International transfers of personal data in a nutshell

Many recent developments, one structured overview

June 2021 has been a very active month in the matter of international transfers of personal data.

In this blogpost we will give an overview of these developments with a short explanation as well as a more structured overview of the various requirements when dealing with transfers of personal data from the EEA to a third country.

Overview of recent developments

1. Adequacy decision for the UK

With the BREXIT transition period for the UK terminating on 30 June 2021, the GDPR will no longer be applicable in the UK and the latter will become a third country.

On 28 June, the EC adopted an adequacy decision for the UK, as such deciding that the legal framework in the UK continues to be based on rules offering an equivalent level of protection for personal data, just like when the UK was a Member State of the EU.

As a consequence, personal data can continue to flow freely between the EU and the UK after 1 July 2021, without having to implement SCCs or similar protection measures under article 46 of the GDPR.

The adequacy decision is valid for a period of 4 years to begin with and can be extended depending on how the legal situation in the UK further develops.

2. Adequacy decision for South Korea

On 16 June 2021, the EC adopted the draft adequacy decision for South Korea and launched the process for its adoption, concluding that South Korea ensures the essentially equivalent level of protection to that guaranteed under the GDPR.

Upon formal adoption of the adequacy decision, South Korea will be a safe third country for which no article 46-measures will have to be implemented. As a consequence, personal data will be able to flow freely between the EU and South Korea after the formal adoption date.

3. New standard contractual clauses

On 4 June 2021, the EC adopted the new standard contractual clauses for transfers of personal data to third countries (outside the EEA) under the GDPR. You will read more on the new SCCs further in this blog. The new SCCs replace the old SCCs that were adopted under Directive 95/46/EC.

4. Model data processing agreement

On 4 June 2021, the EC also adopted a model agreement for processing of personal data by a processor on behalf of a controller in the EEA. If you would like to know more about the scope hereof and the advantages of using this template, we propose you read our previous blogpost).

5. Final version of the EDPB recommendations for international data transfers

On 18 June 2021, the EDPB launched the final version of its recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. The recommendations are intended to help data exporters in lawfully transferring personal data to third countries outside the EEA by ensuring an equivalent level of protection to the personal data transferred.

Compared to the draft recommendations from November 2020, the EDPB added emphasis for some  specific aspects to be dealt with in the transfer impact assessment (TIA). More specifically, the TIA should:

• not only assess the law in the third country but also the practices of public authorities in that country. This  should help to determine whether the legislation and/or practices of the third country impinge on the effectiveness of the chosen transfer tool under Article 46 of GDPR. Here, it could well be that the law is very stringent but enforcement is reasonable or entirely lacking.
• consider the practical experience of the data importer, among other elements and with certain caveats.

In addition, the EDPB stated that the recommendations may be used in relation to the new SCCs to check the local laws and practices affecting compliance with the SCCs and the possible need to implement supplementary measures.

6. Coordinated enforcement action by German supervisory authorities

German data protection authorities started taking joint action to enforce "Schrems II” by examining data transfers to third countries all over Germany. They do this by sending questionnaires of 5 to 10 pages in order to obtain a good understanding of how organisations comply with the international data transfer requirements. We expect supervisory authorities in other Member States to take similar enforcement actions sooner or later.

General requirements for international data transfers

Three steps and accountability

First step: legal basis

As with any international data transfer, the first step should always be to make sure that

• the controller is relying on a proper legal basis for the transfer to a third country (e.g. contract performance, consent, etc.) and
• all other principles of necessity and proportionality are met. 

Second step: transfer mechanism

Transfers of personal data to non-adequate third countries outside the EEA need an appropriate and valid data transfer mechanism under Article 46 (1) and (2) (c) GDPR. The new SCCs are such a valid transfer mechanism but not the only one. Binding corporate rules could, for example, also be a valid transfer mechanism within multinational organisations. In some cases they may even be more interesting, because their approval by supervisory authorities entails an assurance about the protection level in the third country.

Since the GDPR, the question regularly arose whether the SCCs are even needed if the data importer is already directly subject to the GDPR under article 3(2) thereof. The SCCs seem to suggest in their considerations that this is not the case. The EDPB is expect to bring further clarification in this respect. But even if no SCCs are needed for this scenario, there would still be a transfer of personal data requiring to consider the third step described hereafter.

