Last week, both the European Data Protection Board (EDPB) and the European Commission released highly anticipated draft documents offering guidance to organizations that engage in cross-border data transfers involving EU personal data.
The EDPB, an independent body responsible for consistent application of data protection rules throughout the EU, published draft recommendations on supplemental measures for transfer mechanisms to ensure compliance with EU personal data protection standards (the “Transfer Recommendations”). Simultaneously, the EDPB issued an update to the April 2016 version of the recommendations on European Essential Guarantees for surveillance measures. Meanwhile, the EU’s executive branch, the European Commission, issued a draft of new Standard Contractual Clauses (SCCs) for compliant data transfers to non-EU countries under the EU’s General Data Protection Regulation (GDPR).
These drafts are subject to public consultation periods: the EDPB’s Transfer Recommendations through November 30, 2020, and the European Commission’s SCCs through December 10, 2020. On November 20, 2020, the EDPB extended its public consultation period to December 21, 2020.
EDPB Transfer Recommendations
Following the Court of Justice of the European Union’s (CJEU’s) July 2020 Schrems II decision, which invalidated the EU-U.S. Privacy Shield and raised questions about the continued use of SCCs, the EDPB issued FAQs about GDPR-compliant personal data transfers and promised more guidance to come. Almost four months later, that additional guidance has arrived (at least in draft form), providing a six-step framework for data exporters to analyze the compliance of their personal data transfers:
1. Use data mapping to identify and understand all personal data transfers, including onward transfers.
2. Evaluate the transfer mechanism in place for each transfer (such as an adequacy decision, Article 49 derogation, binding corporate rules or standard contractual clauses). If the transfer cannot be based on an adequacy decision or Article 49 derogation, the analysis continues to the next step.
3. Assess the legal framework around data protection in the recipient jurisdiction(s) to ensure the transfer mechanism is effective in practice. For example, SCCs would not be effective in practice if the data importer may be prevented from complying with its contractual obligations.
4. As appropriate (or necessary) further to Step 3, identify and adopt supplementary measures to ensure an essentially equivalent level of data protection to that which is guaranteed by the GDPR.
5. Undertake any required formal procedural steps applicable to the transfers; for example, it may be necessary to notify supervisory authorities in some jurisdictions.
6. Regularly assess and monitor the level of data protection in the recipient jurisdiction(s) to ensure ongoing compliance.
- Access = Transfer. The Transfer Recommendations make clear that remote access to EU personal data from outside the EU, including cloud storage maintained outside the EU, is to be considered a “transfer” that requires implementation of an appropriate data transfer mechanism.
- Data Subject Rights. Analysis of any transfer must consider whether EU data subjects will have adequate opportunity to exercise their rights over their transferred personal data and to seek redress, if necessary, in the recipient jurisdiction.
- Potential Government Access. Prior to transferring EU personal data, organizations must evaluate relevant requirements for the disclosure of personal data to public authorities in the recipient jurisdiction and assess whether such obligations may interfere with EU data subjects’ rights. The European Essential Guarantees for surveillance measures detail specific issues the exporter should consider when analyzing the justification for public authority access to personal data in other countries and the risks associated with such access.
- Accountability. Businesses must be able to demonstrate their efforts to ensure adequate data protection, including their oversight of the administrative, technical and organizational measures implemented relevant to the transfers. This will require documentation of their assessments and ongoing monitoring of data protection practices.
In terms of analyzing potential transfers of EU personal data to the United States, the Schrems II decision is helpful to the extent that it includes an assessment of U.S. data protection practices; unfortunately for exporters to the U.S. (and their importing counterparties), the CJEU found those practices were not “essentially equivalent” to the data protection offered in the EU. Accordingly, absent meaningful changes to certain U.S. government surveillance activities, it appears transfers to the U.S. will require implementation of supplemental measures to meet the GDPR’s standards for protecting EU personal data. That said, the EDPB’s Recommendations seem to indicate that even supplemental measures will be insufficient to address U.S. government surveillance concerns unless the measures effectively prevent access to the EU personal data by a U.S. importer.
- Supplemental measures may be implemented as part of a contract between the parties to the transfer. They also may be technical or organizational measures.
- Supplemental measures may need to be combined or layered, building on each other to attain an appropriate level of data protection.
- Where the concern is government access to EU personal data, particularly with respect to surveillance, the Transfer Recommendations indicate that using technical measures that impede public authority access may be the only truly effective way to comply with EU data protection standards (though these may be combined with additional contractual and organizational measures).
- Annex 2 of the Transfer Recommendations lists examples of supplemental measures that could be implemented in various scenarios, as well as examples of transfer scenarios that could not be remedied through the use of supplemental measures. Many of the supplemental measures suggested by the EDPB are reflected in the new draft SCCs.
