EU takes further steps to align data transfer practice to GDPR requirements
On 12 November 2020, more than two years after the GDPR came into force, the EU Commission published a draft of the new standard contractual clauses (SCCs) for public consultation. The delay was due to the Commission awaiting the judgment in the case widely known as ‘Schrems II’.
The following key changes are expected in the new draft SCCs:
– two additional transfer scenarios not covered by the currently effective SCCs: processor-to-processor and processor-to-controller transfers;
– Article 28 processor-related wording, currently lacking, is expected to be added;
– changes resulting from the Schrems II judgment:
- a new contractual requirement to perform and record an assessment of the laws of the importing country, to determine whether the SCCs ensure an equivalent level of protection;
- if the assessment reveals that the SCCs alone are insufficient in a particular situation, the data exporter shall take supplementary measures;
- an obligation on the data importer to notify the data exporter of any public authority request for the imported data. Where such notification is prohibited by local law, the data importer shall use its best efforts to obtain a waiver of that prohibition;
– transfers of data to and from multiple parties (i.e., involving more than one data exporter and one data importer).
The new SCCs are expected to be business-friendly and to close the gaps in the current SCCs. Parties to data transfers will be able to continue using the current SCCs for one year from the date the new SCCs come into force.
The same week, in light of the Schrems II judgment, the European Data Protection Board (EDPB), the body responsible for ensuring the consistent application of the GDPR, published its recommendations on supplementary measures, together with a roadmap for data exporters to evaluate whether such measures are needed to protect personal data to the GDPR standard. The roadmap consists of the following six steps.
1. Record and map your transfers (as the data exporter), including any onward transfers performed by data importers to their sub-processors. Pay special attention to international cloud infrastructure, which may involve transfers of data to countries outside the EEA. This exercise should be performed before starting any new transfer or continuing an existing one.
2. Identify the transfer tools you are relying on, e.g., adequacy decision, SCCs, binding corporate rules (BCRs), codes of conduct or derogations.
3. If using a transfer tool under Article 46 GDPR, assess whether that tool is effective in light of the law and practice of the importing country. The assessment should cover the following aspects of the transfer: the purposes of the transfer and processing, the types of entities involved, the industry in which the transfer occurs (e.g., fintech, telecom), the categories and format of the transferred data (e.g., plain text, pseudonymised data), potential onward transfers, and whether the data will be stored in the third country or only accessed remotely from there while remaining stored within the EU/EEA.
4. Where the assessed transfer tool is not fully effective, adopt supplementary measures in addition to the transfer tool. Such measures can be:
- technical (e.g., enhanced pseudonymisation where only the EU data exporter retains the technical means of reidentification);
- contractual (e.g., an audit by the data exporter of government access to the imported data, or an obligation on the data importer to give prompt advance notice of its inability to comply with its contractual commitments); and/or
- organisational (e.g., an internal policy on handling public authorities’ access requests).
5. Apply the formal procedural steps, e.g., consulting and obtaining approval from the competent supervisory authorities.
6. Re-evaluate the effectiveness of the transfer tools, including any supplementary measures adopted.
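The technical measure named under step 4, pseudonymisation where only the EU data exporter can reidentify the data subjects, is easier to reason about with a concrete model. The following Python example is added here and is not code from the EU Commission, the EDPB or the original article; it is a constructed illustration using keyed hashing (HMAC-SHA256), and the exporter/importer classes, the sample records and the field names are assumptions for the demonstration. It shows that the importer receives no direct identifiers, that records of the same person remain linkable for analysis, that the importer cannot confirm a guessed identity without the exporter's key, and that the exporter alone can reidentify via the table it keeps in the EU.

```python
import hashlib
import hmac
import secrets

# Constructed sample export (fictitious people, not real data).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test", "balance_eur": 1200},
    {"name": "Bob Example", "email": "bob@example.test", "balance_eur": -40},
    {"name": "Alice Example", "email": "alice@example.test", "balance_eur": 1250},
]

# Assumed set of direct identifiers to strip before export.
DIRECT_IDENTIFIERS = ("name", "email")


def _canonical(record):
    """Normalise the direct identifiers so one person always maps to one pseudonym."""
    return "|".join(record[f].strip().lower() for f in DIRECT_IDENTIFIERS).encode("utf-8")


class DataExporter:
    """EU/EEA-side party (hypothetical): holds the secret key and the reidentification table."""

    def __init__(self, key=None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}  # pseudonym -> direct identifiers; never leaves the exporter

    def pseudonym(self, record):
        # HMAC-SHA256 under the exporter's secret key: deterministic, so records
        # of one person link together, but not recomputable without the key.
        return hmac.new(self._key, _canonical(record), hashlib.sha256).hexdigest()

    def pseudonymise(self, records):
        out = []
        for rec in records:
            pid = self.pseudonym(rec)
            self._lookup[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
            out.append({"subject_id": pid,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
        return out

    def reidentify(self, subject_id):
        # Only possible here, with the key-derived table held in the EU.
        return self._lookup[subject_id]


class DataImporter:
    """Third-country party (hypothetical): receives only the pseudonymised records."""

    def __init__(self, records):
        self.records = records

    def has_direct_identifiers(self):
        return any(f in rec for rec in self.records for f in DIRECT_IDENTIFIERS)

    def check_guess(self, subject_id, guessed_record):
        # Without the key, the importer can only hash a guessed identity with a
        # public function; it never matches the keyed pseudonym. This is the
        # difference from a plain SHA-256 of the identifiers, which anyone could
        # recompute to confirm a guess and which would therefore not be an
        # effective supplementary measure.
        unkeyed = hashlib.sha256(_canonical(guessed_record)).hexdigest()
        return hmac.compare_digest(unkeyed, subject_id)


def demo():
    """Run the exporter/importer exchange and report the properties it demonstrates."""
    exporter = DataExporter()
    exported = exporter.pseudonymise(SAMPLE_RECORDS)
    importer = DataImporter(exported)
    return {
        "importer_sees_identifiers": importer.has_direct_identifiers(),
        "same_person_linkable": exported[0]["subject_id"] == exported[2]["subject_id"],
        "importer_guess_confirmed": importer.check_guess(exported[0]["subject_id"], SAMPLE_RECORDS[0]),
        "exporter_reidentifies": exporter.reidentify(exported[0]["subject_id"])["email"],
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the key and the lookup table are the only means of reidentification and both stay with the exporter; if either were shared with the importer, or if the pseudonym were derived with an unkeyed hash of guessable fields such as an e-mail address, the "exporter only" condition in step 4 would no longer hold. Key management (rotation, access control, backup) is what sustains the measure over time, which is why step 6's re-evaluation applies to it as well.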