European Union: International Data Transfers Under The GDPR: From Schrems To The New Standard Contractual Clauses And The EDPB Recommendations

1. Introduction

In the absence of an "adequacy decision" by the Commission that a particular third country ensures an adequate level of protection under the General Data Protection Regulation (GDPR), standard data protection clauses adopted by the Commission in accordance with the Regulation are widely as legal grounds for data transfers from the EU to third countries.

On 4^th June 2021, by its Implementing Decision (EU) 2021/914 (CID (EU) 2021/914) the European Commission published new modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).

These new SCCs will replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46, which were in effect "grandfathered" into the GDPR and continued to be relied upon for international transfers after the GDPR came into effect on 25^th May 2018.

The new SCCs will enter into force on 27/6/2021 and organizations may begin incorporating them into new contracts after this date. However, according to the Implementing Decision organizations may continue signing the old SCCs in new agreements until 27/9/2021, and by 27/12/2022 they must introduce the new SCCs into agreements that relied on the old SCCs, "provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards" (Article4(4)).

No doubt the new SCCs are a long-anticipated update in this area, particularly welcome by the international business community and especially organizations and privacy practitioners in the EU. But to understand the reasons behind the adoption of the new SCCs and their importance it is necessary to consider the historical background and how the legality of international data transfers under the old SCCs was viewed by the CJEU after the GDPR came into effect. It should, however, be noted that of no less importance to CID (EU) 2021/914 is the European Data Protection Board's updated Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data Version 2.0, adopted on 18 June 2021, also discussed below.

2. The Schrems Rulings

Case C-362/14 (Schrems I) challenged the Irish DPC's refusal to investigate a complaint by an Austrian privacy advocate, Max Schrems, asking the DPC to suspend data transfers from Facebook Ireland to Facebook Inc due to Mr. Schrems' concern that his personal data could be accessed by U.S. intelligence authorities and that his EU data protection rights would be violated. The CJEU invalidated the "Safe Harbor" arrangement, which permitted the transfer of personal data from the EU to the US since 2000, because the arrangement failed to provide the requisite legal protection under Directive 95/46/EC. As a result, in February 2016 the European Commission and the US government reached a political agreement for the implementation of a new legal framework for data transfers from the EU to the US, called the "EU-U.S. Privacy Shield", which was shortly after followed by an adequacy decision.  

However, on 16^th July 2020 a further ruling of the CJEU in C-311/18 (Schrems II), invalidated the Commissions' adequacy determination for the EU–U.S. Privacy Shield and questioned the validity of processing activities involving the transfer of personal data outside the EEA, emphasizing the need for an updated, user-friendly tool for organisations to rely on to ensure compliance of such data transfers with the requirements of the GDPR.

Schrems II concerned a reformulated complaint to the Irish Data Protection Commissioner by Mr. Schrems in 2015 that the transfer of his personal data from Facebook Ireland to its parent company in the US, made on the basis of the SCCs, did not protect his fundamental rights under EU law, given the ability of US public authorities to carry out surveillance on EU individuals' personal data without adequate controls or judicial remedies. The Irish DPC brought proceedings before the Irish High Court, requesting it to refer questions around the validity of the SCCs to the CJEU.

The CJEU did not invalidate the SCCs but ruled that to assess the adequacy of the protection provided by SCCs both a consideration of the provisions of the SCCs, and the laws of the country in which the data importer is located, on a "case-by-case" basis is necessary. Where the law in the recipient country does not ensure adequate protection companies must provide additional safeguards or suspend transfers.

The CJEU clarified that the standard data protection clauses adopted by the Commission are solely intended to provide contractual guarantees that apply uniformly in all third countries to controllers and processors established in the European Union. Due to their contractual nature, standard data protection clauses cannot bind the public authorities of third countries, since they are not party to the contract. Consequently, data exporters may need to supplement the guarantees contained in those standard data protection clauses with supplementary measures to ensure compliance with the level of protection required under EU law in a particular third country.

3. The New SCCs

On 12^th November 2020, the Commission published a draft Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries which included a draft Annex on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR. The draft clauses adopted a modular approach to cater for various transfer scenarios.

