On Nov. 11, 2020, the European Data Protection Board (EDPB) published eagerly anticipated guidance in the wake of the July 2020 European Court of Justice’s (ECJ) decision in Schrems II, outlining a process for ensuring data protections in compliance with the EU’s General Data Protection Regulation (GDPR) for EU-resident personal data that is transferred internationally (full text available here) (EDPB Guidance). The guidance outlines which steps companies should take to ensure that this data receives the same level of protection guaranteed within the EU when it is sent to third countries, the driving concern that led the European Court of Justice to invalidate the U.S.-EU Privacy Shield framework for international data transfer in Schrems II. It requires importers and exporters of the data to play an active role in ensuring this protection and to demonstrate the efforts they took. In conjunction with this guidance, the EDPB issued European Essential Guarantees Recommendations (EDPB Recommendations), which further clarify some of the steps companies should take, for instance how to assess the law or practice of the third country (full text available here).
The next day, on Nov. 12, 2020, the European Commission (EC) proposed a draft decision (EC Draft) updating the available Standard Contractual Clauses (SCCs), which are a primary mechanism recognized by the GDPR to appropriately safeguard EU personal data transferred to third countries (full text available for download here). Crucially, if the decision is adopted and new SCCs are effective, companies will have a 12-month period in which to phase out and replace all existing SCCs. The draft decision provides an Annex with a draft set of new SCCs (available for download here), which include SCCs for multiple data transfer scenarios: processor-to-controller and processor-to-processor, among the primary two. They would plug a significant gap in the data transfer system left following the Schrems II decision. The draft decision is in its comment period until Dec. 10, 2020.
In these newly issued documents, both the EDPB and the EC provide data controllers with post-Schrems II guidance, but there is an interesting divergence in their approaches that is worth noting, namely what weight, if any, should be given to “subjective factors” and to the practical likelihood of government access.
EDPB Guidance: Six-Step Approach
The EDPB Guidance is based on the key principle of accountability in data transfers, which requires exporters and importers of data to play an active role in protecting the data and being able to demonstrate these efforts. The EDPB Guidance thus outlines a six-step approach to ensuring that this accountability is met, particularly in the absence of the Privacy Shield that the Schrems II decision invalidated. These six steps are:
1. “Know Your Transfers”
First, a company must know where the personal data is being transferred to, in order to “ensure that it is afforded an essentially equivalent level of protection wherever it is processed.” Note that this includes “onward transfers,” meaning ones where the processors outside the European Economic Area (EEA) transfer the personal data you entrusted to them to a sub-processor in another third country. “[R]emote access from a third country (for example in support situations) and/or storage in a cloud situated outside the EEA, is also considered to be a transfer.”
2. “Verify the Transfer Tool your Transfer Relies On, amongst those listed under Chapter V GDPR”
The U.S. is not recognized as providing “adequate” protection according to the EC. Thus, in transferring EU data to the U.S., a company must rely on an Article 46 GDPR transfer tool.
The main types of Article 46 GDPR transfer tools are:
- Standard data protection clauses (SCCs)
- Binding corporate rules (BCRs)
- Codes of conduct
- Certification mechanisms
- Ad hoc contractual clauses
For occasional and nonrepetitive transfers, derogations under Article 49 may apply (under restrictive interpretation).
3. “Assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on”
Here, a company must evaluate the legislation of the third country that is relevant to the particular transfer tool being used. The data importer has a key role to play in this assessment and should provide the data exporter with relevant sources and information. The EDPB Recommendations expand on factors to consider, including that:
- “Processing should be based on clear, precise and accessible rules
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
- An independent oversight mechanism should exist
- Effective remedies need to be available to the individual”
4. “Identify and Adopt Supplementary Measures”
If the company’s assessment in step 3 reveals that the third-country legislation impacts the effectiveness of the Article 46 GDPR transfer tool it is relying on, supplementary measures must be adopted.
The EDPB Guidance provides a list of factors to consider in choosing the most effective supplementary measures:
- “Format of the data to be transferred (i.e. in plain text/pseudonymised or encrypted);
- Nature of the data;
- Length and complexity of data processing workflow, number of actors involved in the processing, and the relationship between them (e.g. do the transfers involve multiple controllers or both controllers and processors, or involvement of processors which will transfer the data from you to your data importer (considering the relevant provisions applicable to them under the legislation of the third country of destination));
- Possibility that the data may be subject to onward transfers, within the same third country or even to other third countries (e.g. involvement of sub-processors of the data importer)”
5. “Take any Formal Procedural Steps”:
These procedural steps may depend on the transfer tool the company is using. The Guidance noted:
- Standard data protection clauses: “the SCCs … [must be] sufficient to ensure that the level of protection guaranteed by the GDPR is not undermined”
- BCRs: “The EDPB will provide more details as soon as possible as to whether any additional commitments may need to be included in the BCRs in the WP256/257 referentials”
- Ad hoc contractual clauses: “The precise impact of the Schrems II judgment on ad hoc clauses is still under discussion. The EDPB will provide more details as soon as possible.”
