New guidance emerging on cross-border data transfers: an overview

Written on 17 Nov 2020

Businesses wondering what they need to do to ensure their cross-border data transfers remain compliant will welcome new European-level guidance that is emerging

For an overview of why this matters to businesses, see our introductory article here. In this Insight, we look at each of the different elements in turn in a bit more detail.

Supplementary measures

The EDPB draft recommendations are designed to help data exporters with the complex tasks of assessing whether the legal regime of a third country is problematic from a data transfer perspective and identifying appropriate supplementary measures (where these are required). The EDPB emphasises the principle of accountability, with regular reminders for data exporters to document their decision-making processes and to conduct assessments carefully and diligently.

However, data importers will also be impacted by the recommendations, as they face a more detailed examination of their position and the relevant laws in their jurisdiction, as well as more detailed negotiation of transfer terms and a greater focus of specific technical measures for the receipt and use of personal data.

The EDPB has set out six steps for exporters to follow when undertaking assessments:

Step Objective EDPB commentary / actions
1 Know your transfers Record and map all transfers of personal data to third countries:

  • When available, existing records under Article 30 of the GDPR may help.
  • EDPB understands "transfer" to include remote access from a third country or storage in a cloud situated outside the EEA.
  • Exporters must also map out the "onward transfers" (further transfers from one recipient outside the EEA to another).
2 Identify and select transfer tools Identify the appropriate transfer mechanisms as contemplated in the GDPR:

  • Where there is an adequacy decision, exporters still need to verify the exact scope or limitations of the decision, and whether it remains valid in time. But they need not take any further action before proceeding with the transfer.
  • For other regular and on-going transfers, alternative tools such as the SCCs and BCRs will be in order and exporters must assess the effectiveness of protection and the need for  supplementary measures (see steps 3 onward).
  • For occasional and non-repetitive transfers, the derogations set out in Article 49 GDPR may apply, although these are interpreted restrictively.
3 Assess effectiveness in the destination country Assess the laws and practices in the destination country:

  • The Schrems II ruling requires exporters to assess whether the laws in the destination country could undermine the effectiveness of the protection afforded by the SCCs.
  • In particular, government access to data is likely to render these contractual safeguards ineffective in practice, unless such access is governed by clear and transparent rules, offering a sound legal basis and setting out measures that are proportionate and necessary in a democratic society, judging by European standards.

Document your full and proper due diligence:

  • The EDPB guidance makes clear that this is more than a routine exercise. The EEG recommendations (see below) are a guide, but other aspects of the destination country's legal system will also be relevant, such as observing the rule of law, or adherence to international instruments.
  • The investigation should thus include existing sources of information on the national and international applicable laws, even where written legislation is lacking.
  • It must also encompass the full lifecycle of the data and the different entities involved in the processing operations.
  • Data importers should play an active part in the exercise, or perhaps hold themselves ready to provide data exporters with the necessary level of information.

Draw the right conclusion:

  • If effective protection cannot be guaranteed, data should not be transferred unless the supplementary measures (step 4 below) are implemented, including possibly technical steps to render access to the data ineffective or impossible.
  • Whether the burden and risks of the assessment will shift to data exporters or importers is a matter for the parties to decide; the guidance leaves that unanswered.
4 Adopt supplementary measures Select an appropriate blend of technical, organisational and contractual measures:

  • Based on the assessment above, a combination of measures will be required to achieve a more effective protection.
  • Finding the right balance will require all the factual circumstances, including the level of risks for data subjects, to be weighed up.
  • In some cases, technical measures could be the only way to overcome an unjustifiable access to data for surveillance purposes. But access may also result from indirect identification through the use of device identifiers, applications or protocols used in other contexts.
  • Technical measures considered by the EDPB include: strong encryption, pseudonymization, and split or multi-party processing. The EDPB sets out certain practical or technical requirements that it wishes organisations to abide by.
  • Contractual measures can mean commitments to use certain specifications, to report access requests, to obtain certification, to refrain from onward transfers, to review and possibly challenge access requests, and to assist data subjects when exercising their rights.
  • Organisational measures include the adoption of policies and best practices, but also documenting data access requests by government agencies, to the extent admissible under applicable laws.

Manage your compliance:

  • It may be that these measures do not suffice, even in combination. For example, when unencrypted personal data is technically necessary for the provision of the service by the processor, even the most complex technical encryption measures will not render the data inaccessible or illegible. In such cases, the EDPB suggests that exporters should avoid, suspend or terminate the transfer.
  • If this is not feasible, exporters should inform the competent supervisory authority, which will suspend or prohibit the transfer and impose corrective measures if required (for example, fines).
5 Implement  supplementary measures Execute the additional documentation to enhance your SCCs:

  • The EDPB clarifies that there is no need to request an authorisation from the supervisory authority to add these supplementary measures to existing SCCs, on the understanding that the SCCs are not modified nor contradicted by the additional measures.

