New guidance emerging on cross-border data transfers: what does this mean for businesses?

Written on 17 Nov 2020

Since the Schrems II decision in July 2020, businesses have been wondering what they need to do to undertake transfers of personal data out of the European Economic Area (EEA) in a compliant manner. Now, the first substantive European level guidance has started to emerge.

First, on 11 November 2020, the European Data Protection Board (EDPB) adopted two sets of recommendations which look to build upon the CJEU’s ruling in Schrems II. Then, the next day, the European Commission published a draft decision on updates to the standard contractual clauses (SCCs) for the transfer of personal data to third countries available here.

Both EDPB recommendations are open to public consultation until 30 November 2020 and will be effective from formal publication. The European Commission draft decision on SCCs is open to public consultation until 10 December 2020. Feedback can be submitted online here.

Entities transferring data outside of the EEA on the basis of anything other than a valid adequacy decision would do well to familiarise themselves with the recommendations and draft SCCs and stay tuned for further detail on how to translate this new guidance into practice.

In this Insight, we give an overview of the new draft guidance and why it matters to businesses. In our separate article, here, we provide more detail on what the guidance covers.

Why does this guidance matter?

In Schrems II, the CJEU determined that data exporters using the Standard Contractual Clauses (SCCs) to transfer personal data outside of the EEA to a third country are required:

  • to verify, on a case-by-case basis, whether the law of the third country ensures a level of protection for the transferred data that is essentially equivalent to that guaranteed in the EEA; and
  • in relevant (if not in most) cases, to supplement the SCCs with additional measures.

Since the ruling there have been calls for clear guidance for data exporters and importers who were left somewhat in the dark about what additional measures might be required where the SCCs or other safeguarding tools fell short.

What does it cover?

The EDPB's recommendations confirm that the SCCs and other Article 46 data transfer tools remain valid safeguards to transfer data to third countries, and cover:

  • Supplementary measures to Article 46 safeguards, including a framework for the case-by-case assessment of the effectiveness of Article 46 safeguards, a discussion of when supplementary measures might and might not be helpful, and consideration of specific measures (see here for a short overview and initial comments).
  • The European Essential Guarantees (EEGs) for surveillance: recommendations to help exporters determine whether the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with the rights to privacy. Where the interference is justifiable, the effectiveness of the Article 46 safeguard will not be undermined and no supplementary measures will be needed.

The EDPB's current position on the effectiveness of certain technical supplementary measures may come as a surprise to users and providers of third party services, such as cloud-based services, which entail transfers of data to third countries and access by service providers to personal data in the clear (where that data is not encrypted or pseudonymised). In practice, the EDPB's position on this point is at least debatable.

The European Commission's draft decision on SCCs proposes updating the current sets with a single modular structure covering four different potential data transfer scenarios: controller to controller, controller to processor, processor to processor, and processor to controller.

The latter two scenarios are new, and have long been awaited by businesses trying to undertake these types of data transfers in a compliant manner. The new SCCs also enable multi-party arrangements and allow parties to adhere to an existing set of new SCCs, thereby potentially simplifying the practicalities of executing SCCs.

In addition, the specific terms of the SCCs have been updated, in part to better align with the provisions of GDPR (including in relation to data subject rights), and in part to reflect the CJEU's decision in Schrems II.

More detail on the new SCCs is set out in our separate article, here.

What will this mean in practice?

Once the new SCCs have been adopted, they will likely offer some level of "ready-made" solutions to implement in practice. However, in many cases various supplementary measures will still be needed to alleviate the absence of an "essentially equivalent" protection in the destination country where the importer is located.

As a result, both exporters and importers will still need to carry out assessments of the law in the destination countries and of the particulars of their data transfer operations. If anything, the EDPB guidance invites organisations to design and build a customised set of protective measures, rather than blindly applying all the supplementary measures as a block.