Press enter to search, esc to close
Our Data privacy and cybersecurity team look at what the clauses mean for international data transfers.
On 16 July 2020, the CJEU handed down its judgment in the Schrems II case; a decision that sent shockwaves through the data protection community and had significant implications for how organisations in the EU and UK manage their international transfers of personal data.
The judgment has presented many challenges for EU and UK exporters of personal data, but one welcome consequence was that the European Commission finally revised the long out-of-date EU standard contractual clauses for transfers to third countries (SCCs).
Adopted on 4 June 2021, the clauses plug some major historic gaps, but have their own challenges and questions.
Nearly a year to the day after the Schrems II judgment, we delved into some key issues:
How should organisations use the new “modular” approach?
What are the implications for existing data processing agreements? and
Can you really do away with SCCs altogether if the importer is subject to the GDPR’s extraterritorial scope?
14 July 2021
The European Commission’s adequacy decisions for the UK have been very much welcomed by organisations across the UK who regularly receive data transfers from the EU. Adequacy goes a long way to simplifying the process of ensuring data protection compliance for data flowing between the UK and EU and means that the SCCs are not required for those transfers. Whilst predominately UK centred organisations might be able to relax for now, for global entities UK adequacy does not mean that you can forget about the EU SCCs entirely – first, those organisations will need to implement the EU SCCs for any data transfers from the EU to third countries (other than the UK) that aren’t already deemed adequate and, second, it is likely that the UK will take a similar approach in its own SCCs so it is worth familiarising yourself with the approach now. The key, as always, is to map your data flows so that you understand (and, crucially, have documented) whether the EU SCCs are required for your organisation or not.
The European Commission granted UK ‘adequacy’ status at the start of last month. Because of this, data transfers from the EU to the UK can continue without the need for contracts implementing the new SCCs. However, transfers of personal data from the UK to a third country are not covered by the new SCCs – they are EU specific.
The ICO currently only recognises the old SCCs as an adequate transfer mechanism for international data transfers which originate from the UK. As a result, we would expect data exporters from the UK to continue using the old SCCs for the time being. Despite this, the ICO has stated that it is working on bespoke UK SCCs for international data transfers – we expect these to be published soon. Whilst the layout and language used within the UK SCCs may differ from the EU approach, we do not anticipate any substantial deviation from the substance of the EU’s approach to the new SCCs for any future UK SCCs.
In order to prepare for the UK SCCs, businesses should look to map all processing relationships with suppliers, or at the very least review them. They should look to identify all transfers that will need to use the UK SCCs. This will help the process of repapering those contracts which are impacted in due course, to implement the UK SCCs once they are finalised.
The new EU SCCs take a modular approach, covering a variety of processing relationships. This includes processor to sub-processor (P2P) relationships. However, there is currently no mechanism for sub-processor to sub-sub-processor arrangements, so organisations will need to give thought as to how best to flow down the SCCs in multi-tiered supply chain relationships.
Where there are global data transfers across a group, it is possible that both the EU and UK SCCs will need to be used. This will depend on which legislation the transfers of personal data are subject to. Data mapping will be key; large groups of companies should carefully review all data flows to establish which transfers are subject to the EU GDPR and which are subject to the UK GDPR. If there are transfers that are subject to both (for example, for a multinational B2C retailer, transfers of personal data relating to EU consumers from the UK affiliate to the US affiliate), then both sets of SCCs could be required. It is possible that the ICO could introduce a mechanism to recognise the EU SCCs as a valid transfer mechanism for UK transfers, in which case it may be that only the EU SCCs would be needed in that scenario, but this remains to be seen.
This is not currently clear from the drafting. The SCCs state that they prevail over any contradictory provisions in any “related agreements” between the parties, which suggests that the SCCs could prevail over contradicting provisions in a data processing agreement (DPA) even in respect of processing of personal data within the EU. However, this is unlikely to be the intention as it goes beyond the scope of the SCCs and their applicability. Controllers using the new EU SCCs may wish to consider including some wording in the wider services agreement or DPA making it clear that the SCCs prevail over any contradictory provisions only to the extent that personal data is transferred outside the EU.
