As organisations grapple with the reality of an impending “no deal” Brexit against the backdrop of a continuing global pandemic, the scope of compliance obligations is far from diminishing. For many, this expansive burden is already testing internal resourcing as well as increasing the reliance on external specialist support, and coming at a time of unparalleled workforce complication and economic uncertainty. As if this environment wasn't already challenging enough, organisations are now likely to encounter additional complexity with regard to international data transfers under data protection laws, regardless of whether those transfers are executed in an intragroup capacity or involve external parties.
This added layer of complication may come as a surprise to some. Having seen the dismantling of the Privacy Shield in the Court of Justice of the European Union's decision in the Schrems II litigation, more clarity around the extent of the issues was given last week when the European Data Protection Board (EDPB) issued draft guidance and the European Commission (EC) issued a series of draft standard contractual clauses designed to replace the existing model. Although something of a moving target, in this update we consider where the current state of play leaves us in relation to transferring data and what action can be taken now to safeguard against non-compliance with the GDPR.
The old status quo
In the midst of the Brexit fog there was one shining light: the UK Government has stated that it will award an adequacy determination to the EU, meaning that exports of UK origin data to the bloc could continue uninterrupted. Similarly, the UK Government has indicated that it will adopt existing EU adequacy decisions so that any ongoing transfers to jurisdictions having the benefit of those decisions, can continue unimpeded. Good news – no need for extra contracts!
For other jurisdictions, exporting organisations have been navigating the regulatory framework to ensure that those transfers are compliant. Beyond the limited ad hoc derogations available under the GDPR, this has effectively resulted in a rather limited choice. For those organisations wishing to transfer data internationally in an exclusively intragroup capacity, reliance on Binding Corporate Rules (BCRs) is a possibility. However, given the cost and inherent complexity of achieving regulatory approval and implementation of such rules, the reality is that historically, in relative terms, very few organisations have followed this route. In addition, given their limited application to intragroup data transfers, this has not been a solution for transfers to external recipients.
Consequently, many firms were relying on the Privacy Shield framework for transfers of data to self-certified US-based data importers where possible, but otherwise had no choice except to rely on EC approved Standard Contractual Clauses (SCCs) in order to adduce adequate safeguards in line with the regulations. These clauses have no doubt in many cases been imperfect: being rigid in nature they have allowed for very little amendment by the contracting parties and have not catered for the types of data sharing relationships commonly relied upon by organisations. In particular, gaps in the regulatory framework meant that, in terms of contractual safeguards, there was really no accepted solution for transfers executed by data processors. These gaps, despite having been seemingly recognised and accepted by regulators, have nevertheless remained unabated for a period of some years.
The effect of Schrems II
Those familiar with the facts of Schrems II will be aware that the focus of the case centred on the use of the US Privacy Shield framework as a means of providing an adequate level of protection, specifically in the context of transfers of EU origin personal data to the US. However, with the abolition of that framework as a result of the judgment in Schrems II, this has placed added pressure on the use of contractual measures to ensure the level of protection afforded in the destination jurisdiction.
As well as finding that the Privacy Framework is not an adequate transfer mechanism, the Court also cast doubt on the use of SCCs in certain scenarios, indicating that the problem was not the transfer mechanism but the level of protection afforded in the jurisdiction to which the data is transferred. Furthermore, the court stated that it is incumbent on the data exporter to assess the level of protection offered in the destination jurisdiction to ensure that it is “essentially equivalent” to that guaranteed in the EU. The court opined that such an assessment must take into account relevant aspects of the destination jurisdiction's legal system, including the extent of permissible access to data by public authorities under those laws. To the extent that such an assessment reveals irredeemable characteristics in the destination legal system, exporters should terminate the transfer agreement.
As a result, the decision in Schrems II has triggered a wider discussion regarding the use of SCCs and has seemingly forced the hand of legislators/advisers in the EU who are now scrambling to revise the regulatory framework/guidance, apparently with the intention of achieving this before the end of this year.