The European Commission’s New SCCs
European Commission-approved Standard Contractual Clauses are one of the most popular GDPR-compliant mechanisms for transferring personal data out of the EU to countries, such as the United States, that are not considered to provide “adequate” data protection. Following the invalidation of the EU-U.S. Privacy Shield Framework in Schrems II, many businesses turned to SCCs to cover their transatlantic personal data transfers.
The European Commission’s existing sets of SCCs (adopted in 2001, 2004 and 2010) have been in need of an update for some time; among other issues, they still reference the now-defunct 1995 EU Data Protection Directive and they cannot readily be applied to many common transfer arrangements. For example, the current SCCs only apply to controller-controller and controller-processor transfers without allowing for other types of business relationships and data flows. The new draft SCCs address these issues but also introduce new obligations.
- The draft SCCs are presented as a single document with different modules applicable to varying transfer relationships: controller-controller, controller-processor, processor-processor and processor-controller.
- Multiple controllers and processors may sign on to the same set of SCCs, addressing a limitation of the existing clauses which only contemplate a single exporter and a single importer as signatories.
- An optional docking clause allows for the possibility of adding parties after the execution of the agreement, subject to approval by all parties.
The flexibility introduced by these changes should streamline the contracting process by more accurately capturing how personal data may be transferred in different scenarios and eliminating the need to implement multiple sets of SCCs for various parties within the same business relationship.
New provisions in the draft SCCs also respond to concerns articulated in the CJEU’s Schrems II decision, including by introducing additional security requirements and strengthening existing language around security measures; addressing limitations on public authority requests for personal data; and emphasizing assessment and audit processes to ensure compliance. While the new SCCs are still in draft form, organizations should consider the following suggestions to prepare for the transition:
- Understand personal data flows. Although the modular format of the new SCCs offers greater flexibility, businesses will need to carefully examine their EU personal data flows and their role(s) with respect to each (for example, importer vs. exporter, controller vs. processor) in order to understand all applicable obligations. Now is a good time to update data maps – or to create them if you have not yet done so.
- Develop an SCC compliance assessment. The new SCCs set forth data protection considerations that must be evaluated and documented in advance; such documentation will have to be provided to supervisory authorities upon request. These considerations include the specific circumstances of the personal data transfer, safeguards in place to protect the personal data and any non-EU laws relevant to the data transfer. Parties must warrant that they have no reason to believe that the applicable non-EU laws would prevent the data importer from fulfilling any obligations under the SCCs.
- Prepare security statements. Annex II of the new SCCs requires extensive information about data security measures, so businesses should be prepared to provide these details and establish a process for regular updates. Certain data security information may be withheld if the SCCs are to be produced in response to a data subject request, but a meaningful summary of the security measures must be provided instead. The SCCs also introduce more explicit data retention requirements, and retention limits must be listed in Annex I.
- Enhance record-keeping processes and compliance documentation. EU supervisory authorities as well as other parties to SCCs will have the ability – and possibly an obligation – to ask for documentation of a company’s data protection posture. Businesses should review their compliance materials and develop protocols to ensure the documents are accurately maintained and easy to produce on request.
- Develop or revise public authority personal data request handling procedures. The new SCCs require additional transparency around public authority requests, including notification to the data controller (and potentially affected data subject(s)) and reporting regarding such requests. They also introduce record-keeping requirements related to law enforcement requests and a protocol for reviewing the legality of public authority requests and challenging them, as appropriate.
- Consider supplemental clauses. As with the existing SCCs, parties cannot modify the approved text of the new SCCs; however, there may be a little more leeway to insert additional detail. Drawing on GDPR Recital 109, the new SCCs will allow for adding “other clauses or additional safeguards” as long as these do not either contradict the SCCs or “prejudice the fundamental rights or freedoms of data subjects.”
The final SCCs are expected to be adopted in early 2021, but first:
- In addition to the public consultation process, the new SCCs also must pass through “comitology” – a type of EU committee process allowing representatives of the Member States to discuss the draft and issue an opinion.
- At the European Commission’s request, the EDPB and the European Data Protection Supervisor will issue a joint opinion on the draft before the SCCs are finalized. In light of the EDPB’s Transfer Recommendations, it seems likely the EDPB could recommend changes.
Assuming the European Commission’s SCCs implementing decision is adopted as drafted, the following changes will apply:
- All prior versions of the SCCs will be repealed and can no longer be used for GDPR-compliant data transfers.
- Organizations with existing SCCs in place will have a one-year transition period from the adoption date to implement the new SCCs, provided no changes are made to the underlying agreement during that time. Note that supplemental data protection measures may be required in the interim.
- If the underlying agreement between the parties is renegotiated or otherwise changed during the year following the implementing decision’s effective date, this transitional “grace period” ends and the new SCCs (or another transfer mechanism) must be implemented at that time.