Written by Stephen Ragan, Principal Privacy Consultant at Wrangu
On January 15, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) released a statement announcing they had adopted joint opinions on the two sets of the European Commission’s draft Standard Contractual Clauses (SCCs). One opinion covers the draft SCCs for contracts between controllers and processors (‘the Controller-Processor SCCs’). The other addresses the draft SCCs for the transfer of personal data to third countries (‘the Third Country Transfer SCCs’).
The opinions of the EDPB and EDPS were issued in response to the publication by the EU Commission of the Draft Implementing Decision on November 12.
At the outset, the opinion on SCCs between controllers and processors criticized the Implementing Decision for a lack of clarity in its scope. While the opinion understood the Commission’s intention to be that the Controller-Processor SCCs govern intra-EU situations, it argues this limitation is misguided, as the SCCs should also be suitable for controllers and processors located outside the EU in a country with an adequacy decision.
One welcome change is Clause 5 of the Draft SCCs, which creates the option for an entity to accede to the existing SCCs and become a new party to the contract. This is known as the ‘Docking Clause.’ The opinion stresses that it should still be clearly indicated what processing is carried out by which processor and this should include the purpose for processing.
The “Third Country Transfer SCCs” were reviewed by the EDPB and EDPS as satisfactory overall. The Implementing Decision provides a framework for transferring data to third countries while ensuring “essentially equivalent” protections to those guaranteed within the EU. In particular, the joint opinion noted with satisfaction the provisions aimed at:
- Third country law affecting compliance with the Draft SCCs;
- Access requests received by the data importer and issued by the third country’s public authorities; and
- An optional ad-hoc redress mechanism to the benefit of data subjects.
The Draft SCCs combined general clauses with four modules for data transfers and were reviewed favorably by the joint opinion. The modules in question covered data transfers from:
- Controller to Controller;
- Controller to Processor;
- Processor to Processor;
- Processor to Controller.
One of the big issues stemming from the Schrems II decision was the determination, on the part of data importers, of whether they could comply with the “essential equivalence” required by the GDPR when relying on the standard contractual clauses. This requires an assessment of the third country’s legislation, specifically whether access to personal data could be compelled under surveillance practices.
The joint opinion stressed that, when assessing the legislation of the third country, the determination should be made on objective factors, emphasizing that the likelihood of a request should not play into the determination. Those objective factors include:
- Purposes for which the data are transferred and processed (e.g. marketing, HR, storage, etc.)
- Types of entities involved in the processing (e.g. public/private, controller/processor)
- Sector in which the transfer occurs (e.g. ad tech, telecommunication, financial)
- Categories of personal data transferred (e.g. personal data relating to children)
- Whether the data will be stored in the third country or whether there is only remote access
- Format of the data transferred (i.e. in plain text, pseudonymised or encrypted)
- Possibility that the data may be subject to onward transfers from the third country to another third country.
Finally, it is worth reiterating that the EDPB released Recommendations on supplementary measures, and the joint opinion notes the supplementary measures will remain relevant after the adoption of the Draft SCCs. For this reason they have been listed below.
Six Supplementary Measures Recommended by the EDPB
- Know Your Transfers: Exporters of data must map all transfers of personal data to third countries. Be aware of where the personal data goes and ensure “essentially equivalent” levels of protection wherever the data is processed. This requires a review of the third country’s practices related to surveillance and collection of personal data.
- Verify the Transfer Tool Your Organisation Relies on: Transferring data to a third country requires either that the country has been declared adequate under Article 45 of the GDPR or that the transfer relies on the appropriate safeguards listed under Article 46.
- Assess the Laws and Practices of the Third Country: Focus on laws that may undermine the levels of protection included in the additional safeguards. For example, the surveillance practices in the United States undermined the protections afforded to data subjects under GDPR. This is one of the reasons the CJEU invalidated the Privacy Shield governing data transfers from the EU to the US. When considering the laws of the third country, a red flag is where the legislation governing the access to data by public authorities is ambiguous or not publicly available. Further recommendations for considering the laws of third countries are available in the EDPB European Essential Guarantees recommendations.
- Identify and Adopt Supplementary Measures: Because of third country surveillance laws, some of the supplementary measures may not be effective. You are responsible for assessing the effectiveness of the supplementary measures. Where no measures can provide “essential equivalence,” you must suspend or terminate the data transfers. It is prudent to document your findings in case of an audit.
- Take Formal Procedural Steps to Adopt Supplementary Measures
- Regularly Re-evaluate the Level of Protection Afforded to the Data you Transfer
Now that the EDPB and the EDPS have released their opinions, we await a vote by the EU Member States on the final set of SCCs. Stay tuned!