Keypoint: The European Commission will consider the joint opinion and public comments and decide whether to modify the draft standard contractual clauses.
On January 15, 2021, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) issued joint opinions on the European Commission’s two draft standard contractual clauses (SCCs) issued in November 2020. The first draft SCCs concern the transfer of personal data to third countries. The second draft SCCs concern the transfer of personal data between controllers and processors in the EEA. Both SCCs were open for public comment until December 10, 2020.
This post focuses on the joint opinion on the draft SCCs concerning international data transfers (hereinafter “Cross-Border Transfer SCCs”).
As discussed in our prior post, because of the CJEU’s Schrems II decision, the Cross-Border Transfer SCCs will, once finalized, become the primary mechanism for U.S. entities to legitimize cross-border data transfers out of the EEA. Consequently, it will be essential for such U.S. entities to understand and comply with them.
The joint opinion on the draft Cross-Border Transfer SCCs provides a number of recommendations and suggestions for modifications as well as an annex with comments. Some of the key takeaways from a U.S. entity perspective are:
Although the draft Cross-Border Transfer SCCs incorporate many provisions designed to address the Schrems II decision, the joint opinion states that the draft SCCs still must be read in conjunction with the EDPB’s Recommendations on supplementary measures. The joint opinion asks the European Commission to “clarify that there may still be situations where, despite the use of the new SCCs, ad-hoc supplementary measures will remain necessary to be implemented in order to ensure that data subjects are afforded a level of protection essentially equivalent to that guaranteed within the EU.” In other words, U.S. entities looking to use the SCCs to legitimize international data transfers would still need to engage in a supplementary measure analysis and not be able to rely on the four corners of the SCCs.
Assessment of Laws of Third Country
Intertwined with the issue of supplementary measures is the issue of how parties should analyze the laws of the recipient country. That is particularly relevant to U.S. entities given the Schrems II decision, its discussion of U.S. surveillance laws, and its ultimate conclusion that the existence of those laws rendered Privacy Shield invalid.
Paragraph 42 of the EDPB’s Recommendations on supplementary measures emphasized that the legal analysis of the recipient country’s laws should be done on an objective basis and not on whether an individual entity might be subject to such laws. That position was subject to significant pushback during the public comment period, in particular because of GDPR’s risk-based approach, which is seen as being in contrast to the EDPB’s position. See, e.g., AFME and SIFMA Public Comments at 2, ¶ 2. In comparison, the draft Cross-Border Transfer SCCs could be read to support a subjective approach, which would allow contracting entities much more flexibility.
In reaction, the joint opinion “stress[ed]” that “the assessment of whether there is anything in the law or practice of the third country of destination, which prevents the data importer from fulfilling its obligations under the Draft SCCs in the context of the specific transfer, should be based on objective factors, regardless of the likelihood of access to the personal data.” According to the joint opinion, “[t]he mere fact that the data are comprised within the scope of a third country legislation that allows access to data by public authorities without specific essential guarantees . . . would amount, per se, to considering that such access will possibly take place, without the need to rely on any practical experience in this regard or absence of requests for disclosure from public authorities received by the data importer.” The joint opinion takes the position that the “current drafting” of the draft Cross-Border Transfer SCCs can be “misunderstood” to permit “data to be exported if the data importer has not yet received any order to disclose personal data, even if it is subject to local laws permitting such orders.”
Ultimately, the joint opinion recommends that the Commission revise the SCCs to reconcile them with the EDPB’s recommendations. In addition, the joint opinion recommends that a new annex be added “to require the parties to document, prior to signature of the contract . . . the assessment of the third country’s legislation and practices in light of the circumstances of the transfer.”
If implemented, the joint opinion’s proposed requirements would no doubt substantially increase the compliance hurdles for U.S. entities utilizing the SCCs.
Government Access Requests
Yet another issue linked to the Schrems II decision is the process for data importers to notify data exporters of government access requests. The draft Cross-Border Transfer SCCs address this issue; however, the joint opinion recommends a few changes, including that the data importer notify the data exporter of a government access request before the importer complies with it.
In sum, the joint opinion reiterates the CJEU’s position in Schrems II and the EDPB’s position in its Recommendations for supplementary measures that the draft Cross-Border Transfer SCCs, once completed, will not simply result in a “copy and paste” exercise for parties utilizing them for cross-border data transfers. Rather, contracting parties will need to engage in a detailed examination of the circumstances of the transfer to ensure that it can be lawfully completed.
As for next steps, the European Commission will now consider the joint opinion as well as the over 100 comments it received during the public comment period.