Since the CJEU’s July 2020 decision in ‘Schrems II’, businesses have been seeking guidance on international data transfers. The decision invalidated the EU-US Privacy Shield and effectively called into question the legitimacy of relying on the other available legal mechanisms permitting personal data transfers to the US, the Commission’s approved standard contractual clauses (SCCs) and binding corporate rules (BCRs). On 11 November, the position was further complicated when the European Data Protection Board (EDPB) published new guidance on international data transfers and essential guarantees for surveillance measures and, the following day, the European Commission (EC) published a new set of draft standard contractual clauses designed to replace the current SCCs. The documents should be of major interest to any business carrying out cross-border data transfers as they are likely to have a significant impact.

EDPB Recommendations

‘Schrems II’ invalidated the Privacy Shield and raised uncertainty about the lawful use of SCCs. The decision confirmed that data exporters should, prior to transferring personal data to a third country (i.e. not a country that is within the EEA or has been deemed adequate by the EC), assess whether that third country provides a level of protection that is essentially equivalent to that of the European Economic Area (EEA). The EDPB’s guidance states that this assessment should be based on the following six-step framework:

1. Map all personal data transfers (including onward transfers);
2. Evaluate the mechanism used to compliantly transfer personal data;
3. Assess the privacy law of the recipient country;
4. Identify and adopt supplementary measures, where required, to ensure an essentially equivalent level of protection to that of the EEA;
5. Take any formal procedural steps for the adoption of any necessary supplementary measures identified; and
6. Regularly monitor and re-evaluate the level of protection provided by the recipient country.

To assist with step 3 above, the EDPB’s guidance on essential guarantees for surveillance measures will help data exporters in determining whether a country’s surveillance laws interfere with the protections provided in the EEA.

Unfortunately, the EDPB guidance offers little in terms of practical comfort with regard to the ability of data controllers to rely on the SCCs or BCRs for personal data transfers to the US or other jurisdictions that are not considered to provide adequate data protection safeguards. The EDPB’s draft recommendations are open to consultation which closes on 30 November 2020.

New draft SCCs

The EC has sought to modernise the current SCCs to better reflect the scenarios in which they are commonly used or needed. With SCCs being one of the most popular mechanisms businesses rely on to transfer personal data to third countries, it is likely that the new clauses will impact a significant number of businesses.

There are several key points to note in relation to the new SCCs:

1. They work in respect of four different cross-border data transfer scenarios, from: (i) controller to controller; (ii) controller to processor; (iii) processor to processor; and (iv) processor to controller.
2. They now permit non-EEA entities to execute the clauses as data exporters. This may be helpful for UK businesses post-Brexit that continue to use EEA-based service providers.
3. They acknowledge complex, multi-party processing operations by anticipating the evolving nature of relationships and allowing multiple controllers and processors to sign. They also allow for parties to later accede by executing an Annex through a ‘docking clause’.
4. They are to take precedence over other contractual terms. Parties will need to consider this in respect of data subjects being able to enforce their rights as third-party beneficiaries as well as carefully considering how liability may be impacted.
5. They are more onerous in respect of:
   1. the warranties and declarations that parties must provide with regard to undertaking sufficient due diligence in respect of the privacy laws of the country of transfer;
   2. keeping the position under ongoing review;
   3. notification obligations; and
   4. addressing non-compliance as importers will be under obligations to inform exporters if they are unable to comply with the SCCs. Following any such notification, the exporter must suspend the agreement and may be entitled to terminate if the suspension continues beyond a month.

The consultation on the new SCCs is open for feedback until 10 December 2020 which means that it is likely that they won’t be adopted until early 2021.

Once the new SCCs are in force all transfers that currently rely on the current clauses will need to be reconsidered and the relevant transfer arrangements amended. There will be a one year grace period before the old clauses expire, during which data exporters and data importers can continue to rely upon the use of the old clauses provided that: (i) the contract was entered into prior to the new SCCs being adopted; and (ii) there has been no renegotiation or amendment to the contract.

With Brexit looming, meaning that transfers from the EU to the UK will require a legitimate transfer mechanism (assuming that the UK does not benefit from an adequacy decision), it is also unclear whether the UK will adopt the new SCCs for transfers outside of the UK.

Practical advice

At this stage there are several steps that businesses should be taking to ensure that their cross-border data transfers remain legitimate:

1. Consider responding to the consultation and keep on top of developments following the closure of the consultation periods.
2. Review current contracts to identify those that transfer data under the existing SCCs and so which would be impacted by the new SCCs.
3. Consider those contracts which are likely to be renegotiated or amended over the next year or two as, if applicable and already in force, the new SCCs will need to be incorporated.
4. Bear the possibility of new SCCs in mind in respect of any new contracts, it is highly unlikely that any “as updated or replaced from time to time” language in respect of the SCCs will effectively work due to the additional considerations and documentation required.
5. Anticipate and consider the relevant resource that may be required to replace the existing clauses, if the new clauses are adopted. For some organisations this really could be a huge undertaking, particularly with regards to the assessment of privacy law in the territory of transfer.

We will be closely following the discussion around the consultations with interest and advise that businesses begin their preparations as early as possible, as set out above.