Simultaneously with publishing its final standard contractual clauses for the international transfer of personal data (see our blog post here for further information) (the “New SCCs”), the European Commission has now published a final set of standalone Article 28 clauses for use between controllers and processors in the EU, also termed ‘standard contractual clauses’ (the “Final Article 28 Clauses”) (available here).
Seven months after publishing its draft new Standard Contractual Clauses for data transfers between EU and non-EU countries (the “Draft SCCs”) for consultation (see our blog post here (the “Draft SCCs Blog”)), the European Commission has now published a finalised set of Standard Contractual Clauses (the “Final SCCs”), with little fanfare (available here).
It should also be noted that, alongside the Final SCCs, the European Commission has published a finalised set of non-mandatory Article 28 clauses for use between controllers and processors in the EU (see our blog post here on the draft version), on which we will be publishing a follow-up shortly.
Unlike those Article 28 clauses, the Final SCCs will be mandatory for organisations to implement and comply with. In this blog post we consider the movement from the Draft SCCs to the Final SCCs (and the key points they raise), the practical impact this will have on organisations, and the UK’s position.
- The Draft SCCs and the Final SCCs – In comparison to the Draft SCCs, the Final SCCs provide some cause for hope, in particular an extended grace period of 18 months, a 3 month window during which organisations may continue to put in place the current SCCs to address international transfers of personal data, and the softening of some provisions such as the approach to challenging public authority access. However, other aspects of the Final SCCs may cause increased friction, notably a more nebulous approach to the warranty regarding impact assessments.
- Practical Considerations from the Final SCCs – The Final SCCs serve to confirm that a repapering exercise is looming for most organisations and that a re-evaluation of current agreements, training, and contracting support will be required so as to have in place mechanisms to implement agreements with appropriate iterations of the Final SCCs on an ongoing basis. Beyond this, more granular considerations including the interplay of the Final SCCs with negotiated clauses will require some more careful, context-specific scrutiny.
- The UK’s Way Forward – The current SCCs will continue to apply for transfers of data from the UK to third countries while the ICO prepares a set of its own standard contractual clauses, independent of the Final SCCs. The extent to which these deviate will inform how much more complex putting in place and maintaining the necessary contractual provisions will be for organisations, particularly those with multifaceted data flows between the UK, EU and third countries.
Please refer to the Draft SCCs Blog for more detailed background, but by way of summary, the GDPR prohibits the transfer of personal data from the EEA to a third country or international organisation outside of the EEA unless an available condition under the GDPR is satisfied.
One of these conditions is the use of Standard Contractual Clauses (“SCCs”), effectively a contract ‘pre-approved’ by the European Commission, entered into between the data exporter and the data importer, which imposes certain data protection obligations on both parties. However, the current SCCs had some issues: they were not updated when the GDPR came into force (and so still reference the old EU Data Protection Directive rather than the GDPR), and there were only two sets of them, covering transfers from one controller to another controller (“C2C”) and from a controller to a processor (“C2P”), which meant that they did not cover situations such as processor to processor (“P2P”) or processor to controller (“P2C”) transfers.
The Draft SCCs looked to address these issues, as well as the impact of the Schrems II decision (see our blog post on the Schrems II case here). The Schrems II judgment made it clear that where SCCs are being used, a level of due diligence needs to take place before any transfer can be made. This is to ensure that personal data originating in the EEA always carries with it protections which are essentially equivalent to those in the EEA. In parallel, to help data exporters in that assessment, on 10 November 2020 the EDPB issued draft guidance on how to carry out the due diligence exercise in practice (see our blog post on the draft guidance here). We are imminently expecting the finalised EDPB guidance on these supplementary measures, potentially as early as next week if the authorities are able to agree them during this month’s plenary meeting on 15 June 2021.
Following a period of consultation and some delay to finalisation, the European Commission published the Final SCCs as final working documents on 4 June 2021, with publication in the Official Journal expected swiftly.
The Draft SCCs and the Final SCCs
The Final SCCs broadly adopt the same approach as the Draft SCCs, although there is some deviation: some provisions have been softened to give organisations more flexibility than originally envisioned by the Draft SCCs, while in other instances the approach has been toughened. We detail the material deviations and summarise the changes from the Draft SCCs below.
- Extended Grace Period and Limited Grandfathering Period
The Draft SCCs contemplated a one year grace period within which organisations had to ensure compliance and the Final SCCs have both extended this period and made it more nuanced by introducing a limited grandfathering period during which organisations may continue to implement the current SCCs. From the date of publication in the Official Journal (plus 20 days), organisations will now:
- have 3 months to continue to put in place the current SCCs; and
- have 15 months from the end of the 3 month period within which they must implement the Final SCCs and can continue to rely on the current SCCs (provided there is no change to the processing activities during this time and any necessary supplemental measures are in place).
