Transfer of personal data outside the EEA - New standard contractual clauses in force and update by EDPB

As of yesterday 27 June 2021, companies can use the European Commission’s long-awaited new standard contractual clauses (“SCCs”) as an appropriate safeguard for transferring personal data to countries outside the European Economic Area (EEA). In addition, on 18 June 2021, the European Data Protection Board (“EDPB”) updated its recommendations on the additional measures that data controllers should take.

1. Recap

Personal data can only be transferred to countries outside the EEA if so-called ‘appropriate safeguards’ are in place and data subjects have enforceable rights and effective legal remedies. Appropriate safeguards may include the use of standard data protection clauses approved by the European Commission. In practice, these SCCs are the most evident transfer mechanism when no adequacy decision exists for the third country concerned. This is the case, for example, for data transfers to the US since the EU–US Privacy Shield was invalidated by the Schrems II judgment (read more on this through this link).

Subsequently, in November 2020, the European Commission published a draft of new SCCs, and the European Data Protection Board adopted recommendations on the additional measures that can be taken when it appears that the legal framework of the third country does not provide equivalent protection (read more on this through this link).

2. New standard contractual clauses

On 7 June 2021, the final version of the new SCCs was published in the Official Journal of the European Union. The new SCCs contain general provisions adapted to the language of the GDPR and also four “modules” that cover different transfer scenarios:

  • Module 1 covers the scenario for transfers from data controllers to data controllers;
  • Module 2 covers the scenario for transfers from data controllers to data processors;
  • Module 3 covers the scenario for transfers from data processors to data processors;
  • Module 4 covers the scenario for transfers from data processors to data controllers.

These modules represent a significant improvement in comparison with the old SCCs, which only covered the first two situations. For transparency of processing, these modules also include the right of data subjects to receive a copy of the SCCs.

Furthermore, the new SCCs contain three annexes:

  • Annex 1 and the so-called docking clause allow multiple parties to join the agreement, which is particularly useful for intra-group data transfers;
  • Annex 2 allows parties to include a list of the technical and organisational measures they have taken to ensure an adequate level of protection within the meaning of the Schrems II judgment. Moreover, the Annex contains some examples as an inspiration (e.g., pseudonymisation, physical security of locations, identification and authorisation of users etc.);
  • Annex 3 allows including a list of sub-processors (to be completed in modules 2 and 3).

Finally the new SCCs include a number of so-called Schrems II provisions on obligations for data importers in third countries when a public authority wishes to access European personal data. 

In terms of timing, the old SCCs only expire on 27 September 2021, so you still have three months from today to choose between the old and new SCCs if you enter into new agreements. For existing agreements, you still have until 27 December 2022 to replace the old SCCs with the new SCCs, but nothing prevents you from making this update today.

3. Update recommendations of the European Data Protection Board

Even when companies use the new SCCs, as a result of the Schrems II judgment, they still need to verify whether these appropriate safeguards are effective in view of the privacy legislation in the third country concerned (and take additional measures if the appropriate safeguards prove to be ineffective). The European Data Protection Board updated its Recommendations No. 01/2020 in this regard on 18 June 2021, providing additional clarification, in particular, to guide the assessment of the third-country legislation (data transfer impact analysis):

  • In your assessment, you should pay specific attention to any relevant laws laying down the requirements to disclose personal data to public authorities or granting such public authorities powers of access to personal data (e.g., criminal law enforcement, national security etc.);
  • The requirements or powers arising from such legislation are considered to impair the effectiveness of the appropriate safeguards and thus to be “problematic” if (i) they do not respect the essence of the fundamental rights and freedoms of the EU Charter of Fundamental Rights, or (ii) they exceed what is necessary and proportionate in a democratic society to safeguard important public interest objectives of the EU or of a Member State, such as national security, defence, public security, prosecution of criminal offences etc;
  • Your assessment should be based first and foremost on publicly available legislation, but in addition you should also take into account practices in the third country:
    • If the relevant legislation is lacking or formally provides sufficient protection but is not applied in practice, then the data transfer should be suspended or supplementary measures should be implemented;
    • If the relevant legislation is problematic, but you have no reason to believe that the relevant legislation will be applied in practice, then you may decide to proceed with the data transfer without taking supplementary measures. The assessment that the legislation is not applied in practice should then be documented in a detailed report in which you have to explain, among other things, the internal procedure to produce the assessment (e.g., involvement of lawyers or other consultants). This report should be endorsed by the company’s legal representative;
  • The assessment of the legal framework should focus on the legislation and practices relevant to the protection of your specific data transfer and is therefore not intended to analyse the entire privacy legislation of the third country in general terms;
  • Your analysis should take into consideration all possible actors participating in the data transfer (data controllers, processors and sub-processors processing data in the third country);
  • It is the responsibility of the data importer (i.e., the entity in the receiving country) to provide all relevant sources and information to the data exporter. These sources and information should be “relevant, objective, reliable, verifiable and publicly available”;
  • It is possible to consider the data importer’s practical experience with relevant prior instances of requests for access received from public authorities. However, the absence of prior instances of  requests cannot by itself be a decisive factor that allows the transfer to proceed without supplementary measures;
  • You should properly document your assessment, as the national supervisory authority (in Belgium, the Data Protection Authority or DPA) may request you to show your documentation and hold your company accountable for the decisions made on the basis of the assessment;
  • Finally, the EDPB emphasises that the exceptions under Article 49 GDPR (including transfers that are necessary for the conclusion or performance of a contract, or transfers that occur on the basis of the explicit consent of the data subject) can only be applied on an occasional basis and can therefore not be used to escape the obligation to carry out an assessment of the legislation in the third country.

Action point

As of today, make sure that you use the new version of the SCCs when you enter into a data processing agreement or when you make changes to your existing agreements. Note that, by 27 December 2022, all old SCCs in existing agreements will have to be replaced.

In addition, make sure that you conduct a well-documented analysis of the legislation in the relevant third country and, if necessary, take additional measures before proceeding with the data transfer via the SCCs (or other appropriate safeguards). For this data transfer impact analysis, you should take into account the updated recommendations of the EDPB.

The Claeys & Engels Data Protection team is ready to help you with any questions you may have about your transfer policy.