Upon request of the Commission, in April 2021 the European Data protection Board and the European Data Protection Supervisor issued a joint opinion on the draft European Commission's Implementing Decision on standard contractual clauses for the transfer of personal data to third countries under the GDPR. In their joint opinion the EDPB and the EDPS welcomed the specific provisions intending to address some of the main issues identified in the Schrems II ruling, and in particular the provisions of the Draft SCCs on:

• Third country's laws affecting compliance with the Draft SCCs;
• Access requests received by the data importer and issued by third country's public authorities; and
• Optional ad-hoc redress mechanism to the benefit of data subjects.

As a result, the new SCCs take into account the joint opinion of the European Data Protection Board and the European Data Protection Supervisor, feedback from stakeholders during a broad public consultation and the opinion of Member States' representatives.

Their purpose is to help European businesses ensure compliance with GDPR requirements while allowing data to move freely across borders by providing them with an easy-to-implement template that meets data protection requirements.

Whilst the old SCCs consisted of three different sets, which in effect covered only controller to controller and controller to processor transfers, the new SCCs consist of two sets.

The first set of the new SCCs, adopted under CID (EU) 2021/914, is actually a single set of clauses within a contract which replaced all three sets under the old SCCs by following a modular approach that allows transfers from:

1. Controller in the EU/EEA to processor outside the EU/EEA,
2. Controller in the EU/EEA to controller outside the EU/EEA
3. Processor in the EU/EEA to sub-Processor outside the EU/EEA
4. Processor in the EU/EEA to controller outside the EU/EEA

This provides more flexibility for complex processing chains involved in modern data processing relationships.

In addition to the modular approach, the first set of the new SCCs is composed of fixed clauses, which cannot be modified by the parties and blank clauses and annexes, which are completed by the parties with certain information, such as the categories of data transferred, the data subjects, etc, allowing the parties to tailor such clauses according to their business arrangements.

A "Docking clause" also provided in the new SCCs, offers the possibility for third parties to accede to and use these clauses at any time, either as a data exporter or importer, simply by completing the Appendix and signing Annex I.A.

Furthermore, in response to Schrems II the new SCCs offer a practical toolbox to comply with the requirements of the judgment, by including a number of provisions to deal with local laws and practices affecting compliance with the clauses and certain obligations of the data importer in case of access requests by public authorities in the destination country.

In particular, under the new SCCs the parties are required to provide warranties that they have no reason to believe that the local laws of the destination country, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. The parties are also required to carry out a written assessment, taking into account the specific circumstances of the transfer, the laws and practices of the third country of destination and any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of personal data in the country of destination.

Furthermore, the data importer will have certain obligations where it receives a legally binding access request from a public authority, including judicial authorities, under the laws of the country of destination, such as to notify the data exporter where it is permissible to do or use its best efforts to obtain a waiver of any prohibition to notify the data exporter under the laws of the country of destination where it is not permissible. Where this is possible, the data importer will also have the obligation to challenge such access request as far as possible under the laws of the country of destination.

In addition to the above, the new SCCs also provide specific examples of 'supplementary measures' to ensure the security of the processing, such as encryption and pseudonymisation, that companies may take if necessary, where the purpose of processing can be fulfilled in that manner.

The Second Set is actually a standard data processing agreement, which covers the appointment of processors under the GDPR, regardless of whether a transfer of personal data outside the EU/EEA is intended.

It is also interesting to note that by including DPA requirements under the GDPR in the new SCCs where the data importer is a processor or a sub-processor, it is no longer necessary to execute separate DPAs. 

4. The EDPB Recommendations

In its judgement in Schrems II, the CJEU avoided providing a definition or guidance as to how an organisation should assess the law of a third country and what "supplementary measures" are or what they include. The European Commission in its implementation decision did not contribute much of an answer to these questions either, so on 10^th of November 2020, the European Data Protection Board, on its own initiative, issued Recommendations on measures that supplement transfer tools to ensure compliance with the requirements of the GDPR.

On 18^th June 2021, these Recommendations where updated, by expanding further on what is essentially a six-step process which involves:

1. mapping the transfers,
2. verifying the transfer tool (e.g. the new SCCs),
3. assessing the law and the practice of the third country,
4. identifying and adopting the supplementary measures,
5. taking any necessary formal procedural steps, and
6. re-evaluating at appropriate intervals the level of protection afforded to the data transferred and monitoring developments.

