Data transfers to third countries outside the EU have been made considerably more difficult by the Schrems II decision of the European Court of Justice (ECJ) of 16 July 2020. While the EU-US Privacy Shield has been declared null and void, the EU standard contractual clauses, among others, continue to be valid, but in certain cases need to be supplemented by additional protective measures. We had reported on the decision and its background in a Newsletter.
The European Data Protection Board (EDPB), the central body of EU Member States' supervisory authorities and the European Data Protection Supervisor, has now published a draft recommendation paper on the conditions for transferring data to third countries (see point 2).
Almost simultaneously, the EU Commission presented a proposal for the revision of the EU standard contractual clauses (see point 3).
1. Summary of the new features
1.1 The new EDPB Guidelines can – in essence – be summarised as follows:
To assess the admissibility of data transfers to third countries, the EDPB recommends considering six steps (see point 2.3).
The EDPB emphasises that the data exporter has to thoroughly check whether there are any rules in the respective third country that allow authorities to excessively access the data (see point 2.4).
If this is the case, additional protective measures must be taken. Technical, contractual and organisational measures come into consideration here, although the latter two generally only have a supplementary function (see point 2.5).
In an annex to the Guidelines, the EDPB presents seven "use cases" as examples. It can be concluded from the EDPB's comments on these use cases that the EDPB generally requires the encryption, pseudonymisation or distribution of data as technical measures prior to transferring them to the third country (see point 2.6).
As a further protective measure, the annex to the Guidelines contains additional model contract clauses, which particularly provide for very extensive notification obligations on the part of the recipient regarding possible access by the authorities (see point 2.7).
Overall, the Guidelines reflect an extremely strict position of the EDPB, which will severely restrict the ability of companies to transfer data to the US in the future (see point 2.8).
1.2 The proposal to revise the EU standard contractual clauses contains the following essential new features:
While several clauses are based on the old version, there are also new clauses (see point 3.3).
The proposal contains several clauses explicitly designed to implement the Schrems II decision. In particular, it provides for examination and documentation obligations regarding the legal situation and the access powers of authorities in the third country (see point 3.4).
2. Guidelines on additional protective measures
The EDPB has published a draft for the Recommendations 1/2020 of 11 November 2020 on the requirements for data transfers to third countries ("Guidelines"). While the Guidelines partly provide for a higher degree of legal certainty, crucial questions remain unanswered, especially concerning data transfers to the US, which are of particular practical relevance.
2.1 The requirements of the ECJ
Unless the adequacy of a third country has been established by decision of the EU Commission, each data transfer must be examined on a case-by-case basis to determine whether the level of protection in the respective third country is sufficient and, in particular, whether it ensures an equivalent level of legal protection against access to data by security authorities and similar bodies. The EU standard contractual clauses, as the most common instrument, cannot provide such equivalent legal protection on their own, as they only apply between the parties and cannot bind public authorities. Where the rights of data subjects cannot be sufficiently safeguarded on the basis of standard contractual clauses (or any other transfer tool), the ECJ required the implementation of "supplementary measures", which are now the subject of the Guidelines.
2.2 Previous recommendations
For initial orientation purposes, the EDPB had published FAQs on 24 July 2020, which the Guidelines now elaborate. Also on 11 November 2020, the EDPB published the Recommendations 2/2020 on the European Essential Guarantees for Surveillance Measures.
Amongst publications of the German data protection authorities, the Recommendations of the Data Protection Commissioner of Baden-Württemberg of 25 August 2020 were particularly detailed (these are largely reflected in the Guidelines).
