This article focuses on the recent changes to transfers of personal data out of the EEA/UK (i.e. the Schrems II ruling earlier this year, the recent draft recommendations and guidance from the European Data Protection Board and the new set of draft Standard Contractual Clauses). It examines the challenges to compliance, which will affect UK organisations even more if, in the absence of an EU adequacy decision at the end of the transition period, the UK becomes a non-adequate third country for the purpose of data transfers out of the EEA.

Transferring data outside the EEA/UK: the Schrems II judgement

In July 2020, in its landmark judgement commonly referred to as ‘Schrems II’, the Court of Justice of the European Union (the CJEU) declared the Privacy Shield invalid as a data transfer mechanism and clarified that the validity of Standard Contractual Clauses (SCCs) in each particular case will depend on whether personal data can be protected to the level required under EU law. This means that a data exporter may transfer personal data outside the EEA on the basis of SCCs only if a case-by-case assessment (which may be referred to as a “data transfer impact assessment”) concludes that the SCCs, on their own or together with supplementary measures, guarantee a level of protection that is “essentially equivalent” to that under EU law. The aim is to ensure that EU standards of data protection travel with European personal data when it leaves the EEA.

The main factor undermining the protection of EEA personal data in third countries is the scope of access to that data by law enforcement and intelligence agencies. In Schrems II, the CJEU pointed to the lack of limitation on the powers under certain US government surveillance programmes (for example Section 702 of FISA) and the lack of sufficient guarantees for non-US individuals whose personal data might be affected (including the lack of actionable data subject rights against US authorities).

The Schrems II judgement applies to transfers of personal data to all non-adequate third countries (i.e. countries outside the EEA which do not benefit from an adequacy decision granted by the European Commission). An adequacy decision means that, in the European Commission’s opinion, a third country provides a level of protection for EEA personal data that is essentially equivalent to that offered in the EEA and, therefore, personal data can flow freely (without restrictions) between that country and the EEA. Importantly, international transfers of personal data include remote access to such data from a third country (e.g. by an IT-support provider), regardless of where the data is stored.

Transferring data outside the EEA/UK: The EDPB Recommendations

The European Data Protection Board (EDPB) has now provided a draft of its long-awaited guidance on the steps required to ensure that data transfers are lawful in the light of Schrems II. The draft outlines European data protection authorities' expectations for how organisations should approach international data transfers of EEA personal data, including the supplementary measures required to protect against overreaching government surveillance outside of Europe.

The roadmap for compliance laid out by the EDPB includes the following 6 steps:

1. Identify international data transfers

Data exporters must first map all transfers of personal data outside the EEA, bearing in mind that remote access from a third country (for example by an IT-support provider) counts as a transfer regardless of where the data is stored.

2. Identify data transfer mechanisms

For most organisations, the best (and in most cases, the only) transfer mechanism will be SCCs.

It is still possible to transfer personal data to non-adequate third countries on the basis of derogations (in Article 49 GDPR) but such an option is available only in very limited circumstances.

3. Assess the law in the third country

Data exporters are required to assess whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the SCCs in the context of each specific transfer. The EDPB recommends that data exporters reach out to the non-EEA data importer to request information on the legislation applicable to it, and use other sources to research that legislation. This will be a difficult task, especially for smaller organisations with limited resources and no access to local counsel.

4. Adopt supplementary measures

Where step 3 reveals that local legislation undermines the effectiveness of the transfer mechanism, data exporters are required to implement supplementary measures to bring the level of protection up to being essentially equivalent to European law. A non-exhaustive list of possible supplementary measures includes contractual, organisational and technical measures (encryption, pseudonymisation and split processing), which can be combined to adequately address the risks.

The EDPB emphasises that data exporters remain responsible for ensuring the effectiveness of these measures in the context of a particular transfer and will be held accountable for their decisions.

It is clear from the use cases provided by the EDPB that, for some processing scenarios (for example, sending data in the clear, i.e. unencrypted, to a US-based service provider that needs to access it), there may be no appropriate supplementary measures at all.
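As an added illustration (example code written for this article, not taken from the EDPB recommendations or from any particular organisation), the following Python shows the kind of pseudonymisation the EDPB lists as a technical measure, and why the key must stay with the exporter. Direct identifiers are replaced by HMAC-SHA256 pseudonyms under a key generated and kept in the EEA; the importer receives only the pseudonyms plus the fields it actually needs. For contrast it also models the common mistake of using an unkeyed hash, which anyone holding a list of plausible values can reverse. The sample record, field names and candidate list are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

# Constructed sample record for the example (not real data).
SAMPLE_RECORD = {
    "name": "Anna Example",
    "email": "anna@example.eu",
    "national_id": "EU-000-111",
    "ticket": "Password reset loop on login page",
    "severity": "medium",
}

# Direct identifiers are replaced by keyed pseudonyms before export.
DIRECT_IDENTIFIERS = ("email", "national_id")
# Fields the importer does not need for the purpose are dropped entirely
# (data minimisation rather than pseudonymisation).
DROPPED_FIELDS = ("name",)


class Exporter:
    """EEA-side component. Holds the key and the re-identification table;
    neither is ever included in what is sent to the importer."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Key generated and retained inside the EEA.
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def pseudonym(self, field: str, value: str) -> str:
        # HMAC-SHA256 under the exporter's key. The field name is bound in so
        # the same string appearing in two fields yields unrelated pseudonyms.
        msg = f"{field}:{value}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def pseudonymise(self, record: Dict[str, str]) -> Dict[str, str]:
        out: Dict[str, str] = {}
        for field, value in record.items():
            if field in DROPPED_FIELDS:
                continue
            if field in DIRECT_IDENTIFIERS:
                p = self.pseudonym(field, value)
                self._lookup[p] = value  # re-identification table stays in the EEA
                out[field] = p
            else:
                out[field] = value
        return out

    def export_payload(self, record: Dict[str, str]) -> str:
        # What actually crosses the border: a JSON document containing neither
        # the key nor the lookup table.
        return json.dumps(self.pseudonymise(record), sort_keys=True)

    def reidentify(self, pseudonym: str) -> Optional[str]:
        # Only the exporter, holding the table, can map a pseudonym back.
        return self._lookup.get(pseudonym)


def weak_pseudonym(field: str, value: str) -> str:
    """The common mistake: an unkeyed hash of the identifier."""
    return hashlib.sha256(f"{field}:{value}".encode()).hexdigest()


def dictionary_attack(field: str, target: str, candidates: List[str]) -> Optional[str]:
    """Models an importer (or anyone holding the payload) who knows the hashing
    scheme and has a list of candidate values but does not hold the key."""
    for cand in candidates:
        if weak_pseudonym(field, cand) == target:
            return cand
    return None


def demo() -> Dict[str, Optional[str]]:
    exporter = Exporter()
    payload = json.loads(exporter.export_payload(SAMPLE_RECORD))
    # Constructed candidate list an attacker might enumerate.
    candidates = ["bob@example.eu", "anna@example.eu", "carol@example.eu"]
    return {
        "importer_sees_email": payload["email"],
        "cracked_unkeyed": dictionary_attack(
            "email", weak_pseudonym("email", "anna@example.eu"), candidates),
        "cracked_keyed": dictionary_attack("email", payload["email"], candidates),
        "exporter_reidentifies": exporter.reidentify(payload["email"]),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Two caveats a practitioner should keep in mind: keyed pseudonyms are deterministic, so the importer can still link records about the same person across transfers (use a separate key per purpose if that linkage is itself a risk), and this is pseudonymisation, not anonymisation. The measure only works if the importer, or anyone who can compel it, cannot obtain the key or re-identify the data from other information already in its possession.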

5. Adopt necessary procedural steps

Such steps will depend on the transfer mechanism used.

6. Re-evaluate at appropriate intervals

Data exporters must monitor on an ongoing basis developments in the third country that could affect their initial assessment of the effectiveness of supplementary measures.

Summary

There is no denying that these 6 requirements can present quite a significant burden but the EDPB confirms that all exporters of personal data, big and small, must satisfy them for every transfer of personal data outside the EEA.

Transferring data outside the EEA/UK: New EU Standard Contractual Clauses

On 12 November 2020, the European Commission published a long-awaited draft of new EU SCCs, which are expected to be finalised at the beginning of 2021. The new SCCs have a modular format enabling the parties to select the clauses appropriate to their relationship (controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller). Along with other features, this brings a significant improvement, finally providing a tool that covers all types of data transfer scenarios.

There will be a one year grace period to implement the new SCCs from the date of their entry into force.

Understanding international data transfers and how to comply

Complying with these requirements is likely to be challenging, but burying heads in the sand is not a prudent option. We suggest that organisations focus on what can be done and, when working through the 6 steps laid out by the EDPB, take a pragmatic, risk-based approach. The strength and adequacy of any available safeguards will need to be assessed in relation to the sensitivity of the personal data transferred and the risks presented by the laws applicable to the data importer. You should identify the data transfers that are critical to your organisation and seek the data importer’s input where possible. It may be helpful to consider all data transfers in the broader context of other data protection obligations (especially those relating to the security of processing and data protection by design and default). Where necessary, consider switching to European service providers (this may be a last-resort measure and may come with a price tag).

In the absence of an EU adequacy decision for the UK, at the end of the transition period (31 December 2020) the UK will become a non-adequate third country in relation to the EEA states, which will add another layer of complexity to international transfers of personal data. Remember to document your data transfer risk assessments and decisions, to satisfy accountability requirements. If in doubt, seek legal advice.

There have been no fines for illegal cross-border data transfers to date. However, following Schrems II, NOYB (a non-profit privacy organisation based in Vienna) has lodged 101 complaints against companies throughout the EU for transferring data in an illegal way (for example where companies use Google Analytics and Facebook Connect on their websites, thereby transferring personal data to Google and Facebook in the US). These complaints are intended as a wake-up call for DPAs and, since DPAs are obliged to act on them, increase the likelihood of regulatory enforcement.