International Data Transfers: Transferring data to third states under EU GDPR
Since the introduction of the EU GDPR, personal data protection standards in Europe are high. To ensure continued protection where personal data is transferred to countries outside the European Economic Area (EEA), the GDPR imposes strict conditions on international data transfers. Such transfers must be based on one of the instruments provided for by the GDPR, including Commission adequacy decisions and Standard Contractual Clauses (SCCs). Recently, data transfers have been subject to much uncertainty. In relation to EU-US data transfers, the CJEU has already twice invalidated Commission adequacy decisions in its infamous Schrems I (2015) and Schrems II (2020) rulings. The court further introduced additional requirements for parties wishing to employ SCCs to their data transfer. In response to the rulings, the EU Commission finally adopted a revised set of SCCs in July 2021, followed by a set of recommendations of the European Data Protection Board (EDPB).
We will first briefly explain the general framework of data transfers under the EU GDPR before highlighting the key points of the Schrems rulings. Afterwards, we will set out the main changes introduced by the new SCCs.
What are international data transfers under the GDPR and how can they be conducted?
The GDPR itself does not define the concept of data transfers. Generally, a strict interpretation limited to the ‘sending’ of personal data is rejected, and data transfers equally include making such data available to the public in a third state.
Article 44 GDPR imposes a double requirement on businesses: they must firstly comply with the general GDPR processing requirements (legal bases, transparency, etc.) and further adhere to the specific data transfer requirements. Failure to do so can trigger fines of up to 20 million euros or 4 per cent of the company’s worldwide turnover (Art. 83(5) GDPR).
Concerning the specific data transfer requirements, data transfers are to be based either on a Commission adequacy decision (Art. 45 GDPR), on appropriate safeguards consisting of, among others, SCCs (Art. 46 GDPR), or on one of the specific derogations (Art. 49 GDPR). If available, an adequacy decision arguably constitutes the simplest way for businesses to engage in data transfers. Here, the Commission has determined that a third country in its entirety ensures an adequate level of personal data protection, and personal data can freely be transferred to this country (provided the GDPR processing provisions are respected).
In the absence of an adequacy decision, businesses can have recourse to appropriate safeguards instead. Article 46 GDPR provides a range of different safeguards, some of which are of a rather specific scope. The most commonly used safeguards are SCCs. These contractual clauses, adopted by the EU Commission, can be inserted into contracts between data controllers and processors when conducting a data transfer to render such a transfer valid. As a last resort, transfers can still be based on one of the limited derogations listed in Art. 49(1) GDPR, such as the data subject’s explicit consent or necessity for the establishment, exercise or defence of legal claims.
A double defeat: Invalidity of the Safe Harbour Agreement and the EU-US Privacy Shield
In the past, the EU Commission twice declared the personal data protection system of the United States as ‘adequate’. However, both adequacy decisions have subsequently been declared invalid by the CJEU.
The first adequacy decision, dating from 2000, was the Safe Harbour Agreement, which came under the court’s scrutiny in 2015. An Austrian privacy activist, Max Schrems, had challenged the validity of this agreement in the context of Facebook’s transfer of his personal data to servers based in the US. The Irish High Court referred the question of the agreement’s validity to the CJEU. Holding that the Commission must determine whether the level of personal data protection is ‘essentially equivalent’ to the protection under EU law, the Court found this not to be the case. Notably, US privacy laws did not limit the interference of state authorities with personal data based on national security and public interest requirements in time or material scope, nor did the adequacy decision contain any effective protection against such interference (§§ 88-9). Interference with Articles 7 and 8 of the EU Charter (right to privacy and data protection) must be accompanied by clear and precise safeguards for individuals and be limited to what is strictly necessary (§ 91).
Following this ruling, the Commission revised its adequacy decision and adopted a new version, the EU-US Privacy Shield. Once again, Max Schrems challenged its validity, and the case was brought before the European Court. In Schrems II, the Court delivered two important points. Firstly, it invalidated the Privacy Shield. Secondly, it upheld the existing SCCs but subjected them to further conditions. Upon scrutiny of the US Foreign Intelligence Surveillance Act, it highlighted that the Privacy Shield allowed for US practices of ‘bulk collection of large volumes of data without clearly defining thereof or providing access to judicial review’ (§ 181). Not being limited to interference that is proportional and ‘strictly necessary’ (§ 184), the Privacy Shield was declared invalid.
