“All the world’s a stage, and all the men and women merely players.” The words of William Shakespeare certainly ring true in the context of a number of a notable developments in the area of international transfers of personal data in recent weeks.
First, the EU Commission issued new draft standard contractual clauses (SCCs) to facilitate compliant transfers of personal data out of the European Union (EU). Hot on the heels of the EU Commission, the European Data Protection Board (EDPB) – the European privacy regulators meeting together – issued draft guidance on the measures that should supplement SCCs in respect of international transfers. These developments, combined with the implications of Brexit, make for a very complex international transfers regime.
What rules apply to the transfers of personal data outside the European Economic Area (EEA)?
Under the General Data Protection Regulation (GDPR), the starting position for companies that want to transfer personal data out of the EU is to check whether the third country has the “seal of approval” from the EU Commission in the form of an “adequacy decision”. The existence of an adequacy decision means that the EU Commission considers that the third country has an adequate standard of data protection.
If an adequacy decision is in place, companies do not need to take any further steps to comply with the international transfer rules under the GDPR, other than monitoring that the adequacy decision remains in force. In the absence of such an adequacy decision, companies have a number of options for transferring personal data in a compliant way.
One frequently used transfer tool is standard contractual clauses, which businesses put in place between the EU-based data exporter and the data importer in the non-EEA country. The SCCs are contractual clauses approved by the EU Commission that are intended to achieve “essential equivalence” of data protection in respect of the personal data being transferred. To be compliant, companies must put these clauses in place on a word-for-word basis (although they may supplement the SCCs with additional commercial terms).
Why is the EU Commission seeking to introduce new standard contractual clauses?
The bottom line is that the existing SCCs are out of date. First, they do not take account of the introduction of the GDPR. Therefore, they do not contain certain provisions that are required to be included in a contract between a controller (a company that is making the decisions about how personal data is used) and a processor (a service provider providing cloud storage or other IT or analytics services to the data controller).
Neither do they take account of the involvement of different actors. Many data transfers involve more than just a straightforward transfer from a controller in the EEA to a processor outside the EEA. In some cases, there may be an initial transfer from an EEA-based controller to an EEA-based processor and then an onward transfer to a sub-processor based outside the EEA. The existing SCCs do not currently cater for that scenario.
Finally, the current SCCs do not take account of the implications of the decision of the highest court of the EU (the Court of Justice of the EU) in the Schrems II case (handed down in July of this year). This decision made clear that businesses may only rely on SCCs as long as there is nothing in the law or practice of the third country that impinges on their effectiveness. It also declared that EU-US Privacy Shield is no longer valid for the purposes of making GDPR-compliant transfers of personal data to the US.
In other words, when relying on SCCs, companies transferring personal data must be satisfied overall that there is still essential equivalence of data protection.
So what is new in the draft SCCs?
The good news is that the new draft SCCs are modular in nature and cater to a number of different scenarios in which there may be multiple actors having different data protection roles.
The bad news is that businesses will need to repaper their existing arrangements. Further, the new terms include commercial liability clauses and other clauses that are commercial in nature, so there will be inevitable conflicts with existing agreed terms. Even though businesses are likely to have 12 months to repaper their arrangements (from the date of approval of the new SCCs), doing so involves potentially cumbersome contract drafting and renegotiation.
The other key challenge is how to address the Schrems II requirements – to assess whether, if relying on SCCs, there is still overall essential equivalence of data protection in the third country. In its draft guidance, the EDPB has taken a very conservative approach to addressing the implications of the court’s decision. In particular, it is somewhat unrealistic in its expectation that businesses will be in a position to assess “essential equivalence” of data protection in all countries to which they send personal data. Further, the new draft SCCs contain onerous Schrems II obligations on data importers to resist access requests from public authorities (for example, to “exhaust all available remedies to challenge the request”).
One of the key takeaways from the EDPB guidance is that, if the law or practice of the third country allows disproportionate access to personal data by public authorities, then SCCs only work for compliance purposes if additional technical supplementary measures make law enforcement access to the data transferred impossible or ineffective. An example of such measures is strong encryption where the encryption keys remain under the control of the data exporter (and such encryption meets other strict criteria).