2.3 The examination scheme according to the Guidelines
The EDPB recommends the following six steps to assess the compliance of data transfers:
- Identification of the data transfers to third countries ("know your transfers")
- Identification of the transfer tool used in each case (e.g. EU adequacy decision, EU standard contractual clauses, binding corporate rules)
- Assessment of the effectiveness of the transfer tools and legal risks on a case-by-case basis
- Where necessary, identification of appropriate supplementary measures
- Implementation of supplementary measures
- Regular evaluation of changes and effectiveness of the measures or the obligation to report to supervisory authorities if supplementary measures cannot be implemented
2.4 Examination of the risks of the transfer (step 3)
The EDPB requires the data exporter, in cooperation with the data recipient, to examine the legal framework in the respective third country in order to determine whether there are any access rights for third parties that require supplementary measures. Laws that allow foreign authorities to access personal data without sufficiently specific requirements and legal remedies are particularly relevant. In the case of data transfers to the US, the ECJ considered the provisions of Sec. 702 FISA and Executive Order 12333 to contain such insufficiently specific access rights. The EDPB emphasises that the analysis of the legal framework should take into account the context of the respective data transfer. In particular, the categories of personal data, the purposes of the transfer and the possibility of an onward transfer to other third countries need to be taken into account.
2.5 Additional protective measures (step 4)
According to the EDPB, contractual, organisational and technical supplementary measures generally come into consideration. However, in the EDPB's view, contractual and organisational measures alone are in most cases not sufficient to prevent access by authorities of the respective third country. Additional technical measures will therefore generally have to be implemented, with contractual and organisational measures having more of a supplementary function. The choice of concrete measures should, once again, take into account the concrete circumstances, such as the format of the data and the complexity of the processing chain (i.e. the number of parties involved).
2.6 The examined use cases
In Annex 2 of the Guidelines, the EDPB presents seven use cases:
- In Use Case 1 (data storage for backup and other purposes that do not require access to unencrypted data) and Use Case 3 (transfer or intermediate storage of data), the EDPB requires "strong encryption" during transport and storage. The keys for access must be stored in the European Economic Area or a third country with an adequate level of data protection.
- In Use Case 2 (transfer for "analysis purposes", e.g. for research purposes), data can be transferred without encryption if the data is pseudonymised prior to the transfer in such a way that the data importer cannot identify individual persons without additional information. In Use Case 5 (distributed processing), a similar effect is achieved in that each processing unit receives only parts of the data, but not all of the information necessary to identify individual persons.
- In Use Case 4 (transfer to lawyers or doctors), there is a reduced risk for the rights of the data subjects if the recipients are not obliged under the legal system of the third country to disclose the data to public bodies on grounds of special regulations.
- In Use Case 6 (cloud computing), the EDPB assumes that encryption is not feasible if the provider has to process the data for the customer. Encryption by the provider, which might then still be possible, is deemed insufficient by the EDPB, with the result that no adequate protective measures are available for this group of cases.
- In Use Case 7 (intra-group data transfers), the EDPB also considers the feasible protective measures to be insufficient if, due to the internal distribution of tasks within the group, it is unavoidable that employees of group companies in third countries require unencrypted access to the data. For this group of cases, too, the EDPB does not offer any apparent solution.
2.7 Supplementary contractual clauses
Annex 2 of the Guidelines further contains model supplementary contractual clauses which can be added to the EU standard contractual clauses (even though such supplementary clauses do not provide sufficient protection on their own). In particular, the clauses include very extensive obligations of the recipient to notify the exporter about the possibility of access by authorities and, conversely, audit rights for the exporter, obligations to challenge official requests for information as far as possible, extended rights for data subjects, and contractual obligations to implement the supplementary protective measures. Corresponding provisions are also proposed for intra-group data sharing guidelines.
The recommendations of the EDPB shed some light on the most urgent issues that resulted from the Schrems II decision. However, especially with regard to the crucial supplementary technical measures, the EDPB's position is extremely strict and not particularly practice-oriented. It will therefore continue to be extremely difficult for companies to transfer data to third countries in many cases. In particular, the widely used cloud solutions offered by leading US tech companies typically require the transfer of data in the clear.
