Since the publication of the new Standard Contractual Clauses (SCCs, often also called Model Clauses) by the European Commission, this has been a hot topic among our GDPR experts. And as an entrepreneur, you may be faced with “updates” from your suppliers, and questions from your customers.
In the following, we will take a look at what practical consequences this has for organizations that send personal data to a party outside the European Economic Area. Countries outside the EEA are also called third countries in this context.
In any case, the impact is significant for organizations that rely on suppliers whose parent company is located outside the EEA, and for organizations that transfer personal data within a group whose subsidiaries or parent companies are located outside the EEA. Indeed, both cases will involve processors/sub-processors.
Rewind a little bit
Exit Privacy Shield
Since the Schrems II judgement, there has been great uncertainty regarding the transfer of data outside the EEA, particularly to the US. Indeed, with this ruling, the European Court of Justice (ECJ) decided that the EU Commission’s decision on the adequacy of the Privacy Shield was invalid. The EU-US Privacy Shield, like its predecessor, provided a free pass for European companies to transfer personal data of their European data subjects to American companies. The condition was that the latter were certified with the so-called Privacy Shield “certificate”.
And what about the SCCs?
At the same time, however, the ECJ also ruled on the usability of SCCs. SCCs were often used by organizations to secure their transfers to countries outside the EEA and were supposed to authorize the transfer as an “appropriate safeguard”.
Already in the aftermath of Schrems II, the EDPB issued a recommendation in June 2021 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. Furthermore, an EDPB/EDPS Joint Opinion 2/2021 on the European Commission’s implementing decision on standard contractual clauses was published in May 2021.
In principle, but especially regarding transfers to the US, SCCs should no longer constitute such an “appropriate safeguard” per se. Instead, the data exporter would have to verify in each individual case:
- whether the law of the third country ensures, in accordance with European law, an adequate protection of the personal data transferred on the basis of the SCCs, and
- whether, if necessary, the data importer outside the EEA provides more safeguards than those provided by these SCCs.
When do I need to adopt the new SCCs?
Once your organization transfers personal data to a third party located outside the EEA, or if your organization has affiliates outside the EEA, you are required to use the new SCCs.
If you are currently working with the old SCCs, then they must be replaced with the new SCCs no later than December 27, 2022.
Obligation of Transfer Impact Assessment (TIA)
In the Schrems II judgment, the ECJ requires that an assessment of the concrete individual case must be carried out. This assessment must then determine whether (sufficient) data protection can only be ensured by means of additional measures.
This “assessment” should not only take into account the laws of the third country, but also consider other elements. These include the likelihood of the risk of a third party gaining access to the data, the type of data processed and the purposes of the processing. This should then make it possible to determine the severity of the potential risk. And depending on the risk, additional measures should then be taken.
The new SCCs have incorporated the requirement for such an assessment. Thus, under the new SCCs, parties must conduct a comprehensive TIA that consistently takes into account the above considerations.
And after conducting a TIA?
According to the EDPB, a TIA can only lead to two results:
- either an adequate level of protection exists and transfer of data is possible;
- or there is no adequate level of protection. Strictly speaking, in this case, the transfer of the personal data should be terminated, or the parties should take effective additional measures as described by the EDPB in its recommendation.
Practical problems conducting a TIA
Conducting a TIA means forcing the data exporter (often the Data Controller) to make an assessment of a foreign legal situation, including legislation, current legal practice and legal doctrine.
This means that the mere contractual guarantee through the SCCs would in fact have no value, as the data exporter would have to perform a full, comprehensive assessment on top of that. However, such a local examination cannot be performed by SMEs at all, and is only feasible, at considerable cost, for large companies.
We note that Supervisory Authorities (such as the German supervisor) are not able to assess foreign jurisdictions including their practices by themselves and thus must seek legal advice from third parties to do so. They are unable to perform this assessment even in their daily work.
In other words, the required TIA, which is almost exclusively tailored to the legislation and jurisdiction of the third country, cannot be substantively tested by the Supervisory Authorities.
Complying with the requirements of the GDPR, and especially with the additional (new) obligations for data transfers, remains difficult. So, on the one hand, the EDPB imposes a comprehensive examination of the legal situation and practice of the third country on the data exporter as part of the TIA. On the other hand, this is an investigation that a Supervisory Authority itself cannot even perform.
We therefore ask how the Supervisory Authorities will enforce this. Currently, this question remains unanswered. However, with the increased focus on SCCs and privacy activism, we expect clarity on this matter in the coming year.
What is certain is that an entrepreneur should give thought to the international transfer of data, and should seriously consider and document all decisions in this regard. If you have any questions about this, you can always contact us at firstname.lastname@example.org.
Written by Duygu Öztürk, CIPP/E, Privacy Chair theJurists, and Kris Seyen, Partner theJurists.