It has been a busy year in the data protection world. In July 2020, the CJEU delivered its seminal judgment in the Schrems II case, invalidating the EU-US Privacy Shield and causing disarray for companies regularly transferring personal data from the EEA to the US. The CJEU found that US surveillance programmes prevented the mechanisms put in place under the Privacy Shield from effectively safeguarding the rights of the data subjects involved. The decision went further still, requiring data exporters relying on standard contractual clauses (SCCs) to verify, on a case-by-case basis, that the law and practice of the destination country do not undermine the protection the clauses provide, so that data subjects receive protection ‘essentially equivalent’ to that in the EEA. The same enhanced due diligence has since been applied to transfers made under Binding Corporate Rules (BCRs).
This summer, in the wake of Schrems II, the European Commission published a new set of SCCs (Implementing Decision (EU) 2021/914 of 4 June 2021) and the European Data Protection Board (“EDPB”) published the final version of its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (the Recommendations).
Where data is being transferred from the EEA, the new SCCs must be used for all new data transfer agreements relying on SCCs entered into from 27 September 2021, while any agreements relying on the old SCCs must be migrated to the new SCCs by 27 December 2022 (for data being transferred from the UK, see the final section of this article below). The key changes to the SCCs are increased obligations for receivers of personal data, additional transparency and notification requirements, and the big one: a requirement for the data sender (the exporter) to carry out a data transfer impact assessment (DTIA) of the law and practice in the receiver’s jurisdiction before the transfer takes place. The DTIA is used to confirm that the data receiver (the importer) is not prevented, by law or in practice, from complying with the terms of the SCCs.
While implementation of the new SCCs is not required immediately, the Recommendations already apply to all transfers of personal data from the EEA to third countries. This includes transfers relying on the new and old SCCs, BCRs or any other appropriate safeguard set out in Article 46(2) GDPR.
How do the changes affect suppliers?
A supplier is likely to encounter data transfers both in relation to its own internal data, for which it is the controller (e.g. employee and customer data), and in the provision of services to its customers, where it is the processor. While many suppliers use BCRs as their transfer tool, in practice many customers insist on SCCs and, in either case, the parties will need to perform a DTIA.
When processing on behalf of customers, the customer may insist that it is the exporter and the supplier is the importer, or alternatively see the EEA-based supplier as the exporter and want to see evidence of the supplier’s SCCs/DTIA with its internal or external offshore subcontractor (the importer). In either case, the customer is likely to rely on the supplier to assist in the implementation of the SCCs and the preparation of the DTIA.
Importantly, there is no need to enter into a bespoke set of SCCs or perform a brand new DTIA every time a new data transfer is performed. A single set of SCCs and a single DTIA can cover multiple transfers of similar types of personal data to the same importer (and, in the case of a DTIA, the same jurisdiction). The DTIA should be reviewed at regular intervals to ensure it is kept up to date, and in particular whenever the data types change significantly (e.g. you start transferring special category data).
What are suppliers required to do?
Before a supplier transfers customer personal data from the EEA to a third country, it must: (1) conduct a local law assessment in the jurisdiction where the European personal data is transferred to – a DTIA; and (2) where required, implement supplementary measures (technical, operational and/or contractual) for such transfers to ensure protection ‘essentially equivalent’ to the EEA. This obligation applies regardless of whether the supplier is acting as a data controller or processor, as long as it is the data exporter.
The Recommendations set out a six-step process that must be followed in order for the transfer to comply with the GDPR in light of Schrems II.
