A deep dive into the sweeping changes to EU data transfer rules
The long-awaited guidance from the European Data Protection Board (EDPB) and the modernised standard contractual clauses (SCCs) from the European Commission have finally arrived. These documents surface four months after the ECJ’s landmark Schrems II judgement.
While the Court upheld the validity of the SCCs adopted in 2010 for controller-to-processor data transfers, it also stipulated extensive obligations that organisations must take to rely on this transfer tool. Thus, ever since the judgment, there has been plenty of discussion as to how organisations can achieve compliance with these obligations, especially in relation to supplementary measures.
Back in July, the ECJ held that where organisations are relying on a transfer tool under Article 46 GDPR to conduct transfers of personal data from the EU to a third country, it must follow certain obligations to ensure an adequate level of protection of that data. In particular, those organisations must make an assessment of the local laws of the third country, from which it must then be determined whether supplementary measures are required to ensure an adequate level of protection (for a more detailed account of the case, see the first article in this series here).
On the day of the judgment, both the EDPB and the Commission issued press releases stating that they would be working towards clarifying some of the uncertainty resulting from Schrems II. The EDPB stated that it would work on putting together guidance organisations could follow to implement supplementary measures, whereas the Commission stated that it would be completing its updated SCCs for data transfers outside of the EU.
Both sets of work have now been published, albeit in draft form for now. On 11 November 2020, the EDPB issued both recommendations on measures that supplement transfer tools and recommendations on the European Essential Guarantees (EEGs) for assessing surveillance measures. The next day, the Commission released is updated SCCs for transferring personal data to non-EU countries.
These documents have been made available for public consultation (except for the recommendations on EEGs). Feedback for the EDPB recommendations can be submitted up until 21 December 2020 whereas the end date for the SCCs is 10 December 2020. Thus, none of the documents have been adopted yet and may not be adopted until early 2021.
Together, the documents released by the EU mark what might be the most significant changes to EU data transfer rules since the introduction of the Data Protection Directive in 1995. Organisations conducting such transfers will thus be paying close attention to their contents and the implications for their data processing operations. Some are going to be very busy indeed.
The Six Steps to Success
The recommendations released by the EDPB focuses on helping organisations implement the necessary measures to legitimise data transfers outside of the EU. In doing so, the recommendations outline detailed steps that organisations should take to ensure compliance and also provide an array of supplementary measures for data transfers.
The recommendations begin with the EDPB reiterating the importance of accountability when it comes to GDPR compliance. Both controllers and processors must ensure and demonstrate compliance with data transfer rules. Any such compliance work must also be continuously reviewed and updated where necessary. In the context of Schrems II, it is the responsibility of both data exporters and data importers to ensure that data transfers only take place if the adequate protection of personal data can be achieved.
Taking this into account, the EDPB guidance specifies six distinct steps that both exporters and importers should take together when transferring personal data. It should be noted though that, under the GDPR, the controller is ultimately responsible for ensuring compliance with the Regulation (Article 24). Thus, the controller should make sure that the recommended steps are taken.
The first step is to gain a full understanding of the data transfers taking place.1 This will require having complete and up-to-date records of processing activities (ROPAs) as mandated under Article 30, as well as a comprehensive register of vendors. It is only by understanding how the data are processed and transferred that the relevant compliance work can be undertaken. This step may also help organisations determine whether the data transfers are even necessary in the first place.
On this first step, the EDPB stresses that this work should be completed before any transfers of data take place,2 although for many organisations this work will have to be done after-the-fact. The Board also noted that remotely accessing personal data from a third country constitutes a transfer under the GDPR.3
Once the relevant ROPAs have been updated, the second step is to choose a transfer mechanism available under the GDPR to legitimise the data transfer.4 There are three options for this: relying on an adequacy decision made by the European Commission (Article 45), relying on a transfer tool under Article 46 or relying on a derogation under Article 49.
An adequacy decision made by the Commission requires no specific or prior authorisation for the transfer. This means that data exporters can transfer data from the EU to the third country benefiting from the adequacy decision without needing to complete any other work to legitimise the transfer. A list of countries with adequacy decisions can be found here.