3. Revision of the EU standard contractual clauses
The EU standard contractual clauses for data protection of the EU Commission are an instrument under Art. 46 (1) No. 2c GDPR to ensure an adequate level of data protection between the transferor of personal data and the recipient in a third country. Especially after the ECJ ruling (Schrems II), which declared the EU-US Privacy Shield invalid, the practical importance of standard contractual clauses has increased further.
On 12 November 2020, the EU Commission published a Proposal for a Revision of the EU Standard Contractual Clauses. The new proposal intends both to remedy deficits that have been known for a long time and to take the new requirements of the ECJ into account.
3.1 Modular functionality
Until now, there have been three different versions of the standard contractual clauses (two for transfers to controllers, one for transfers to processors). There is now going to be a uniform set of contracts with different modules for the different transfer variants. However, the functioning and structure of the clauses will remain the same, i.e. the intention is to have fixed contractual clauses, which cannot be changed without the approval of the supervisory authorities. The variable details are to be filled in as mandatory information.
3.2 (New) use cases
The use cases for the standard contractual clauses will be extended significantly.
To date, there have been contractual clauses for transfers by a controller to another controller or processor. The following cases are new:
- The transfer from a processor in the EU to another processor in a third country.
- The transfer from a processor in the EU to a controller in a third country.
- Use also by controllers or processors in a third country that fall within the scope of the GDPR under Art. 3 (2) GDPR.
- The use for several parties, in each case as a transferor or recipient.
3.3 Changes to the content of the clauses
Most clauses are similar to the previous standard contracts. The following are new:
- Unless expressly stated otherwise, all clauses have a third-party beneficiary effect for the data subjects (a reversal of the previous rule-exception relationship).
- In the case of transfers to processors, the following applies: (a) According to recital (9) of the decision, the requirements of Article 28 GDPR are fulfilled by the standard contractual clauses. In this case, the view of the German supervisory authorities that additional clauses may be needed should no longer hold. (b) It is particularly relevant for cloud computing that a personal right of inspection by the client cannot be completely excluded. (c) The different clauses for the group of cases involving processors in the EU and further processors in third countries do not clearly define who primarily controls and instructs the other processor.
- In the case of a transfer by a processor in the EU to a controller in a third country, it is envisaged that, in certain cases, the processor in the EU will have to check the legality of the processing, which may be burdensome in many cases.
- In particular, in the case of a transfer by a controller in the EU to a controller in a third country, the data importer essentially has to observe the rights of the data subject pursuant to Arts. 12 to 22 GDPR.
- It is now mandatory to include a clause on liability and indemnity between the parties (this was previously optional). In this regard, it is unclear whether the parties can still agree on limitations of liability as this is not provided for and could otherwise constitute a change that is subject to approval.
- The contract must be governed by the law of an EU country and this law must ensure the enforceability of the third-party beneficiary clauses (otherwise, the law of another EU country must be chosen).
- The Annex on technical-organisational measures now contains a checklist of the points that need to be regulated.
3.4 Implementation of the ECJ judgement (Schrems II)
Various clauses serve to implement the requirements of the ECJ (Schrems II):
- An examination of the legal situation and the corresponding risks, in particular through access powers of authorities in the third country, as stipulated by the EU data protection authorities, must be carried out, documented and, if necessary, submitted to the supervisory authorities.
- The contract contains detailed obligations of the data importer to notify the data exporter of accesses to data by its national authorities and to take legal action against such access, where necessary.
- Finally, the data importer must submit to the decisions of EU supervisory authorities and EU courts. This may raise conflicts with the principle of territoriality in the respective third country.
- In the event of such problems and violations, the data exporter has the right (and the obligation) to suspend and, if necessary, terminate the data processing. This is linked to an obligation to report to the European supervisory authorities.
3.5 Implementation period
At present, the proposal is only a draft of the EU Commission, with the possibility of submitting comments within the framework of a public consultation. The apparent intention is to adopt the new clauses in January or February 2021. As of that date, the new standard contractual clauses must be used for any new data transfers or changes to existing transfers. Previously adopted contractual clauses lose their validity and must be replaced by the new clauses within one year.