The European Commission published a draft decision and some guidance on standard contractual clauses for transferring personal data outside the European Economic Area (EEA). These have been a long time coming, but in light of the recent Schrems II ruling and Brexit’s impending arrival they’re a welcome breath of clarity. So what does it all mean?
Schrems II’s impact on international data transfers
In July, the Court of Justice of the European Union (CJEU) invalidated the transfer of personal data from Europe to the United States under the Privacy Shield agreement. The Privacy Shield was an umbrella agreement enabling data transfers between Europe and the US. With it gone, data transfers from Europe to the US had to rely on other legal bases, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Whether or not the existing SCCs were actually fit for purpose had not yet been tested in court. The existing ones are artifacts from the EU’s previous privacy directive and didn’t address all the adequacy requirements demanded by the GDPR. The European Commission’s release of new SCCs seeks to address this shortfall.
The new SCCs seek to take into account all the possible international transfer scenarios:
- Controller-to-controller transfers
- Controller-to-processor transfers
- Processor-to-processor transfers
- Processor-to-controller transfers
Once these draft SCCs are adopted, there will be an accepted legal framework for transfers to third countries, and taking an adequacy decision when transferring data outside of the EU will become more straightforward.
Brexit’s impact on data transfers between the EU and the UK
The impact of Brexit depends on the direction of the data flows.
If you are an EU business processing personal data of UK data subjects, you need to comply with the “UK GDPR” (the Data Protection Act of 2018), which also contains extraterritoriality clauses similar to the “EU GDPR”. What’s more, the ICO has confirmed that data transfers from the UK to the EEA will be deemed ‘adequate’ and will be permitted after Brexit, so there will be no need to have an additional transfer basis in place such as SCCs or a BCR.
If you are a UK business processing personal data of European data subjects, you will need to comply with the GDPR due to its extraterritoriality clauses. The EU still has not taken an adequacy decision on data transfers to the UK. It is by no means guaranteed that one will be in place by the end of the transition period at the end of December 2020. If there is no decision in place, EU controllers and UK processors will need to carry out a risk assessment to ensure that there is a legal basis and sufficient protections in place.
What you need to do to make sure your international transfers are legal
Simultaneously with the release of the new SCCs, the European Data Protection Board published guidance on what organizations should do to ensure that there is adequate protection of personal data when the data is transferred outside of the EU. The steps are as follows:
- Map out your transfers
- Verify the transfer tool you rely on
- Assess the law or practices of the third country to identify risks
- Identify and adopt supplementary measures
- Take any formal procedural steps
- Re-evaluate regularly
So what does each of these mean in practice?
Step 1. If you’re already compliant with the GDPR, you should already have mapped out your transfers. The data map you created for your records of processing activities should link to all the third-party processors and third-party controllers you are sharing data with, as well as exactly what personal data you’re sharing with them. You should extract a list of third parties and identify all of those that are not located in the EU.
Step 2. Review the list to see what transfer mechanism from Chapter 5 you’re using. It might be an adequacy decision from Article 45 or one of the transfer tools from Article 46, such as the SCCs discussed above.
Step 3. Assess the transfer tool you’re relying on to make sure that it is effective. Does the country where the third-party processor is based have a legal framework for the protection of personal data? Are there practices in that third country that might impact the effectiveness of the transfer tools you’re using? What is the nature of the personal data that you’re transferring to the third party? Remember that Schrems II had the Privacy Shield thrown out primarily due to the US government’s ability to intercept and retain personal data for combating crime or safeguarding national security. So understanding the third country the third party is operating in is crucial to determining what you do in step 4.
Step 4. If you’re at all uncertain about whether the data subject’s personal data will be adequately protected in the third country, and you still intend to export the personal data for processing there, you need to identify and adopt technical and organizational measures that you can put in place to ensure that the protection is adequate. This might be encrypting or pseudonymising the data before sending it to the third party. It might require organizational measures, such as training the third party in how to respond to requests from their public authorities. If you can’t implement suitable measures, you should consider finding an alternative supplier in a different jurisdiction.
Step 5. If you’ve felt the situation required you to implement additional measures, then you should submit them to your supervisory authority to get approval and to ensure that they agree the transfer is legal with the measures you’ve now put in place.
Step 6. Whatever you do, don’t set it and forget it. You need to monitor the legal data protection environment in all third countries to which you’ve transferred personal data. Set times to review and update your data map. If you’ve added any new third parties in new third countries, make sure you’ve assessed the risk using these six steps. Set regular intervals to review the transfer mechanism you have in place for the different third parties, and by all means monitor and react if there are developments in any of the third countries to which you’re transferring personal data.
This can all seem a bit academic, so we’ll add additional blog posts with some examples showing how easy it is to manage this process in GDPR365. Steps 1, 2 and 6 should be really fast. If your organization can’t quickly undertake these exercises, then consider using a SaaS solution like GDPR365 to maintain your data register, log and justify the transfer tools and re-evaluate the entire process rapidly. The other exercises may take longer as they require research or looking at a specific situation in detail.
GDPR365 offers a highly affordable all-in-one solution. Starting at £45/month, a license includes all features from data mapping to data breach management, as well as DPIA (Data Protection Impact Assessment) and Data Subject Access Request (DSAR) handling. Click the button below to book a demo and see how our software can speed up your compliance.