While the extended grace period is positive in the context of the EU-US Privacy Shield being immediately invalidated as a result of the Schrems II decision and thereby requiring instant contractual and organisational remediation, the result of the Final SCCs is that organisations will still be required to re-paper their existing contracts in the medium term (by likely December 2022) and put in place mechanisms to begin incorporating the Final SCCs into new agreements in the short term (likely starting from June 2021 but by no later than September 2021) (see ‘practical considerations’ section below).
- Modular Structure and Scope
The Final SCCs have retained the modular format allowing for adaptation to different factual scenarios covering both C2C and C2P transfers already provided for under the current SCCs. They now also cater for P2P and P2C situations which were not provided for and enable other parties to ‘dock’ into the Final SCCs (of particular importance where sub-processors are introduced to a pre-existing arrangement).
Additionally, the set of processor clauses required by Article 28 GDPR remains incorporated into the Final SCCs, still not as a separate module, and the Final SCCs continue to prevail explicitly over any conflicting provisions of the parties’ other agreements.
While elements of the modules have been somewhat rearranged, materially they provide the same flexibility, but also issues, as discussed in the ‘structure’ and ‘scope’ sections of the Draft SCCs Blog.
The requirement for data importers who are controllers to notify a competent EU supervisory authority (discussed in the ‘extraterritoriality’ section of the Draft SCCs Blog) remains but rather than the threshold being a ‘significant adverse effect’, this has been lowered to ‘a risk to the rights and freedoms of natural persons’ (with an attendant notification obligation to data subjects where there is a ‘high risk’). This aligns with the thresholds in the GDPR, but arguably makes notification a more likely requirement for importers.
Additionally, the Final SCCs impose on data importers requirements that will be familiar to those already subject to the GDPR, such as obligations of transparency and security, limits on the purposes of processing, and compliance with data subject rights, amongst others. In binding importers to obligations similar in nature to the requirements of the GDPR, the Final SCCs can be seen as a further step in extending the reach of the GDPR.
Like the Draft SCCs, the Final SCCs continue to include provisions which address the challenges of the Schrems II case (discussed in the ‘Schrems’ section of the Draft SCCs Blog), with only minor changes made in this regard.
Perhaps most notably, however, the warranty that the parties are required to give, that they have no reason to believe that the ‘laws’ of the importer country prevent the importer from fulfilling its obligations under the Final SCCs, has been expanded to refer to ‘laws and practices’. The Final SCCs contain a footnote which gives some examples of the elements that may be considered as part of this impact assessment, but the more nebulous phrasing further emphasises the difficulty organisations are likely to have in confidently undertaking and documenting such an assessment and warranting such a claim.
One position that has been softened from the Draft SCCs is the requirement on importers to exhaust all available legal remedies when challenging a public authority access request. This has been amended to grant the importer a degree of discretion, so that it challenges a request where it believes there are ‘reasonable grounds to consider that the request is unlawful…’. This ‘reasonable grounds’ caveat gives importers some leeway in approaching such requests.
The more detailed liability provisions set out in the Draft SCCs remain in the Final SCCs, as does the uncapped liability position. Given that the Final SCCs take precedence over any other terms in an agreement to which they are attached, it would have been helpful if the European Commission had provided some clarity on these points. Unfortunately, it is still unclear how the detailed liability provisions and the uncapped liability position in the Final SCCs are supposed to align with pre-existing liability provisions in the agreement to which the Final SCCs are attached, especially where those provisions include a cap on data protection liability, as they often do.
Absent further guidance, it would appear that attempts to limit or exclude liability would conflict with, and so be subordinate to, the approach taken by the Final SCCs.
Practical Considerations from the Final SCCs
Despite the mix of positive and negative changes brought about by the Final SCCs, they do at least provide some clarity for organisations regarding what next steps to take and what thinking needs to be done:
- In-Flight Projects
While there is a limited 3 month period within which organisations can continue to put the current SCCs in place, they will only be able to rely on them for a further 15 months from the end of that window. As such, where the contractual arrangements for an in-flight project are likely to last beyond December 2022, it may make most sense for organisations to consider and implement the Final SCCs now, during the 3 month window.
For contracts likely to end before the grandfathering period expires, or which will come up for renewal in any event, it may be preferable, in the interests of expediency, to implement the current SCCs now and to begin implementing and, where necessary, repapering onto the Final SCCs over the subsequent 15 months, by which time further guidance is likely to have been published and the market is likely to have settled on an approach.
- Repapering and Expertise
As noted in the ‘repapering (again)’ section of the Draft SCCs Blog, the Final SCCs confirm that a further, more complex repapering exercise is required.
As well as requiring organisations to analyse the perhaps thousands of contractual arrangements in place to determine the data flows and relationships between parties to replace them with the appropriate combination of Final SCC modules, organisations will also need to ensure that they have in place the appropriate expertise, support, and training to be able to begin putting in place the appropriate combinations by the end of the 3 month grandfathering period.
The earlier organisations begin to engage with the approach taken by the Final SCCs and put in place mechanisms sufficient to prepare and implement combinations of modular Final SCCs, the easier the transition will be.
