Data transfers to third countries - new “travel rules”
Travel has long since ceased to be the sole preserve of people, goods and commodities. Data are also being sent off on their "travels" from A to B. The pandemic has subjected passenger travel to numerous new regulations. The new EU standard contractual clauses are likewise bringing reforms for the "travel" of data to third countries. We introduce the most important new features and at the same time provide a tool for easily compiling the appropriate clauses.
The EU Commission has issued new binding EU standard contractual clauses for companies. These are more widely applicable than the old documents and cover a greater number of use cases. In addition, the European Data Protection Board (EDPB), the central body of the supervisory authorities of the EU member states, has revised and finalised its recommendations paper on the implementation of the ECJ's Schrems II decision. In contrast to passenger travel, it will be easier for data to travel to the UK: the EU Commission has recognised the United Kingdom, for a limited period of four years, as a safe third country. For data transfers to the United Kingdom, neither standard contractual clauses nor the additional review steps of the EDPB are required.
Summary of the new features
The new EU standard contractual clauses essentially contain the following innovations:
- The recast provides for a modular structure.
- Furthermore, the recast significantly extends the use cases.
- Besides clauses that are based on the old version, there are also new clauses.
- The recast contains several clauses explicitly designed to implement the Schrems II decision. In particular, it provides for examination and documentation obligations regarding the legal situation and the access powers of authorities in the third country.
- The new standard contractual clauses can be used immediately. From 27 September 2021 only the new clauses may be used for new contracts, and at the end of 2022 the previous standard contractual clauses will no longer be valid for existing contracts either.
- The Oppenhoff SCC generator will help you apply them.
The final version of the EDPB’s recommendations paper envisages the following innovations:
- The new recommendations paper of the EDPB serves to concretise the requirements formulated by the ECJ in its Schrems II decision.
- In order to review the permissibility of data transfers to third countries, the EDPB recommends, as it already did in the draft version of the paper, a comprehensive review of transfers to third countries, and it specifies for some use cases the "additional safeguards" that the ECJ demanded for certain cases in its Schrems II decision.
- New, and of great practical relevance compared to the previously published draft version of the Guidelines, is the greater weight given to the so-called risk-based approach. In individual cases, even the transfer of data to "problematic third countries" such as the USA is possible without additional safeguards.
The adequacy decision for the United Kingdom will facilitate data transfers to the UK:
- Shortly before the end of the transition period under the Brexit Agreement, the EU Commission issued an adequacy decision on 28 June 2021 recognising the UK as a safe third country.
- The adequacy decision is valid for four years and can subsequently be extended by the EU Commission. The Commission has announced that it will continue to monitor the legal situation in the United Kingdom during these four years.
- For European companies, the adequacy decision facilitates data transfers, as these are possible without agreeing additional guarantees such as EU standard contractual clauses. However, companies still have basic obligations.
Recast of the EU standard contractual clauses
The EU standard contractual clauses for data protection of the EU Commission are an instrument under Article 46(2)(c) GDPR to ensure an adequate level of data protection between the transferor of personal data and the recipient in a third country. Especially since the ECJ decision (Schrems II), which declared the EU-US Privacy Shield invalid, the practical importance of standard contractual clauses has increased further.
On 4 June 2021, the EU Commission published the recast of the EU standard contractual clauses. This consists of the decision itself with its recitals and the model clauses annexed to the decision. They are intended both to remedy deficits that have been well known for some time and to take the new requirements of the ECJ into account.
There have been three different versions of the standard contractual clauses to date (two for transfers to controllers, one for transfers to processors). There is now a single set of contractual clauses with different modules for different transfer variants. However, the functioning and structure have remained the same: there are fixed contractual clauses which cannot be changed without the approval of the supervisory authorities, but which can be supplemented with non-conflicting clauses. Variable information must be included in the annexes.
(New) use cases
The use cases for the standard contractual clauses have been extended. There are now four different modules, one of which must be selected. Depending on which module is selected, the standard contractual clauses have different components.
- Module 1: As before, a transfer from a controller in the EU to another controller outside the EU can take place. A new feature is that the module can also be used by controllers in a third country who fall within the scope of the GDPR under Article 3(2) GDPR.
- Module 2: As before, a transfer by a controller in the EU (or in a third country, if it falls within the scope of the GDPR under Article 3(2) GDPR) may be made to a processor outside the EU.
- Module 3: A new feature is the use for a transfer from one processor in the EU to another processor in a third country. This should also apply if the transferring processor is located in the third country but falls within the scope of the GDPR under Article 3(2) GDPR (although this case should have little practical relevance).
- Module 4: A further new feature is the transfer from a processor in the EU to a controller in a third country.
In each case, the clauses can be used by several parties as transferors or recipients, and further parties may accede later via the optional docking clause (Clause 7).
Changes to the contents of the clauses
In principle, the clauses are similar to the previous standard contracts. New features are, in particular:
- Unless expressly excluded, all clauses have third-party beneficiary effect for the data subjects (a reversal of the former rule-exception relationship); the list of exceptions has been extended since the draft.
