacy International (in relation to the UK’s national security regime), where the national security laws in question proved problematic for compliance with EU data protection and privacy law.
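To make concrete what the Recommendations mean by technical measures that the importer cannot undo, the following is an added illustration (not part of this article or of the EDPB’s own text) of two of the listed measures, pseudonymisation and split processing. It assumes a hypothetical scenario: an EEA exporter sends health records to two importers in a third country; the pseudonymisation key, the re-identification table and the recombination step remain with the exporter. The record data, class and function names are all constructed for the example.

```python
"""
Added example of EDPB-style 'technical measures' (pseudonymisation and
split processing). Not the EDPB's or the article's own code; the scenario,
records and names are hypothetical.
"""
import hmac
import hashlib
import secrets

# Constructed sample records (not real data).
RECORDS = [
    {"patient_id": "IE-000123", "diagnosis": "asthma"},
    {"patient_id": "IE-000456", "diagnosis": "hypertension"},
]


class Exporter:
    """EEA-side party: holds the only copies of the key and the lookup table."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # never leaves the exporter
        self._table = {}                      # pseudonym -> real identifier

    def pseudonymise(self, identifier: str) -> str:
        """Keyed (HMAC-SHA256) pseudonym: stable for the same identifier under
        the same key, but not reversible without the key, which the importer
        never receives. The mapping is retained by the exporter only."""
        pseud = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self._table[pseud] = identifier
        return pseud

    def reidentify(self, pseud: str) -> str:
        return self._table[pseud]

    @staticmethod
    def split(payload: bytes):
        """2-of-2 XOR secret sharing: share_a is uniformly random and
        share_b = payload XOR share_a, so each share on its own is independent
        of the payload. Reconstruction needs both shares."""
        share_a = secrets.token_bytes(len(payload))
        share_b = bytes(p ^ a for p, a in zip(payload, share_a))
        return share_a, share_b

    @staticmethod
    def combine(share_a: bytes, share_b: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(share_a, share_b))


def transfer(records, exporter):
    """What each importer receives: importer 1 gets pseudonym + share A,
    importer 2 gets pseudonym + share B. Neither gets the key or the table."""
    to_importer_1, to_importer_2 = [], []
    for rec in records:
        pseud = exporter.pseudonymise(rec["patient_id"])
        a, b = exporter.split(rec["diagnosis"].encode())
        to_importer_1.append({"pseud": pseud, "share": a})
        to_importer_2.append({"pseud": pseud, "share": b})
    return to_importer_1, to_importer_2


def exporter_view(to_importer_1, to_importer_2, exporter):
    """Exporter-side reconstruction: recombine the shares and re-identify."""
    out = []
    for r1, r2 in zip(to_importer_1, to_importer_2):
        if r1["pseud"] != r2["pseud"]:
            raise ValueError("shares do not belong to the same record")
        out.append({
            "patient_id": exporter.reidentify(r1["pseud"]),
            "diagnosis": exporter.combine(r1["share"], r2["share"]).decode(),
        })
    return out


def importer_sees_no_plaintext(to_importer, records) -> bool:
    """Exporter's pre-transfer check, run against one importer's payload:
    no real identifier and no plaintext value appears in what is sent."""
    for sent, rec in zip(to_importer, records):
        if sent["pseud"] == rec["patient_id"]:
            return False
        if rec["diagnosis"].encode() in sent["share"]:
            return False
    return True


if __name__ == "__main__":
    ex = Exporter()
    imp1, imp2 = transfer(RECORDS, ex)
    print(importer_sees_no_plaintext(imp1, RECORDS), importer_sees_no_plaintext(imp2, RECORDS))
    print(exporter_view(imp1, imp2, ex) == RECORDS)
```

The XOR split is information-theoretically hiding for each share but offers no integrity protection and assumes the two importers do not pool their data; in a real deployment the shares would additionally be encrypted in transit and at rest with a vetted library, and the pseudonymisation key and table would sit in the exporter’s key management system, not in process memory.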
Step 5: Take any formal procedural steps needed to adopt the supplementary measures, so that no contradiction arises between the transfer mechanism adopted and the supplementary measures.
Step 6: Re-evaluate the level of protection applicable to the personal data at appropriate intervals, so that the protection of the transfer remains adequate on an ongoing basis.
2.2 European Essential Guarantees for surveillance measures
The EEGs are complementary to the recommendations on supplementary measures and provide data exporters with indicators in order to determine whether national security and law enforcement surveillance laws in the destination third country can be regarded as a justifiable interference and not contrary to European privacy and data protection law. The EEGs are as follows:
Guarantee A: Processing should be based on clear, precise and accessible rules;
Guarantee B: Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
Guarantee C: Independent oversight mechanism; and
Guarantee D: Effective remedies need to be available to the individual.
2.3 Consultation Period
The Recommendations and EEGs are currently open for feedback from the public until 30 November 2020.
We will continue to keep you posted on updates in relation to international data transfers and Standard Contractual Clauses. For further information or advice, please contact Seán O’Donnell, Zelda Deasy, Kelly Mackey or any member of the ByrneWallace Data Protection / GDPR Team.