- Final SCCs and Negotiated Clauses
As well as the repapering exercise (which will not be a ‘rip and replace’ exercise of the current SCCs to the Final SCCs), at a more granular level organisations will also need to consider the interplay between the Final SCCs and negotiated operative clauses in the main body of agreements incorporating the Final SCCs. For example:
- Operative provisions which refer out to the Final SCCs will need to be appropriately tailored to ensure that there is no conflict in multifaceted relationships (e.g. where various parties may be acting as controllers, processors, and sub-processors in relation to different data as part of the same arrangement) to enable the operative provisions and relevant modules to align.
- The Final SCCs contain embedded Article 28 provisions and so, where negotiated and bespoke operative Article 28 provisions are in place, ensuring alignment between them so as not to produce a conflict resulting in the inapplicability of tailored positions will be necessary to preserve commercial certainty.
- Contradictions may also arise for which straightforward resolution may not be possible, such as the apparent conflict between uncapped liability under the Final SCCs and commonly capped negotiated positions, or where a tailored Article 28 provision cannot be aligned with those in the Final SCCs.
- The imposition of obligations on importers will also mean that they may seek more protection from operative contractual clauses, for example the importer’s transparency obligation will likely necessitate the inclusion of operative provisions to detail the responsibility between the parties of discharging such obligations (i.e. certainty of the provision of information).
- The European Commission’s decision to address P2P transfers in the Final SCCs will finally allow parties to simplify the operative clauses that controllers enter into with processors that engage subprocessors based outside of the EU. The absence of any P2P mechanism in the current SCCs has long required parties to shoehorn in the C2P clauses to address transfers between processors and subprocessors, often to unsatisfactory effect given that there is usually an absence of direct contractual nexus between controller and subprocessor. The new P2P module should serve to simplify and speed up the drafting and negotiation of these operative provisions going forward.
Where contracts are remediated, or standard template agreements will be updated, a careful approach will need to be taken to ensure regulatory compliance while also achieving an appropriate balance of commercial risk, depending on the particular factual matrix.
- The Data Importer’s Position
Where a data importer contracts with an exporter on the basis of the Final SCCs, the fact that the Final SCCs impose a range of substantive obligations on importers (see the ‘Modular Structure and Scope’ section above) will require importers to take considerable care to determine whether they do in fact have the technical, organisational, and contractual means to satisfy the various obligations placed upon them.
The potential risks of litigation and cost of simply signing and doing what has always been done have never been higher.
The UK’s Way Forward
The ICO has stated that it has been drafting its own standard contractual clauses during the course of 2021 (with a period of consultation also expected) (the “UK SCCs”), in a process distinct from the Final SCCs. It will be interesting to see the extent to which, if at all, the UK SCCs leverage the positions in the current SCCs, Draft SCCs, and Final SCCs, or whether a completely novel route is taken.
While some mood music suggests that the UK will pursue a more relaxed, business-minded approach to data (and so the UK SCCs can perhaps be expected to impose less stringent requirements on organisations), such an approach will need to be carefully balanced against the UK’s position on data vis-à-vis the EU, in particular to ensure the UK SCCs are seen as sufficiently protective if the UK is to benefit from an adequacy decision from the EU.
In addition, the ICO has also previously emphasised that international data transfers would need to account for the impact of the Schrems II decision and, in its response to the UK’s National Data Strategy, highlighted the importance of building on the rights, principles, and protections of data which are currently in place. Therefore a novel approach or substantial deviation from the EU’s approach (be that the current SCCs or Final SCCs) may be unlikely.
From a practical perspective, the Final SCCs will not be available for use for transfers from the UK to third countries and so, absent the UK SCCs, the current SCCs will continue to be required. Furthermore, for organisations with data flows between the EU, UK and third countries, the implementation of a further set of standard contractual clauses which may deviate from or potentially conflict with the Final SCCs would be a headache that they could do without, with further repapering and more complex contractual arrangements to introduce and align the Final SCCs with UK SCCs potentially required.
The UK’s approach will therefore be important to monitor over the coming months and until such time as UK SCCs are brought into force, the current SCCs continue to remain relevant.
The publication of the Final SCCs provides organisations with a long-awaited update to the current SCCs and, for better or worse, provides clarity in relation to the steps and considerations that organisations will need to take if they are to continue making international transfers of personal data, as well as time (by way of the grace period and limited grandfathering period) to take these steps.
Most organisations will have been through this process before and, while it may be slightly more complex in execution, the principles of previous repapering exercises, as well as more developed processes regarding records of processing, data audits, and data mapping in the years since the GDPR came into force, should provide organisations with many of the tools needed to adopt and implement the Final SCCs (although for importers that are not used to the GDPR, the increased GDPR rigour of the Final SCCs may make this more challenging).
The most important step for organisations will be to understand the new modular approach to the Final SCCs, the most material departure from the current SCCs, as organisations will need to start the process of implementing the Final SCCs in 3 months’ time. Organisations that have template agreements and processes in place which include data protection provisions incorporating the current SCCs will also need to update these template agreements and processes and provide appropriate training to those tasked with maintaining these arrangements. In the longer term, repapering will be flavour of the month once more.