Another possible measure is heavy pseudonymisation, which again must meet a number of strict criteria. In effect, the EDPB guidance seems to suggest that, unless the data is heavily pseudonymised, data importers should not be able to view or access personal data “in the clear” in such circumstances, which effectively rules out the provision of many different types of services.
Where does Brexit fit into these developments?
Transfers of personal data from the UK to countries outside the EEA
Once the UK is no longer subject to EU law as from 1 January 2021, the GDPR will still remain law in the UK under legislation that the UK has passed during the Brexit process – and will be called the “UK GDPR”. Consequently, the UK GDPR will govern transfers of personal data from the UK to countries outside the UK – the UK will recognise the EEA as providing “adequate” data protection.
If the new draft SCCs were in place before 31 December 2020, they would be automatically recognised by the UK GDPR. However, this is unlikely as the consultation period ended on 10 December. Consequently, there is a strong possibility that the UK will introduce its own revamped standard contractual clauses for use in conjunction with the international transfer provisions of the UK GDPR.
The existence of UK- and EU-approved standard contractual clauses will inevitably introduce a further degree of complexity, including in relation to any “intra-group” arrangements that international groups have for transferring data amongst themselves, such as to and from the UK and the EEA.
As regards the implications of the Schrems II decision, the UK Information Commissioner has already taken a more pragmatic stance in its reaction to the EDPB guidance by indicating that it will take a risk-based approach to enforcement. Consequently, it seems unlikely that the UK Information Commissioner would target enforcement activities at low-risk transfer scenarios, for example, if the nature of the data is not particularly sensitive or the data is unlikely in practice to be requested by law enforcement authorities, and data exporters and importers have put appropriate supplementary contractual and organisational measures in place to protect it. However, this more pragmatic approach is of little comfort to organisations that are also making transfers of personal data from the EEA.
Transfers of personal data from the EEA to the UK
As regards transfers from the EEA to the UK, much will depend on whether the UK has the benefit of an adequacy decision from the EU Commission, negotiations on which are part of the wider trade negotiations. In the absence of such a decision, EEA-based companies will need to consider putting in place SCCs in relation to transfers of personal data to the UK.
Further, such companies will need to consider the implications of the Schrems II decision and to decide whether they can rely on SCCs alone in respect of such transfers. An assessment of whether the UK provides essential equivalence of data protection will require an assessment of potential access to personal data by UK public authorities. In particular, such assessment will need to consider whether such access is proportionate having regard to European rules. The UK will argue that there is essential equivalence of data protection, not least because of its historic membership of the EU.
Balancing the risk
In view of the EDPB guidance, it will be very difficult for companies to be comfortable about GDPR compliance in respect of transfers of personal data to certain countries, given the extent of potential law enforcement access to personal data in those countries.
Unless political solutions are implemented (for example, EU-US Privacy Shield 2.0 for data transfers to the US) or businesses choose to localise fully their data processing activities within the EU, many companies will be forced to accept the risk of enforcement action by EU data protection authorities in respect of transfers of personal data. In theory, such enforcement action could result in fines of up to 4% of total worldwide annual turnover for the preceding financial year, or €20m (whichever is greater).
However, given the challenges also faced by supervisory authorities in lifting the bonnet on these arrangements (for example, resourcing challenges in relation to assessing the laws and practices of third countries), large fines would seem unlikely at least in the short term. In this context, many companies will take a risk-based approach in the hope that EU data protection authorities will follow the likely approach of the UK Information Commissioner in practice.
Some practical risk-based measures are likely to include:
- Understanding the relevant data flows (revisiting data mapping);
- Identifying an appropriate transfer mechanism (such as SCCs);
- Documenting a transfer impact assessment (which takes account of the law enforcement regime in the country to which the data is being transferred as well as other risk factors);
- Implementing appropriate technical, contractual and organisational measures that protect the personal data as far as practicable (while still allowing the data importer to provide the relevant services).
Data importers are likely to receive longer due diligence questionnaires seeking information on the law and practice governing public authority access to personal data in the relevant third country.
Ultimately, the complexities of the current law and guidance on international transfers beg the question as to whether the paperwork that companies will be forced to put in place will trump meaningful data protection compliance in practice.
Leonie Power is a partner (privacy, security and information law) at Fieldfisher LLP.