- In the case of transfers to processors (modules 2 and 3), the following applies:
- According to recital 9 of the Commission Decision, the requirements of Article 28 GDPR are fulfilled by the standard contractual clauses. The view held by the German supervisory authorities that additional clauses may be needed should therefore no longer apply.
- A point of particular relevance for cloud computing is that the customer's own right of inspection (audit) cannot be completely excluded.
- The clauses for module 3 (processor in the EU transfers to another processor in a third country) do not clearly define who primarily directs and instructs the other processor.
- In the case of module 4 (transfer from a processor in the EU to a controller in a third country), it is envisaged that the processor in the EU will in certain cases have to check the lawfulness of the data processing, which may not be easily possible for it.
- In particular in the case of module 1 (transfer from a controller in the EU to a controller in a third country), the data importer essentially has to observe the data subject's rights under Articles 12 to 22 GDPR.
- It is now mandatory to include a clause on liability and indemnity between the parties (this was previously optional). It is unclear whether limitations of liability can still be agreed. This is not provided for and could otherwise constitute a change subject to approval.
- The contract must be governed by the law of an EU member state, and this law must ensure the enforceability of the third-party beneficiary clauses (otherwise, the law of a different member state must be chosen).
- The Annex on technical and organisational measures now contains a checklist of the points to be regulated.
Implementation of the ECJ decision (Schrems II)
Clauses 14 and 15 in Section III apply to all modules and serve to implement the requirements of the ECJ (Schrems II):
- According to clause 14, an examination of the legal situation and the corresponding risks, in particular arising from powers of access by authorities in the third country, must be carried out, documented and, on request, submitted to the supervisory authorities. The data importer has a continuous monitoring and notification obligation. In the event of corresponding problems and violations, the data exporter has the right (and the obligation) to suspend and, if necessary, terminate the data processing if additional safeguards are not sufficient. This in turn is linked to an obligation to report to the competent European supervisory authority.
- Clause 15 contains detailed obligations of the data importer to notify the data exporter of access by its national authorities, to
- Ultimately, the data importer has to submit in any event to the jurisdiction of the competent EU supervisory authority (clause 13) and of the courts of an EU member state (clause 18). This may cause conflicts with the principle of territoriality in the recipient state.
The new standard contractual clauses can now be used as an alternative to the previous standard contractual clauses with immediate effect. As of 27 September 2021, the previous standard contractual clauses may no longer be used for new contracts; from then on, only the new clauses can be concluded. All previous standard contractual clauses that have already been agreed or are still agreed by 27 September 2021 will cease to be valid on 27 December 2022 and must be replaced with the new clauses by that date.
The Oppenhoff SCC generator
To make it easier for you to use the new standard contractual clauses (SCC), we are providing an SCC generator on our website. After answering a few questions and making a few selections, the appropriate module with the necessary clauses is provided to you as a Word document. You can find the Oppenhoff SCC generator here. Please note that we initially only provide the tool in English, that you will still need to complete the designated annexes regardless of the module, and that the tool is not a substitute for legal advice.
Finalised Guidelines on additional safeguards
On 18 June 2021, the EDPB adopted the final version of its recommendations paper 01/2020 on the conditions for data transfers to third countries ("Guidelines"). Although the now available final version provides a greater degree of legal certainty in some respects, crucial questions remain unanswered. (You can find our newsletter on the draft version of the Guidelines here.)
For the practically relevant case of data transfers to the USA in particular, the finalised version of the Guidelines offers somewhat more leeway in cases where access to the personal data in question by the US intelligence services is very unlikely in practice.
The requirements of the ECJ
The Guidelines are directly related to the Schrems II decision of the European Court of Justice of 16 July 2020 and represent the EDPB's reaction to the decision. Although the ECJ ruled that the EU standard contractual clauses remain valid, in certain cases they still need to be supplemented by "additional safeguards" to enable personal data to be transferred to a third country that does not have an adequate level of data protection. Which specific protective measures are sufficient to justify a concrete data transfer was essentially left open by the ECJ.
Content of the finalised Guidelines
Compared to the draft version of the Guidelines, the EDPB has maintained the basic framework of the steps to be examined. It recommends that controllers determine the extent to which data is transferred to third countries ("know your transfers"), identify the transfer tools used in each case (e.g. EU standard contractual clauses), review the effectiveness of the transfer tools in each individual case, identify and implement "additional safeguards" if necessary, and evaluate the situation on an ongoing basis in order to identify any need for change.
In Annex 2 of the Guidelines, the EDPB presents several "use cases" and specifies additional safeguards for each. Use case 6 concerns cloud computing, a case of particular practical relevance. Here, the EDPB still proceeds on the basis that additional safeguards of a purely contractual nature are not sufficient and that encryption that keeps the data out of the provider's reach is not possible if the provider has to process the data in the clear for the customer. Encryption that the provider itself performs (and for which it holds the keys) is considered insufficient by the EDPB, with the result that no adequate safeguards are evident for this group of cases. In addition, Annex 2 contains model clauses that can serve as additional contractual safeguards. Compared to the draft version of the Guidelines, the EDPB has significantly expanded the information in Annex 3 of the Guidelines on the evaluation of the factual and legal situation in the respective third country, which is relevant to the question of the effectiveness of the transfer tool used.