The European Commission released its long-awaited proposed regulation of artificial intelligence on 21 April 2021 (see press release here). It sets out a risk-based approach to regulation designed to increase trust in the technology and to ensure the safety of people and businesses above all. The regulation has extra-territorial scope, meaning that AI providers located outside the EU whose technology is used, directly or indirectly, in the EU will be affected by the proposal. This wide-ranging applicability and the ambitious nature of the proposal have attracted intense scrutiny, as it is the first regulation of its kind. Although it provides for fines of up to EUR 30 million or 6% of total worldwide annual turnover, the proposal would impose controls only on the riskiest forms of AI, potentially leaving many AI applications in use today unaffected.
Broad scope of application
AI is broadly defined in the proposal and the assessment of whether a piece of software is covered will be based on key functional characteristics of the software – in particular, its ability to generate outputs in response to a set of given human defined objectives. AI can also have varying levels of autonomy and can be either free standing or a component of a product.
To prevent the circumvention of the regulation and to ensure effective protection of natural persons located in the EU, the regulation applies to:
- any provider of AI systems irrespective of whether they are based inside or outside the EU, if their systems are used directly in the EU or if the output of their system would impact a natural person in the EU; and
- to individuals, public or private entities using these AI systems in the EU (the ‘users’), except where the AI system is used in the course of a personal non-professional activity.
For example, where an EU operator subcontracts the use of an AI system to a provider outside of the EU, and the output of such use would have an impact on people in the EU, then the provider would be obliged to comply with the regulation if using a “high-risk” AI system.
This wide scope of application is not unusual for the Commission, as a similar approach was adopted for the protection of personal data under the GDPR and in the draft EU Digital Services Act and the draft ePrivacy Regulation.
Risk based approach
The proposal sets out four categories of AI systems based on the risk they present to safety and fundamental rights.
- Those systems which unequivocally harm individuals are banned, such as AI applications which manipulate human behaviour through subliminal techniques, circumvent the user’s free will or systems which allow ‘social scoring’. Operating an AI system in violation of such a prohibition may lead to the maximum penalty of up to EUR 30 million or 6% of the total worldwide annual turnover.
- The most extensive set of provisions deal with “high-risk” AI systems and start applying during their development, before they are made accessible on the EU market. Such regulatory requirements include obligations for ex-ante testing, risk management and human oversight to preserve fundamental rights by minimising the risk of erroneous or biased AI-assisted decisions in critical areas such as education and training, employment, important services, law enforcement and the judiciary. AI systems relating to critical infrastructure (e.g. autonomous vehicles or the supply of utilities) also fall within this risk category. The classification of an AI system as “high-risk” depends not only on the purpose of the system but also on the potential affected persons, the dependency of these persons on the output and the irreversibility of harms they could suffer. In particular, the regulation requires that the data sets which are used to train the AI algorithm be of high quality to ensure their accuracy and their non-discriminatory nature.
- Those AI systems which present limited risks to fundamental rights will be subject to transparency obligations. For instance, when users are interacting with chatbots, they should be made aware that the chatbot is powered by an AI algorithm.
- The majority of AI applications in use today present minimal risks to citizens’ rights or safety (e.g. AI enabled video games and spam filters), which means no restrictions are imposed on their use by the proposal.
If the proposal is passed (see the What’s next? section below), this would generate a significant compliance burden on companies developing and marketing “high risk” AI systems, including providing risk assessments to regulatory authorities that demonstrate their safety (effectively giving those authorities the right to determine what is acceptable and what is unacceptable). In light of this, industry stakeholders will welcome the proposed 24 month grace period after the regulation is finalised before the legislation will apply.
The regulation could also have a significant impact outside the EU given European regulations such as the GDPR have influenced regulations abroad. We have seen regulators so far shy away from being the first to act when it comes to AI because of concerns about constraining innovation and investment. Therefore this action by the Commission could be a catalyst for other regulators to act.
The proposal provides for the creation of an ‘EU AI Board’ to set standards and help national regulators with enforcement. This broadly mirrors the GDPR model of national supervisory authorities coordinated by a European board, rather than a single EU-level regulator: national competent authorities would be in charge of monitoring and enforcing the provisions.
The fines under the proposed regulation are tiered according to the seriousness of the breach and could be significant:
- developing and placing a prohibited AI system on the market or putting it into service could trigger a fine of up to EUR 30 million or 6% of the total worldwide annual turnover of the preceding financial year (whichever is higher);
- failing to comply with any other requirement or obligation under the regulation, including the obligations to cooperate with the national competent authorities and their investigations, could attract a fine of up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher); or
- supplying incorrect, incomplete or misleading information to notified bodies or national competent authorities could cost up to EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher).
It will likely take a number of years for the proposal to be passed into law. It must first be debated and adopted by the European Parliament and the Member States before it becomes directly applicable in all Member States. The current provisions may be changed during this process and further clarification may be brought to concepts such as the obligations imposed on users. In addition, the Commission would retain the ability to add to the list of high-risk AI systems, in order to adapt the regulation to future developments in the technology.
