The future of international data transfers: new SCCs and EDPB guidance

Christmas seems to have come early this year for everyone who is involved in data protection.

First, the European Data Protection Board (“EDPB”) published earlier this week two sets of recommendations on how companies should respond to the landmark Schrems II decision of the Court of Justice of the European Union on international data transfers (read here).

Second, the European Commission also released a draft of the long-awaited revised set of standard data protection clauses (or standard contractual clauses, “SCCs”), a template contract to put in place appropriate safeguards to enable data transfers.

But is this really the gift we have all been waiting for?

Standard contractual clauses

For a couple of years now, the standard contractual clauses have been under review. Publication was due to occur earlier this year but was postponed when the CJEU’s Schrems II decision was rendered.

The new draft SCCs consist of a long, modular template covering no fewer than four scenarios. The published document not only incorporates the traditional scenarios of controller-controller transfers and controller-processor transfers, but now also adds processor-processor transfers and processor-controller transfers, thereby aiming to solve a number of gaps and uncertainties that have existed in particular since the GDPR came into force.

The draft SCCs also resolve a number of outstanding issues such as the lack of processor language (required by Article 28 GDPR) in the current SCCs, the concerns raised by the Schrems II decision and finally drafting to use them in a multi-party setting.

Our preliminary assessment is that the new SCCs will likely provide a flexible and business-friendly instrument, provided the draft is effectively adopted.  They are a significant step forward on the current SCCs.

Data exporters should also note that the old SCCs are grandfathered for a year but then approval for them will fall away, meaning an important repapering exercise can be expected to take place in 2021-2022. At least businesses have 12 months to do that exercise.

EDPB guidance - A six stage process

Earlier this week, the EDPB also published its guidance on how to assess data transfers after the Schrems II decision.

In Schrems II, the CJEU confirmed that SCCs remain a valid transfer instrument to enable data transfers outside the EU. However, the CJEU also indicated that this is subject to a proper risk assessment and, where identified by the risk assessment, the putting in place of supplementary measures above and beyond the SCCs to ensure an essentially equivalent level of protection in the relevant third countries. Absent essential equivalence, transfers are prohibited, even when using SCCs.

The EDPB’s recommendations have two parts:

  • one setting out the process for the risk assessment and, in particular, setting out some measures that could supplement transfer tools to ensure compliance with the EU level of protection of personal data (still in draft), and
  • one aimed at helping assess the legal regime of a third party country to which personal data is being sent (which is already in final version). This is referred as the European Essential Guarantees for surveillance measures.

To properly assess the risks related to transfers, the EDPB proposes a six-stage process. These steps include:

  • Step 1: Identifying your data transfers (including onward transfers).
  • Step 2: Identifying the transfer tools we are relying on, e.g. adequacy decision, SCCs, BCRs, derogations.
  • Step 3: Where relying on SCCs or BCRs, assessing whether the transfer tool is effective in light of the European Essential Guarantees for surveillance measures.
  • Step 4: Adopting supplementary measures where necessary, some of which are described in the guidance.
  • Step 5: Considering whether any procedural steps are required, e.g. approval by a data protection authority.
  • Step 6: Re-evaluating at appropriate intervals.

The recommendations and supplementary measures proposed by the EDPB can either be technical (e.g. using enhanced encryption or pseudonymisation), contractual (e.g. requiring the importer to challenge access requests or the publication of transparency reports on government access) and/or organisational (e.g. having an internal policy in place on how to handle government access requests within the organisation). The measures can impose a heavy burden on companies and be particularly hard to implement in practice.

The recommendations of the EDPB also provides for use cases and considers which technical measures would be sufficient and which not.

These recommendations indicate that technical security measures, like encryption, will not be sufficient on their own for remote access to EU hosted data and, even more importantly, cloud-based solutions in countries which do not meet the European data protection standards. EU established businesses will need to look to additional contractual and organisational protections, as well as technical measures, to demonstrate essential equivalence.

What next?

Although the EDPB recommendation on supplementary measures is applicable after publication, it is now open for consultation until 30 November, after which a final version will be adopted. The European Commission’s public consultation on the new SCCs is open until 10 December.

Both the European Commission and the EDPB understand the urgent need for guidance, so final versions are expected by the end of this year or early next year at the latest.

In the meantime, we recommend in line with the EDPB guidance to urgently (re)assess your EU to non-EU data transfers and consider whether any further steps should be taken.

The EDPB’s draft Recommendation on complying with Schrems II is here and final Recommendation on European Essential Guarantees for surveillance measures is here.

The new draft SCCs are available here and here.

By Tanguy Van Overstraeten, Guillaume Couneson and Emma Ottoy