Article 46 contains various transfer tools that organisations can use to legitimise transfers where an adequacy decision has not been made. Among these tools are SCCs adopted by the Commission as well as binding corporate rules which require approval from a supervisory authority (SA).
Under Article 49, there a number of derogations that can be used to legitimise data transfers, for example conducting transfers on the basis of the explicit consent of the data subject. However, these derogations are exceptional in nature and are only ever suitable for one-off or non-repetitive transfers. Thus, they are not a like-for-like alternative to an adequacy decision or an Article 46 transfer tool and in any case should be treated as a last resort.
If an organisation chooses to use an Article 46 transfer tool for the transfer, such as the SCCs, then the third step is to complete a transfer impact assessment (TIA).5 The purpose of this assessment is to examine whether the transfer tool being used will be ‘effective’ for the transfer. According to the EDPB, the transfer tool is ‘effective’ if both the tool and the local laws of the third country provide a level of protection of personal data that is essentially equivalent to the protection provided under EU law (namely the GDPR and the EU Charter).6
What this TIA should cover is detailed at paragraph 33 of the EDPB guidance. It should specify, among other things, the purposes of the data transfer, the categories of data transferred and the format of the data.
What must also be included is an assessment of the local laws of the third country that the data are being transferred. For this part of the TIA, the main focus should be on the laws around the access to data by public authorities for law enforcement or national security purposes. As was highlighted by the ECJ in Schrems II, these local laws must be analysed in terms of how they impact the Article 46 transfer tool being used.
The process for doing so can be split into three elements. Firstly, the laws that apply to the data importer and the transfer in question should be identified. Secondly, it should be determined whether those applicable laws comply with the EEGs. For this, the laws permitting public authorities to access data for certain purposes must be: (i) laid down in clear, precise and accessible rules, (ii) necessary and proportionate to the envisaged objective, (iii) include a mechanism for independent oversight (such as judicial review), and (iv) provide effective remedies for individuals in the event that their rights are infringed. These EEGs mirror the criteria used by the ECJ in Schrems II to determine whether US surveillance laws complied with EU law.
If the applicable local laws comply with the EEGs, then the EDPB recommendations state that this merely means that those laws are unlikely to impinge on the Article 46 transfer tool being used. Thus, the third part of the process for assessing the third country’s local laws is to determine if those laws undermine the protections under the Article 46 transfer tool. In other words, do the local laws prevent the data importer from fulfilling its obligations under the transfer tool?
If the answer to this is no, then relying solely on the transfer tool is permissible (although this must be regularly reviewed). However, if the answer is yes, the fourth step recommended by the EDPB to comply with the data transfer rules under the GDPR is to adopt supplementary measures.7 Where the TIA reveals that the transfer tool is not effective, then the both the data importer and the data exporter must work together to adopt supplementary measures that will make up for those deficiencies.
To this effect, the EDPB guidance provides a non-exhaustive list of supplementary measures that could be used to make the transfer tool effective.8 These include technical, contractual and organisational measures. Organisations must carefully decide on a case-by-case basis which measures to implement based on their TIA.
The EDPB insists that if no appropriate supplementary measures that ensure the effectiveness of the transfer tool can be identified, then the transfer cannot take place.9 Any transfers that are already taking place should also be stopped.
The fifth step is the practical implementation of the transfer tool and the appropriate supplementary measures.10 The procedural steps for this will differ depending on the transfer tool and the supplementary measures being implemented. For the SCCs, implementing supplementary measures that change (as opposed to ‘add to’) the SCCs will require authorisation from the relevant SA (Article 46(3)(a)).
The sixth and final step is a recurring one; it is to regularly review the transfer to ensure that the effectiveness of the transfer tool is maintained.11 This will mean monitoring legal developments in the third country, and thus consistent communication between the importer and the exporter will be crucial.
The Modernised SCCs
While also following the compliance steps recommended by the EDPB, organisations transferring personal data must also pay close attention to the contents of the new SCCs if using this as the transfer tool. These clauses contain strict obligations that the parties will need to comply with and having an understanding of these is essential for completing the TIA.