Privacy activists have criticised the exceptions to the proposed ban on the use of real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, which would still permit its use for:
- the search for potential victims of crime, including missing children;
- the prevention of certain threats to the life or physical safety of natural persons, or of a terrorist attack; or
- the detection, localisation, identification or prosecution of perpetrators or suspects of certain criminal offences.
Business will be closely monitoring the development of the proposal as it goes through the legislative process and how it impacts current and future activities, especially in areas like advertising. If passed, the proposal would have wide ranging consequences on businesses using AI systems as it will impact how the AI algorithm is created as well as regulatory monitoring during the life of the technology.
The proposal is part of a set of initiatives to set up Europe for the digital age. Fueling innovation in AI has been part of the EU’s agenda to create jobs and attract investments. First, in 2018 the Commission published a strategy paper putting AI at the center of its agenda, followed by guidelines for building trust in human centric AI published in 2019 – after extensive stakeholder consultation (see our previous blogpost here). It has also encouraged collaboration and coordination between Member States in order to create AI hubs in Europe by releasing a Coordinated Plan on AI in 2018 – which has been updated with the release of the proposal (see the New Coordinated Plan on AI 2021).
The Commission also published a White Paper on AI in 2020 which set the scene for the proposal by setting out the European vision for a future built around AI excellence and trust (see our previous blogpost here). The White Paper was accompanied by a ‘Report on the safety and liability implications of Artificial Intelligence, the Internet of Things and robotics’, which highlighted the gaps in current safety legislation and led the Commission to propose a new Machinery Regulation alongside the proposal.
Hot on the heels of the EDPB’s guidance on ‘supplementary measures’ with respect to international data transfers as a result of the Schrems II judgment (for further details see our blog post here), the European Commission has now published its long-awaited draft new Standard Contractual Clauses (the “New SCCs”) for consultation.
Chapter V of the GDPR prohibits the transfer of personal data out of the EEA to a third country or international organisation unless one of a number of available conditions under the GDPR is satisfied.
One of the conditions most often relied upon to legitimise the international transfer of personal data is use of the so-called Standard Contractual Clauses (“SCCs”). These are effectively a contract entered into between the data exporter and the data importer and impose certain data protection obligations on both parties. There are currently two different sets of SCCs which have been approved by the European Commission to cover transfers from: (i) a controller to another controller; and (ii) a controller to a processor.
However, the existing SCCs did not get updated when the GDPR came into force and so still refer to the old EU Data Protection Directive rather than the GDPR. There has also been criticism of the SCCs for a number of reasons, including because they don’t cover processor to processor transfers, leaving organisations the difficult task of trying to fit a square peg into a round hole when it comes to transfers from an EEA processor to a non-EEA sub-processor. The recent Schrems II case (see our blog post on the case here) also raised the question of whether or not contractual ‘supplemental measures’ are required when using the SCCs in order to further protect personal data being sent to countries which don’t otherwise provide adequate protection.
The New SCCs have therefore been eagerly awaited.
In this blog post we ‘summarise’ some of the key changes (both good and bad) and what they could mean for organisations and international data flows. With apologies for the length of this post, there is (fortunately or unfortunately) quite a lot to comment on! We have tried to limit our comments below to some of the more ‘big ticket’ issues. However, as always the devil is in the detail and there is an awful lot of detail with devils in it.
The New SCCs contemplate a one year grace period for implementation, from the date of the European Commission’s implementing decision. Whilst this may seem positive in contrast to, for example, the ECJ’s decision in the Schrems II case to invalidate the EU-US Privacy Shield with immediate effect, it is important to note that the one year grace period applies because the New SCCs will repeal the existing clauses, meaning that organisations will have no choice but to re-paper their contracts to put the New SCCs in place. See further our ‘repapering’ section below.
The New SCCs adopt a modular format, allowing organisations to include or exclude particular modules depending on the factual scenario in question. Whilst at first blush, this appears to be a sensible and perhaps surprisingly flexible approach, it does appear to result in a particular sting in the tail as it means that it is not easily possible to ‘rip and replace’ and swap out the SCCs with the New SCCs. See further our ‘repapering’ section below.
Scope (data transfers)
As mentioned above, the SCCs only cover controller to controller (“C2C”) transfers or controller to processor (“C2P”) transfers. This created significant hurdles when an EEA controller was transferring data to an EEA processor who then wanted to transfer it onwards to a non-EEA sub-processor, as there were no processor to processor (“P2P”) clauses available. In addition, since implementation of the GDPR, it has been unclear how the SCCs were supposed to apply in the context of a non-EEA controller subject to the GDPR as a result of the extra-territoriality provisions in Article 3. The SCCs only contemplated controllers/exporters located in the EEA.
The New SCCs contemplate all transfer scenarios, being C2C, C2P, P2P and even processor to controller (“P2C”). They also contemplate transfers where the data exporter is located outside of the EEA. This extended scope is likely to be good news for organisations who have long struggled to make the existing scope fit for purpose in the context of complex supply chains.
