International Data Transfers based on Standard Contractual Clauses (SCCs) – How to conduct a Transfer Impact Assessment?
In July 2021, the EU Commission adopted a revised set of Standard Contractual Clauses (SCCs) that can be used to transfer personal data outside the European Economic Area. In the last post, we explained the concept of international data transfers under the EU GDPR and how the new SCCs can be used as a valid basis for such transfers.
Now, we will have a closer look at one specific obligation contained in the new SCCs, the Transfer Impact Assessment (TIA).
Introducing the Transfer Impact Assessment
It is important to note at the outset that simply signing the new SCCs is insufficient to render a transfer valid. Instead, the clauses require the parties to assess whether the country of destination’s level of data protection is essentially equivalent to EU standards by conducting a Transfer Impact Assessment (TIA). As previously discussed, this requirement stems from the Schrems II ruling, in which the CJEU made the validity of the previous SCCs conditional on an examination by the parties of the third country’s level of data protection (§105).
Thus, clause 14 now demands an assessment as to whether there is reason to believe that ‘the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under the new SCCs’. Here, parties must consider: i) the specific circumstances of the transfer, ii) the law and practices of the third country and iii) any relevant contractual, technical, or organisational safeguards put in place to supplement the safeguards under these clauses.
In the aftermath of Schrems II, disagreement has persisted regarding the factors that parties are allowed to invoke when assessing a third country’s level of data protection. In particular, it has been debated whether such an assessment must be strictly limited to objective factors (theoretical approach) or whether more subjective factors may also be considered (risk-based approach).
A theoretical vs a risk-based approach
A strict theoretical approach limits the assessment to objective factors, hence merely establishing whether the laws and regulations in place in the third country meet EU data protection requirements. Conversely, a risk-based approach allows for consideration of subjective factors such as the parties’ personal experiences concerning data access requests during previous, similar transfer operations.
Arguably, a risk-based approach can both broaden and restrict the scope of permitted transfers. Data transfers could be allowed even if the third country’s legislation is insufficient to restrict access by public authorities in violation of EU law, provided the parties can show that such access requests are unlikely in practice. However, such an approach can equally hinder data transfers despite sufficient legislation being in place where experience indicates a practice to the contrary.
The new SCCs must be interpreted in light of the European Data Protection Board Recommendations on measures that supplement transfer tools. To understand their stance on a theoretical versus a risk-based approach, it is worth diving a little deeper into the history of adoption of the two instruments.
History of adoption
In November 2020, the EU Commission published its new draft SCCs for comment. Adopting a risk-based approach, these were welcomed by many businesses. Clause 2 allowed the parties, amongst others, to consider ‘the content and duration of the contract’, ‘the scale and regularity of transfers’ and ‘any relevant practical experience with prior instances, or the absence of requests for disclosure from public authorities received by the data importer for the type of data transferred’. Hence, third country legislation permitting access by public authorities did not constitute an automatic obstacle for the transfer but could be compensated by the parties’ practical experience with the absence of access requests in practice.
However, this approach was subsequently criticised by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) in their joint opinion on the draft SCCs in January 2021. They argued in particular that ‘in the Schrems II ruling, the CJEU did not refer to any subjective factor such as the likelihood of access for instance. The mere fact that the data are comprised within the scope of a third country legislation that allows access to data by public authorities without specific essential guarantees would amount, per se, to considering that such access will possibly take place, without the need to rely on any practical experience in this regard or absence of requests for disclosure from public authorities received by the data importer.’ Thus, the EDPB and the EDPS proposed to eliminate any subjective factors from the analysis and to restrict it to objective factors.
Arguably, both approaches entail advantages and disadvantages. Oftentimes, it is easier to assess the applicable legislation than to analyse past data transfers with a view to reliably establishing the likelihood of public authority access requests. Additionally, the mere absence of access requests in the past does not guarantee that no such requests will be made during the lifetime of the data transfer contract. However, limiting the analysis to objective factors alone potentially restricts data transfers unnecessarily, even where the personal data would not be at risk in practice. Additionally, it does not allow for identifying the inverse situation, where the third country offers effective protection on paper but a data transfer would still violate EU standards due to diverging practices experienced in the past.
