News
A Path Forward – Draft Guidance Published For Dealing With International Data Transfers Post-Schrems II
In the wake of the decision of the Court of Justice of the European Union (CJEU) in Schrems II, controllers and processors have been working closely with legal advisors to find a compliant way to transfer personal data outside of the European Economic Area (EEA).
The CJEU found in Schrems II that the validity of Standard Contractual Clauses (SCCs), the popular model contract many companies rely upon to transfer personal data outside of the EEA, may require "supplementary measures" in certain instances where the laws of the transfer destination country do not afford a "level of protection essentially equivalent" to that guaranteed within the EU by the GDPR.
Last month saw a number of welcome developments and the publication of guidance by:
- the European Data Protection Board (EDPB) on supplementary transfer tools to ensure compliance with the EU level of protection of personal data (Supplementary Measures Guidance). The Supplementary Measures Guidance has been published in draft form and is open for public consultation.
- the EDPB on essential guarantees for surveillance measures (Essential Guarantees Guidance). The Essential Guarantees Guidance has been adopted outright.
- the European Commission (Commission) on new draft SCCs (Draft SCCs). The Draft SCCs have been published in draft form and are open for public consultation.
In this note, we look at the implications of these developments for international data transfers.
1. Supplementary Measures Guidance
The Supplementary Measures Guidance opens with a reminder that “transferring personal data to third countries cannot be a means to undermine or water down the protection it is afforded in the EEA”. The Supplementary Measures Guidance sets out the steps that entities transferring personal data outside of the EEA (data exporters) should adopt in order to comply with the GDPR principle of accountability. Data exporters must:
- know the personal data being transferred and conduct data mapping
- verify the transfer tools (e.g. SCCs, Binding Corporate Rules etc.) being used to facilitate the transfer
- assess the law or practice of the transfer destination country to ensure that the effectiveness of the appropriate safeguards of the relevant transfer tool are not impinged
- adopt supplementary measures as necessary. The Supplementary Measures Guidance includes an annex which provides a non-exhaustive list of sample supplementary measures
- take any formal procedural steps to adopt supplementary measures (this includes obtaining the authorisation of the competent supervisory authority if the parties intend on modifying the SCCs), and
- re-evaluate at appropriate intervals the protections in place for international transfers.
2. Essential Guarantees Guidance
The Essential Guarantees Guidance clarifies in which circumstances surveillance measures permitting access to personal data by national security agencies or law enforcement authorities can be considered a justifiable interference. The EDPB considers that the applicable legal requirements to make limitations to data protection rights justifiable can be summarised in four "Essential Guarantees" which are:
- processing should be based on clear, precise and accessible rules
- necessity and proportionality with regard to the legitimate objectives pursued needs to be demonstrated
- an independent oversight mechanism should exist, and
- effective remedies need to be available to the individual.
The Essential Guarantees are key criteria for any assessment of a transfer destination country's surveillance laws.
3. Draft SCCs
The Draft SCCs have a "modular" format designed to cover four types of data transfer scenarios:
- controller to controller (previous facilitated by the SCCs set out in the annex to Commission decision 2004/915/EC)
- controller to processor (previous facilitated by the SCCs set out in the annex to Commission decision 2010/87/EU)
- processor to sub-processor, and
- processor to controller.
Commentators have welcomed that, for the first time, the Draft SCCs deal with data transfers made by a processor in its role as a data exporter. This development will obviate the need to include agency language in data transfer agreements where a processor is acting as a data exporter. Under the current SCCs, it is necessary to appoint the processor as an agent of the controller for the limited purpose of entering into the SCCs for and on behalf of the controller as data exporter.
Draft SCCs – a way forward for international transfers
Parties using the Draft SCCs will still have to take "due account" of certain factors before transferring the personal data outside of the EEA. These factors include:
- specific circumstances of the transfer, including the content and duration of the contract; the scale and regularity of transfers and the length of the processing chain
- laws of the transfer recipient country in light of the circumstances of the transfer, including those requiring disclosure of data to or authorising access by public authorities, as well as the applicable limitations and safeguards, and
- any safeguards in addition to those under the Draft SCCs, including the technical and organisational measures applied during transmission and to the processing of the personal data in the country of destination.
The controller / processor recipient of the personal data, or "data importer", must make "best efforts" toprovide the data exporter with relevant information and cooperate with the data exporter for continued compliance with the Draft SCCs.
Next Steps
The public consultation for the Supplementary Measures Guidance was originally scheduled to close on 30 November 2020 but has since been extended to 21 December 2020 and the Draft SCCs closes on 10 December 2020. Pending finalisation of these consultation procedures and the (revised) materials issuing, we recommend that data exporters commence data mapping in line with step 1 of the Supplementary Measures Guidance. On finalisation of the materials by the EDPB and Commission, further steps can be assessed and implemented as necessary.
For further insight and guidance on Irish law issues please contact us.
Article provided by: Leo Moore (William Fry, Ireland)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010