Scope (processor clauses)
As well as updating the SCCs for international data transfer purposes, the European Commission has also used the opportunity to incorporate into the New SCCs a set of processor clauses required by Article 28 GDPR. The GDPR mandates the inclusion of certain provisions in contracts between controllers and processors so, once again, at first blush it seems absolutely sensible to include such provisions in an international data transfer contract between a controller exporter and a processor importer.
However, the Article 28 provisions in the New SCCs are not a ‘module’ in and of themselves, meaning they cannot easily be extracted. In addition, the New SCCs make it clear that, in the event of a conflict between the provisions of the New SCCs and the provisions of any other agreement between the parties, the terms of the New SCCs will prevail. For organisations who have spent significant time and resource over the last 2-3 years negotiating data protection provisions into their commercial contracts, it is unlikely to be welcome news to understand that at least some of those negotiated positions may be superseded by the version of Article 28 that the European Commission has decided to incorporate into its New SCCs. See also our ‘liability’ section below.
Extending the extra-territorial reach of the GDPR?
The New SCCs (in the C2C module) contain an interesting requirement for non-EEA data importers who are controllers to notify the competent EU supervisory authority of any personal data breach likely to result in ‘significant adverse effects’. This would apply even to a non-EEA controller not otherwise subject to the GDPR, therefore extending the extra-territorial reach of the GDPR even beyond Article 3(2). In addition, the threshold is ‘significant adverse effects’ rather than the thresholds referred to in the GDPR. Thresholds aside however, this is likely to be a challenging obligation for controller importers who would otherwise have no interaction or relationship with any EU supervisory authority.
It was almost inevitable that the New SCCs would include provisions to try and deal with some of the challenges brought about by the Schrems II case. Indeed, many commentators have suggested that the reason it has taken the European Commission such a long time to publish the New SCCs is because it wanted to be able to publish a version which responded to the Schrems case. It is therefore not surprising that the New SCCs include ‘supplementary measures’ to address concerns about the transfer of personal data to countries which don’t provide adequate protection.
The Schrems-related provisions in the New SCCs include: (i) a warranty from the parties that they have no reason to believe that the laws in the importer country prevent the importer from fulfilling its obligations under the New SCCs; (ii) a requirement to assess the laws of the importer country; (iii) a requirement to document the assessment referred to in (ii); and (iv) a requirement to make the documented assessment available to a competent supervisory authority on request. In addition, there are obligations on the data importer to challenge requests for access received from an authority and only provide the minimum amount of personal data possible once such challenges have been exhausted.
These types of obligations are a fairly logical consequence of the Schrems judgment but they are nonetheless onerous on the parties to the transfer. For small/medium data importer organisations in particular, the requirement to exhaust legal challenges in response to access requests is likely to be expensive and challenging. Similarly, the requirement on data exporters to assess the relevant laws in the importing country appears to place an obligation on private sector companies that the European Commission itself hasn’t been able to discharge other than with respect to a handful of countries that have obtained an adequacy decision. The final sting in the tail here would also appear to come in the form of the recently published EDPB Schrems guidance which suggests that contractual supplementary measures are nonetheless unlikely to enable a data exporter to transfer data to a third country that does not have essentially equivalent laws (i.e. the inclusion of these clauses in the New SCCs could make no difference whatsoever to the ability of a data exporter to transfer the data in a compliant manner).
As mentioned several times above, there appears to be no escaping the fact that the New SCCs are going to require every single organisation in Europe that transfers data outside of the EEA to undertake a mass repapering effort. Coming so soon after data protection repapering exercises undertaken to deal with: (i) the invalidation of the Safe Harbor; (ii) the implementation of the GDPR; (iii) the invalidation of the EU-US Privacy Shield; and (iv) the upcoming expiry of the Brexit transition period, this is likely to be particularly unwelcome news. The prospect of asking for additional budget to undertake such an exercise is also unlikely to be particularly appetising for many privacy professionals within organisations.
However, the modular structure of the New SCCs means that a simple ‘rip and replace’ for existing SCCs is unlikely to be possible. In addition, the introduction of P2P and P2C clauses will require the papering of new relationships as these clauses didn’t exist previously.
As well as the administrative burden of a repapering exercise though, it appears that this latest project is also likely to require more careful legal analysis than those that went before it. The interplay between commercially negotiated C2P positions and the provisions in the New SCCs will need to be carefully considered to understand the extent to which existing positions conflict with the New SCCs. There will also likely end up being a divergence between the processor terms negotiated between controllers and processors based in the EU, and those negotiated between controllers in the EU and processors outside of the EEA. In summary, it won’t be simple.
It perhaps follows on from the point above regarding potential conflict between negotiated commercial positions and the New SCCs that the issue of liability is likely to become a particular sticking point. The New SCCs contain more detailed liability provisions than are currently set out in the SCCs, and many organisations will already be aware of the complex negotiations undertaken commercially with respect to processor liability in particular. For example, the interaction between commercially agreed liability caps and the ‘uncapped’ liability position in the New SCCs is unclear – would an agreed liability cap be viewed as being in ‘conflict’ with the position in the New SCCs?