New: greater emphasis on the risk-based approach
A decisive difference to the draft Guidelines are the new supplemental explanations on the examination the controller must carry out as to whether the transfer tools used are effective in the individual case and, depending on the outcome of that examination, whether additional safeguards must be implemented (paragraph 28 et seq. of the Guidelines). The supplementations made by the EDPB allow, for the first time, a much stronger weighting of the concrete risk of the third country's state authorities accessing the personal data transferred. Thus, to a greater extent than before, the EDPB opens up the possibility of data transfers that take account of the so-called risk-based approach of the GDPR.
The supplementations provide that, even where the legal situation in the respective third country is "problematic" and the data importer falls within the scope of legislation that allows access by government agencies such as intelligence services, controllers might not have to take additional safeguards in individual cases. This exemption from implementing additional safeguards should apply when the controller "has no reason to believe that the applicable problematic regulations of the third country will be applied in practice to the transferred data and/or the data importer" (paragraph 43.3 of the Guidelines).
Arguably in order to prevent ubiquitous transfers of personal data to the US without additional safeguards, the EDPB emphasises that controllers who wish to transfer data to "problematic third countries" under the described exemption must comprehensively assess and document the risk of access to the data by authorities. In particular, the experience of the data importer and of other players in the sector concerned must be taken into consideration.
At first glance, the updated EDPB recommendations contain only a few changes in content compared with the previous draft version. Insofar as additional safeguards are required in individual cases, the focus remains on technical measures, which are often practically impossible to implement, especially for frequently used cloud solutions from US providers. Crucial, however, is the increased emphasis on the so-called risk-based approach, which can ultimately also permit a transfer to cloud providers without additional safeguards if the practical risk of foreign authorities accessing the data is very low. Due to the strict documentation requirements, however, we recommend closely examining the respective risk in each individual case and making use of the new option only in exceptional cases. We assume that the German supervisory authorities, which have already begun to investigate practices at some companies, will attach particular importance to comprehensive and convincing documentation.
Adequacy decision for the United Kingdom
The Brexit Agreement did not contain a permanent solution on the topic of data protection, only a transition period. At the end of that transition period on 30 June 2021, the UK would otherwise have ceased to be a safe third country for data transfers, which would have required further measures from data exporters and imposed restrictions on data transfers (see the section on the finalised Guidelines above).
The United Kingdom as a safe third country
Shortly before the expiry of the transition period, the EU Commission adopted and published an adequacy decision for the United Kingdom on 28 June 2021. It is effective immediately and for the next four years.
In its extensive reasoning, the EU Commission addressed the data protection conditions in the United Kingdom, including in particular the much-criticised surveillance powers of the authorities. As a result, the EU Commission decided that the data protection system in the UK is essentially equivalent to the level of protection provided by the GDPR.
The Commission also took into account the possibility of data collection by state authorities (in particular for reasons of national security). Intelligence services may only collect data where there is a legitimate interest in law enforcement and the securing of evidence. In contrast to the legal situation in the USA, data subjects affected by unlawful surveillance measures can appeal to the Investigatory Powers Tribunal. The UK is also subject to the jurisdiction of the European Court of Human Rights, the European Convention on Human Rights and the Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data, the only binding international convention in the field of data protection. These obligations under international law are an essential part of the legal framework that was assessed in the two adequacy decisions (one under the GDPR and one under the Law Enforcement Directive).
Adequacy decision only valid for four years
The adequacy decision is initially valid for a period of four years. This is the first time that the EU Commission has set a time limit on an adequacy decision. At the end of the four years, the adequacy decision can be renewed if the UK continues to ensure an adequate level of data protection. It is to be expected that the EU Commission will keep an eye on the legal situation in the UK over the next four years and review it regularly.
Excluded from the adequacy decision are data transfers for the purposes of the United Kingdom's immigration control. The background is a decision of the Court of Appeal of England and Wales on restrictions of data protection rights in this area, as a result of which certain questions of interpretation have not yet been resolved.
So what does this mean for European companies?
The UK is recognised as a safe third country under the adequacy decision, as are other countries such as Japan and Canada. It is therefore not necessary to provide for additional data protection safeguards, such as the conclusion of EU standard contractual clauses (see the section on the recast of the standard contractual clauses above). This will considerably facilitate data transfers to the UK.
However, European companies still need to:
- check whether personal data may be transferred to companies in the UK in the individual case (e.g. for the performance of a contract or on the basis of consent);
- conclude or update data processing agreements with processors from the United Kingdom in accordance with Article 28 GDPR; and
- adapt and update the necessary documentation, such as the records of processing activities, data protection notices in accordance with Articles 13 and 14 GDPR and existing data protection impact assessments.
Due to the limited validity of the adequacy decision and the EU Commission's announcement that it will continue to keep an eye on the legal situation in the UK, companies should monitor the further development of data protection law in the UK and of the adequacy decision.