2020 was a turbulent year for the entire world for obvious reasons, but also specifically when it comes to GDPR the year did not go unnoticed. Anyone who has followed our blog in the past year has undoubtedly noticed that many companies throughout Europe have been fined, sometimes very high. Google, Amazon, Marriott, Ticketmaster, H&M, British Airways, Vodafone, … The list of names of companies that ran into difficulties is quite impressive. Moreover, there was a lot of fuss about the impact of the Planet 49 judgment and last summer also the Schrems II judgment.
At almost literally the very last minute, 2020 brought two more important novelties that we did not want to keep from you at the start of the new year: Brexit is a fact and against all odds a Brexit deal was found, which also includes data exports to the UK and in addition, but in the same sphere of data export, the European Commission published its long-awaited draft version of the new Standard Contract Clauses for data export outside the EEA. We summarize both briefly below.
The impact of the Brexit deal on data export
It seemed like The never-ending story, but at the very last minute, the EU and the UK have finally reached an agreement on (the broad outlines of) their cooperation after Brexit. This agreement also includes one short passage on data protection and data export between the UK and the EU.
After all, from 1 January 2021, the UK will be a ‘third country’ under GDPR. We explained earlier that without a Brexit deal that would mean that the UK would suddenly have to be equated with Russia or China in terms of data exports, since the UK cannot automatically be included in the list of “safe” countries, which are considered to offer an equivalent, adequate data protection level as the EU itself. That would mean that anyone sending data to the UK would have to start working on the implementation of the necessary alternative safeguards for data export. In most cases this would mean that agreements would have to be provided on the basis of the Standard Contract Clauses of the European Commission, possibly supplemented with the necessary additional guarantees in the light of the Schrems II judgment. In addition, existing Binding Corporate Rules would have to be replaced if approved by the UK ICO (which is no longer a European data protection authority) and many UK companies would have to appoint a representative in the EU.
Fortunately, the Brexit agreement remedied this at the last minute in the form of a commitment on the part of the EU to quickly grant the UK an adequacy decision and, in the meantime, to grant the UK temporary adequacy for a period of up to six months. As a consequence the UK can, at least for the time being and pending formal recognition, be considered a safe third country. The agreement works in both directions, so also for data that flows from the UK to the EU. Data exchange with the UK can – for the time being at least – continue undisturbed and without further legal or administrative intervention.
There is one small reserve for now: although the Brexit agreement has been provisionally in force since January 1, 2021, it still needs to be formally approved by the European Council and the European Parliament before it can be ratified and fully implemented. The deal also has to be approved by the British Parliament. If the agreement is still not approved, the previously foreseen problems regarding data exchange after Brexit threaten to emerge soon …
New Standard Contract Clauses
Just as long awaited as the Brexit deal were the new versions of the Standard Contract clauses for data export outside the EU. After all, the old versions were not aligned with the terminology from the GDPR and were very clumsy to use. Moreover, the Schrems II ruling made it clear last summer that the existing SCC’s are insufficient as a legal basis for data export outside the EEA (the EU, expanded with Norway and Liechtenstein). The European Commission has therefore been working on an update of the existing contract clauses for a long time.
In the meantime, on November 12, 2020, the European Commission has made its proposal for modified and supplemented SCC’s public for consultation. The envisaged consultation period has ended shortly before Christmas. The European Commission is now processing the received feedback in its final versions and is also awaiting, among other things, the final advice from the EDPB on appropriate additional safeguards for data export (following the Schrems II judgment). The intention of the Commission is to immediately encapsulate those safeguards in the SCC’s contractually, in order to ensure smooth and secure data exports outside the EEA based on the new SCC’s without any additional hassle.
The Commission provides for a transition period of 12 months for companies from the date the final version will be made public to implement the new SCC’s. Anyone who exports data on the basis of the old SCC’s or on the basis of the Privacy Shield that has since been annulled should therefore keep an eye on the Commission website.
The new (for now draft) SCC’s have a modular structure. There is one central version of the SCC that can be adapted based on additional text modules to cover four hypotheses:
- Exchange between two (or more) controllers
- Transfer from a controller to one (or more) processors
- Transfer from a processor to one (or more) more) (sub) processors
- Transfer from a processor to one (or more) controllers
The draft SCC’s focus much more than before on transparency, no doubt prompted by the Schrems II judgment. For example, when transferring from controller to controller, the data importer must provide a lot of information to the data subjects (directly or through the data exporter), such as the identity of the data importer and details of the intended processing.
The draft SCC’s also contain the obligation to sign a corresponding SCC with the receiving third party in the event of further data transfer by the data importer to such third party or to provide another sufficient legal basis.
The SCC’s also provide by default a guarantee by the data importer that no local law will affect his obligations as a data recipient. To this end, the parties must prepare an impact assessment in advance precisely to verify the possible impact of local legislation. In addition, the data importer must immediately notify the data exporter – and, if possible, data subjects – of access requests by local authorities and, for example, also to take appropriate legal action against illegal access requests.
The SCC’s also receive an extensive appendix this time. Concrete additions are expected by the European Commission with minimal technical and organizational measures to protect data during export. These additions will be based on the final advice of the EDPB on exactly those measures that will be published soon and that will be followed up on the Schrems II judgment.
The modernization of the Standard Contract Clauses is a step forward in terms of smooth data export outside the EEA, but the fear remains that this will not be sufficient in the long term. Most lawyers are anxiously looking forward to another Schrems judgment, which would this time around be directed against the SCC’s instead of the Privacy Shield like last year. After all, the underlying problem remains the same: no contractual or structural agreement can provide certainty about data security outside the EU. Foreign security services have widespread access, legal or otherwise, to European data and recipients outside the EEA can never guarantee that this could be prevented, even with new and stricter SCC’s …
Nevertheless, you should most certainly give priority to the implementation of the new SCC’s as soon as possible once they are final. We have already explained in a number of webinars (of which the recording is available on our YouTube channel) and on our website (with a handy questionnaire that you can send to partners outside the EEA to estimate whether the data you exchange with them is processed safely and correctly).
Questions about international data transfers or about GDPR in general?