The New SCCs are not all bad news. It is clear that the European Commission has tried to address many of the criticisms of the existing clauses with its new drafting and flexible modular structure. However, regardless of whether or not the drafting has been improved, the fact that their implementation will require yet another resource-heavy and expensive repapering exercise is possibly a disadvantage that many will consider outweighs any possible benefit. In combination with the recent EDPB guidance on Schrems, it seems to make for a rather bleak outlook for organisations trying to balance data protection compliance with the commercial reality of global data flows.
On 1 April 2020, almost two years after the General Data Protection Regulation (GDPR) entered into force, the European Commission published a roadmap for evaluating its application.
The roadmap specifically asks for feedback on the Commission’s strategy in dealing with the issue of international transfer of personal data to third countries, focussing on existing adequacy decisions, and the cooperation and consistency mechanism between national data protection authorities.
Why has the roadmap been published?
Article 97 of the GDPR requires the Commission to submit a report on the evaluation and review of the Regulation to the European Parliament and the Council by 25 May 2020.
The GDPR specifies that the Commission must examine the application and functioning of the mechanism for (i) transfers of personal data to third countries or international organisations under Chapter V and (ii) ensuring consistency and cooperation under Chapter VII.
Further, under Article 97 the Commission is required to take into account the positions and findings of the European Parliament and the Council, and if necessary to submit appropriate proposals to amend the GDPR in light of any technological developments.
What does the roadmap say?
The Commission has announced its intention to publish a report identifying issues in the application of the GDPR as requested by Article 97. The report will build on input from the Council, the European Parliament and the European Data Protection Board, as well as two earlier reports published by the Commission in 2017 and 2019, which both considered the protection of personal data since the GDPR had entered into force.
Publication of the roadmap launches a consultation process to gather input from citizens and stakeholders. As part of that process, the Commission will be sending detailed questionnaires to data protection authorities and the European Data Protection Board, as well as to the GDPR Multi-Stakeholder Group, a group made up of business and civil society representatives. The Commission will also conduct bilateral dialogues with the authorities of the relevant third countries.
Individuals, businesses or interested parties can register with the Commission here to provide feedback by 29 April 2020. Feedback will be published to the Commission’s website alongside a synopsis report explaining how any input will be taken on board or why some suggestions cannot be actioned.
What happens next?
The Commission has already received feedback from the Council on the application of the GDPR in a report setting out its position on 19 December 2019. In its report the Council raised a number of concerns, including the challenges of determining or applying appropriate safeguards in the absence of an adequacy decision and the strain of the additional work for supervisory authorities resulting from the GDPR cooperation and consistency mechanisms.
The Council’s report also flagged issues raised by individual Member States, such as the importance of considering the application of the GDPR in the field of new technologies and big tech companies, and the development of efficient working arrangements for supervisory authorities in cross-border cases.
The deadline for providing feedback on the roadmap from citizens and stakeholders is 29 April 2020. Following consultation with the relevant parties and receipt of any online feedback, the Commission will publish its report by 25 May 2020. There is no obligation on the Commission to take any steps following publication of the report. However, Article 97(5) states that the Commission shall ‘if necessary’ submit appropriate proposals to amend the GDPR.
5 March 2020 saw the European Commission (EC) announce an unprecedented agreement with short-stay accommodation titans Airbnb, Booking.com, Expedia and TripAdvisor to share and publish data (on the number of nights booked and the number of guests staying) with the EC via Eurostat (the EU’s statistical office) (press release here). Eurostat will then aggregate the data by municipality and publish that data on a Member State and individual region level.
This collaborative venture represents an initial step by the EC in tackling the absence of regular and reliable data in this area, and recognises the need to balance: (a) the opportunities for micro-entrepreneurs using these growing platforms; and (b) the adverse societal effects on local communities of landlords using their properties for short-term lets, e.g. increasing property prices.
While this agreement has been universally welcomed, it is noted that there are other categories of information that could also be useful from a policy-making perspective, such as the number of listings, hosts, beds and types of accommodation.
A number of cities including Paris, Barcelona, Berlin and Amsterdam have previously sought to place restrictions on the use of short-stay accommodation platforms, but this has not always been successful. For example, on 19 December 2019, the Court of Justice of the European Union (the EU’s most senior court) ruled that Airbnb did not have to meet particular regulatory requirements as it was correctly classified as an intermediation service rather than an estate agent (a stark contrast to its ruling on Uber with respect to the transportation services space). This new data sharing agreement does not tackle the limited regulatory restrictions that can be placed on online platforms. However, the EC hopes that this data collaboration will allow for more informed and balanced policymaking.
With a 2019 survey showing that 21% of EU citizens use a website or app to arrange accommodation, there have been numerous calls for a digital regulator to better police this space. It is thought that the much anticipated Digital Services Act will make some progress on this front, but the slow development of this legislation may struggle to match the evolving issues faced by online platforms. That said, this remains an interesting example of big tech companies collaborating with supranational bodies on regulation, as well as regulators seeking to become better informed on the nature and effect of new technology platforms to ensure informed decision making in this space.