Given this discussion, the solution adopted by the final SCCs was eagerly awaited. Here, one can identify a risk-based approach but with a strengthening of objective factors.
The new SCCs: an objective risk-based approach?
The new clause 14 no longer refers to the subjective elements mentioned in the original draft but restricts the analysis to more objective factors such as ‘the length of the processing chain, the numbers of actors involved, and the transmission channels used’ as well as the ‘laws and practices of the third country of destination’. However, it allows, by way of footnote 12, the parties to equally consider ‘relevant and documented practical experience with prior instances of requests for disclosure from public authorities’. Hence, practical experience can be considered, but it must be accompanied by objective elements. It is required that the practical experience covers a sufficiently representative timeframe, is documented by means of internal records or other documentation certified at senior management level, and is supported by other relevant, objective elements. Parties must further ‘take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests and/or the application of the law in practice.’ This seems to be a fair compromise between, on the one hand, the desire to prevent parties from having too much leeway in including their subjective experience in the assessment and, on the other hand, the interest in avoiding an entirely theoretical assessment far removed from the actual practices in the third country.
How to conduct a TIA
So which steps exactly must a data exporter undertake to conduct a successful TIA? Here, the European Data Protection Board Recommendations on measures that supplement transfer tools provide guidance.
Firstly, it is crucial to identify the relevant laws and practices in light of all circumstances of the transfer. When deciding whether a certain law or practice affects the data transfer concerned, regard should be had to the purposes of the data transfer, the entities involved, the sector, the categories of personal data transferred, the possibilities of onward transfers, etc.
Generally, the data importer must provide the exporter with the necessary sources of information relating to the laws and practices of the third country. Sources and information must be ‘relevant, objective, reliable, verifiable and publicly available or otherwise accessible’. Documented practical experience can be consulted subject to the objective requirements mentioned in footnote 12 of the new SCCs, as discussed above.
As possible sources, the EDPB proposes, among others, consulting the relevant case law of the CJEU and the ECtHR, Commission adequacy decisions, resolutions and reports from intergovernmental organisations, reports from competent regulatory networks, national case law or administrative decisions, reports based on practical experience, warrant canaries of other entities processing data in the same field, reports from NGOs and academic institutions, and transparency reports where they expressly mention that no access requests were received.
Once identified, it must be determined whether these laws and practices, in particular those allowing disclosure of personal data to public authorities, restrict the fundamental rights of data subjects without respecting their essence or without being necessary and proportionate measures in a democratic society. Here, the EDPB European Essential Guarantees (EEG) recommendations can be applied as a reference standard. The EEGs contain standards stemming from EU law and from the CJEU and ECtHR jurisprudence on third country surveillance measures. They demand a legal framework providing for such access that is publicly available and sufficiently clear. Interference with the fundamental right to data protection must be necessary and proportionate with regard to the legitimate objective(s) pursued. An independent oversight mechanism should be provided, and effective remedies must be made available to data subjects.
Importantly, it is crucial not only to verify the existence or absence of relevant legislation and its compliance with EU standards, but also to verify whether there might exist practices of public authority access contrary to this legislation.
The TIA must be conducted with due diligence and documented thoroughly. It must be made available to data protection authorities or judicial authorities upon request, and data exporters can be held accountable for any decision taken on that basis.
Upon conclusion of the TIA, the data exporter may find that the third country offers an essentially equivalent level of protection, allowing the data importer to comply with its obligations under the SCCs. In that case, the transfer can be conducted. Importantly, the assessment must be re-evaluated regularly and, in any case, whenever significant changes emerge.
Conversely, the data exporter may find that the third country’s legislation and/or practices prevent the data importer from complying with its obligations because they fail to meet EU standards. In this case, the SCCs can only be relied upon where effective supplementary measures are adopted. Otherwise, the transfer must be suspended.
The possible supplementary measures that can be adopted to still allow the transfer of personal data to a third country whose laws and practices fail to guarantee a sufficient standard of data protection will be the subject of the next post.