In July 2020, the Court of Justice of the European Union (CJEU)1 issued the Schrems II judgment (C-311/18)2 invalidating the European Commission's (EC’s) decision (2016/1250) on the adequacy of the data protection provided by the EU-US Privacy Shield.3 But equally important, this judgment more broadly defined the impact of data transfers4 on third countries cited in the GDPR.5 This will profoundly impact commercial and contractual solutions and obligations. You need to act now to avoid regulatory and commercial issues.
Small and medium-sized businesses from diverse sectors and countries face considerable uncertainty about how to manage data transfers. Today’s methods are more complex, confusing and costly – to potentially dip compliance and commercial decisions into murky water. This does not only affect the current EU-USA transfers -- but the problem is also worldwide. What’s behind it and how can we respond?
Policymakers in all affected areas should realize that trade and innovation is at stake here, and therefore, they should expedite both bilateral and global operations to improve the framework for data protection and digital trade. Doing this has been especially critical during the current COVID-19 pandemic and recovery efforts.
The ruling also assessed the so-called standard contractual clauses and, in general, the rules regarding personal data transfer to third countries. In other words, simply entering standard contractual clauses into a contract does not ensure the transfer of personal data remains lawful. That is why the controller for each party to a contract should further analyze the legality of such a transfer.
The situation is different and more difficult than what occurred after the CJEU judgment in Schrems I case6 declaring invalid the Safe-Harbour Decision, the predecessor of the Privacy Shield. It happened because the 2015 judgment did not deal with standard contractual clauses which greatly facilitated the rapid introduction of another basis for data transfers to the US; however, after the Schrems II judgment was agreed, this process is no longer so easy.
CJEU judgment – who is affected?
The CJEU noted first that under the Intelligence Control Act 10 in force in the United States, it is possible to carry out surveillance activities on non-US citizens. Article 7027 of this act provides the legal basis for the PRISM and UPSTREAM surveillance programs.8 Under the former, Internet Service Providers (ISPs) are required to provide the National Security Agency (NSA) with all outgoing or incoming communications. Some of them also transfer to the US Federal Bureau of Investigation (FBI) and the US Central Intelligence Agency (CIA).
Under the second program, telecommunications companies using cables, network switches and routers are obliged to allow the NSA to copy and filter data traffic to extract messages. In doing so, the NSA gains access to both the metadata and the content of the messages.
Based on the US President's Executive Order 12333,9 the NSA also has access to data that is in the process of being transmitted towards the United States via cables on the bottom of the Atlantic Ocean. This data can be collected.
But none of these activities are regulated by law! The CJEU stressed that the EU citizens do not have access to judicial remedies within the United States to defend themselves against the processing of personal data by the above agencies. Such possibilities are only available to US citizens. These findings are central to the CJEU's decision in this case.
The CJEU, in relation to the assessment of the Decision on standard clauses, emphasised that the EC, by issuing the Standard Clauses Decision,10 is not obliged to investigate whether the third countries to which personal data may be transferred on that basis, can ensure an adequate level of protection of personal data. This is understandable since the standard clauses can be applied to any third country -- including the European Commission adequacy decisions as well -- so such an examination on the part of the EC would be difficult to perform. For this reason, the CJEU found the Standard Clauses Decision to be valid.
However, the CJEU made some important remarks surrounding the reasoning of its judgment regarding the possibility of using the standard data protection clauses as a basis for transferring personal data to the United States. Indeed, the Court emphasised that the controller or processor wanting to transfer personal data based on such clauses must first analyze -- in cooperation with the entity in the third country -- whether that entity ensures adequate protection of personal data.
This adequate protection is to be assessed through the prism of EU law. If this verification reveals insufficient protection, the standard clauses should be supplemented with additional provisions. If, on the other hand, no contractual measures can be put in place to remove the identified risks, then the transfer of personal data to a third country cannot take place under the standard clauses.
Six steps to compliance
To resolve these many challenges, the European Data Protection Board (EDPB) issued transfer recommendations that should make it easier to achieve compliance. Based on Article 70(1)(e) of the GDPR, on 10 November 2020, the EDPB adopted Recommendation 1/202011 on measures complementing data transfer tools to ensure compliance with the level of protection of EU personal data. The EDPB presented a comprehensive methodology, structured in six steps. Clearly it is still a commercial, contractual, and organizational challenge even for the largest companies.
