The devil in the detail
So you started to implement the new standard contractual clauses (SCC) for international data transfers into your new agreements and you have embarked on the long and arduous road of updating your existing contracts. It's a hassle to be sure, but at least you are secure in the knowledge that you are doing everything that can be expected from your company to comply with GDPR in relation to data transfers to third countries that do not benefit from a Commission adequacy decision (a long list that mercifully no longer includes the UK), right?
Indeed, when handing down its Schrems 2 judgment, the European Court of Justice made it clear (para 134 of the Judgment) that the bar of compliance had been elevated above and beyond SCCs for any company contemplating the export of EU based personal data to "non-adequate" third countries:
"It is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses."
Essentially, the Court thus imposed a due diligence obligation on the exporting party to verify whether "supplementary measures" were required to provide assurance on the protection of privacy on top of the appropriate safeguards or derogations listed in Articles 46-49 GDPR. Since then, a lot of ink has flowed on the question of how exactly data exporting companies could comply with this additional standard of care. Help?
EDPB to the rescue?
On June 21, the European Data Protection Board followed up the European Commission's introduction of revamped standard contractual clauses for personal data transfers with its final recommendations on supplementary measures for transfers.
The recommendations feature a six-step "risk-based" process that organizations must follow to map their data transfers and the mechanisms used for them. The process involves an assessment of whether the law and practice of the third country offer protection equivalent to that of the EU, in order to facilitate transfers abroad. If there are gaps in protection and equivalence, the recommendations offer appropriate supplementary measures that can be applied to maintain equivalent protection.
Rather mercifully, with this risk-based approach, the EDPB moved away from its original formula, which only allowed for a strictly objective analysis of the destination country's legal system on data protection.
Instead, the guidance seems to allow certain data transfers to proceed, even where the text of the laws of the importing country does not satisfy EU requirements, based on the careful weighing of certain privacy risk analysis elements, which, next to objective aspects (such as the nature and sensitivity of the data concerned), may even include "subjective" elements such as the data recipient's prior experience with the destination country's authorities. Conversely, taking risk into account could also limit transfers that otherwise might appear lawful on paper, "if there are indications of practices in force in the country that are incompatible with EU law".
The publication of the EDPB's final recommendations, together with the release of the final revised SCCs by the European Commission, marks the beginning of a new era for international data transfers involving EU data.
While companies will undoubtedly welcome the more pragmatic approach of the EDPB in the final recommendations, the fact remains that the new requirements are particularly onerous, and complying with them presents formidable challenges for most companies, exporters and importers alike.