Update several months after the Schrems II judgment
In the Schrems II judgment of 16 July 2020, the Court of Justice ruled that the transfer of personal data outside the European Economic Area (EEA) on the basis of “standard contractual clauses” (SCCs) complies with the GDPR only insofar as the recipient country offers a level of data protection essentially equivalent to that guaranteed in the EU. In the meantime, recommendations have been issued on the supplementary measures which companies can take if the legal framework in the third country does not provide sufficient protection, and a draft version of new SCCs has also been published.
In a previous newsflash, we discussed the Schrems II judgment, which invalidated the EU–US Privacy Shield and subjected the transfer of personal data based on SCCs to the condition that the legal level of data protection in the third country is equivalent to the level of protection guaranteed within the EU.
European Data Protection Board recommendations
Shortly after the judgment, the European Data Protection Board announced that it would issue guidelines on the supplementary measures to be followed if it appears that the legal framework of the third country does not offer protection equivalent to the GDPR. These long-awaited recommendations were published on 11 November 2020 and set out six steps to be taken by data exporters (controllers and processors alike) in order to bring their transfers outside the EEA into line with the Schrems II judgment:
(i) Know your transfers. First of all, the countries outside the EEA to which personal data are transferred need to be identified, including onward transfers by processors and sub-processors. This also includes verifying that the data transferred are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed in the third country (data minimisation);
(ii) Verify the transfer tool your transfer relies on. The second step is to determine which transfer tool is used to transfer the data. This can be an adequacy decision (e.g., for Canada, Switzerland, Japan), appropriate safeguards provided for in Article 46 of the GDPR (SCCs, “Binding Corporate Rules”, codes of conduct and certification) or the specific occasional derogations provided for in Article 49 of the GDPR (e.g., transfers that are necessary for the conclusion or performance of a contract, or transfers that occur on the basis of the explicit consent of the data subject);
(iii) Assess the effectiveness of the transfer tools. If the transfer is based on appropriate safeguards provided for in Article 46 of the GDPR, it should be assessed whether these safeguards are effective under the privacy laws of the third country concerned, and particularly with regard to the possibility of government interference in data processing. In order to facilitate the analysis of the legislation in the third country, the European Data Protection Board has identified four “European Essential Guarantees” to be monitored in the third country:
• The processing should be based on clear, precise and accessible rules;
• The processing should be necessary and proportionate with regard to the legitimate objectives pursued;
• An independent oversight mechanism should exist in the third country;
• Effective remedies need to be available to the individual whose data are being processed.
(iv) Adopt supplementary measures. If the third step reveals that the privacy laws in the receiving country outside the EEA do not comply with the “European Essential Guarantees”, one or more supplementary measures should be adopted. The European Data Protection Board gives some examples of measures, divided into three categories:
• Technical measures: encryption (effective only where the keys remain under the exporter's control in the EEA and the data are not processed in the clear in the third country), pseudonymisation etc.
• Contractual measures: commitment of the data importer to take certain technical measures itself (e.g., encryption), transparency obligations (e.g., an obligation for the data importer to list the laws in the recipient country regarding government access to data, as an annex to the contract), the power of the data exporter to conduct audits to verify whether data have been disclosed to the government, the commitment to contest government access requests in court, an obligation for the importer to notify the exporter and the data subject whose data have been disclosed following a government request etc.
• Organisational measures: intra-group policies on transfers of personal data between companies within the same group, internal policies on the procedure to be followed in the event of a government request (including a team based in the EEA to be appointed to deal with government requests), privacy policies based on ISO standards etc.
(v) Verify the formalities. Depending on the transfer tool that is used, certain formalities may still have to be completed. If the transfer is based on SCCs and, as a supplementary measure, clauses have been added that directly or indirectly contradict the SCCs, the authorisation of the competent data protection authority will first have to be sought;
(vi) Re-evaluate at appropriate intervals. Finally, transfers to third countries should be re-evaluated from time to time to ensure that the level of protection remains guaranteed.
Draft new standard contractual clauses
In addition, on 12 November 2020, the European Commission published draft new standard contractual clauses (SCCs), for which a feedback period is currently running until 10 December 2020. The new SCCs have, among other things, been revised in line with the Schrems II judgment and, for the first time, cover not only transfers made by a data controller but also transfers of data from “processor” to “processor” (and from processor to controller).
The final version of the new SCCs can be expected at the beginning of 2021, after which there will be a transition period of one year. During this transition period, the old SCCs will remain valid in existing contracts insofar as the parties do not change the contracts. On the other hand, for new data processing agreements and for changes to existing contracts, the new SCCs will have to be used immediately (unless it only concerns an amendment introducing supplementary measures to provide an equivalent level of data protection).