SIX ASSESSMENT STEPS FOR MANAGING DATA TRANSFERS
- Analyze the transfer operations carried out by the organization (data exporter), which requires "mapping" (knowing your transfers) and considering all the entities involved (data importers), the so-called onward transfer operations and the destinations (third countries and international organizations). Again, remember other adequacy decisions by the European Commission are country specific.
- Verify the transfer instruments (mechanisms) used, included in Chapter V of the GDPR in relation to individual data transfer operations identified in step one. Derogations must be interpreted in a narrow way so they do not become 'the rule' in practice.
Assess the effectiveness of the safeguards arising from the transfer instrument adopted under Article 46 of the GDPR. The EDPB points out that as part of the third step, we must assess whether there is anything in the law or practice of the third country (e.g., access to data by public authorities either with or without knowledge of the importer) that may affect the effectiveness of adequate safeguards of the transfer tools relied upon by the data controller within the context of the transfer. No doubt this assessment should focus primarily on the laws of the third country relevant to the specific transfer operation which may render the data importer unable to comply with its obligations under the transfer agreement (standard contractual clauses).
The EDPB -- knowing that the mere task of identifying the relevant foreign law(s) may be difficult – must base the assessment on legislation publicly available while seeking further assistance from the data importer to provide relevant sources and information on the third country where the laws have relevance and where the laws apply to the data transfer.
However, the responsibility for the results of the third country law analysis rests with the data exporter anyway. Not all business partners will have resources to help with such requests.
The EDPB Recommendations11 contain a list of criteria to determine the legal framework within the law of the third country whose analysis is required. The criteria include among other things:
- the purposes of the data transfer;
- the type of entities involved in the data processing in the third country; and
- the sector within which the processing takes place (e.g., financial sector, health sector -- whichever may be subject to specific additional regulations in the third country).
These criteria do not allow omitting step three by not performing the required analysis. Indeed, the obligations included in the Recommendations have not been calibrated in any way to reflect considerations such as the nature of the data transferred or the size of the data exporter's business.
Therefore, an analysis of the third country law will be required regardless of the situation, whether it is a mass transfer of sensitive data (e.g., health data) by a multinational corporation or by a micro-entrepreneur who might relate to the performance of a contract for the supply of his/her products; or conclude a contract with a client from a third country or include only basic contact details of the entrepreneur's employees.
The analysis of the third country law should be performed considering the provisions of EU law -- including the Charter of Fundamental Rights12 considering the case law of the CJEU and the European Court of Human Rights. The requirements to be met by the foreign law to be assessed have been compiled by the EDPB and are presented in Recommendations 2/2020.13
In addition, in case the third country legislation is problematic, considering practical experience, the EDPB states to:
- suspend the transfer;
- proceed with supplementary measures;
- or proceed without implementing supplementary measures in certain cases only.
The required analysis should be carried out with due diligence and be thoroughly documented by data exporters, because authorities will hold them accountable for their decision on this basis.
- Design and implement necessary follow-up measures. In case the analysis in step three shows that the law (and practice) of the third country does not in any way affect the effectiveness of the relevant safeguards under the model clauses (or other transfer instrument under consideration), no additional measures (safeguards) need to be adopted.
On the other hand, a negative assessment (should be assumed lack of capacity or competence to carry out such an assessment) requires further work by the data exporter including significant involvement of the data importer. This work should include identifying, developing, and implementing the necessary complementary measures. The most typical measures of this kind appearing in Recommendations are divided into in three categories:
- technical measures such as data encryption that accounts for the specific requirements defined by the EDPB such as:
- encryption key remaining with the data controller;
- transfer of pseudonymised data;
- appropriate 'splitting' of data between separate data importers (mitigates the risk of a breach of data confidentiality if, for example, an intrusion into the data center occurs for one of the importers involved); and
- data splitting and multi-party processing.
- contractual measures providing additional obligations in the transfer contract for the data importer to implement data access requests made by public authorities of a third country.
