For an overview of why this matters to businesses, see our introductory article here. In this Insight, we look at each of the different elements in turn in a bit more detail.
The EDPB draft recommendations are designed to help data exporters with the complex tasks of assessing whether the legal regime of a third country is problematic from a data transfer perspective and identifying appropriate supplementary measures (where these are required). The EDPB emphasises the principle of accountability, with regular reminders for data exporters to document their decision-making processes and to conduct assessments carefully and diligently.
However, data importers will also be affected by the recommendations, as they face a more detailed examination of their position and of the relevant laws in their jurisdiction, more detailed negotiation of transfer terms, and a greater focus on specific technical measures for the receipt and use of personal data.
The EDPB has set out six steps for exporters to follow when undertaking assessments:
| Step | Objective | EDPB commentary / actions |
| --- | --- | --- |
| 1 | Know your transfers | Record and map all transfers of personal data to third countries: |
| 2 | Identify and select transfer tools | Identify the appropriate transfer mechanisms as contemplated in the GDPR: |
| 3 | Assess effectiveness in the destination country | Assess the laws and practices in the destination country: Document your full and proper due diligence: Draw the right conclusion: |
| 4 | Adopt supplementary measures | Select an appropriate blend of technical, organisational and contractual measures: Manage your compliance: |
| 5 | Implement supplementary measures | Execute the additional documentation to enhance your SCCs: If you have BCRs or ad-hoc clauses: |
| 6 | Re-evaluate | Any data transfers to third countries must be monitored and, in particular where there have been legal developments in the respective jurisdiction capable of affecting the effectiveness of the transfer mechanism, the initial assessment must be re-evaluated. |
Surveillance laws are one of the most essential components of assessing the effectiveness of protection in the destination country.
To help exporters with that burden, the European Essential Guarantees (EEG) recommendations provide criteria to assess whether surveillance measures in a third country are too invasive and compromise fundamental rights to privacy and data protection (Articles 7 and 8 of the EU Charter of Fundamental Rights) to too great an extent. The recommendations concern the impact of surveillance (including interception) interference only and do not provide a framework to assess the protection provided by a legal regime as a whole.
Surveillance measures should not enable access, retention and further use of personal data by public authorities beyond that which is strictly necessary and proportionate in a democratic society. The EDPB sets out four essential guarantees which must be respected in order to legally limit privacy and data protection rights:
- Processing should be based on clear, precise and accessible rules: in essence, interception and surveillance should (to an extent) be foreseeable and grounded in laws which an individual could invoke before a court.
- Processing should be limited to that which is necessary and proportionate with regard to the legitimate objectives pursued.
- An independent oversight mechanism should exist.
- Effective remedies must be available to the individual.
Where these guarantees are observed, the interference by surveillance is considered to be within the bounds of what is necessary and proportionate in a democratic society.
While the U.S. has been in the spotlight with the Schrems II judgment, all destination countries are potentially "under investigation": experience has shown that striking the right balance when defining surveillance measures is a tough task for lawmakers (including within the EU itself).
European Commission’s draft updated SCCs
In previous decisions (Commission Decision 2001/497/EC and Commission Decision 2010/87/EU), the European Commission adopted SCCs to facilitate the transfer of personal data from a data controller established in the EU to other controllers or processors. Its latest decision sets out an updated and restructured approach to the SCCs, while also seeking to take account of the more extensive requirements of the GDPR and the CJEU's decision in Schrems II.
Structurally, the new SCCs adopt a modular approach such that the one set of terms can cover four different potential data transfer scenarios:
- Controller to controller
- Controller to processor
- Processor to processor
- Processor to controller
In each case, the first named role is in the EEA, and the second named is outside the EEA.
The details of the parties and the transfers are largely set out in Annexes, in part to facilitate multi-party arrangements being covered via one core set of SCCs to which new parties can accede by executing an Annex. This, together with the modular structure, should help businesses enter into SCCs more easily in a broader range of scenarios.
The GDPR-related provisions are largely as one might expect – replicating the approach and wording of GDPR in relation to its core principles, such as those relating to transparency, security, retention and data subject rights.
In terms of Schrems II related provisions, these build on wording in the existing SCCs. For example, there are:
- Specific warranties from both parties around the laws of the destination country.
- Declarations by the parties as to the due diligence they have undertaken.
- Requirements around keeping the position under review, and notifying the other party and the competent supervisory authority.
- Provisions on how to address non-compliance, including suspension and termination.
Many of these provisions dovetail with the contractual commitment elements of the EDPB recommendations discussed above.
Once the new decision has entered into force, the previous Commission decisions permitting the use of existing SCCs will be repealed. Exporters and importers will be able to continue to rely on these “old SCCs” for one year from that date, provided that:
- the contract was concluded before the new decision’s entry into force; and
- the contract has remained unchanged, other than the adoption of any supplementary measures (see above).
After that period (which is rather short in practice), data exporters and data importers will be required to update their contracts with the new SCCs.
What should businesses do now?
There are steps that companies can take now in anticipation of the implementation of the new SCCs while the consultation completes. Many of these steps may already be in progress in response to the Schrems II decision, and companies could consider combining communications and actions so as to meet the recommendations of the EDPB described above as well as to facilitate the introduction of the new SCCs:
- Monitor the situation: Watch for updates on the outcome of the consultation and any resulting changes to the draft of the new SCCs, which will also set the one-year deadline for the phasing out of the existing SCCs.
- Identify which transfers will be affected: Ensure you have a record of the transfers being made under the existing SCCs and which of them will need to be transitioned to the new SCCs before the deadline.
- Check existing agreements for change mechanisms: Review existing agreements with customers and service providers to check what steps the contract requires the parties to take in order to amend it to implement the new SCCs.
- Build SCC successor clauses into new contracts: For contracts being entered into before the new SCCs are in force, ensure that the relevant contracts contain obligations to assist with the replacement of the existing SCCs.
- Consider how to scale the implementation of the new SCCs: Prepare draft communications and variation agreements for contacting customers and service providers, so that the roll-out of the new SCCs can be carried out at scale.