Third step: supplementary measures?

Relying on the SCCs is not sufficient since we have the Schrems-II judgment, the EDPB guidance of 18 June 2021 and the (draft) new SCCs.

Organisations wanting to rely on the SCCs have an effective legal obligation to do a mapping exercise and an impact assessment of their data transfers to answer the question:

• does the legislation, case law and jurisprudence in the third country adopt equivalent protection as in the EEA; or
• should supplementary measures (contractual, legal and/or organisational) be adopted? Particular attention should be given to sensitive data (Clause 8.6 of the new SCCs).

Overall accountability

All efforts with regard to fulfilling the requirements for international data transfers should beproperlydocumented as part of the overall accountability obligation under the GDPR.

As part hereof, data exporters should always begin with a due diligence on the data importers they will rely on: will this party be able, through the implementation of adequate TOMs, to satisfy the obligations laid down in the SCCs (Clause 8)?

Novelties compared to the old SCCs

1. Multi-party approach

The new SCCs allow for more flexibility because

• multiple parties can sign up and
• parties can adhere at a later stage (the so-called docking clause).

2. All possible transfer relationships

The new SCCs offer 4 constellations:

• controller-to-controller
• controller-to-processor
• processor-to-controller and
• processor-to-processor.

3. Modular approach

The new SCCs offer a modular approach, making it possible

• to integrate them (unchanged) into a larger contract and
• to add other clauses, in order to better tailor the parties’ obligations to their roles and responsibilities in relation to the data processing in question.

The old SCCs were more rigidly drafted as stand-alone agreements for specific transfer constellations only.

4. Guidance for Schrems-II obligations

The new SCCs incorporate elements from the Schrems-II judgment, which required additional safeguards to ensure surveillance activities from a third country do not impair data subjects rights. The SCCs (in particular the Annex relating to TOMs to ensure security of the data) provide TOMs related criteria to be taken into account by the data exporter:

• pseudonymisation and encryption of personal data;
• ensuring CIA and resilience of processing systems and services;
• access and availability of personal data;
•  protection of personal data during transmission and storage;
• user identification and authorisation;
• physical security;
• logging of events;
• data minimisation;
•  limited retention time of personal data.

Data exporters must document their transfer impact assessment (considering also the circumstances of the transfers and the laws and practices of the non-EEA third country) and provide such assessment upon request to the competent supervisory authority.

5. Data processing agreement

The new SCCs integrate the controller-to-processor and processor-to-sub-processor obligations resulting from article 28 GDPR, as such making a separate data processing agreement redundant in the context of international data transfers.

In assessing the appropriate level of security, the parties should take due account of:

• The state of the art;
• The costs of implementation;
• The nature, scope, context and purpose(s) of processing;
• The risks involved in the processing for the data subject.

The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

The data importer must perform regular checks to ensure a continued adequate security level.

6. Enhanced data subject rights

Data subjects can enforce a number of provisions laid down in the new SCCs against both the data importer and exporter.

7. Onward transfers

In case of onward transfers by the data importer the latter must comply with all safeguards of the SCCs (in particular also the purpose limitation).

8. Government requests

Under the new SCCs, data importers will have to

• notify the data exporter in the EAA of all disclosure requests it receives from public authorities in the third country, not just law enforcement authorities;
• check under local law and principles of international law if the request appears lawful;
• challenge the request if it appears unlawful.

9. Breach notifications

The data importer (both the controller and the processor in the third country) should notify the EEA-based exporter and the competent supervisory authority of any personal data breach (accidental or unauthorised access to the data). The affected data subjects must also be notified if there is a likelihood of a high risk for them.

10. Entry into force of the new SSC’s

The new SCCs were published on 4 June 2021 and enter into force on 27 June 2021.

Until 27 September 2021, organisations can still enter into the old SCCs. The old SCCs can be relied upon until 27 December 2022.

Main takeaways

Do you have a specific question or would you like support in this matter? We are happy to help. In that case, please contact a Timelex attorney.