If you have BCRs or ad-hoc clauses:

  • BCRs and ad-hoc contractual clauses rely on the same principle as SCCs, as all these instruments are contractual in nature.
  • However, the EDPB acknowledges that the impact of Schrems II on these transfer tools is still under discussion
6 Re-evaluate Any data transfers to third countries must be monitored and – in particular where there have been legal developments in a respective jurisdiction capable of affecting the effectiveness of the transfer mechanism – the initial assessment re-evaluated.

EEG recommendations

Surveillance laws are one of the most essential components of assessing the effectiveness of protection in the destination country.

To help exporters with that burden, the European Essential Guarantees (EEG) recommendations provide criteria to assess whether surveillance measures in a third country are too invasive and compromise fundamental rights to privacy and data protection (Articles 7 and 8 of the EU Charter of Fundamental Rights) to too great an extent. The recommendations concern the impact of surveillance (including interception) interference only and do not provide a framework to assess the protection provided by a legal regime as a whole.

Surveillance measures should not enable access, retention and further use of personal data by public authorities beyond that which is strictly necessary and proportionate in a democratic society. The EDPB sets out four essential guarantees which must be respected in order to legally limit privacy and data protection rights:

  • Processing should be based on clear, precise and accessible rules – in essence, interception and surveillance should (to an extent) be foreseeable and grounded in laws which an individual could invoke before a court.
  • Processing should be limited to that which is necessary and proportionate with regard to the legitimate objectives pursued;
  • An independent oversight mechanism should exist.
  • Effective remedies must to be available to the individual.

Where these guarantees are observed, then the interference by surveillance is considered within the bounds of what is necessary and proportionate in a democratic society.

While the U.S. has been in the spotlight with the Schrems II judgment, all destination countries are potentially "under investigation": experience has shown that striking the right balance when defining surveillance measures is a tough task for lawmakers (including within the EU itself).

European Commission’s draft updated SCCs

The European Commission in previous decisions (Commission Decision 2001/497/EC5 and Commission Decision 2010/87/EU6) adopted SCCs to facilitate the transfer of personal data from a data controller established in the EU to other controllers or processors. Its latest decision sets out an updated and restructured approach to the SCCs, while also seeking to take account of the more extensive requirements of GDPR and the CJEU's decision in Schrems II.

The consultation on the new decision and updated SCCs is open until 10 December.

Structurally, the new SCCs adopt a modular approach such that the one set of terms can cover four different potential data transfer scenarios:

  • Controller to controller
  • Controller to processor
  • Processor to processor
  • Processor to controller

In each case, the first named role is in the EEA, and the second named is outside the EEA.

The details of the parties and the transfers are largely set out in Annexes, in part to facilitate multi-party arrangements being covered via one core set of SCCs to which new parties can accede by executing an Annex. This, together with the modular structure, should help businesses enter into SCCs more easily in a broader range of scenarios.

The GDPR-related provisions are largely as one might expect – replicating the approach and wording of GDPR in relation to its core principles, such as those relating to transparency, security, retention and data subject rights.

In terms of Schrems II related provisions, these build on wording in the existing SCCs. For example, there are:

  • Specific warranties from both parties around the laws of the destination country.
  • Declarations by the parties as to the due diligence they have undertaken.
  • Requirements around keeping the position under review, and notifying the other party and the competent supervisory authority.
  • Provisions on how to address non-compliance, including suspension and termination.

Many of these provisions dovetail with the contractual commitment elements of the EDPB recommendations discussed above.

Once the new decision has entered into force, the previous Commission decisions permitting the use of existing SCCs will be repealed. Exporters and importers will be able to continue to rely on these “old SCCs” for one year from that date, provided that:

  • the contract was concluded before the new decision’s entry into force; and
  • the contract has remained unchanged, other than the adoption of any supplementary measures (see above).

After that period (which is rather short in practice), data exporters and data importers will be required to update their contracts with the new SCCs.

What should businesses do now?

There are steps that companies can take now in anticipation of the implementation of new SCCs whilst we wait for the consultation to complete. Many of these steps may already be in progress in response to the Schrems II decision and companies could consider combining communications and actions to meet the recommendations of the EDPB described above as well as to facilitate the introduction of new SCCs:

  1. Monitor the situation: Watch for updates on the outcome of the consultation and any resulting changes to the draft of the new SCCs, which will also set the one year deadline for use of the existing SCCs to be phased out.
  2. Identify which transfers will be affected: Ensure you have a record of the transfers being made under the existing SCCs and which will need to be transitioned to the new SCCs before the deadline.
  3. Check existing agreements for change mechanisms: Review existing agreements with customers and service providers to check what steps the contract requires the parties to take in order to amend it to implement the new SCCs;
  4. Build SCC successor clauses into new contracts: For contracts being entered into before the new SCCs are in force, ensure that there are obligations in any relevant contracts to assist with the replacement of existing SCCs.
  5. Consider how to scale the implementation of the new SCCs:  Prepare draft communications and variation agreements to contact customers and service providers to roll out new SCCs which will help to scale the process.