In particular, according to the updated recommendations, when assessing the law and the practice of the third country, if legislation in the third country formally meeting EU standards is manifestly not applied/complied with in practice or there are practices incompatible with the commitments of the transfer tool where relevant legislation in the third country is lacking, the organization will have to suspend the transfer or implement adequate supplementary measures if it wishes to proceed with it.

If the transferred data and/or importer fall or might fall within the scope of problematic legislation (i.e. impinging on the transfer tool's contractual guarantee of an essentially equivalent level of protection and not meeting EU standards on fundamental rights, necessity and proportionality), in light of uncertainties surrounding the potential application of problematic legislation to the transfer, the organisation may decide to: suspend the transfer; implement supplementary measures to proceed with it; or alternatively, decide to proceed with the transfer without implementing supplementary measures if it considers and is able to demonstrate and document that it has no reason to believe that relevant and problematic legislation will be interpreted and/or applied in practice so as to cover the transferred data and importer.

For evaluating the elements to be taken into account when assessing the law of a third country dealing with access to data by public authorities for the purpose of surveillance, the EDPB European Essential Guarantees recommendations should be taken into account and the organisation should conduct this assessment with due diligence and document it thoroughly. The competent supervisory and/or judicial authorities may request it and hold the organisation accountable for any decision it takes on that basis.

Furthermore, on the matter of identifying and adopting supplementary measures the updated recommendations contain (in annex 2) a non-exhaustive list of examples of supplementary measures with some of the conditions they would require to be effective. As is the case for the appropriate safeguards contained in the Article 46 transfer tools, the recommendations recognise that some supplementary measures (or a combination thereof) may be effective in some countries, but not necessarily in others. Where no supplementary measure is suitable, the organisation must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data.

5. Conclusion: How Imminent Is a "Schrems III" Ruling?

Like the old SCCs under Directive 95/46/EC, the new SCCs are considered to provide appropriate safeguards under the GDPR for the transfer by a controller or processor of personal data processed subject to the GDPR (data exporter) to a controller or (sub-)processor whose processing of the data is not subject to the GDPR (data importer) (CID (EU) 2021/914, Articles 1 and 4).

Furthermore, Clause 2 (a) of the new SCCs provides that these Clauses set out appropriate safeguards, "including enforceable data subject rights and effective legal remedies", so it may be argued that no supplemental measures are needed beyond the new SCCs requirements for the purposes of compliance with the GDPR.

However, while the new SCCs include certain contractual safeguards for the transfer of personal data outside the EU/EEA, they do not resolve all concerns raised by the CJEU in its Schrems II judgement. Although the new SCCs shed some light to certain issues of concern, it is clear that any organizations transferring personal data outside the EU/EEA who wish to rely on them will still need to carry out the relevant risk assessment, implement technical and organizational safeguards to supplement the contractual provisions contained in the SCCs and agree on additional supplemental contractual obligations, where necessary.

With this in mind, the updated EDPB's "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data," become of particular interest and importance to any organisation wishing to rely on the new SCCs to transfer personal data outside the EU/EEA.

There is no doubt that the rapid technological advancements of the modern era and the catalytic effects of Covid-19 on the way we do business and exchange information internationally have taken their toll on one of the last remnants of the late grandfather of the GDPR, Directive 95/46/EC. The brief survival of the old SCCs for no more than 3 years after the introduction of the GDPR proves that no update to a tool for cross-border data transfers, as reliant on technological developments as the SCCs are, can resolve any issues that may arise in the long term. To think otherwise would not essentially differ much from assuming that technology will not be making significant progress in the near future, a rather far-fetched and unrealistic assumption to make under the present circumstances.

Although one may argue that a new CJEU ruling invalidating the new SCCs should only be a matter of time, it should be noted that in contrast to their predecessors under Directive 95/46/EC, the adoption of the new SCCs under the GDPR is just the first step in a potentially complex legal and technical process of legalising data transfers outside the EU/EEA and does not release an organisation seeking to rely on them from all its obligations, as these have been identified by the CJEU in its Schrems II judgement.

It is evident that the spirit of the Schrems judgements will continue to live on in the new SCCs and will remain part of the new EU data protection legal framework in the foreseeable future. On the other hand, the EDPB will play a crucial role in keeping this framework relevant and up to date by providing the necessary guidance to organisations for the effective implementation and application of the new SCCs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.