As the preferred new Information Commissioner appeared before the DCMS Select Committee for pre-appointment scrutiny today, we consider some of the key elements of the UK’s ambitious package of post-Brexit global data plans (“UK Global Data Plans”).
China’s Personal Information Protection Law (“PIPL”) was passed on 20 August 2021. PIPL presents certain challenges for compliance, which is required when it comes into force on 1 November 2021.
- Lack of clarity over what constitutes consent
- Lack of clarity over “contract necessity” as a complete exception to consent
- Safeguards for transferring personal information outside China
- Restrictions in relation to automated individual decision-making
- Our China data and cyber law offering
PIPL is a generally applicable data protection law governing the processing of personal information being introduced in China.
Similar to the General Data Protection Regulation (“GDPR”), it also contains an express extra-territorial scope provision, provides data subjects with enhanced data subject rights, and links the administrative fine for non-compliance to a percentage of annual turnover.
However, despite these similarities, there are also notable differences which render compliance with PIPL challenging and burdensome, particularly in relation to consent and applying certain exceptions, stringent safeguards for transferring personal information outside China and restrictions on automated individual decision-making. See further below.
China already has a consent-based regime in relation to personal information, and PIPL is consistent in that regard.
Under PIPL, consent remains the only legal basis for processing personal information.
There are a number of exceptions to this under PIPL, which resemble the alternative legal bases under GDPR, e.g. processing being necessary for:
- the conclusion or performance of a contract (namely the “contract necessity exception”);
- performing legal obligations; or
- protecting the life, health and property safety (i.e. vital interests) of individuals during emergencies.
However, PIPL does not have an equivalent to the controllers’ legitimate interests exception under GDPR.
The consent-based approach has also been adopted by the 2020 version of the Information Security Technology—Personal Information Security Specification (“Specification”), which remains relevant as the recommended best practice on processing of personal information in China. The terminology used in the Specification is more consistent with GDPR, e.g. “controller” is used in the Specification and GDPR, whereas “processor” is used in PIPL to refer to the concept of “controller” under GDPR. Another notable example is that “explicit consent” is used in the Specification and GDPR, whereas “consent” and “separate consent” are used in PIPL.
Under PIPL, various types of data processing activities require either “consent” or “separate consent” to be obtained. For example:
- entrusting a third party to process personal information requires “consent” to be obtained; and
- “separate consent” is required for (i) disclosure of personal information to other personal information processors, (ii) publicizing personal information, (iii) using personal images and identification information collected from CCTV for purposes other than maintaining public safety, (iv) processing sensitive personal information, or (v) transferring personal information outside China.
The terms “consent” and “separate consent” have not been defined in PIPL. In particular, PIPL does not contain any details of what constitutes “separate consent”.
Until further guidance is provided by the competent PRC authorities, it may make sense to equate “separate consent” with “explicit consent”, which is the higher standard of consent required for processing sensitive personal data under GDPR. Under GDPR, the term “explicit” refers to the way consent is expressed by the data subject.
It is not entirely clear to what extent the contract necessity exception could trump requirements for “consent” or “separate consent” under PIPL.
For example, given that various data processing activities under PIPL specifically require “separate consent” to be given, if the contract necessity exception was interpreted narrowly then it may be that “separate consent” would still be required (or required to some extent) even in the case of contractual necessity.
Unlike the global approach for data privacy laws which only requires one of the appropriate safeguards to be in place before personal information can be transferred overseas, PIPL requires each of the following.
The data exporter must meet one of the three conditions linked to the Cyberspace Administration of China (“CAC”), namely it must:
- pass the security review organised by the CAC;
- conduct personal information protection certification via professional institutions in accordance with the regulations of the CAC; or
- adopt the standard contract formulated by the CAC in its data transfer contract with the overseas data recipient to stipulate the rights and obligations of both parties.
There is a data localisation requirement imposed on Critical Information Infrastructure Operators (“CIIO”), or organisations which process large amounts of personal information (with the exact threshold to be stipulated by the CAC). The personal information collected and generated by them in China must be stored within China. If the personal information is required to be transferred overseas, a security assessment organised by the CAC must be passed (see the first condition above).
As regards the threshold for organisations to be regarded as a high-volume processor, while the threshold is still pending guidance from the CAC, our view (based on two draft Measures published for the Cybersecurity Law and the Data Security Law, and the Specification) is that the threshold is likely to fall between 500,000 and 1,000,000 for personal information, and the threshold for sensitive personal information is likely to be even lower.
The data exporter must inform the individual of the details of the overseas data recipient, and obtain the individual’s separate consent.
A personal information impact assessment must be conducted before personal information is transferred outside of China.
PIPL is unique globally because it requires several safeguards to be in place at the same time, so compliance could be burdensome.
Please note that we have summarised the major Chinese laws which affect the transfer of data/personal information out of China in our previous article.
Not only does PIPL provide individuals with a right to object to their personal information being used in automated individual decision-making which would have a significant impact on their interests, PIPL also requires organisations to:
- observe the transparency principle and keep individuals informed of such use of their personal information; and
- ensure that the outcome of automated decision-making would be fair to individuals who are subject to such processing.
- preferential pricing based on automated individual decision-making is not allowed by PIPL; and
- individuals must be provided with a convenient way to opt-out from online behavioural advertising or given other alternatives which are not generated by automated individual decision-making.
All of these new restrictions on the use of artificial intelligence in pricing/marketing would significantly impact the way online e-commerce platforms currently conduct businesses in China.
Businesses operating in China should review their online marketing strategy in light of these requirements.
We are an award-winning data and cybersecurity team globally and in China.
We have extensive experience assisting companies in complying with data and cybersecurity laws, and dealing with data and cybersecurity issues, in China and across Asia Pacific and the world.
We have been helping clients understand how the new laws in China impact their business, identify key risk areas and gaps, and make recommendations on their data strategy and action plans.
We are also partnering with clients in this evolving area to anticipate and support their needs.
One of a limited number of firms to do so, our Joint Operation, Herbert Smith Freehills Kewei, enables us to provide an end-to-end legal service integrating PRC law and international law and legal service standards.
It also gives us a deeper understanding of Chinese business methods and corporate culture, and an in-depth knowledge of China’s complex regulatory and political environment.
This year is a pivotal year for data laws in China, with two very significant pieces of new legislation coming into force – the Data Security Law (“DSL”), governing important/core data, and the Personal Information Protection Law (“PIPL”), governing personal information, on 1 September 2021 and 1 November 2021 respectively.
The key issue is how these new laws will affect the transfer of data out of mainland China.
The UK has taken its first big data protection step in a post-Brexit world with the Information Commissioner’s Office (“ICO”) publishing its own version of an international data transfer agreement and accompanying methodology for conducting international risk assessments on 11 August 2021.
The ICO has published the following documents, which all inter-relate with one another:
- a draft international data transfer agreement to address transfers of personal data outside of the UK (“IDTA”) (available here);
- an international transfer risk assessment guidance note and tool (the “Risk Assessment Guidance”) (available here); and
- a UK addendum for inclusion to the European Commission’s standard contractual clauses (the “Addendum”) (available here).
The ICO has launched a consultation seeking views on the IDTA, the Risk Assessment Guidance, and the Addendum which will close on 7 October 2021, following which proposals will be laid before Parliament.
This follows in the footsteps of a busy period for the EU regarding the issue of international transfers of personal data. Over the past few months, we have seen:
- the European Commission publish its final version of the standard contractual clauses for the international transfer of personal data to third countries (the “New EU SCCs”) (see our blog post here) and Article 28 clauses (see our blog post here);
- the European Commission adopt two adequacy decisions for the UK (under both the GDPR and the Law Enforcement Directive); and
- the EDPB issue its finalised guidance on supplementary tools resulting from the Schrems II judgment from the Court of Justice of the European Union (see our blog post here).
- The UK’s approach – The ICO has adopted a user-friendly, business-focused and streamlined approach to implementing an updated set of Standard Contractual Clauses to address transfers of personal data outside of the UK and has devised a similarly user-oriented and pragmatic mechanism for conducting risk assessments in relation to these transfers (each a “TRA”), required as a result of the Schrems II decision. In addition, the Addendum provides an effective mechanism for UK organisations to interface with EU requirements in relation to transferring personal data outside of the EU, and the scope of the consultation highlights the ICO’s willingness to integrate with global privacy positions.
- The IDTA – The IDTA diverges from the approach of the New EU SCCs in its nature and structure in that it is formed of a combination of tables, free text, and mandatory clauses in order to provide organisations with flexibility to adapt it to their circumstances and any pre-existing contractual arrangements, as well as being a relatively simple document for organisations (particularly smaller ones) to contend with. Notably it caters for C2C, C2P, and P2P scenarios but not P2C (each defined below) and does not follow a modular format in the same manner as the New EU SCCs. The mandatory provisions of the IDTA are broadly reasonable in placing obligations on both exporting and importing parties; however, they do take on a distinctly English law flavour and include some potentially controversial clauses, for example in relation to incorporating TRAs and commercial positions, English language requirements, and the introduction of an IDTA-specific arbitration scheme.
- The TRA – The Risk Assessment Guidance is a helpful and detailed attempt by the ICO to support organisations with their obligation to undertake a TRA. It adopts a solution-oriented and risk-focused approach that suggests a range of considerations, decision trees, and mitigations which organisations can apply when undertaking a TRA and will form an integral part of putting in place an IDTA.
- Timeline – The ICO has issued the IDTA, Risk Assessment Guidance, and Addendum for consultation to seek industry stakeholder views, notably in the context of legal, economic or policy considerations. The consultation closes on 7 October 2021 following which consultation analysis and finalisation will occur before putting the proposals before Parliament. A finalised IDTA, Risk Assessment Guidance, and Addendum could be expected in late 2021 or early 2022 and, in the consultation, the ICO is also seeking views on transition periods post-implementation, namely: a 3 month grace period for organisations to introduce IDTAs for new arrangements, with a further 21 months (i.e. 24 months in total) to repaper existing arrangements.
Chapter V of the UK GDPR prohibits the transfer of personal data out of the UK to a third country or international organisation unless one of a number of available conditions under the UK GDPR is satisfied.
One of the conditions most often relied upon to legitimise the international transfer of personal data is the use of so-called Standard Contractual Clauses (effectively a contract entered into between the data exporter and the data importer which imposes certain data protection obligations on both parties).
Prior to Brexit, the UK utilised two different sets of SCCs which had been approved by the European Commission to cover transfers from: (i) a controller to another controller (“C2C”); and (ii) a controller to a processor (“C2P”) (the “Old EU SCCs”).
Following Brexit, the European Commission has published the New EU SCCs to update the Old EU SCCs in light of GDPR and the Schrems litigation, and to remediate a number of weaknesses in the drafting. However, the New EU SCCs do not apply to transfers from the UK to jurisdictions outside the UK, and UK-based organisations have in the meantime needed to rely on the Old EU SCCs when transferring personal data outside of the UK.
As a result, the ICO has been working to establish the UK’s position in relation to legitimising international transfers of personal data out of the UK from a contractual and logistical perspective, and the IDTA and Risk Assessment Guidance are the result.
Given the interplay with the New EU SCCs, the UK’s approach has been keenly awaited and in this blog we “summarise” (the IDTA and Risk Assessment Guidance are lengthy) some of the key changes and considerations for organisations and international data flows.
The UK’s approach to standard contractual clauses
In this section, we look at each of the IDTA, Risk Assessment Guidance, and Addendum in more detail.
The IDTA is the document which UK organisations will need to put in place when transferring personal data outside of the UK.
The ICO has adopted a distinct approach to the IDTA, in particular:
- Nature of the agreement: The IDTA has been developed as an agreement which can either act as a standalone data transfer agreement between parties, or be incorporated into a broader commercial agreement or other arrangement (termed “Linked Agreements” by the ICO).
- Structure: We discuss the structure in more detail below, but broadly it consists of a combination of tables alongside a set of mandatory operative provisions and free text sections. This appears to have been designed to enable the parties to it to adapt it to their particular needs and broader contracting arrangements.
- Controller and processor data flows: As with the New EU SCCs, the ICO has ensured that the IDTA is appropriate for use in C2C, C2P, and processor to processor (“P2P”) scenarios. The IDTA does not, however, contain any clauses to address cross-border transfers from processors to controllers (“P2C”), which the European Commission controversially introduced in the New EU SCCs.
- Application of the relevant provisions: The IDTA does not follow a strictly modular structure (as per the New EU SCCs) and has instead developed provisions which are designed to be applicable depending on the factual circumstances of the parties (e.g. if the importer’s processing is subject to UK data protection law, then the importer does not need to comply with clauses regarding data subject rights (on the basis that they will be directly applicable)). The IDTA does provide that non-applicable provisions can be removed but, as discussed below, this does not appear to be mandatory and therefore is unlikely to happen in practice when organisations start implementing the IDTA.
The approach taken by the ICO appears to provide a more streamlined, flexible, and business-friendly mechanism for organisations to deploy the IDTA where necessary, certainly in terms of its non-modular nature and accessible manner in detailing the necessary elements of a transfer. In comparison to the New EU SCCs, the removal of a potentially complex and time-consuming analysis to implement the appropriate combination of modules is to be welcomed, although the ‘if applicable’ approach of the IDTA mandatory clauses does present its own challenges of interpretation, not only to the uninitiated.
Considering the IDTA at a more granular level, it has been arranged in four parts:
- A series of four tables to detail the nature of the transfer and any further protections (this includes population of the relevant details of the importer and exporter, a string of check-boxes to document information on the transfer itself and the data involved, and a free text area to include additional security requirements which have been identified as necessary further to a TRA).
- A section where additional technical, organisational, and contractual protections can be set out which have been identified as necessary following a TRA (and for which the ICO’s TRA tool provides examples). This section envisages being able to cross-refer to relevant other areas (e.g. relevant parts of a Linked Agreement or the security requirements sections of the first part of the IDTA).
- A section for commercial clauses which, while perhaps useful for smaller organisations and low-risk arrangements, is likely to have limited utility with parties almost certainly having a distinct commercial arrangement (i.e. a Linked Agreement) and requiring one in a C2P scenario in order to have in place appropriate Article 28 clauses.
- The mandatory clauses which, ultimately, are the most important, operative part of the IDTA and are discussed in detail below.
This structure provides an adaptable model which organisations should find relatively simple to both populate and review, which should assist organisations with putting in place, and feeling comfortable about, a compliant international data transfer arrangement.
The fourth part of the IDTA is an area which will attract a significant amount of scrutiny given the mandatory nature of the clauses, and indeed it proposes some particularly notable positions:
- Amendments: The IDTA does not permit any amendments other than: to update cross-references where amendments to parts one to three of the IDTA require it; in order to render the IDTA multi-party; and to dis-apply any non-applicable provisions.
In relation to the latter point, as noted above, the IDTA is not strictly modular; however, the mandatory clauses contain a range of caveat drafting across them which dis-applies certain clauses depending on the nature of the party (controller, processor). While this simplifies the approach to incorporating the IDTA (i.e. rather than choosing specific modules as per the EU’s mechanism), the interoperability of clauses is not always clear. Additionally, where parties do dis-apply provisions, given it would appear that dis-applied provisions will apply regardless if they were incorrectly dis-applied, there is perhaps little utility in undertaking such a task. The publication by the ICO of worked versions of amended mandatory clauses would perhaps be useful in this regard.
- Precedence: The terms of the IDTA will take precedence over any Linked Agreement or other agreement (which could include the New EU SCCs), unless there is greater protection provided by other terms or the other terms are a requirement due to Article 28 of UK GDPR. A potential conflict between EU and UK positions (each of the IDTA and New EU SCCs claim precedence) has, from a UK perspective, been to some extent fudged in leaving it to a consideration of the relative level of a protection of a term.
- TRAs: There is a somewhat unsatisfactory circular contractual position whereby the exporter is under a duty to provide the importer with a copy of any TRA the exporter has undertaken, but the importer is bound to a contractual promise that prior to entering the IDTA it has provided the exporter with “all relevant information” which is “complete and accurate” (a high bar) regarding the local laws of the importing country in order to enable the exporter to undertake the TRA. The importer is also under a continuing obligation to verify whether local laws change and to inform the exporter if such a change would impact its ability to comply with its obligations under the IDTA.
Given the broad definition of ‘local laws’ under the IDTA, this raises several issues including the implications for pre-contractual representations and information provision, the quality of knowledge of an importer, and the extent to which importers will or can comply with such an onerous obligation.
- ICO involvement: The IDTA provides that both importer and exporter agree to provide the ICO with certain information (including the IDTA, any TRA, and the importer’s information regarding local laws) where it reasonably requests it. As well as providing the ICO with an avenue to access a substantial amount of information on local law requirements and risk assessments, these provisions place a direct obligation on an importing entity, which might otherwise have no link to the UK, to respond to a UK-based regulator’s information request (of particular relevance to entities further down a chain of processors).
- Data subject requests: The IDTA provides that, where a data subject requests a copy of the IDTA from the exporter or importer, this must be provided to them. It is accepted that Linked Agreements do not need to be provided; however, if the commercial clauses section of the IDTA is used, while it can be redacted for the purposes of sending to a data subject, a summary of the information must be provided. As such it seems unlikely that parties would complete this section of the IDTA given the potential for disclosure.
- English language requirement: Where a controller is the importer, there is an obligation on them to be able to easily communicate with data subjects in English and without undue delay, which is a potentially onerous expectation.
- Commercial provisions: The IDTA incorporates a range of commercial positions and provisions which, given the precedence of the IDTA over a Linked Agreement, could have broader implications as, depending on the importance of the data transfer element to the agreement, commercially agreed positions may be frustrated by positions under the IDTA:
- Liability: There is an uncapped liability regime in relation to a party’s breach of the IDTA causing damage to a data subject, with a fairly high bar for proving non-involvement in an incident causing damage.
- Significant Harmful Impact: The IDTA introduces the concept of ‘Significant Harmful Impact’ whereby, if there is more than a minimal risk of a breach of the IDTA which may cause direct or indirect significant damage to a data subject or a party, this will be a trigger for various termination rights. This appears to be looking to align with the approach to data breaches; however, the various rights to terminate resulting from this make it a material contractual consideration.
- Third party rights: Data subjects have a range of provisions under the IDTA under which they can bring a claim against either the exporter or importer (as applicable) and the ICO also has more limited direct rights under the IDTA.
- Boilerplate: Provisions regarding notice, assignment, sub-contracting, and severance (amongst others) have been included, and this could cause issues: for example, where a Linked Agreement permits unrestricted assignment, this would not be able to occur as the IDTA requires the consent of the other party.
- Arbitration: The IDTA suggests that a specific IDTA arbitration scheme could be introduced as an optional dispute resolution mechanism for use in claims between the parties or involving the ICO or data subjects. A data transfer-specific arbitration scheme would be a novel mechanism in this context.
Risk Assessment Guidance and TRA
The ICO has produced the Risk Assessment Guidance in light of the decision in Schrems II in order to assist organisations with carrying out a TRA as part of putting in place an IDTA. It consists of guidance pertaining to general considerations for organisations conducting a TRA, as well as a detailed TRA tool.
Some of the key points emerging from this are:
- Not an adequacy assessment: The Risk Assessment Guidance contains a disclaimer that a TRA should not amount to a mini-adequacy assessment, but rather a consideration of whether the destination jurisdiction “shares certain key principles which underpin [their] law and practice”, and should focus on two key aspects: (i) enforceability of the IDTA’s provisions; and (ii) third party access to data. If these aspects are sufficiently similar, then the IDTA’s provisions should provide sufficient protection within that jurisdiction.
The Risk Assessment Guidance further notes that the assessment should not involve a consideration of the whole country’s legal regime, but only the aspects which are relevant to the transfer. The extent to which this is practicable is perhaps questionable, particularly in light of the factors that the ICO suggests need to be considered, although the narrow focus of the assessment, which is supplemented by the detailed information in the ICO’s TRA tool, provides some comfort (see below).
- Factors to consider: The ICO highlights a range of factors to consider in relation to: (i) the particular facts of the transfer (type of data, purpose, movement, etc.); (ii) the facts of the destination jurisdiction (human rights record, legal system, laws and practices regarding third party access); and (iii) the potential impact on data subjects and any risk of harm. The ICO notes that some jurisdictions should be obvious, for instance where there is the rule of law or robust regulation of third party access to data (although there is no “shortcut” TRA approach for obvious jurisdictions), but there will likely be a range of liminal countries where a granular analysis will be technical and time consuming, even more so in complex multijurisdictional transfer scenarios.
- Assessment and reassessment: The Risk Assessment Guidance (and the IDTA) make clear that ongoing review of a transfer arrangement will be required both where the context changes (such as a change in law, the nature of the transfer evolving, or technical developments) and periodically. Indeed, given that the ICO will have both a regulatory and a contractual mechanism for requesting TRAs, ensuring that there is an internal, operational mechanism to undertake the necessary TRAs, and to ensure that they do not become historic, will be important.
- The TRA tool: The ICO’s TRA tool is structured around a three part process (a transfer assessment, followed by consideration of an IDTA’s enforceability and of the protection from third party access to data afforded in the importing jurisdiction) in order to ascertain whether and how, in routine transfer scenarios, any supplemental measures need to be incorporated into the IDTA:
- Analysis support: Each stage of the TRA has been designed with decision trees and detailed guidance which will assist organisations with considering and developing their documented TRAs.
Of particular assistance are a range of tables which: detail the types of data and context within which a red, amber, green risk rating can be applied (e.g. basic contact details of consumers would likely be low risk/green); note considerations to inform whether enforceability and access are sufficiently similar to the UK; and highlight factors which may develop and adjust an organisation’s consideration of a risk level (e.g. an intra-group transfer lowering the risk, versus a large volume of data about an individual likely increasing the risk).
- Supplementary measures: Following each step of the analysis, the Risk Assessment Guidance provides practical technical, organisational, and contractual steps which can be taken depending on the level of risk identified (e.g. a spectrum of encryption or more robust contractual complaint mechanisms).
- Risk: Notably the tool highlights the importance of focusing on “risk” where an opinion on a jurisdiction is difficult to form. This approach, allied to the pragmatic risk mitigations given, provides practical and considered support which recognises the importance of maintaining data flows while providing sufficient protections, which organisations will likely find very helpful.
- Complex scenarios: More complex transfer scenarios will require a more forensic analysis and the ICO highlights situations such as multijurisdictional arrangements, novel technology usage, and countries with a questionable human rights record that could produce a high risk and where relying on the tool will not be sufficient. That said, the range of user-friendly and focused guidance and considerations in the tool will no doubt assist organisations with undertaking a more complex analysis.
The ICO has produced an Addendum which is designed to be used in combination with the New EU SCCs in order to validate international transfers to a third country and provides for a range of non-controversial amendments to the New EU SCCs to adapt them to apply in a UK context. The intention appears to be to provide an alternative to the IDTA route whereby a UK organisation could utilise the New EU SCCs in combination with the Addendum in order to validate a transfer from the UK (i.e. in a similar way to which the Old EU SCCs are currently used).
Should this route be taken instead of, or in addition to, that of the IDTA, for organisations with an EU and UK nexus it would simplify the contractual process (for both new contracts and any repapering exercise) in that a single, consistent approach could be taken (i.e. implement the New EU SCCs incorporating as necessary the Addendum). However if only the Addendum route was taken, then UK organisations would need to adopt the modular mechanism and become cognisant of the complexities regarding the New EU SCCs.
Indeed it is interesting to note that the ICO’s consultation document is seeking views on the adoption of the Addendum in the context of the New EU SCCs, but also whether there are any other model data transfer agreements for which such a path could be taken (calling out also New Zealand and the Association of Southeast Asian Nations’ model clauses). It may be then that the result of the consultation brings about various routes by which a transfer from the UK can be legitimised for UK organisations (perhaps based on the importing jurisdiction), which would be consistent with the UK’s stated business-friendly, flexible approach to international data flows.
The ICO has devised a detailed and well-considered approach to address international transfers of personal data out of the UK in a post-Brexit world which has clearly been designed to interface with EU and global data protection and privacy laws and practice. As such, early concerns raised in relation to the UK adopting a drastically different mechanism to that of the EU (with the potential to cause chaos for multi-national organisations transferring personal data in and out of both the UK and EU) have been somewhat quelled.
Certainly the TRA is a document which will likely provide great assistance to UK (and potentially EU-based) organisations as they grapple with the risk assessment requirement brought about by Schrems II. Indeed it is perhaps difficult to see what more the ICO could have done in this regard as the TRA is practical, solution-oriented, and user-friendly.
The IDTA does diverge from the approach taken by the EU in relation to the New EU SCCs, but the IDTA’s combination of tables, free text, and mandatory clauses is once again more business-focused and streamlined. The format enables parties to be flexible depending on their current and future arrangements and, by way of the Addendum, provides effective interoperability with the New EU SCCs. The mandatory clauses of the IDTA do, however, raise some questions, in particular those which have a distinctly English contract law flavour, and may result in some robust discussions with non-English counterparties.
It will be fascinating to see what responses the ICO will receive as part of the consultation and what the ICO’s final approach (including in relation to timeframes for implementation) will be.
With the interim data transfer window under the Brexit Trade Agreement expiring yesterday, on 28 June 2021 the European Commission adopted two adequacy decisions confirming the UK as an adequate jurisdiction for GDPR and Law Enforcement Directive purposes – just in time to allow the uninterrupted free flow of personal data from the European Union to the UK.
Seven months after the European Commission published its draft new Standard Contractual Clauses for data transfers between EU and non-EU countries (the “Draft SCCs“) for consultation (see our blog post here (the “Draft SCCs Blog“)), they have now published a finalised set of Standard Contractual Clauses (“Final SCCs“) with little fanfare (available here).
It should also be noted that alongside the Final SCCs, the European Commission have published a finalised set of non-mandatory Article 28 clauses for use between controllers and processors in the EU (see our blog post here on the draft version) in relation to which we will be publishing a follow-up shortly.
It will be mandatory, however, for organisations to implement and comply with the Final SCCs and in this blog post we consider the movement from the Draft SCCs to the Final SCCs (as well as the key points raised by them), the practical impact that this will have on organisations and the UK’s position.
- The Draft SCCs and the Final SCCs – In comparison to the Draft SCCs, the Final SCCs provide some cause for hope, in particular an extended grace period of 18 months, a 3 month window during which organisations may continue to put in place the current SCCs to address international transfers of personal data, and the softening of some provisions such as the approach to challenging public authority access. However, other aspects of the Final SCCs may cause increased friction, notably a more nebulous approach to the warranty regarding impact assessments.
- Practical Considerations from the Final SCCs – The Final SCCs serve to confirm that a repapering exercise is looming for most organisations and that a re-evaluation of current agreements, training, and contracting support will be required so as to have in place mechanisms to implement agreements with appropriate iterations of the Final SCCs on an ongoing basis. Beyond this, more granular considerations including the interplay of the Final SCCs with negotiated clauses will require some more careful, context-specific scrutiny.
- The UK’s Way Forward – The current SCCs will continue to apply for transfers of data from the UK to third countries while the ICO prepares a set of its own standard contractual clauses, independent of the Final SCCs. The extent to which these deviate will inform how much more complex putting in place and maintaining the necessary contractual provisions will be for organisations, particularly those with multifaceted data flows between the UK, EU and third countries.
Please refer to the Draft SCCs Blog for more detailed background, but by way of summary, the GDPR prohibits the transfer of personal data from the EEA to a third country or international organisation outside of the EEA unless an available condition under the GDPR is satisfied.
One of these conditions is the use of Standard Contractual Clauses (“SCCs“) which are effectively a contract ‘pre-approved’ by the European Commission to be entered into between the data exporter and the data importer and which impose certain data protection obligations on both parties. However, the current SCCs had some issues including the fact that they were not updated when the GDPR came into force (referencing the old EU Data Protection Directive rather than GDPR) and there were only two sets of SCCs (covering transfers from one controller to another controller (“C2C“) or from a controller to a processor (“C2P“) which meant that they did not cover situations such as processor to processor (“P2P“) or processor to controller (“P2C“) transfers).
The Draft SCCs looked to address these issues, as well as the impact of the Schrems II decision (see our blog post on the Schrems II case here). The Schrems II judgment made it clear that where SCCs are being used, a level of due diligence needs to take place before any transfer can be made. This is to ensure that personal data originating in the EEA always carries with it protections which are essentially equivalent to those in the EEA. In parallel, to help data exporters in that assessment, on 10 November 2020 the EDPB issued draft guidance on how to carry out the due diligence exercise in practice (see our blog post on the draft guidance here). We are imminently expecting the finalised EDPB guidance on these supplementary measures, potentially as early as next week if the authorities are able to agree them during this month’s plenary meeting on 15 June 2021.
Following a period of consultation and some delay to finalisation, the European Commission published the Final SCCs in final working documents on 4th June with publication in the Official Journal expected swiftly.
The Draft SCCs and the Final SCCs
The Final SCCs broadly adopt the same approach as the Draft SCCs, although there is some deviation, both to soften provisions and to provide more flexibility to organisations than originally envisioned by the Draft SCCs, while in some instances the approach has been toughened. We detail the material deviations and summarise the changes from the Draft SCCs below.
- Extended Grace Period and Limited Grandfathering Period
The Draft SCCs contemplated a one year grace period within which organisations had to ensure compliance and the Final SCCs have both extended this period and made it more nuanced by introducing a limited grandfathering period during which organisations may continue to implement the current SCCs. From the date of publication in the Official Journal (plus 20 days), organisations will now:
- have 3 months to continue to put in place the current SCCs; and
- have 15 months from the end of the 3 month period within which they must implement the Final SCCs and can continue to rely on the current SCCs (provided there is no change to the processing activities during this time and any necessary supplemental measures are in place).
While the extended grace period is positive in the context of the EU-US Privacy Shield being immediately invalidated as a result of the Schrems II decision and thereby requiring instant contractual and organisational remediation, the result of the Final SCCs is that organisations will still be required to re-paper their existing contracts in the medium term (likely by December 2022) and put in place mechanisms to begin incorporating the Final SCCs into new agreements in the short term (likely starting from June 2021 but by no later than September 2021) (see ‘practical considerations’ section below).
- Modular Structure and Scope
The Final SCCs have retained the modular format allowing for adaptation to different factual scenarios covering both C2C and C2P transfers already provided for under the current SCCs. They now also cater for P2P and P2C situations which were not provided for and enable other parties to ‘dock’ into the Final SCCs (of particular importance where sub-processors are introduced to a pre-existing arrangement).
Additionally, the set of processor clauses required by Article 28 GDPR remains incorporated into the Final SCCs, rather than forming a separate module, and explicitly prevails over any conflicting provisions.
While elements of the modules have been somewhat rearranged, materially they provide the same flexibility, but also the same issues, as discussed in the ‘structure’ and ‘scope’ sections of the Draft SCCs Blog.
The requirement for data importers who are controllers to notify a competent EU supervisory authority (discussed in the ‘extraterritoriality’ section of the Draft SCCs Blog) remains but rather than the threshold being a ‘significant adverse effect’, this has been lowered to ‘a risk to the rights and freedoms of natural persons’ (with an attendant notification obligation to data subjects where there is a ‘high risk’). This aligns with the thresholds in the GDPR, but arguably makes notification a more likely requirement for importers.
Additionally, the approach of the Final SCCs imposes on data importers requirements that will be familiar to those already subject to the GDPR, such as obligations of transparency, security, limits to the purpose of processing, and complying with data subject rights, amongst others. In binding importers to obligations similar in nature to the requirements of the GDPR, the Final SCCs can be seen as a further step in extending the reach of the GDPR.
Like the Draft SCCs, the Final SCCs include provisions which address the challenges of the Schrems II case (discussed in the ‘Schrems’ section of the Draft SCCs Blog), with only minor changes made to the Final SCCs in this regard.
Perhaps most notably, however, the warranty that the parties are required to provide that they have no reason to believe that the ‘laws’ of the importer country prevent the importer from fulfilling its obligations under the Final SCCs has been expanded to make reference to ‘laws and practices’. The Final SCCs contain a footnote which provides some examples of the elements which may be considered as part of this impact assessment, but this more nebulous phrasing further emphasises the difficulty organisations are likely to have in being able to confidently undertake and document such an assessment and warrant such a claim.
One position that has been softened from the Draft SCCs is that the requirement on importers to exhaust all available legal remedies when challenging a public authority access request has been amended to grant the importer a degree of discretion as to whether to challenge a request, in circumstances where it believes that there are ‘reasonable grounds to consider that the request is unlawful…’. This caveat gives importers some leeway in approaching such requests.
The more detailed liability provisions set out in the Draft SCCs remain in the Final SCCs, as does the uncapped liability position. Given the precedence taken by the Final SCCs over any other terms in an agreement to which the Final SCCs are attached, it would have been helpful if the European Commission had provided some clarity in relation to these points. Unfortunately, however, it is still unclear as to how both the detailed liability provisions and uncapped liability position set out in the Final SCCs are supposed to align with any pre-existing liability provisions set out in an agreement to which the Final SCCs are attached, especially if such pre-existing liability provisions include a cap on data protection liability, as they often do.
Absent further guidance, it would appear that attempts to limit or exclude liability would conflict with, and then be subordinate to, the approach taken by the Final SCCs.
Practical Considerations from the Final SCCs
Despite the positive and negative changes brought about by the Final SCCs, they do at least provide some clarity for organisations regarding what next steps they should take and what thinking should be done:
- In-Flight Projects
While there is a limited 3 month period within which organisations can continue to put the current SCCs in place, they will only be able to rely on them for a further 15 months from the end of that 3 month window. As such, where the contractual arrangements for an in-flight project are likely to last beyond December 2022, it may make most sense for organisations to consider and implement the Final SCCs during this window.
For contracts with a duration likely to end before this window ends, or which will come up for renewal, in the interests of expediency it would perhaps be preferable to implement the current SCCs at this stage and begin implementing and, where necessary, repapering the Final SCCs over the subsequent 15 months, by which point further guidance is likely to have been published and the market is more likely to have adopted a more settled approach.
- Repapering and Expertise
As noted in the ‘repapering (again)’ section of the Draft SCCs Blog, the Final SCCs confirm that a further, more complex repapering exercise is required.
As well as requiring organisations to analyse the perhaps thousands of contractual arrangements in place to determine the data flows and relationships between parties to replace them with the appropriate combination of Final SCC modules, organisations will also need to ensure that they have in place the appropriate expertise, support, and training to be able to begin putting in place the appropriate combinations by the end of the 3 month grandfathering period.
The earlier organisations begin to engage with the approach taken by the Final SCCs and put in place mechanisms sufficient to prepare and implement combinations of modular Final SCCs, the easier the transition will be.
- Final SCCs and Negotiated Clauses
As well as the repapering exercise (which will not be a ‘rip and replace’ exercise of the current SCCs to the Final SCCs), at a more granular level organisations will also need to consider the interplay between the Final SCCs and negotiated operative clauses in the main body of agreements incorporating the Final SCCs. For example:
- Operative provisions which refer out to the Final SCCs will need to be appropriately tailored to ensure that there is no conflict in multifaceted relationships (e.g. where various parties may be acting as controllers, processors, and sub-processors in relation to different data as part of the same arrangement) to enable the operative provisions and relevant modules to align.
- The Final SCCs contain embedded Article 28 provisions and so, where negotiated and bespoke operative Article 28 provisions are in place, ensuring alignment between them so as not to produce a conflict resulting in the inapplicability of tailored positions will be necessary to preserve commercial certainty.
- Contradictions may also arise for which straightforward resolution may not be possible, such as the apparent conflict between uncapped liability under the Final SCCs and commonly capped negotiated positions, or where a tailored Article 28 provision cannot be aligned with those in the Final SCCs.
- The imposition of obligations on importers will also mean that they may seek more protection from operative contractual clauses, for example the importer’s transparency obligation will likely necessitate the inclusion of operative provisions to detail the responsibility between the parties of discharging such obligations (i.e. certainty of the provision of information).
- The European Commission’s decision to address P2P transfers in the Final SCCs will finally allow parties to simplify the operative clauses that controllers enter into with processors that engage subprocessors based outside of the EU. The absence of any P2P mechanism in the current SCCs has long required parties to shoehorn in the C2P clauses to address transfers between processors and subprocessors, often to unsatisfactory effect given that there is usually an absence of direct contractual nexus between controller and subprocessor. The new P2P module should serve to simplify and speed up the drafting and negotiation of these operative provisions going forward.
Where contracts are remediated, or standard template agreements will be updated, a careful approach will need to be taken to ensure regulatory compliance while also achieving an appropriate balance of commercial risk, depending on the particular factual matrix.
- The Data Importer’s Position
Where a data importer contracts with an exporter on the basis of the Final SCCs, the fact that the Final SCCs impose a range of substantive obligations on importers (see ‘extraterritoriality’ section above) will require importers to take considerable care to determine whether they do in fact have the technical, organisational, and contractual means to satisfy the various obligations placed upon them.
The potential risks of litigation and cost of simply signing and doing what has always been done have never been higher.
The UK’s Way Forward
The ICO has stated that it has been drafting its own standard contractual clauses during the course of 2021 (with a period of consultation also expected) (the “UK SCCs“), in a process distinct from the Final SCCs. It will be interesting to see the extent to which, if at all, the UK SCCs leverage the positions in the current SCCs, Draft SCCs, and Final SCCs, or whether a completely novel route is taken.
While some mood music suggests that the UK will pursue a more relaxed, business-minded approach to data (and so the UK SCCs can perhaps be expected to impose less stringent requirements on organisations), such an approach will need to be carefully balanced against the UK’s position on data vis-à-vis the EU, in particular to ensure the UK SCCs are seen as sufficiently protective if the UK is to benefit from an adequacy decision from the EU.
In addition, the ICO has also previously emphasised that international data transfers would need to account for the impact of the Schrems II decision and, in its response to the UK’s National Data Strategy, highlighted the importance of building on the rights, principles, and protections of data which are currently in place. Therefore a novel approach or substantial deviation from the EU’s approach (be that the current SCCs or Final SCCs) may be unlikely.
From a practical perspective, the Final SCCs are not currently regarded as an “adequate safeguard” for UK GDPR purposes for transfers from the UK to third countries and will therefore not be officially compliant from a UK GDPR perspective at the moment. Absent the UK SCCs and / or approval of the Final SCCs, the current SCCs may therefore continue to be relevant.
Furthermore, for organisations with data flows between the EU, UK and third countries, the implementation of a further set of standard contractual clauses which may deviate from or potentially conflict with the Final SCCs would be a headache that they could do without, with further repapering and more complex contractual arrangements to introduce and align the Final SCCs with UK SCCs potentially required. That is unless the ICO approves the Final SCCs (in addition to any UK SCCs), giving organisations the option of which set of clauses to select based on their respective data flows and contracting approach to international data transfers to third countries.
The UK’s approach will therefore be important to monitor over the coming months and, until such time as UK SCCs are brought into force, the current SCCs remain relevant.
The publication of the Final SCCs provides organisations with a long-awaited update to the current SCCs and, for better or worse, provides clarity in relation to the steps and considerations that organisations will need to take if they are to continue making international transfers of personal data, as well as time (by way of the grace period and limited grandfathering period) to take these steps.
Most organisations will have been through this process before and, while it may be slightly more complex in execution, the principles of previous repapering exercises, as well as more developed processes regarding records of processing, data audits, and data mapping in the years since the GDPR came into force, should provide organisations with many of the tools needed to adopt and implement the Final SCCs (although for importers that are not used to the GDPR, the increased GDPR rigour of the Final SCCs may make this more challenging).
The most important step for organisations will be to understand the new modular approach to the Final SCCs, the most material departure from the current SCCs, as organisations will need to start the process of implementing the Final SCCs in 3 months’ time. Organisations that have template agreements and processes in place which include data protection provisions incorporating the current SCCs will also need to update these template agreements and processes and provide appropriate training to those tasked with maintaining these arrangements. In the longer term, repapering will be flavour of the month once more.
As most in the data community are aware, the EU-UK Trade and Cooperation Agreement (the “Brexit Deal”) was agreed on Christmas Eve and provides for an interim period (up to a maximum of six months ending on 30 June 2021) whereby data transfers from Europe to the UK will not be treated as transfers to a third country subject to Chapter V of the GDPR following the end of the transition period on 1 January 2021, provided the UK complies with certain conditions during the interim period (discussed in our blog here).
Following this, both the European Data Protection Board (“EDPB”) and the UK’s supervisory authority (the Information Commissioner’s Office (“ICO”)) have issued either updated or new responses which provide some more clarity on areas of focus and what to expect over the coming year.
The EDPB’s Response
Prior to the Brexit Deal being agreed, in mid-December the EDPB adopted its ‘Statement on the end of the Brexit transition period’ (here) (the “Statement”) and an ‘Information note on data transfers under the GDPR to the United Kingdom after the transition period’ (here) (the “Information Note”) which highlighted some key considerations of the EDPB.
Following the agreement and implementation of the Brexit Deal from the beginning of 2021, the EDPB has now updated the Statement and Information Note.
- The interim data transfer window
In line with Article FINPROV.10A of the Brexit Deal, the update to the Statement and Information Note emphasises that data transfers to the UK can continue to take place without the requirement of a transfer tool under Article 46, or reliance on the derogations listed under Article 49, until 30 June 2021 (at the latest) provided that the UK’s current data protection regime stays in place.
- Preparing for an adequacy decision (or lack of one)
The EDPB provides no further view on the adequacy of the UK’s data protection regime other than that the timeline for a favourable decision has now been pushed to the end of June. If a favourable adequacy decision is not taken by 30 June 2021, the EDPB emphasises in the Statement and Information Note that transfers between entities regulated by the GDPR to the UK will become subject to Chapter V of the GDPR. This will mean that transfers to the UK will require adequate safeguards such as standard data protection clauses, binding corporate rules, intra-group agreements, codes of conduct etc. to be put in place along with ensuring enforceable data subject rights and effective legal remedies for data subjects as required by Article 46.
The Information Note further reminds controllers and processors that, absent an adequacy decision, from the end of the interim period compliance with other GDPR obligations will come into sharper focus, including:
- updating privacy notices and records of processing to account for data transfers to the UK;
- taking caution if intending to rely on grounds under Article 49 in the absence of safeguards under Article 46, as such grounds are to be interpreted restrictively, only being fit for occasional and non-repetitive transfers; and
- considering whether any supplementary tools may need to be put in place, a relatively complex and time-consuming consideration discussed further here (albeit, given that the UK’s data law is an application of the GDPR, such consideration should theoretically be straightforward).
- One-Stop-Shop mechanism
While not affected by the EDPB’s updates, it is worth noting that the Statement and Information Note also clarify the applicability of the One-Stop-Shop (“OSS”) mechanism envisioned by the GDPR within the UK.
The OSS mechanism provides that the supervisory authority in the jurisdiction of an entity’s main establishment will act as the lead supervisory authority and carry out compliance and regulatory functions on behalf of supervisory authorities in each EU jurisdiction in relation to that entity.
From 1 January 2021, the OSS will not apply in the UK so that the ICO will not be able to act as a lead supervisory authority (i.e. the Brexit Deal did not extend this mechanism). The EDPB notes that it has engaged with supervisory authorities and the ICO to ensure a smooth transition of existing cross-border cases.
The Statement and Information Note go on to remind controllers and processors that they remain free to establish a main establishment in an EU jurisdiction under Article 4(16) to utilise the OSS mechanism (although this may well be impracticable for many entities). If this is not in place, entities will need to designate a representative under Article 27 as long as their activities are subject to the GDPR under Article 3(2).
The ICO’s Response
In a blog posted on 22nd January (here), the Information Commissioner, Elizabeth Denham, responded to the Brexit Deal (the “ICO Response”) by welcoming the long-term commitments made by the EU and UK, most notably, to promoting high international standards of data protection, developing a regulatory relationship, and co-operating on enforcement activity.
The ICO Response considered the interim period allowing data transfers between Europe and the UK as the “best possible outcome for UK organisations” in light of the risks and impacts to digital trade if this had not been put in place. However, given this interim period will end in either four or six months under the Brexit Deal, the importance of a positive adequacy decision for UK data flows is clear in the ICO Response, emphasised by the reference to the EU’s commitment to considering the UK’s adequacy position “promptly” in a declaration accompanying the Brexit Deal. The ICO Response also sounds the warning, however, that adequacy is not guaranteed and so organisations should be putting in place appropriate safeguards during this window.
Finally, as well as some specific commentary regarding data sharing in the context of law enforcement and noting that the UK must also notify the EU-UK Partnership Council, as far as reasonably possible, of any new international transfers of personal data between public authorities, the ICO Response also highlights that the process for any decisions in a range of areas (including UK adequacy decisions, approving international transfer mechanisms, or standard contractual clauses) must be put before the EU-UK Partnership Council. Given this requirement, it may be that material departure from the current UK data protection position is unlikely in the imminent future.
On Christmas Eve, the EU and UK announced that they had reached an agreement on their future relationship, which we expect to come into effect on 1 January 2021 (the “Brexit Deal”). Further details of the deal itself will be discussed by my colleagues on our Beyond Brexit blog, available here. And for the most part, the Brexit Deal does not deal with data protection specific issues.
However, for those data practitioners amongst us, you will know that the main area of concern related to Brexit has long been the issue of data transfers and whether or not the UK will be considered ‘adequate’ for GDPR purposes. In this respect, the Brexit Deal does throw a slightly unexpected lifeline of sorts.
The interim data transfer window
Article FINPROV.10A (Interim provision for transmission of personal data to the United Kingdom) provides for a four month window (which can be extended to six months) during which the UK will still not be treated as a ‘third country’ for GDPR purposes, thereby allowing the free flow of data from the EU and EEA Member States to the UK. So far so good, and many companies may be breathing a sigh of relief that the 31st December ‘cliff edge’ has been avoided. However, the interim data transfer window comes with strings attached.
The draft Brexit Deal makes it clear that the interim data transfer window will only remain open provided that the UK: (i) does not change its data protection laws from those in place on 31 December 2020 (i.e. the UK GDPR); and (ii) does not exercise any of its ‘designated powers’ without agreement from Europe. The ‘designated powers’ referred to are a relatively long shopping list of actions that the UK may not take with respect to international data transfers. For example, it may not publish its own set of ‘standard contractual clauses’ or approve a draft Code of Conduct with respect to international transfers of data. If the UK takes any such action without agreement from Europe, then the transfer window will automatically close (meaning the companies would need to put additional transfer mechanisms in place to legitimise the transfer of data from the EU to the UK). This appears to be a relatively significant restraint on the UK’s autonomy over its own laws in the pending post-Brexit world, although presumably a concession that the UK was willing to make given that it had always intended to effectively transpose the GDPR into UK domestic law.
Implications for adequacy
It is difficult at this stage to understand what the implications of the Brexit Deal could be for the ongoing adequacy assessment being undertaken by the European Commission. The establishment of an interim 4-6 month data transfer window could lead some to be cautiously optimistic that the European Commission simply needs a bit more time to dot its ‘i’s and cross its ‘t’s with respect to adequacy. However, the relatively long shopping list of actions that the UK is prevented from taking in the field of data protection in order to keep the data transfer window open for that 4-6 month period hints at a nervousness within the European Commission that the UK may move away from the principles of the GDPR in the future, something that could prevent an adequacy decision being granted in its favour. As a result, many companies may be left with the distinct impression that the deal is simply delaying the inevitable cliff edge when it comes to data transfers. The implications of not obtaining an adequacy decision are particularly concerning when considering the possible implications of the CJEU judgment in the Schrems II case earlier this year (for further details, please see our Schrems blog posts available here). So whilst the interim data transfer window provided by the Brexit Deal will likely be welcomed, there nonetheless remains an anxious wait to understand the European Commission’s position on the long-term adequacy of the UK in the eyes of data protection law.
The Schrems II judgment from the Court of Justice of the European Union (read our blog post here) raised the bar for transfers of personal data to third countries by making clear that where Standard Contractual Clauses (“SCCs”) are being used, a level of due diligence needs to take place before any transfer can be made. This is to ensure that personal data originating in the EEA always carries with it protections which are essentially equivalent to those in the EEA. To help data exporters in that assessment, the EDPB has now issued guidance on how to carry out the due diligence exercise in practice (available here).
Whilst the “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” are subject to consultation until the end of November, it seems doubtful that significant/material changes will be made post-consultation to the final version of the guidance without substantial lobbying.
Unfortunately for both data exporters and data importers, although the requirements are now relatively clear, the framework is complicated and will require focus and considerable effort to ensure that all transfers are taking place in a compliant manner. There also remains a significant question mark over certain data transfers and whether or not they will continue to be possible in the future in a GDPR-compliant manner.
We have set out below our key takeaways and initial thoughts in short form. We have then provided a more detailed view of the suggested steps for those who are more interested in the detail but perhaps not all 50+ pages of it!
- The long and winding road to compliance: As mentioned above, the proposed exercise to be undertaken by organisations on a transfer by transfer basis is extensive and likely to be resource heavy and time consuming. Coming off the back of extensive re-papering exercises for Safe Harbor, GDPR, and Privacy Shield, as well as Brexit preparations, this is unlikely to be welcome news for privacy professionals seeking budgetary sign-off for another data protection compliance and re-papering project.
- Mapping and then more mapping: The data mapping exercise alone suggested by the EDPB requires organisations to understand data flows not only to their processors, but also onward transfers all the way down the chain to sub-processors, their sub-processors, and beyond. It is unlikely that many controller organisations will have this information readily to hand at the level of granularity required. Some may argue this shows a lack of compliance with the record of processing activity (“ROPA”) requirements of the GDPR, but for large global organisations with complex data flows, this will likely just reinforce the impracticality of the ROPA requirements themselves as well as the proposed guidance.
- Mini adequacy assessments: A key element of the EDPB recommendations is the assessment required to ensure that the laws of the importing country contain the so-called European Essential Guarantees (“EEGs”). Essentially this appears to boil down to a mini ‘adequacy assessment’ to be carried out at an organisational level and, for some key countries such as the US, it appears that the working assumption must be that personal data is not subject to an equivalent level of protection. Indeed, a cynical view could well be that very few countries would satisfy the EEGs.
- Supplementary measures only a supplement? Although the recommendations set out various options for technical, contractual and organisational supplementary measures which could be used to protect personal data, the essence of the EDPB guidance appears to be that, in situations where the importer country does not meet the EEGs, the only available acceptable ‘supplementary’ measure would be to encrypt the data to such an extent that it cannot be read even by the data importer – not a practical solution in most circumstances. However, without this, the guidance appears to make it clear that contractual and/or organisational measures alone will not supplement the transfer to a sufficiently protected level.
- Two important use cases: Finally, it is worth mentioning two specific use cases flagged by the guidance where the EDPB confirms that it is incapable of envisioning any appropriate supplementary measures to protect the data when being imported to a country which does not satisfy the EEGs – presumably meaning that any such data transfer cannot and should not take place: (i) transfers to cloud services providers which require access to data in the clear; and (ii) group access (even on a remote basis) to personal data for shared business purposes. Given that these two use cases are likely to be key for many organisations, it is unclear at the moment how organisations can navigate a compliant route through the EDPB’s guidance.
The (devil is in the) detail
The EDPB guidance is broken down into six steps for organisations to take.
Step 1 – Know Your Transfers
The first step in the process requires data exporters to undertake a comprehensive analysis of all transfers of personal data to third countries taking place (including remote access and cloud storage). The EDPB expects data exporters to be able to develop this information through a combination of their records of processing activities, and any information that they provide in privacy notices regarding data transfers, but further due diligence may well be required. The EDPB also makes clear that this exercise must identify onwards transfers by processors to sub-processors in another third country (or the same third country as the processors).
Once all relevant data transfers have been identified, data exporters must ensure that each transfer complies with the data minimisation principle, and that they are “adequate, relevant and limited to what is necessary in relation to the purposes which it is transferred to and processed in the third country”.
This identification and evaluation exercise must take place before any data transfer is made, and before any data transfer is restarted after a suspension.
Step 2 – Verify your transfer mechanism
Once data exporters have a handle on where their personal data is going, they must then identify the Chapter V GDPR transfer mechanism that they are relying on for each transfer.
If a data exporter is relying on an adequacy decision in respect of a transfer to a third country, assuming the adequacy decision is still valid, then no further action will be required. However, data exporters must monitor adequacy decisions to ensure they remain valid.
For non-repetitive data transfers, it may be possible to rely on one of the derogations in Article 49 GDPR (hereafter “Article 49”). Such transfers should be of an exceptional nature, and meet the requirements in Article 49, but no further steps are required in relation to these guidelines when relying on such a transfer mechanism.
For any other data transfers relying on one of the Article 46 GDPR (hereafter “Article 46”) mechanisms, data exporters need to continue through this process. Whilst the Article 46 mechanisms do contain some inbuilt safeguards to ensure personal data maintains an equivalent level of protection to that which it has in the EEA, these will need to be supplemented in some cases.
Step 3 – Assess the Effectiveness of your Article 46 transfer mechanism
The EDPB guidance makes clear that an Article 46 transfer mechanism will not always be enough to ensure personal data maintains the same level of protection as it carries within the EEA. Data exporters must therefore work with data importers to identify any laws or practices in the relevant third country which could prevent the data importer from complying with their obligations under the Article 46 transfer mechanism. It is clear that the EDPB expects cooperation from data importers in this regard, and they will have an active role in providing “relevant sources and information relating to the third country in which it is established and the laws applicable to the transfer”.
The guidance notes that there will be a number of relevant factors when considering how local laws might affect a transfer, including the purposes for the transfers, the entities involved, the relevant types of personal data, and the format of the personal data. Data exporters need to consider data subjects’ ability to continue to assert their rights, the effectiveness of the safeguards in Article 46, and any requirements to disclose personal data.
In practice, much of the assessment of equivalence will turn on the extent to which public authorities can access or intercept personal data. The ability to require disclosure or access to personal data does not necessarily undermine an Article 46 transfer mechanism provided that the requirements are limited to what is necessary and proportionate in a democratic society, with European standards being the level against which this is assessed. To this end, the EDPB has published a second guidance document, the “Recommendations 02/2020 on the European Essential Guarantees for surveillance measures” (available here). It sets out the European Essential Guarantees (“EEGs”) which are the minimum requirements that must be respected to ensure that interferences with privacy and personal data “do not go beyond what is necessary and proportionate in a democratic society”. There are four constituent guarantees, although the EDPB emphasised that these should be assessed on an overall basis given that they are closely interlinked:
- processing should be based on clear, precise and accessible rules;
- necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
- an independent oversight mechanism should exist; and
- effective remedies need to be available to the individual.
If the EEGs cannot be met, then the personal data is not subject to an equivalent level of protection to the EEA.
Where legislation in the relevant third country is lacking, data exporters must evaluate the transfer mechanism against other relevant and objective factors, rather than subjective ones such as the likelihood of public authorities’ access to the personal data. These objective factors may include considering precedents, legislation and practice that might indicate that a public authority will seek access to the personal data (with or without the data importer’s knowledge) or elements which demonstrate that a public authority may be able to access personal data through the data importer or direct interception. Annex 3 sets out further possible sources of information to make this assessment, including case law, adequacy decisions and intergovernmental resolutions and reports.
It is important that data exporters document their assessment at this step thoroughly, as the EDPB has made clear that data exporters will be held accountable for the decision they make about the effectiveness of the transfer mechanism. If the data exporter concludes that the transfer mechanism is not effective, because it does not ensure an equivalent level of protection to the EEA, then it must either put in place effective supplementary measures (as outlined in step 4), or not transfer the personal data in question.
Step 4 – Put in place supplementary measures
Where the Article 46 transfer mechanism alone does not provide effective protections, data exporters will need to consider whether there are supplementary measures which they can put in place in conjunction with the data importer to cure these deficiencies.
Supplementary measures must be identified on a case by case basis, meaning transfers to the same third country but to different data importers for different purposes may have different supplementary measures.
These measures will be technical, contractual or organisational in nature. However, where the aim of the supplementary measures is to manage access by public authorities, contractual and organisational measures alone are unlikely to be sufficient, and technical protections will be necessary to limit access by public authorities to the personal data.
The EDPB has set out non-exhaustive examples of possible measures in Annex 2 of the guidance.
- Technical measures
The range of technical measures that might be implemented will be familiar to data exporters.
Unsurprisingly, encryption is a key focus in the potential technical measures that might assist to ensure the security of data transfers. This includes robust encryption prior to transmission, and ensuring that the encryption itself is strong enough to survive brute force attacks (including during transmission). Limiting access to encryption keys may also be a useful tool for protecting personal data.
Pseudonymisation will be of assistance where the data importer does not require a disaggregated data set. However, the EDPB has cautioned that this may not be sufficient in cases where personal data relates to the use of information services, given that public authorities may already hold other relevant data.
Technical measures are not a complete solution. They will not assist in respect of third countries where public authorities have access to personal data beyond what is necessary and proportionate, and where the data importer needs access to the personal data in the clear.
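As an added illustration of the pseudonymisation and key-control measures described above (this is example code written for this post, not code from the EDPB recommendations or from the original authors), the following Python script pseudonymises direct identifiers with a keyed HMAC before transfer, keeps the key and re-identification table with the EEA exporter, and runs a pre-transfer check that no raw identifier survives in the export set. The record schema and the sample records are constructed for the example.

```python
"""Keyed pseudonymisation of a record set before transfer, with the
re-identification key retained by the EEA data exporter. Added example;
not code from the EDPB recommendations or the original post."""
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

# Hypothetical export schema: these fields are direct identifiers that the
# importer does not need in the clear; everything else is passed through.
DIRECT_IDENTIFIERS = ("email", "name")

# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"email": "Ana@Example.org", "name": "Ana Lopes", "plan": "gold", "spend": 120},
    {"email": "ana@example.org", "name": "Ana Lopes", "plan": "gold", "spend": 80},
    {"email": "bo@example.net", "name": "Bo Chen", "plan": "basic", "spend": 15},
]


def pseudonymise(field: str, value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated to 128 bits).

    The same identifier always yields the same token, so the importer can
    still link records across the set, but without the key the token cannot
    be reversed or brute-forced from guessed inputs. The field name is mixed
    in so the same string appearing in two fields gives unrelated tokens.
    """
    normalised = value.strip().casefold().encode("utf-8")
    mac = hmac.new(key, field.encode("utf-8") + b"\x00" + normalised, hashlib.sha256)
    return mac.hexdigest()[:32]


def prepare_export(records: Iterable[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, str]]:
    """Return (records safe to transfer, lookup table that stays with the exporter)."""
    exported: List[Dict] = []
    lookup: Dict[str, str] = {}  # token -> original value; never leaves the EEA
    for rec in records:
        out = {}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS:
                token = pseudonymise(field, str(value), key)
                lookup[token] = str(value)
                out[field] = token
            else:
                out[field] = value
        exported.append(out)
    return exported, lookup


def leaks_identifier(exported: Iterable[Dict], originals: Iterable[Dict]) -> bool:
    """Pre-transfer check: no raw direct identifier may survive in the export set."""
    raw = {str(r[f]).strip().casefold() for r in originals for f in DIRECT_IDENTIFIERS if f in r}
    return any(str(v).strip().casefold() in raw for rec in exported for v in rec.values())


def reidentify(exported: Iterable[Dict], lookup: Dict[str, str]) -> List[Dict]:
    """Exporter-side reversal using the retained table (the importer holds
    neither the key nor this table, so it cannot perform this step)."""
    return [{f: lookup.get(v, v) if f in DIRECT_IDENTIFIERS else v for f, v in rec.items()}
            for rec in exported]


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # generated and stored inside the EEA only
    safe, table = prepare_export(SAMPLE_RECORDS, key)
    assert not leaks_identifier(safe, SAMPLE_RECORDS)
    # Pseudonymisation does not anonymise the remaining attributes: a party
    # already holding other data about the same individuals may still link
    # them (the EDPB caveat above), so those fields still need minimising.
    print(safe)
```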
- Contractual measures
Contractual measures will generally need to be supplemented by technical or organisational measures, because they cannot bind third party authorities. Additional provisions can complement those which are already in place under the applicable Article 46 transfer mechanism, and may include provisions:
- requiring the use of specific technical measures;
- requiring the data importer to provide the data exporter with information about the extent to which public authorities can access personal data;
- warranting that the data importer has not created, and is not required to leave, backdoors in its systems, and has not otherwise facilitated access for third parties;
- allowing audit or inspection to confirm whether personal data has been disclosed to public authorities;
- requiring the data importer to inform the data exporter if the law changes in a way which impacts the maintenance of an essentially equivalent level of data protection;
- if permitted by local law, requiring the data importer to provide regular notifications that there have been no orders to disclose personal data (the so-called “Warrant Canary” method);
- requiring the data importer to assess the legality of any disclosure order and limiting its ability to disclose the personal data (such as an obligation to challenge orders where appropriate);
- requiring the data importer to inform public authorities of conflicts with Article 46 transfer mechanisms;
- limiting access to personal data without consent from the data subjects;
- obliging the data importer to notify data subjects of access requests or orders from public authorities; or
- obliging both the data importer and data exporter to assist data subjects in exercising their rights.
- Organisational measures
Organisational measures may be internal measures that the data exporter puts in place in its own business, or those which are imposed on data importers. Organisational measures can contribute to awareness within businesses about the risks to personal data from access by public authorities, and ensure that those handling personal data can respond confidently to them (including when to refuse requests).
The EDPB suggests the following:
- internal policies governing data transfers, with clear reporting, allocation of responsibilities and procedures for dealing with access requests;
- record keeping requirements for data access requests from public authorities;
- transparency reporting and summaries regarding public authority requests (where permitted by local law);
- strict data access and confidentiality policies, including data minimisation requirements;
- procedures to ensure the data protection officer, legal or audit functions are involved where appropriate;
- strict data security and data privacy policies;
- regular review of internal policies and supplementary measures; and
- commitments from the data importer not to engage in any onward transfer where an equivalent level of protection to the EEA cannot be guaranteed.
These lists are not exhaustive but provide a helpful starting point for tools that data exporters might use to put additional safeguards around their transfers.
Once appropriate supplementary measures are in place, provided an essentially equivalent level of protection has been reached for the relevant personal data, the transfer may proceed. Transfers should not start, or should be suspended, until this threshold has been reached.
The EDPB guidance does anticipate a situation where a data transfer might proceed despite the data importer being unable to meet its commitments under the Article 46 transfer mechanism, but those instances must be reported to the supervisory authority, which will suspend or prohibit the transfer where equivalent protection cannot be ensured. It remains to be seen how this would result in anything other than the transfer being prevented, and it could result in a fine, so we do not anticipate many data exporters utilising this backstop.
Step 5 – Procedural steps relating to supplementary measures
Depending on the supplementary measures put in place, data exporters may need to take additional procedural steps.
- Standard Contractual Clauses
If data exporters need to add clauses to the SCCs to manage the supplementary measures that they have put in place, there is no need for permission from a supervisory authority to make such amendments, provided there is no direct or indirect conflict between the new provisions and the SCCs, and they do not limit or lower the protection afforded by the SCCs. Data exporters will need to be able to demonstrate this unambiguously if tested.
- Binding corporate rules
The EDPB is still reviewing the impact of the Schrems II judgment on binding corporate rules (“BCRs”). Given that they are contractual in nature, BCRs cannot prevent access to personal data by public authorities. Data exporters will still need to assess whether their current BCRs can maintain equivalent protection to the EEA, and if not, consider whether supplementary measures could be put in place to mitigate this.
- Ad hoc contractual clauses
As with BCRs, ad hoc clauses remain under review, and data exporters should consider whether supplementary measures are required in the interim.
Step 6 – Reassess Regularly
The EDPB guidance requires data exporters to monitor their data transfers to third countries on an ongoing basis. If there are any developments in third countries which could impact the assessment carried out under this process, the data exporter would need to carry out a re-evaluation. Transfers to third countries should be suspended or ended where the data importer has breached or cannot honour the commitments it has taken under the relevant Article 46 transfer tool, or where the supplementary measures the data exporter has put in place are no longer effective.
It is clear that the EDPB has put a lot of thought into outlining a comprehensive process which tries to provide a secure route to maintaining transfers of personal data to third countries.
However, for all its comprehensiveness, the guidance is not practical and will be extremely challenging for organisations looking to be compliant without grinding international trade and data transfers to a halt.
The due diligence requirements for local laws are particularly onerous and are unlikely to be achievable by private companies alone. We expect this guidance will result in increased involvement from in-house legal teams, external counsel, or external consultants in assessing data transfers. That this obligation falls to businesses themselves, rather than central authorities, risks divergence. Some businesses may diligently follow the guidance, and invest in the process, and find themselves unable to continue certain data transfers, whereas some businesses may take a more risk-based approach and continue to transfer personal data on the basis of a combination of due diligence, risk assessments and technical, contractual and organisational supplementary measures. Given the sheer volume of transfers taking place, it will also be interesting to see how supervisory authorities actually manage compliance with the guidelines.
It also remains to be seen how much involvement there will be from data importers. In the same way that many non-EEA controllers and processors uplifted their processes to meet a GDPR standard as a cost of continuing to do business, we may see data importers forced to take an advisory role to maintain the confidence of data exporters and ensure that data transfers continue. In particular, it will be interesting to see how the global IT cloud providers respond given the challenges highlighted by the EDPB’s use cases (as described above).
It is clear that there is now a large task facing all organisations, as well as supervisory authorities, to get to grips with the guidelines and ensure that data transfer mechanisms are supplemented where appropriate and compliant. We will watch this space to see if any trends develop, or further guidance is issued by local supervisory authorities to help conduct this exercise in practice.
As we all continue to try to grapple with the implications of a no-deal Brexit, the last week or two has seen the publication of a few things of interest from a data protection perspective:
The EDPB’s view of data transfers in a no-deal Brexit scenario
On 12 February 2019, the European Data Protection Board (the “EDPB”) published a general information note on data transfers under the GDPR in the event of a no-deal Brexit (available here). In summary, the information note provides that organisations must comply with the GDPR when transferring personal data from the EU to the UK, which will become a “third country” for GDPR purposes (from 00.00 am CET on 30 March 2019). No new or additional safeguards are contemplated by the EDPB, which effectively means that organisations must choose between:
- Standard contractual clauses (which the EDPB acknowledges are “ready to use”);
- Binding corporate rules;
- Codes of conduct or certification mechanisms (although none are yet approved/available under the GDPR); or
- Derogations such as individual explicit consent (although the EDPB emphasises that the derogations must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive).
For further information regarding the potential impact of a no-deal Brexit on data transfers, including an analysis of worked examples, please see our previous blog post available here.