Several important documents relating to the rules governing the transfer of EU personal data were published during the second week of November 2020 by the European Data Protection Board (EDPB) and the EU Commission. In addition, the EU Commission has also published new standard contractual clauses for use when transferring personal data between a controller and a processor within the EEA and to countries outside the EEA.
Transfers of Personal Data to Third Countries
In the aftermath of the landmark decision by the Court of Justice of the European Union (CJEU) on international data transfers – the so-called Schrems II judgment (see our post on this topic) – organizations have been awaiting additional guidance from EU authorities on measures that must be implemented to transfer personal data to third countries without being in breach of the Regulation (EU) 2016/679, i.e. the General European Data Protection Regulation (GDPR).
The following documents have been published in relation to implementation of Schrems II.
EDPB documents published on 11 November 2020
Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data – version for public consultation This document describes the various elements to be taken into account, the steps to follow, potential sources of information, and examples of supplementary measures that could be put in place to ensure a sufficient level of protection when personal data is transferred outside the European Economic Area (EEA) to countries or destinations not benefiting from an adequacy decision issued by the European Commission.
Organizations will be reassured to read that transfers to third countries that are deemed “adequate” by decision of the European Commission will not require further steps. This being said, the Recommendations stress that international transfers are generally complex and that companies must, as a first step, map all of the these transfers (including onward transfers).
For transfers to countries that are not covered by a European Commission adequacy decision, the recommendations take a very strict position on the conditions under which international transfers to such third countries will be permitted under the any of the available transfers mechanisms (SCCs, BCRs, codes of conduct, certifications, etc).
The recommendations list a number of scenarios and use cases among those in which “no effective measures could be found” to legitimize the transfers. These include “Use Case 6: Transfer to cloud services providers or other processors which require access to data in the clear” and “Use Case 7: Remote access to data for business purposes” (a typical example being transfers between legal entities belonging to the same group of undertakings, or group of enterprises engaged in a joint economic activity).
The EDPB also indicates that organizations may be able to rely on one of the derogations provided for in Article 49 GDPR, but only in cases of occasional and non-repetitive transfers and if the organizations meet the conditions for the relevant derogation.
The EDPB has also produced a graphic roadmap illustrating the 6 steps outlined in its recommendations. The recommendations incorporate the points raised by the case law of the CJEU and in particular the Schrems II judgment.
This document is subject to consultation and comments may be submitted through 30 November 2020. Given the importance and complexity of these recommendations, stakeholders have asked for an extension to the consultation which had not yet been decided on at the time of this writing.
Recommendations 02/2020 on the European Essential Guarantees for surveillance measures This document expands on an analysis prepared by the EDPB’s predecessor, the Article 29 Working Party, pursuant to the 1995 General Data Protection Directive after the CJEU’s “Schrems I” decision invalidated the Safe Harbor framework. The document considers the justification for interference with the fundamental rights to privacy and the protection of personal data resulting from surveillance measures applied during the transfer of personal data. It integrates in particular the CJEU’s case law in relation to Articles 7, 8 and 47 of the Charter of Fundamental Rights and the case law of the European Court of Human Rights (ECHR) in relation to Article 8 of the European Convention on Human Rights.
Recommendations 02/2020 are a guide to one of the steps proposed in the above-mentioned 01/2020 recommendations, i.e. Step 3, which is to assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools the organization is relying on, in the context of the specific transfer.
European Commission Documents
The Standard Contractual Clauses are a transfer tool that may serve to ensure, by means of contract, an essentially equivalent level of protection for EU personal data that is transferred to third countries.
On 12 November 2020, the European Commission published a draft decision and draft standard contractual clauses (SCCs) for the transfer of personal data to third countries. The proposed draft is meant to replace the current versions of the SCCs that were adopted pursuant to the former 1995 General Data Protection Directive (i.e. both the Controller to Processor SCCs and the Controller to Controller SCCs)
The new draft of the SCCs addresses four different scenarios: as under the current SCCs transfers from Controller to Controller (C2C) and from Controller to Processor (C2P) but also as a new addition transfers from Processor to Processor (P2P) and from Processor to Controller (P2C) as well as subsequent transfers. They can be used by controllers or processors that are not established in the EU, for processing activities that are subject to GDPR as a result of the targeting criterion of article 3 (2) GDPR. Reflecting actual practice, the draft SCCs envision that there may be multiple parties to the agreements with new parties being added and adhering to the terms over time.
The new SCCs are onerous and impose GDPR-like obligations on data importers. They contain amongst other provisions the rights of data subjects as third party beneficiaries, liability (including in some cases joint and several liability of the parties vis a vis data subjects) and indemnification as well as supervision by EU member State supervisory authorities.
As with the existing SCCs, the proposed clauses may be supplemented but may not contradict the text of the SCCs nor limit data subjects’ fundamental rights.
The SCCs are also intended to allow the transfer of data in compliance with Regulation (EU) 2018/1725, which lays down lays down the data protection rules which apply to EU institutions.
These documents are subject to consultation through 10 December 2020 under this link. In addition to the consultation, the European Commission will seek an opinion from the European Data Protection Supervisor and from the EDPB (which may issue a joint opinion). These steps are considered to be important to minimize any divergence of the SCCs from the above-mentioned EDPB Recommendations. The SCCs will become final only after a positive decision from a committee of representatives of EU Member States (expected in early 2021).
Once the new form of the SCCs is adopted, organizations will have one year to replace the existing SCCs following the date of their final approval.
Contracts Between Data Controllers and Processors in the EU (Article 28 GDPR)
On 7 September 2020, the EDPB published draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” (on which we have published a series of posts which may be found here ). These guidelines deal among other things with contractual relations between data controllers and processors under article 28 GDPR.
Following up on these Guidelines, on 12 November 2020, the European Commission published a draft decision and draft Standard Contractual Clauses between controllers and processors within the EU/EEA, covering the requirements set out in Article 28 (3) and (4) of the GDPR . These intra-EU SCCs do not incorporate the level of detail set out in the above-mentioned EDPB draft Guidelines, but reproduce some of the C2P provisions contained in the draft SCCs governing international transfers between controllers and processors. The interaction between these clauses and the SCCs covering international C2P transfers may still have to be worked out.
Like the international SCCs, these SCCs are also intended to legitimize the transfer of data by EU institutions (see above).
It will not be mandatory to use the approved intra-EU SCCs, as parties will remain free to negotiate a different variations of data processing agreements as long as they comply with the Article 28 GDPR; however, the approved SCCs will provide a degree of certainty to parties that the clauses are legally sufficient in line with the GDPR requirements.
These documents are subject to consultation until 10 December 2020. The same approval process as described above will apply.