- organizational measures include, among other things:
- additional internal policies of the data importer;
- appointment of a dedicated team to deal with requests from public authorities. (The EDPB makes it clear that special attention should be paid to technical safeguards for the transferred data.)
Contractual and organizational measures alone will generally not solve the problem of public authorities of a third country accessing personal data. Only technical measures can prevent this. So, before implementing complementary measures, we should further examine whether the law of the third country precludes the use of a particular measure or renders it ineffective in practice. This is another requirement of the EDPB which may prove extremely difficult to implement.
- Take the necessary formal steps, specifically requesting authorization from the competent supervisory authority for the envisaged data transfer (in accordance with Article 46(3) GDPR). Furthermore, if the data exporter discovers that the importer cannot fulfill obligations under the accepted transfer, but the data exporter fails to stop the transfer -- then the competent authority of this situation needs to be notified.
- Conduct periodic evaluations of the transfer mechanisms used and their effectiveness in accordance with the accountability principle (Article 5(2) GDPR)
Summary: what this is really saying…
The EDPB rules that transfer of personal data to a third country (international organization) is only permissible if the data exporter implements "effective complementary measures." Otherwise, the data transfer process cannot start, and all ongoing transfer operations must be suspended or terminated. If the position of the EDPB is upheld, this will hugely impact companies with the requirement to analyse dozens - or even hundreds - of foreign legal systems.
On 4 June 2021, the European Commission published updated Standard Contractual Clauses (SCCs) under the GDPR for data transfers from controllers or processors in the EU/EEA14 (or others who are subject to the GDPR) to controllers or processors established outside the EU/EEA.
They will replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/4615. A grace period has been established between 27 September 2021 and 27 December 2022. Which means from September 2021 organizations are expected to use updated SCCs only. These are not to be confused with SCCs used internally within EU. Given the additional requirements stemming from the EDPB recommendations discussed in this article along with the newly published SCCs, it is advisable to be aware of the issues and the uncertainties surrounding them as early as possible.
The legal opinions in this article are the author’s own, not WorldCC’s, and this is not legal advice.
- Court of Justice of the European Union website
- The Court of Justice of the European Union (CJEU) ruling in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II).
- Commission Implementing Decision (EU) 2016/1250, Official Journal of the European Union See also Privacy Shield explained
- What is Data Transfer? Informatica article
- GDPR – General Data Protection Regulation. (See also response by NOYB – Max Schrems’ NGO to EDPB Recommendations 01/2020 guidelines and third country issues.)
- Max Schrems vs Data Protection Commissioner (CJEU – “Safe Harbor Judgment of 6 October 2015 in Case C-362/14”), epic.org article.
- See collection of resources from the Brennan Center for Justice Foreign Intelligence Surveillance (FISA Section 702 Executive Order 12333 and Section 215 of the Patriot Act): A Resource Page
- See article on surveillance programs
- Federal Register Archives, Executive Orders
- See report on Standard Clauses Decision about the Standard Contractual Clauses (SCC), by European Commission
- Final Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
- Official Journal of the European Union C 326/391
- Recommendations 02/2020 on the European Essential Guarantees for surveillance measures
- Standard Contractual Clauses (SCC) [ref End Note 15]
- New EU Standard Contractual Clauses for transfers to third countries
ABOUT THE AUTHOR
Piotr Powazka is a consultant and Data Protection Officer (DPO) at ERATRUST.PL with expertise in GDPR, ePrivacy, Information Security, Process Modelling and Internal Control and Compliance. He supports organizations in digital transformation, personal data protection and privacy, contract management, Contract Lifecycle Management (CLM), legal and reg-tech, mar-tech, compliance and internal control and business process modelling. He is a member of The International Association of Privacy Professionals (IAPP) and a certified World CC Contract and Commercial Management Practitioner and Council Member. His 17 years’ experience in contracting, finance, banking, ecommerce, technology and performance measurement has enabled him to become a strong negotiator with substantial experience drafting and reviewing contractual terms for multimillion dollar, complex transactions.
Content reflects views and opinions of the author and do not necessarily reflect the views and opinions of World Commerce & Contracting.