This information on short-stay accommodation is anticipated to be publicly available as soon as Q3 2020.
- UK will maintain its adequacy status in Japan even after it withdraws from the European Union.
- Japan recognises that the UK has relevant legislation in place to maintain its adequacy assessment.
The Personal Information Protection Commission (“PPC”) in Japan has announced that, with respect to the transfer of personal data between Japan and the UK, the UK will maintain its adequacy status even after it withdraws from the European Union (“EU”).
The UK withdrew from the EU on 31 January 2020 and has entered into a transition period until 31 December 2020, during which time it will remain subject to EU rules including the General Data Protection Regulation (“GDPR”).
Currently, European Economic Area member states, which include the member states within the EU but do not include the UK, are included in Japan’s white list of countries which Japan recognises as having an adequate level of personal data protection. This recognition enables personal data to be transferred out of Japan and into white-listed countries without the requirement for any further safeguards to be in place.
The PPC’s Announcement
The PPC’s announcement on 28 January 2020 confirms that the UK will continue to maintain its adequacy status in Japan now that it has withdrawn from the EU because it has the relevant legislation in place to maintain its adequacy assessment. The PPC also confirms that this will apply to the UK even after the transition period.
This is a welcome indication that countries outside of the EU recognise the ability of the UK’s data protection laws to enforce international data protection requirements and that cross-border data transfer with the UK can continue after the transition period.
This announcement follows the recent adoption by the European Commission of its adequacy decision in favour of Japan on 23 January 2020.
As we noted in our 2020 data protection predictions blog, we expect the discussions around the UK’s adequacy decision to be one of the key developments in the year to come for data protection. Despite the GDPR being enacted into UK law, it remains to be seen whether the EU will recognise the UK as providing adequate levels of data protection following the transition period. In this regard, the European Data Protection Supervisor (“EDPS”), Wojciech Wiewiórowski, noted that the UK is “13th in the row” for an adequacy decision. Even though the EDPS does not participate directly in adequacy decisions, his comments may indicate a general reluctance to let the UK skip the queue in terms of an adequacy decision.
- The long-running challenge to the so-called EU Standard Contractual Clauses and the EU-US Privacy Shield, both used to lawfully transfer personal data outside of Europe, is now going to be heard by the European Court of Justice (“ECJ“) after an attempt to block the referral was rejected by the Irish Supreme Court.
- The ECJ will now assess and opine on whether these methods of international data transfer satisfy the requirements of the GDPR, with the potential for either or both mechanisms to be struck down like the US Safe Harbor was in 2015.
- If the court finds either method to be invalid, it would have a major impact on the cross border transfer of personal data, leaving companies with significant GDPR compliance issues and extremely limited options to be able to lawfully transfer data across national boundaries.
On 13 September 2018, the UK Government published a series of technical notes setting out the implications in various sectors and areas of a ‘no deal’ scenario (i.e. a scenario in which the UK leaves the EU without an agreement), including a note specifically covering data protection. The note sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EU in the event that the UK leaves the EU in March 2019 with no agreement in place.
Transferring data from the UK to the EU
Even in the event of a ‘no deal’ scenario, the technical note confirms that there should not be any impact on the transfer of personal data from the UK to the EU and beyond. A combination of the UK Data Protection Act 2018 and the EU Withdrawal Act would incorporate the GDPR into UK law. As such, the provisions currently found in Chapter V of the GDPR, which prohibit the transfer of personal data outside of the EEA without adequate safeguards in place, would remain. UK entities would therefore continue to be able to freely send personal data from the UK to the EU, and would continue to need to satisfy an appropriate legal basis to legitimise the transfer of personal data beyond European borders.
The technical note further confirms that, “in recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU”. However, there is a potential sting in the tail as the technical note provides that the UK will keep this under review – once the UK data protection regime is no longer required to mirror the GDPR, it would in theory be possible for the UK Government to amend the UK rules to provide that, for example, no personal data could be transferred outside of the UK without additional safeguards in place – meaning that this could potentially change in the future.
On 12 July 2016, the European Commission adopted an “adequacy decision” allowing for the transatlantic transfer of personal data from the EU to the US in accordance with the framework and principles of the EU-US Privacy Shield (the “Privacy Shield“).
Two privacy advocacy groups have however since filed actions in the European General Court to annul the adequacy decision. On 28 October 2016 the Irish privacy advocacy group, Digital Rights Ireland, filed an “action for annulment” on the basis that the Privacy Shield does not sufficiently protect the privacy rights of EU citizens. If successful, the action would invalidate the European Commission’s adequacy decision that approved and adopted the Privacy Shield. The group filed the challenge in the General Court based in Luxembourg, the second highest EU Court after the CJEU. A further challenge was also filed in the General Court by a French civil society group at the end of October 2016. It could take the General Court twelve months or more before a decision is handed down.