European Commission Publishes New Draft Standard Contractual Clauses
In its decision of 16 July 2020, the European Court of Justice (hereinafter “CJEU”) declared the EU-US Privacy Shield to be invalid in the so-called “Schrems II” case (C-311/18). Although companies might still use Standard Contractual Clauses (hereinafter “SCCs”) for data transfers, the mere conclusion of a contract is not sufficient for this purpose. The CJEU has thus clarified in its decision that data transfers to the USA are no longer possible on the basis of SCCs alone. Rather, data exporters must in addition assess whether the laws of the country importing the data impinge on the data protection obligations in a way that would make complying with the SCCs impossible. Where appropriate, this must occur in collaboration with the data importer in the third country. Therefore, this decision of the CJEU poses significant problems for companies and organisations.
This assessment must be done on a case-by-case basis. It is therefore necessary to assess i) the concrete transmission path of the data, especially where risks to the level of protection may arise, for example, from government surveillance of networks (e.g. data transmitted to the USA by overseas cable may be subject to surveillance by US intelligence services that may not be carried out with other means of transmission). Furthermore, ii) the risks posed by data storage at a specific recipient must be assessed: differences may arise, for example, from sector-specific legislation that might force certain recipients (e.g. telecommunications providers) to cooperate with intelligence services. In addition, the exporting company must assess iii) whether reasonable alternatives exist that do not require international data transfers (e.g. service providers established in the EU/EEA).
If this assessment reveals that the level of protection is not comparable to the European level where the General Data Protection Regulation (hereinafter “GDPR”) applies and/or that the laws of the data importing country could lead to surveillance of the personal data, the data exporter must take “supplementary measures” in addition to the SCCs to guarantee the protection of the data before the transfer. If these measures are not sufficient, personal data may no longer be transferred on the basis of SCCs.
To help companies make this assessment, the European Data Protection Board (hereinafter “EDPB”) issued recommendations this month on measures that supplement transfer tools to ensure compliance with the EU level of data protection in case of data transfers to third countries outside the EU and the EEA (hereinafter “EDPB Recommendations”), taking into account the Schrems II decision. According to the EDPB, the EDPB Recommendations provide data exporters with a series of steps to follow, potential sources of information, and some examples of supplementary measures that could be put in place:
- As a first step, all transfers should be known to the data exporter, even though mapping all transfers of personal data to third countries can be a difficult exercise.
- As a second step, data exporters should verify the transfer tool they rely on: if the European Commission has already declared the data protection level of the country, region or sector to which the data is to be transferred as adequate, and as long as that decision is still in force, the data exporter would not need to take any further steps other than monitoring that the adequacy decision remains valid.
- If the European Commission has not yet declared a country, region or sector as adequate, the data exporter would be obligated to assess, as a third step, whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools the data exporter relies on.
- A fourth step would be to identify and to adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence.
- After a fifth step containing formal procedural steps, as a sixth and final step, a data exporter would have the duty to re-evaluate at appropriate intervals the level of protection afforded to the data transferred to third countries and to monitor whether there have been or will be any developments that may affect it.
Shortly afterwards, on 12 November 2020, the European Commission published a proposal for new SCCs (hereinafter “Draft SCCs”). The publication of the Draft SCCs opens a short consultation procedure running until 10 December 2020. At the end, new SCCs shall be published. These possible new SCCs, together with the EDPB Recommendations, could provide more legal certainty for users. The design of the Draft SCCs is modular. This means that there should be one version of the SCCs that covers the following four scenarios through text modules: i) transmissions between two (or more) controllers (“controller-controller”), ii) transmissions from one controller to one (or more) processor(s) (“controller-processor”), iii) transmissions from one processor to one (or more) processor(s) (“processor-processor”) and iv) transmissions from a processor to one (or more) controller(s) (“processor-controller”).
The Draft SCCs have already been criticised during the consultation procedure so far because they would not ultimately prevent secret access to data by state authorities. Therefore, a central problem of the Schrems II decision would not be solved with the Draft SCCs. Nevertheless, the Draft SCCs were also praised since they would contain good approaches to provide users with an update on a very important tool for international data transfer. However, as the Draft SCCs themselves do not contain any technical and/or organisational safeguards, the EDPB Recommendations would need to be used in parallel. If these Draft SCCs are adopted, existing (old) SCCs would have to be revised and updated within one year.