Under the Spotlight: Untangling the EU Data Transfer Knot

15 Dec 2020
Client Alert

The Schrems II decision is having a seismic impact on organizations’ data transfer practices months after being delivered by the Court of Justice of the European Union (CJEU). While the case itself was limited to considering EU-U.S. data transfer mechanisms, the effects of the decision have quickly turned out to be wider reaching. In light of the uncertainties and confusion arising out of this decision, three documents issued by the European authorities – the Supplementary Measures Recommendations, the Essential Guarantees and the New SCCs (all introduced below) – will likely be welcome news to organizations that have struggled since July to interpret the CJEU’s ruling and implement it in a meaningful and practical way.

But we are not there yet; the Supplementary Measures Recommendations and the New SCCs, in particular, are not quite the pragmatic and actionable guidance that the privacy community was seeking. It is hoped that the drafts of these two documents will evolve during the consultation process and provide more practical solutions than their current versions. (Readers should note that the public consultation for the Supplementary Measures Recommendations is open until December 21, 2020; however, the consultation for the New SCCs is now closed.)

As a reminder, the Schrems II decision (i) invalidated the EU-U.S. Privacy Shield and (ii) added a new burden on organizations to assess (prior to transfer) whether a third country provides an adequate level of protection for personal information. The CJEU, however, did not give any practical insight as to how organizations should carry out an assessment of third country adequacy or what kind of supplemental measures they should consider to validate their data transfers.

With businesses facing a risk of noncompliance simply because of the uncertainties that the Schrems II decision creates, the EU authorities have finally stepped in with much-needed documents:

  • Draft recommendations issued by the European Data Protection Board (EDPB) for public consultation to assist data exporters with identifying and implementing appropriate “supplementary measures” when transferring personal information to third countries (the “Supplementary Measures Recommendations”);
  • A new set of recommendations, also issued by the EDPB, outlining how organizations should assess a third country’s surveillance measures (the “Essential Guarantees”); and
  • Draft Standard Contractual Clauses (the “New SCCs”) issued by the European Commission for public consultation.

We provide below a summary of the key takeaways from each of these three documents.

The Supplementary Measures Recommendations

The Supplementary Measures Recommendations set out a six-step plan for organizations exporting data outside the EEA (“data exporters”) to follow when transferring personal information to organizations in a non-EEA country (“data importers”).

  • Step 1: Know your transfers. Organizations should record and map all data transfers of personal information, including onward transfers. In other words, organizations must identify (and document) the destinations where the personal information will be transferred (or where that information will be accessed). The EDPB acknowledges the complexity of this task and suggests that organizations should leverage other internal records or mapping exercises required by the GDPR as a starting point. The EDPB suggests that organizations will need to know where their cloud storage providers are keeping data. This presents a significant challenge for large organizations and cloud storage providers.
  • Step 2: Identify the correct Transfer Tool. If an organization relies on an Article 46 GDPR transfer tool (“Transfer Tool”), such as standard contractual clauses (SCCs) or binding corporate rules (BCRs), data exporters must ensure that the level of protection of personal information will be essentially equivalent to EU standards. The BCRs are specifically called out as being subject to the same requirements as the SCCs.
  • Step 3: Assess the effectiveness of the Transfer Tool. Organizations should:
    • Assess (where appropriate, in collaboration with the data importer), whether there is anything in the law or practice of the third country that may undermine the effectiveness of the Transfer Tool in the context of each specific transfer.
    • Pay specific attention to relevant local laws, such as those laying down requirements to disclose personal information to public authorities or granting such authorities powers of access to personal information (for example, for criminal law enforcement and national security purposes).
    • Where legislation in a third country is lacking, look into other relevant and objective factors to make the assessment. Subjective factors, such as the likelihood of public authorities’ access to personal information, should not be considered.
    • Continuously monitor developments in the third country that could affect the initial assessment.
  • Step 4: Adopt supplementary measures. If it concludes that the chosen Transfer Tool is not effective, a data exporter must identify on a case-by-case basis appropriate contractual, technical, or organizational supplementary measures that will reinforce that Transfer Tool.
    • An example of a contractual measure would be that the data importer agrees to assess the legality of a disclosure order issued by a foreign authority and challenge it where possible.
    • An example of a technical measure would be pseudonymization of personal information before transfer. Encryption can also be an effective measure, provided the decryption keys remain solely under the control of the data exporter (or another entity within the EEA). Encryption by a data exporter will not be considered effective if the data importer has the ability to decrypt the information (e.g., by having access to the decryption key), since any disclosure order served on the importer would then reach the clear text.
    • An example of an organizational measure would be the adoption of internal policies that clearly allocate responsibility for (i) data transfers, (ii) reporting channels, and (iii) standard operating procedures where an organization receives a governmental request to access personal information.
  • Step 5: Determine if any procedural steps are needed to implement supplementary measures, depending on the Transfer Tool in use. For example, when implementing supplementary measures in addition to SCCs, organizations do not need to request prior authorization from the competent data protection authority to add them. This means there is no need for additional procedural steps, unless the supplementary measures contradict the SCCs in some way.
  • Step 6: Re-evaluate at appropriate intervals. Organizations must continuously monitor developments in the third countries where they have transferred personal information, in case the status quo changes.
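As an added illustration of the technical measure described in Step 4 (this is example code written for this alert, not a tool published by the EDPB or by any of the parties discussed), the following Python sketch shows keyed pseudonymization in which the secret key and the re-identification table stay with the data exporter, and why the measure collapses once the importer holds the key. The field names, the sample record, and the choice of HMAC-SHA256 as the pseudonymization function are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Fields treated as direct identifiers that must not leave the EEA in clear text.
# Assumption for this example: the field names are illustrative, not taken from
# the EDPB recommendations.
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed pseudonym for one identifier value.

    HMAC-SHA256 rather than a plain hash: without the key, a third party
    cannot test guesses (e.g. hash a list of known e-mail addresses and look
    for matches). The field name is bound into the input so the same value
    in two different fields does not yield the same pseudonym.
    """
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes) -> Tuple[dict, dict]:
    """Split a record into the version sent to the importer and the
    re-identification table that stays with the exporter.

    Returns (exported_record, lookup), where lookup maps pseudonym -> original
    value. Only exported_record crosses the border.
    """
    exported = {}
    lookup = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            tag = pseudonym(key, field, str(value))
            exported[field] = tag
            lookup[tag] = value
        else:
            exported[field] = value
    return exported, lookup


def reidentify(exported: dict, lookup: dict) -> dict:
    """Exporter-side reversal using the table that never left the EEA."""
    return {
        field: lookup.get(value, value) if field in DIRECT_IDENTIFIERS else value
        for field, value in exported.items()
    }


def dictionary_attack(exported: dict, candidates: dict, key: Optional[bytes]) -> dict:
    """What the importer (or an authority compelling it) can recover by guessing.

    candidates maps a field name to a list of plausible values. With no key the
    pseudonyms cannot be checked at all; with the key every guess can be
    confirmed, which is why the measure is ineffective when the importer holds
    the key.
    """
    if key is None:
        return {}
    recovered = {}
    for field, guesses in candidates.items():
        for guess in guesses:
            if exported.get(field) == pseudonym(key, field, guess):
                recovered[field] = guess
    return recovered


# Constructed sample input (not real data) and a key assumed to be kept in the EEA.
EXPORTER_KEY = b"exporter-held-secret-that-stays-in-the-eea"
SAMPLE_RECORD = {
    "email": "alice@example.com",
    "name": "Alice Example",
    "country": "DE",
    "purchase_total": 42.5,
}

if __name__ == "__main__":
    sent, table = pseudonymize_record(SAMPLE_RECORD, EXPORTER_KEY)
    print("record as received by the importer:", sent)
    print("restored by the exporter:", reidentify(sent, table))
    guesses = {"email": ["bob@example.com", "alice@example.com"]}
    print("importer without the key recovers:", dictionary_attack(sent, guesses, None))
    print("importer holding the key recovers:", dictionary_attack(sent, guesses, EXPORTER_KEY))
```

The non-identifier fields are exported unchanged, so a practitioner still has to consider whether those fields, in combination, allow an individual to be singled out; pseudonymizing the direct identifiers alone does not settle that question.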

The concepts within the Supplementary Measures Recommendations are useful starting points. As currently drafted, however, they lack proportionality and practicality. The process for implementing supplemental measures would greatly benefit from a more risk-based approach. For example, the EDPB’s current draft suggests that certain supplementary measures must be implemented in order to transfer any personal information without regard to the sensitivity of the information or, most significantly, the risks to the rights and freedoms of the individuals.

Furthermore, under Step 3, the burden on organizations of assessing a country’s level of adequacy remains significant, even though the EDPB suggests that data importers assist with the assessment and provides a shortlist of the sources of law that might be consulted. The risk is that organizations are likely to each make different and inconsistent assessments of adequacy for the same countries. This could in turn lead to unwanted fragmentation—something that the GDPR was designed to overcome. It will be interesting to see whether the finalized version of the Supplementary Measures Recommendations changes in this area.

The Supplementary Measures Recommendations are open to public consultation until December 21, 2020.

The Essential Guarantees

The EDPB has also updated its Essential Guarantees to help organizations assess third countries’ surveillance measures and legal frameworks. The four Essential Guarantees are:

A. Processing of personal information should be based on clear, precise, and accessible rules. Which category of individuals is subject to surveillance? Is there a limitation on the duration of the surveillance measures? Are the necessary safeguards in place? Surveillance measures should not be arbitrarily applied to individuals.

B. Any limitations imposed on individuals’ rights and freedoms as a result of surveillance measures must be necessary and proportionate. For example, is surveillance limited to situations where there is a genuine or present threat to national security?

C. Any interference in the right to privacy should be subject to an independent oversight mechanism. This oversight can be either by a judge or by another entity that is sufficiently independent from political pressures and can be publicly scrutinized.

D. Individuals should have access to effective remedies. This means that individuals should have the opportunity to bring legal action before an independent and impartial court, either to gain access to their personal information or ask for rectification/deletion of their information. In addition, third countries’ laws should give courts/tribunals the power to pass decisions that are binding on public authorities (including intelligence services).

The Essential Guarantees provide organizations with itemized criteria to help assess a third country’s level of data protection. At the same time, they suffer from the same overarching issue that challenges the Supplementary Measures Recommendations: it is inherently inefficient and unreasonable to expect every organization to independently assess third countries’ laws. Moreover, this approach will likely result in diverging and inconsistent assessments of the same countries.

Notably, the assessment framework in the Essential Guarantees is the same as the one that the European Commission is required to apply in the context of an adequacy decision. This raises a valid question: Should the European Commission guide the analysis for each third country’s adequacy, rather than leaving the assessment to individual organizations?

The Essential Guarantees were not open for public consultation but instead became directly effective on November 10, 2020.

New Standard Contractual Clauses

The New SCCs are a long-awaited and much-needed development; the existing SCCs date back to the pre-GDPR era of 2004 and 2010. While it has been working on updating the existing SCCs for a while now, the European Commission delayed publication pending the Schrems II decision in order to take the CJEU’s ruling into account in the New SCCs.

Under the current proposal, organizations will be required to replace all of their existing SCCs with the New SCCs within one year following adoption of the New SCCs. This tight transitional period could create substantial problems for organizations. For many, this will mean having to address hundreds if not thousands of agreements in need of remediation, potentially re-opening entire relationships to more negotiations, all within one year. This is a major departure from the approach that the European Commission took when it issued the current controller-processor SCCs in 2010; organizations were then allowed to continue relying on the previous version SCCs that were already concluded, provided that the subject matter remained unchanged. Hopefully, the European Commission will choose to apply the same approach again and not insist on a period that would impose unnecessary burden and cost on organizations.

The key changes proposed under the New SCCs include:

  • Modular approach, also including P2P and P2C. The current SCCs provide separate forms for controller-processor and controller-controller transfers. The New SCCs now cater to various transfer scenarios within a single document and include the long-awaited processor-processor and processor-controller transfers.
  • Use by non-EU controllers. The New SCCs provide a transfer mechanism for non-EU controllers (for example, a company in the United States) using an EU service provider/processor.
  • Adequacy of destination country’s laws. Similar to the existing SCCs, under the New SCCs the signatories must warrant that they have no reason to believe that the laws in the data importer’s country prevent the data importer from fulfilling its obligations. Unlike the existing SCCs, however, the New SCCs make explicit reference to additional safeguards where they would be required. This language has been inserted because of the Schrems II decision.
  • No additional Article 28 GDPR agreement. Where the New SCCs are used for transfers to non-EU processors, the New SCCs themselves contain the provisions required under Article 28 GDPR (the data processing terms required between controllers and processors). In other words, concluding the New SCCs with non-EU processors will not require the parties to sign a separate Article 28 GDPR agreement.

It is important to be aware that the New SCCs impose a number of additional obligations on data importers that go well beyond the GDPR’s requirements. For example:

  • Breach notification: The New SCCs require importing data controllers to provide notice not only to the authorities and individuals in case of a security breach, but also to exporting data controllers, irrespective of whether the parties involved are independent or joint controllers. It is not clear how this will interplay with joint controller arrangements, which already require joint controllers to set out their agreed division of responsibilities, including the GDPR-required notices to authorities and individuals.
  • Sub-processors: The New SCCs prevent data importers acting as sub-processors from further subcontracting activities performed on behalf of the exporting processor without the prior specific written authorization of the controller. It is far from clear how sub-processors could obtain such authorizations from controllers with whom they have no contractual relationship. Bypassing the exporting processor, which has the direct relationship with the controller and therefore functions as the safety valve, the intermediary and the party liable for the performance of its sub-processors, would create confusing, overly burdensome and bureaucratic situations that are best avoided in practice.

The New SCCs were open to public consultation until December 10, 2020 and must now continue through the EU’s legislative process. One hundred forty-eight interested parties have submitted their comments. We do not expect the New SCCs to be finalized and ready for use until 2021.


****

Nobody would dispute that 2020 has been a turbulent year for international data transfers, compounded by the COVID-19 pandemic placing additional burdens on organizations’ privacy and data protection compliance practices. While the guidance and the New SCCs are a step in the right direction, they do not provide all of the answers. Organizations should be prepared for all of the work that their data transfer compliance programs will require next year. We will keep you informed as the situation develops.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.