Most commonly organisations have been taking the approach of adopting additional contractual measures in order to address the supplementary measures requirement. To be more effective, these clauses usually look to impose obligations on the data importer to use specific technical measures (like encryption or pseudonymisation, where possible), to notify the data exporter of any government requests for data access and to challenge any such requests. As well as this, from the data exporter’s perspective, it is sensible to include a provision allowing the exporter to terminate the contract/instruct the importer to stop the processing if government access is required. These clauses are usually included, in addition to the SCCs, in relevant data protection clauses in commercial agreements. Alongside these contractual measures, organisations should not underestimate the importance of also focussing on organisational measures – it is crucial to ensure that internal policies governing data transfers are robust, that any government access requests are fully documented and justified, and that the role of the data protection officer in international data transfer matters is properly considered and documented.
Whilst we have seen some variations to the approaches taken by clients to date, one main consistent theme is having a detailed, documented analysis of the data protection laws and practices of the third country, which also considers the extent to which those are essentially equivalent to the UK position. This inevitably makes for quite a labour-intensive exercise.
In order to streamline the process as much as possible, most clients we work with have completed a DTIA at a national level (e.g. examining the USA position generally), and then supplemented that with a much shorter form project-specific risk assessment for larger or higher risk projects. Where we have completed DTIAs for clients, we generally also provide six monthly updates, to record any significant changes in laws, customs and practices in the third country, so that this can be reflected in the DTIA (which remains a living document).
The security measures annex to the new SCCs contains examples of the types of measures that should be included but is not prescriptive as to what these look like. Other regulatory guidance on data processing agreements more generally suggests that the security measures included in the contract should be as specific as possible, but our view is that minimum standards will be acceptable provided that both parties are clear from a technical perspective as to what those minimum standards mean and the controller is able to explain to a regulator and/or to data subjects what those measures are and why they are considered to be sufficient.
Thus far, the European Data Protection Board (EDPB) has not indicated that data localisation/repatriation is required for compliance. However, there are certainly challenges for DPOs in analysing third country laws and so we may start to see organisations looking to work with providers who will commit to keeping their personal data at all times within the UK and/or the EU. We may also see big players on the tech scene move towards data localisation policies for EU/UK customers; Microsoft has already announced that, by the end of 2022, it will build the necessary infrastructure to ensure that data of EU customers remains within the EU at all times, even for backup, failover and support purposes. There is no indication yet as to whether/how this will apply to UK customers, but other providers may start to follow suit. We may also see smaller tech providers starting to offer UK/EU data boundaries to give them a competitive edge over their larger counterparts (although this may come at a higher cost).
The obligations are certainly onerous and far more challenging for SMEs with limited resource than for big corporates. We may well start to see regulators playing a more useful role in helping smaller organisations to make these assessments, either by signposting to more helpful resources or by going further and providing their own resources relating to specific countries to assist SMEs. Localisation of data is often more expensive so the alternative to transferring data abroad comes with its own cost that SMEs will have to consider in deciding which providers to use.
There are mixed views on this question. The benefits of implementing BCRs remain largely as they were before the Schrems II case. The main reason that BCRs now appear to be a more attractive option is that they have not (yet) formed the focus of a significant legal challenge. The EU-US Privacy Shield (and previously Safe Harbour), plus the SCCs, are far more widely used and therefore have been a more obvious target for legal challenges. In this respect, BCRs may provide something of a safe haven for international organisations, as they are still less likely to be a target for direct legal action than the SCCs (and future adequacy decisions made by the EU and the UK).
The main disadvantages with BCRs also remain, however. It is still a lengthy and comparatively expensive exercise to implement BCRs, plus there is now the added challenge of having to consider the UK position separately from the EU position. But for those organisations which are willing to accept the up-front time and cost investments, the longer term benefits remain attractive and in many cases are now even more attractive given the challenges with the Privacy Shield and SCCs. There will still be a need to undertake a Data Transfer Impact Assessment in respect of third countries, but this would be likely to form part of an organisation’s preparation for the BCR application in any event.
We have certainly seen an increase in the number of clients considering making a BCR application, with many now simply waiting for the right time. For many larger international organisations, it is increasingly a matter of when, not if, to lodge an application.