6. “Re-evaluate at appropriate intervals”: Companies must monitor if there have been or will be any developments that may affect the transfer tool they use.
Draft Decision on Standard Contractual Clauses
If the draft decision is adopted, companies will have 12 months to implement its changes, including adopting and/or replacing the updated Standard Contractual Clauses. The following steps would be important:
1. Companies Must Replace Old SCCs with New Draft Ones Provided in the Annex:
The Annex provides a list of acceptable SCCs that will meet GDPR requirements, and companies will need to phase out and replace any old SCCs with these (Annex available for download here). Permissible SCCs listed in the Annex include a range of features like data protection safeguards, rights of data subjects, and technical and organizational data security measures, among others.
2. New Transfer Scenarios Included:
The Annex covers two new data transfer scenarios, bringing flexibility and recognizing that processors often export personal data to sub-processors or controllers:
- Controller to Controller
- Controller to Processor
- Processor to Controller (NEW)
- Processor to Processor (NEW)
3. More than Two Parties can Adhere or Accede to a Single Set of Contractual Clauses:
This change helpfully diminishes the number of separate contracts companies must sign when onboarding new vendors or service providers, which is currently a burdensome task.
4. Potential shift in approach from a territory-based to a jurisdiction-based conception of data transfers, which may need further clarification:
At least one scholar points out the ambiguity in the draft decision, which may indicate in certain sections “that data transfer mechanisms may not be needed when personal data is transferred to a company outside of the EU that is already subject to the GDPR under Article 3(2).”
Interplay and Some Tension Between EDPB Guidance and EC Draft Decision
The two documents have the same goal of providing further clarification in light of the summer decision by the ECJ in Schrems II. There are also some similarities between the two. For instance, the EC Draft decision includes placeholders to reference the EDPB Recommendations on supplementary measures. Further, the EC Draft decision and Annex directly incorporate some of the supplementary safeguards mentioned by the EDPB. However, there is a key tension worth noting: what weight to give to “subjective factors” and the likelihood of government access.
Though both documents provide factors for a company to consider when evaluating whether local law allows it to comply with its obligations to protect the data, the factors differ. The EC Draft decision appears to allow data importers to consider the practical likelihood of government access by evaluating “relevant practical experience indicating the existence or absence of prior instances of requests for disclosure from public authorities received by the data importer for the type of data transferred.” On the other hand, the EDPB warned data importers away from “subjective factors,” including “the likelihood of public authorities’ access to your data in a manner not in line with EU standards.” Both documents do note that all “applicable” laws must be evaluated.
Takeaways From the EDPB Guidance and EC Draft Decision:
In response to this EDPB Guidance and EC Draft decision, companies should:
- Understand the company’s data flows and identify affected transfers
- Review existing agreements and catalogue those that will require updated SCCs
- For co-controllers or processors, assess to what third-party vendors or processors the company is forwarding or transferring EU data for processing and flag for update any SCCs utilized in those relationships
- Determine how to satisfy the necessary supplemental measures (contractually, organizationally or technically)
- Draft new SCCs as applicable — from the four options — to replace the existing ones
- Communicate with co-controllers and processors to roll out the new SCCs
After the uncertainty following this summer’s Schrems II decision, the EDPB and EC draft SCCs provide some clarity, but companies will also take time to fully assess their data flows, their transfer justifications and how best to implement new SCCs in a GDPR-compliant manner.
 Caitlin Fennessy, New EU SCCs: A modernized approach, IAPP, available at: https://iapp.org/news/a/new-eu-standard-contractual-clauses-a-modernized-approach/?mkt_tok=eyJpIjoiTlRCak9USmlNRFV6TkRndyIsInQiOiJoN2RNMWdLNlNQKzlGUzkzcjZUMU1hSkdGVVdBUUpiT1RaUG41VzJSTFwvMnVlaVNnbitqWmM5WENDeGQzNFdcL1QrY0FWcWFtWDlLeUhsNWExOUlMdWQ2UXgyeVVNOEFzRk1CN0NGR05cL1dUQXBNMGhmU0w4UUh2Mm5BM0NWQ0xJaiJ9.
Under Article 3(2), a controller or processor not established in the EU is subject to the GDPR when it processes EU personal data in connection with (i) “the offering of goods or services” or (ii) “monitoring” the behavior of individuals in the EU. See GDPR Article 3(2).