Much has been said, but where do we stand?
By Commission Implementing Decision (EU) 2021/914 of 4 June 2021[1] new standard contractual clauses (SCCs) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council have been adopted.
The new SCCs come as a result of a long-awaited update of this mechanism for international transfer of personal data and aim to ensure alignment with the provisions of the GDPR[2]. Furthermore, the SCCs are expected to deal with issues surrounding the application of the old SCCs addressed by the Court of Justice of the EU (CJUE) in the so called “Scherms II ruling”[3]. In its judgement, the CJUE tackled, inter alia, the factors which should be taken into consideration to determine the adequacy of the level of protection where personal data is transferred to a third country pursuant to SCCs. The CJUE outlined, in essence, that irrespectively of the signing of the SCCs, the exporter of personal data is required to verify, on a case-by-case basis, whether the law of the country of import may have a negative impact on the effectiveness of the appropriate safeguards adopted in the light of GDPR[4].
In the light of the foregoing, the new SCCs shall ensure a reinforced level of protection based on safeguards to the fundamental rights and freedoms of the data subjects procured by envisaging certain responsibilities and obligations for the data exporters and data importers and by addressing potential negative effects of the laws and practices of the third country of destination.
Importantly, the parties to the SCCs shall be responsible to assess and document the specific circumstances of the transfer as well as the laws and practices of the third country of destination, to adopt supplementary measures, if necessary, and to provide warranties on this subject[5]. Article 13, SCCs mandates that the parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under the SCCs.
Having stated the above and keeping in mind the Recommendations 01/2020 of the EDPB on measures that supplement transfer tools[6], the data exporters and data importers shall find themselves in deep waters and running out of time to get onboard. Contracts concluded before 27 September 2021 based on Decision 2001/497/EC or Decision 2010/87/EU shall be deemed to provide appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679 until 27 December 2022, provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.
Recommendations 01/2020 of the EDPB suggest that the data exporters should start with mapping their transfers (Know your transfers). But given the size, nature, sector of the business, categories of personal data, processing operations and other factors this first step per se could be quite time consuming and requiring extra resources. And then moving on to gather and assess unquantifiable amount of information on laws and practices of a jurisdiction which is foreign to the data exporter. It is true that the SCCs require the cooperation of the data importer, but life is not perfect and there could be a myriad of objective reasons why the data importer may not be able to provide the necessary information on time and / or with good quality. Moreover, the assessment should be focused to identify and conclude on potential impediments to the effective exercise of the rights and freedoms of the data subjects and the available legal remedies which impediments may stem from the laws and practices in the country of destination. Therefore, a general overview of the legal system of the country of destination without focused legal conclusions would not suffice no matter how detailed it could be. For that purpose, the data exporter and the data importer should be knowledgeable enough or resort to external help to determine whether any restrictions in the laws of the country of destination respect the essence of the fundamental rights and freedoms and are a necessary and proportionate measure in a democratic society to safeguard the objectives outlined in Article 23 (1) of the GDPR.
The good news is that the new SCCs enable the data exporter to use rather subjective criteria with regards to the overall assessment of the transfer. In this case the devil is indeed in the details, namely, in footnote 12 of the SCCs which enables the exporter to rely on “practical experience” with prior instances of requests for disclosure from public authorities, or the absence of such. The exporter could rely on such experience, including duly drawn up internal records or documentation, as long as it is not corroborated and not contradicted by publicly available or otherwise accessible, reliable information and it is supported by other relevant, objective elements. However, the SCCs do not instruct as to what such objective elements could be, and thus, leave room for interpretation.
Given the tight time window, some data exporters have already started to bombard their partners, suppliers and clients with lengthy questionnaires. But how long that process, with all backs-and-forths, would take is strictly individual. Other data exporters have not embarked on the journey lacking yet even a comprehensive mapping of their transfers.
Considering the foregoing, wouldn’t it be wiser and more forthcoming to design and introduce additional safeguards on most occasions, unless the data exporter and the data importer are confident enough that the assessment, they conduct, is of a due quality, scope and level of detail and appropriately documented? In contrast to the old SCCs, the new SCCs leave more space for contractual maneuvers and building on the level of protection already afforded by their clauses. Recommendations 01/2020 of the EDPB set specific examples but we are yet to witness the formation and establishment of good practices which would ensure effective protection of the personal data of the data subjects in the context of transfers to third countries, rather than having a nicely decorated paper shield.
[1] Entry into force 27 September 2021
[2] The previous set of rules were for the purposes of Article 26(2) of Directive 95/46/EC
[3] C-311/18 - Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems
[4] Para. 102 et seq. C-311/18
[5] See edpb_edps_jointopinion_202102_art46sccs_en_1.pdf (europa.eu) 2.2 General presentation of the Draft Decision and Draft SCCs and interplay with the EDPB Recommendations on supplementary measures.
[6] https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en