- Understand your transfers by mapping all transfers of personal data to third countries. While this might be relatively simple for the majority of a supplier’s transfers, it can become challenging when there are multiple onward transfers of the personal data (e.g. to different internal or external subcontractors based in different territories);
- Identify the appropriate transfer tool each transfer relies upon. If a supplier has BCRs in place, this will likely be the relevant safeguard for most internal transfers, although customers may insist on using SCCs (see above). Transfers from the EEA to countries with data protection adequacy decisions (such as the UK, Japan etc.) can stop at this step;
- Carry out a DTIA to assess whether the transfer tool is effective. This is the most important step. The supplier must assess the third country’s legal system and practices and determine whether they compromise the effectiveness of the safeguards put in place for the specific transfer. Where they do, supplementary measures must be implemented. Where problematic legislation is identified but the supplier can demonstrate, with documented and objective evidence, that there is no reason to believe it will be applied to the particular transfer in practice, the transfer may proceed;
- Identify and adopt any supplementary measures required following the DTIA. This step is only required where the DTIA reveals third country legislation/practices that compromise the effectiveness of the transfer tool. The Recommendations include examples of technical, contractual and organisational supplementary measures that may be appropriate to include;
- Take any additional procedural steps required such as adding clauses to the SCCs as necessary. The Recommendations say that any amendments required to BCRs will be set out in upcoming guidance; and
- Continue to re-evaluate the DTIA regularly because developments in the third country could impact the outcome of the DTIA.
For a more in-depth analysis of these six steps, see our article: “Not entirely adequate…? EDPB offers guidance on Schrems II”.
Having assisted numerous clients in conducting DTIAs over the past few months, we have found the following points to be particularly relevant for IT and technology service providers.
- The DTIA needs to be tailored to the particular risks in the technology sector that are most relevant to each transfer. Ensuring that the legal team works proactively with the business, so that it is involved early in the process, will help keep the focus of the DTIA correct for each transfer.
- Appreciate that legal advice from the third country may be required in completing a DTIA, particularly when dealing with a new jurisdiction to which you have not previously transferred personal data. This can take some time, particularly if local counsel has not assisted with such an assessment before, and should be built into any timetable. Ongoing monitoring should also be planned for.
- Local practices, as well as legislation, need to be considered. The supplier should consider the suggested sources of information listed in Annex 3 of the Recommendations, including reports from regulatory networks, reports from business intelligence providers and, in some circumstances, warrant canaries. Local legal teams (or external counsel) in the jurisdiction should be able to advise which sources are most helpful.
- Additional consideration should be given to the type of personal data being transferred. While the transfer of highly sensitive data (such as health data) may require supplementary measures to be applied, the risk of compromising legislation/practices being applied to the transfer of a database containing a list of names is far lower.
- Remember: a DTIA can cover multiple transfers of similar types of personal data to the same jurisdiction – a new DTIA will not be required for each new similar transfer, but ongoing DTIAs should be reviewed at regular intervals to ensure they are kept up to date.
- The supplier may sometimes find itself in the position of the data importer. While this means the primary obligation to assess the transfer lies with the customer as exporter rather than with the supplier, the new SCCs do not leave the importer passive: under Clause 14 both parties warrant that they have no reason to believe local law prevents the importer from complying with the clauses, the importer warrants that it has made best efforts to provide the exporter with relevant information, and the importer must promptly notify the exporter if it has reason to believe it can no longer comply. In any event, anything the data importer can do to assist the data exporter with its assessment will help the agreement to be finalised more quickly and smoothly.
- The whole process needs to be carefully documented in order to satisfy the GDPR’s accountability requirements.
What about data transfers originating in the UK?
Since the UK left the EU at the end of the transition period (when the new SCCs and the Recommendations were still in draft form), the new EU SCCs cannot be relied upon for restricted transfers of personal data from the UK. The Recommendations are also not strictly applicable to transfers from the UK to third countries, though they remain persuasive.
Despite this, the Schrems II decision remains relevant to the interpretation of the UK GDPR because it was handed down during the transition period and forms part of retained EU case law. This means that UK data exporters (controllers and processors alike) are also required to assess whether the old SCCs provide protection ‘essentially equivalent’ to the UK regime and, if necessary, put in place supplementary measures (technical, contractual and/or organisational), following the process set out above.
For restricted transfers of data from the UK, the ICO has now published a draft “International Data Transfer Agreement” for consultation, along with a draft international transfer risk assessment tool, intended as the UK equivalents of the EU SCCs and of the DTIA/Recommendations respectively. The ICO has also published a draft UK addendum to the EU SCCs for situations where mixed EU/UK restricted transfers are made. These three documents are not yet in force but show the direction the ICO is taking in the wake of the Schrems II case. In the meantime, UK restricted transfers continue to rely on the old EU SCCs, and the Recommendations can be used to assist with carrying out a DTIA.