The updated SCCs drafted by the Commission take a modular approach. This means that they combine general provisions with specific provisions applying to particular types of data transfers. Module 1 provisions apply to controller-to-controller transfers, Module 2 provisions apply to controller-to-processor transfers, Module 3 provisions apply to processor-to-sub-processor transfers, and Module 4 provisions apply to processor-to-controller transfers. This makes a change from the previous regime which consisted of separate sets of SCCs for different types of transfers. These updated SCCs now include provisions for all types of transfers in one document.
The substantive provisions of the SCCs are split into three sections and are joined by four Annexes. Section I contains the general provisions, such as those on the scope and purpose of the SCCs. Also included in this section is an optional docking clause which allows entities to accede to the SCCs at a later date after being signed. This may be relevant when, for example, an entity becomes an affiliate of the importer or exporter and needs to abide by EU data transfer rules.
Section II contains the specific obligations of the parties. Some of these obligations vary according to the type of transfer in question, while others are the same across all types of transfers.
Section III contains the final provisions, which include rules around non-compliance with the SCCs. The Annexes are meant for additional information relevant to the contract which the parties will need to complete according to the specificities of the transfer. For example, Annex III should provide a list of sub-processors involved in the transfer.
Some of the most notable provisions contained in the new SCCs are those around access to data by public authorities. These are found in Clauses 2 and 3 of Section II and apply to all types of transfers.
Clause 2 relates to local laws affecting compliance with the SCCs. To begin with, it stipulates that the parties must warrant that they there is nothing within the laws of the third country which prevents them from fulfilling their obligations under the SCCs.12 In order to give this warranty, the parties must a complete a TIA and implement any necessary supplementary measures as indicated by that TIA.13 The data importer must user their ‘best efforts’ to provide the necessary information and cooperate with the exporter in completing the TIA.14
After singing the SCCs, if the data importer, due to local laws, has reason to believe that it cannot meet its obligations under the SCCs, then it must promptly notify the exporter.15 From there, the exporter must identify and implement appropriate supplementary measures to ensure the effectiveness of the SCCs.16 If the exporter decides to continue with the transfers (with the appropriate supplementary measures in place), then it must notify and explain to the competent SA its decision to continue with the transfers.17
Alternatively, if the effectiveness of the SCCs cannot be ensured with supplementary measures, then the transfer must be suspended and the exporter will be entitled to terminate the contract.18 The competent SA must also be informed of such.19
Clause 3 details the obligations of the data importer in case of public authority access requests. These obligations essentially fall into four categories: notification obligations, review obligations, challenge obligations and transparency obligations.
In relation to notification obligations, if the importer receives a request for data from a public authority or becomes aware of public authorities accessing the data transferred, then it must notify the exporter and, if possible, the data subjects.20 Furthermore, where the importer is prevented from giving this notification to the exporter (under the local laws), the importer must use its ‘best efforts’ to obtain a waiver and document those efforts.21
The review obligations require the importer to review the legality of any data requests it receives or becomes subject to.22 If, after this legal assessment, the importer identifies legal grounds to challenge the request, then it must exhaust all available remedies (challenge obligations).23 The remedies sought must involve interim measures to suspend the effect of the request until the matter is decided by a court.24 These legal assessments and challenges must be documented and made available to the exporter (if legally permissible) as well as to SAs on request.25
These obligations imposed on the data importer require constant documentation to create a record of the actions taken in response to a public authority request. Such information must be kept for the duration of the contract and the importer must provide to the exporter the maximum information permissible under the request (transparency obligations).26
The Recommended Supplementary Measures
The EDPB guidance lists a number of technical, contractual and organisational measures designed to help organisations supplement the Article 46 tools and ensure their effectiveness for data transfers. The EDPB emphasises that the measures implemented should correspond with the deficiencies identified by the TIA.
The technical measures consist of technology-based measures applied directly to the personal data and are designed to provide extra layers of protection to that data. Essentially, the measures recommended by the EDPB include state-of-the-art encryption (both at-rest and in-transit), pseudonymisation and split or multi-party processing.