Regulatory guidance on contractual safeguards
There was surely still some hope in the minds of busy contract/outsourcing lawyers that the potential impact of Schrems II might be mitigated by some softer guidance from the regulators, after all many organisations need to transfer data to third countries (including the US) as part of their day to day businesses. But, on 10 November 2020 that bubble was burst when the EDPB released two sets of draft recommendations: one on the European Essential Guarantees for surveillance measures and another on measures that could be used to supplement data transfer tools. These recommendations are under consultation and are yet to be approved in final form, but do offer an insight into what regulators might expect of data exporters/importers in the future. Among these expectations are significantly more onerous requirements on the contracting parties, including the action points listed below. Also of interest is the EDPB's stated view that the rationale in the Schrems II case applies equally to all contractual mechanisms, including BCRs and any ad hoc clauses approved by a relevant supervisory authority. Although, they have said that BCRs will be subject to further specific guidance.
Just a few days later on 13 November 2020, the Information Commissioner's Office (ICO) released its own statement on the EDPB proposals. However, while many of us would have hoped for some clarity on what the ICO's position will be, even if that amounted only to an acknowledgment that the EDPB guidance will be adopted or substantially replicated, unfortunately that was not forthcoming. In fact, the extent of the ICO's suggestions was that “organisations should take stock of the international transfers they make, and update their practices as guidance and advice become available”. It is not yet clear what that advice or guidance might be or indeed when it might be made available, arguably leaving UK firms at a disadvantage to their European counterparts.
Then, hot on the heels of the EDPB guidance, the EC indicated that it intends to introduce new forms of SCCs to reflect the increased complexity of the technological landscape. This new form of SCCs includes modules designed to address the regulatory gaps that have plagued parties on both sides of the data transfer relationship and could be adopted by the UK in regulations applicable to post-Brexit data transfers. They will essentially cover four scenarios: controller to processor, controller to controller, processor to processor and processor to controller. The EC has indicated that, if the new SCCs are implemented, then organisations will have 12 months to move from current forms of SCCs to the new modules. So, subject to any other contractual variations in the interim, the old sets of SCCs will automatically cease to be valid at the end of that 12 month period. Many of the additional commitments that are discussed in the EDPB guidance are included in the new SCC modules.
The prospect of properly functioning SCCs will no doubt be music to the ears of data lawyers all over, but what isn't clear is how the new recommendations will affect the transatlantic data corridor. Of course, if the primary basis of the finding in Schrems II is EU concern over the effects of US intelligence gathering activities, then how can that be overcome by any form of SCCs? The litigation has concentrated on two surveillance programs in particular, both administered at the federal level, with the Court also identifying the lack of entitlement of non-US citizens to constitutional protections (in particular under the 4th Amendment), resulting in the lack of any available redress against the US government. How these aspects of US federal law will be overcome is yet to be seen, but with the immensity of data traffic and financial value connected to the transatlantic corridor being what it is, one can only assume a pragmatic solution will emerge.
Steps organisations can take now
- As a throwback to the early GDPR preparation days – map your data transfers/flows! Understand where your data is flowing so that you are ready and prepared to take the necessary actions coming out of new guidance and new SCCs, if and when they are implemented.
- Conduct a risk assessment of the nature of the transfers, the recipient and any other actors involved in the arrangements, as well as the protections offered by the legal systems of any relevant third countries. A key issue will be whether the third country has laws that allow public authorities to have access to personal data (for example in connection with crime and national security). If these powers do not go beyond what would be considered necessary and proportionate in a democratic society, then transfers to that country under the SCCs or BCRs should be fine, provided you comply with all the associated requirements.
- For existing data transfer agreements, if the decision to adopt new SCCs is implemented you will need to establish a plan and timetable for executing appropriate contractual amendments prior to expiry of the grace period, as well as any supplementary measures that can be taken in the interim.
- For new data transfer agreements that are to be entered into before the end of the grace period, consider additional contractual protections that can be incorporated as well as any organisational or technical and solutions for improving the protection of data. The move towards permitting greater amendment of SCCs will be interesting – the guidance suggests warranties can be included in the SCCs from a data importer about the laws and regulations in the relevant country, and whether there is anything in those laws which would prevent the data importer complying with GDPR obligations. These additional warranties are likely to become more important in the overall international data compliance framework.
- Re-evaluate international data sharing relationships on a continuing basis, taking into account any adverse changes of law in the destination jurisdiction or to the nature of the parties involved in data flows.
- Assess each situation carefully, but in the short term it may be necessary to build into your data protection clauses the fact that there is uncertainty and that during the agreement the parties may need to update and replace the transfer mechanisms in place.
- Look to use technical and organisational tools that are already available under the GDPR. Implementing measures like data minimisation, pseudonymisation and encryption are all likely to be components of a combined data protection regime.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.