Transfers of personal data to third countries: New standard contractual clauses and EDPB guidelines
On 4 June 2021, the European Commission adopted two sets of standard contractual clauses (SCCs), one for use between controllers and processors and one for the transfer of personal data to third countries. This was followed by the European Data Protection Board (EDPB) adopting its final version of the Recommendations on supplementary measures for third country transfers on 18 June 2021.
In this article, we have summarized the key compliance steps to be taken in light of the EDPB Recommendations on supplementary measures and highlighted the main changes made to the final version of the Recommendations. We have also included a reminder of the deadlines for implementing the new SCCs for third country transfers; the first deadline is soon approaching, as the old SCCs may no longer be used in any new data transfer agreements as of 27 September 2021.
Recommendations of the European Data Protection Board
Following the ruling of the Court of Justice of the European Union (CJEU) in the Schrems II case (case C-311/18) on 16 July 2020, the European Data Protection Board (EDPB) has released detailed Recommendations on how to meet the burdensome requirements outlined by the CJEU in third country transfers. In the Schrems II case, the CJEU required organizations relying on appropriate safeguards (such as the SCCs) to transfer personal data outside the EU/EEA under Article 46 of the EU General Data Protection Regulation (GDPR), to verify, on a case-by-case basis, whether the law of the destination country ensures a level of protection for the personal data that is essentially equivalent to that in the EU/EEA. If the level of protection is not essentially equivalent, organizations must assess whether technical, contractual and/or organizational supplementary measures should be implemented.
In its Recommendations, the EDPB outlines a six-step roadmap to help organizations in the assessment of third countries, and in the identification and implementation of the necessary supplementary measures for the transfer of personal data outside the EEA:
- Know your transfers, i.e. map your data and analyze your data transfers to third countries
- Identify the transfer tool your transfer relies upon
- Assess the effectiveness of your transfer tool in light of the law and practice in the third country
- Adopt and implement adequate supplementary measures, if needed
- Take any required formal procedural steps
- Re-evaluate at appropriate intervals
Key changes from the previous draft recommendations published in November 2020 include:
- A harder line against reliance on the derogations under Article 49 of the GDPR.
- More focus on the actual practice of the authorities in the third country concerned, including e.g. whether authorities may seek access to the data with or without the importer’s knowledge taking into account the laws and practices in the context of the specific data transferred. This seems to indicate a more risk-based approach, which was missing from the first draft and for which the draft Recommendations were criticized during the consultation round.
- Further detail concerning possible sources of information that businesses should consider when carrying out the assessment of the laws and practices in the third country.
- Clarification that supplementary measures might be required for some personal data transfers to third countries (e.g. those including special category data), while transfers of other personal data to that jurisdiction might not require implementation of the supplementary measures.
- Confirmation that the Schrems II judgement is relevant for intra-group transfers relying on BCRs too.
The final Recommendations can be found here.
New Standard Contractual Clauses for Transfers to Third Countries
Two sets of new standard contractual clauses (SCCs) governing cross-border data transfers (the transfer SCCs) and data exchanges between controllers and processors (Article 28 SCCs) were published by the European Commission on 4 June 2021. The most important novelties in the new SCCs include:
- A requirement in the transfer SCCs for the contracting parties to carry out a mandatory data transfer impact assessment.
- A modular approach in the transfer SCCs, and now also providing safeguards for data transfers from a processor to a processor (P2P, Module 3) or from a processor to a controller (P2C; Module 4) in addition to the controller to controller (C2C; Module 1) and controller to processor (C2P; Module 2) clauses.
- Enhancement in GDPR compliance in data transfers by targeting the insufficiencies of the current SCCs.
- A possibility for data subjects to be able to enforce the transfer SCCs as third-party beneficiaries with respect to obligations of the data exporter and data importer, subject to some exceptions.
- The possibility for more than two parties to adhere to the SCCs, allowing additional controllers and processors to accede to the SCCs as data exporters or importers throughout the lifecycle of the contract.
- Appropriate safeguards for transfers of personal data from controllers to processors and processors to sub-processors respectively, pursuant to Article 28 of the GDPR. Where a contract is concluded on the basis of the SCCs, the conclusion of an additional data processing agreement is no longer required (except in Module 4).
Key timelines in relation to the new SCCs for third country transfers:
- The new SCCs took effect on 27 June 2021.
- The old SCCs can still be used for new data transfers during a three-month transition period that ends on 27 September 2021.
- Existing data transfers relying on the old SCCs can continue to be used until 27 December 2022, by which time all data transfers relying on the old SCCs must be moved over to the new SCCs. However, if the underlying processing activities change, organizations must start using the new SCCs already when implementing the changes to the processing activities.
Our previous summary of the new standard contractual clauses for cross-border transfers of personal data can be found here.
Article 28 SCCs
The transfer SCCs and the Article 28 SCCs address different issues. The Article 28 SCCs are optional and are intended to satisfy the requirements of Article 28 of the GDPR. Organizations are permitted to add provisions or safeguards to the Article 28 SCCs, provided that they do not contradict the clauses or detract from the fundamental rights or freedoms of data subjects. Making additional changes or alterations will lead to the organizations themselves being responsible for ensuring that the agreement complies with Article 28 of the GDPR.
The first step in implementing the possible supplementary measures and the new SCCs into data transfer agreements is to map all transfers of personal data to identify the cases in which personal data is transferred outside the EU/EEA, and thereafter assess the level of protection in the third country, to examine whether there is a need to update the transfer mechanism (e.g. implementation of the new SCCs) and introduce additional safeguards (e.g. technical measures such as encryption).
Since these assessments and implementing steps require a lot of time, including contract negotiations with several contracting parties in the value chain, it will be very challenging to have all steps completed within the transitional periods for the implementation of the new SCCs. It should also be noted that there is no grace period for implementing the supplementary measures under the Schrems II decision. It is therefore important to speed up the data mapping and transfer impact assessment projects and make clear prioritization plans.
Article written by Partner Johanna Lilja and Associate Dan Valli.