With these measures, the EDPB notes two particular scenarios in which, in its view, no technical measures could be implemented to ensure the effectiveness of the Article 46 transfer tool. The first is transfers to processors which require access to data in the clear.27 The second is remote access to data for business purposes (where the data exporter makes data available to entities in a third country to be used for shared business purposes).28
In addition, contractual and organisational measures will not, on their own, be sufficient for ensuring effectiveness.29 This is because these measures cannot bind or directly impact public authorities accessing the data.30 Conversely, implementing only technical measures may suffice, however this will ultimately depend on the TIA and, in any case, the EDPB states that contractual and organisational measures should be included to complement the technical measures.31
The contractual measures recommended by the EDPB consist of various obligations placed on the importer of which can be added to the Article 46 transfer tool. However, some of these contractual measures are already included in the current draft of the SCCs. For example, one of the suggestions by the EDPB is that the data importer must review data requests received from public authorities and challenge these requests where there are legal grounds to do so.32 This reflects the obligation detailed in Clause 3 of the SCCs.
There are other contractual measures suggested by the EDPB not included in the SCCs though. One of these is the ‘Warrant Canary’ measure; the data importer regularly publishes (for example every 24 hours) a cryptographically signed message informing the exporter that it has not received a request from a public authority.33 Thus, the absence of an update would indicate that the importer may have received a request. When implementing contractual measures not already included in the SCCs, organisations must ensure that these supplement the clauses rather than fundamentally change their effect or prejudice the rights of data subjects.34
Many of the organisational measures recommended by the EDPB should be familiar to organisations that have already carried out the compliance work required under the GDPR. These measures effectively consist of policies and procedures pertaining to data transfers and requests from public authorities. An example of this is the regular publication of a transparency report summarising requests made by public authorities.35 Evernote, the developer of a note-taking app, publishes such transparency reports on its website.
The Problems Ahead
Complying with EU data transfer rules in light of Schrems II will clearly be a significant burden for plenty of organisations. A number of issues can be identified at this point.
To begin with, completing the TIA will be a heavy task for some. Apart from the coordination that will be required between the exporter and the importer, assessing the local laws of the third country may prove to be the most difficult aspect. It is almost as if organisations are being required to conduct their own mini adequacy decisions, which could be a very complicated and costly exercise. This difficulty increases the more third country data transfers occur in an organisations’ processing activities.
Yet, in a webinar held by the IAPP on 17 November 2020, the head of the EDPB secretariat expressed the opinion that the aim of the TIA is not to have a full-fledged assessment like the European Commission would for an adequacy decision. Instead, the aim should be to focus on specific criteria pertaining to the transfer in question and only assess the laws that are applicable to the data importer.
However, this leads to another issue with the current guidance and SCCs, which is the differing criteria for the TIA in the two documents. In the EDPB guidance, it is stated that objective factors should be taken into account in relation to legislation on access to data by public authorities (particularly if the legislation in the third country is lacking).36 These objective factors may include any reported precedents, practice, legal powers or resources demonstrating that an authority can access data either through the data importer directly or by intercepting communication channels.37 Subjective factors, such as the likeliness of authorities requesting access to data, should not be considered.38
However, the SCCs appear to impose a different standard. That document states that the factors which can be taken into account for the TIA includes the “practical experience” of the importer with prior data requests from authorities as well as the absence of such requests for the type of data transferred.39 These criteria in the SCCs are certainly more subjective and specific than those provided in the EDPB guidance. Using the former, if a data importer has received very few or even no data requests from public authorities, then it may be reasonable to conclude that there is a low risk of such requests being made in the future. This potentially makes it easier for organisations to justify the data transfer.
Furthermore, this approach would appear to be more closely aligned with the GDPR itself, as laid out in Article 24:
“Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”40
This apparent contradiction between the strict approach recommended by the EDPB and the risk-based approach in the SCCs and the GDPR may be an issue addressed by the EDPB when it gives its opinion on the SCCs before their adoption. On the other hand, this dissimilarity could show that the European Commission and the EDPB do not actually have a shared interpretation of Schrems II, of which may become more evident later on.