The Court then went on to analyse the SCCs in place. While generally upholding their validity, the Court highlighted that they could only be employed for data transfers to a third country that afforded a level of protection ‘essentially equivalent to that guaranteed within the European Union’ (§ 105). To assess this essential equivalence, businesses must consider both the contractual clauses they have agreed on and the applicable legislation of the third state. Here, one must examine the appropriate safeguards, enforceable rights and effective legal remedies afforded to data subjects, as well as the access of that third country’s public authorities to the personal data transferred. Where a Data Protection Authority considers that the third state’s level of data protection does not fulfil these standards, it can suspend or prohibit the transfer (§ 113).
With this ruling, the Court clearly showed its stance on US surveillance laws. The adoption of a new Commission adequacy decision seems out of reach until US laws step up their protection regarding the access of public authorities to personal data. In the meantime, the importance of SCCs for data transfers has greatly increased.
Implementing Schrems II: The new SCCs
In response to the Court’s ruling, the EU Commission has adopted a revised set of SCCs to facilitate compliance with the court’s requirements. The previous clauses dated from the pre-GDPR era, and privacy activists had long claimed that they did not conform to the GDPR. The new clauses have been effective since 27 September 2021. Businesses must revise their existing data transfer contracts and insert the new clauses by 27 December 2022.
Upon comparison of the new set of clauses with their predecessor, it is firstly striking that their new modular approach renders them easier to navigate. The clauses are composed of four modules, each of which contains the clauses that need to be inserted into a data transfer contract between two specific types of entities. The modules are divided as follows: Module 1: controller to controller; Module 2: controller to processor; Module 3: processor to processor; Module 4: processor to controller. Hence, the clauses’ material scope has been extended, as the previous clauses did not cover processor to processor and processor to controller transfers. This is a welcome addition and corresponds well to the reality of global data transfers nowadays. Additionally, a ‘docking clause’ has been added. This clause allows an additional data exporter or importer to accede to the new SCCs after the conclusion of the contract (Clause 7), equally facilitating business operations.
Beyond the material scope, the clauses’ territorial scope has also been extended. While the old clauses required the data exporter to be established in the European Union, the new SCCs are aligned with the GDPR’s extraterritorial scope and equally benefit data exporters established outside the EU who are subject to the EU GDPR.
Next to these changes in scope, the new clauses, as expected, mirror the Schrems II ruling. Indeed, the clauses explicitly require data exporters to assess the level of protection of personal data in the third country. Both parties must warrant that, at the time of signature, they have no reason to believe that the legislation applicable to the data importer, including any requirements on public authority access, prevents the data importer from complying with the clauses (Recital 19). Data importers must promptly notify exporters and data subjects of public authority access requests. Where this is prohibited under the third country’s law, the importer must use its best efforts to obtain a waiver of the prohibition and in any case provide only the minimum amount of information possible (Recital 22).
To assess the level of personal data protection, the SCCs introduced a new concept, the Transfer Impact Assessment (TIA). This TIA is crucial for the validity of a data transfer based on the new SCCs. Here, parties must consider the specific circumstances of the transfer, such as the content and duration of the contract and the nature of the personal data to be transferred. Moreover, the laws and practices in the third country must be scrutinised (Recital 20). Businesses are then obliged to put in place any relevant contractual, technical or organisational safeguards that supplement those under the SCCs in order to ensure an effectively equivalent level of protection. As a new mandatory concept, the TIA has been subject to much uncertainty. Recommendations adopted by the EDPB are intended to partially shed light on which steps are necessary to conduct a successful TIA. We will explore the concept of TIAs in the next blog post and highlight the key obligations imposed on businesses wishing to rely on the new SCCs.
Overall, the Schrems saga and the new SCCs can be seen as yet another sign of the EU’s determination to greatly step up data protection in the EU. Imposing strict obligations on international data transfers is in line with the extraterritorial reach of the GDPR. After all, data subjects’ rights would be at risk if their protection stopped at the EEA borders. In this vein, it is crucial for businesses to carefully revise their transfer practices to avoid high GDPR fines.