Somewhat linked to this issue is another harsh reality of the EDPB guidance; for some of the technical measures, organisations must take into account the capabilities of the public authorities. With encryption-at-rest for example, the EDPB states that, for this supplementary measure to be effective, organisations must ensure that the encryption is “robust against cryptanalysis performed by the public authorities”.41 This effectively requires quite a detailed knowledge of the resources available to such public authorities which, especially in relation to the covert intelligence agencies, may be extremely difficult to come by barring another Snowden-type leak.
Another separate problem with the forthcoming regime is the looming challenge of enforcing the SCCs across the transfer chain. In particular, for processor-to-processor transfers, the sub-processor is subject to a number of obligations requiring a direct relationship between itself and the controller. For example, the sub-processor must make available to the controller “all information necessary to demonstrate compliance with the obligations set out in [the SCCs]” as well as contribute to audits.42 These obligations may regarded as incredibly impractical if not impossible.
There may also be other practical issues with the implementation of the SCCs and supplementary measures. For a start, updating existing contracts with vendors in third countries with no adequacy decision may be tricky and time-consuming, especially where those vendors procure the services of other entities that involve the transfer of data to other third countries. It would be ideal if exporters could obtain commitments from the importers that they will accede to the new SCCs once they are adopted, but this may not necessarily be straightforward.
Once the new SCCs are adopted by the Commission, there will be a 1-year transition period for exporters to move from the old SCCs to the new SCCs. Thus, in that time, organisations will need to make sure all their contracts and documentation are amended to reflect changes to data transfers. This will include master services agreements, data processing agreements, privacy notices and privacy policies, to name a few. It should also be noted that the SCCs will prevail over any other agreement between the parties that conflicts with the provisions of the SCCs.43
Thus, organisations will be carrying two remediation exercises during the transition period. The first will be the completion of the TIA and the implementation of the necessary supplementary measures. The second will be the signing of the news SCCs after they are adopted by the Commission. Organisations ought to start this work sooner rather than later, and not just because of the volume of work involved; Amazon is facing legal proceedings in Germany for allegedly continuing to transfer data to the US using the now-invalidated Privacy Shield.
By contrast, Microsoft has been more embracing of the post-Schrems II world; the company will challenge every data request from public authorities and provide compensation to data subjects if their data are disclosed to public authorities in violation of the GDPR. It may therefore be the case that some organisations will use Schrems II as an opportunity to build a competitive advantage. Especially for SaaS providers, non-compliance, or even a lack of effort, could result in business drying up. But let’s see what really happens.
 European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with EU level of protection of personal data (10 November 2020), paras. 8-13.
 Ibid, para. 12.
 Ibid, para. 13.
 Ibid, paras. 14-27.
 Ibid, paras. 28-44.
 Ibid, para. 45.
 Ibid, paras. 45-54.
 Ibid, Annex 2: Examples of Supplementary Measures.
 Ibid, para. 52.
 Ibid, para. 55.
 Ibid, para. 62.
 European Commission, Standard contractual clauses for transferring personal data to non-EU countries (12 November 2020), Clause 2(a).
 Ibid, Section II, Clause 2(b).
 Ibid, Section II, Clause 2(c).
 Ibid, Section II, Clause 2(e)
 Ibid, Section II, Clause 2(f)
 Ibid, Section II, Clause 3.1(a).
 Ibid, Section II, Clause 3.1(b).
 Ibid, Section II, Clause 3.2(a).
 Ibid, Section II, Clause 3.2(b).
 Ibid, Section II, Clause 3.2(c).
 EDPB recommendations (n 1), para. 88.
 Ibid, para. 90.
 Ibid, para. 48.
 See Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited  ECLI:EU:C:2020, para.125.
 EDPB recommendations (n 1), para. 48
 Ibid, para. 112.
 Ibid, para. 110.
 SCCs (n 12), Section I, Clause 1(c).
 EDPB recommendations (n 1), para. 129.
 Ibid, para. 42.
 SCCs (n 12), Section II, Clause 2(b)(i).
 See also Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, Article 32(1).
 EDPB recommendations (n 1), para. 79.
 SCCs (n 12), Section II, Clause 1.9(c) (Module Three: Transfer processor to processor).
 Ibid, Section I, Clause 4.