Transferring personal data from the European Economic Area (EEA) to third countries safely has been a hot and fast-evolving topic for years.
The General Data Protection Regulation (GDPR) establishes the free movement of personal data within the European Economic Area (EEA). However, the protection granted to personal data within the EEA must travel with the data no matter where the data goes.
Data exporters in the EEA and data importers in third countries must apply a transfer mechanism and use the safeguards set out in the GDPR in order to ensure an adequate level of personal data protection.
Transition to new standard contractual clauses required by 27 December 2022
Among these transfer mechanisms are standard contractual clauses (SCCs) – model data protection clauses pre-approved by the European Commission. Companies whose business activities involve transferring personal data to third countries can include SCCs in their contractual arrangements with data importers and rely on them as a mechanism for GDPR-compliant data transfers.
On 4 June 2021, the Commission issued new and modernised SCCs for data transfers to third countries (available here). Now, the deadline for replacing old SCCs with the new SCCs is approaching: by 27 December 2022, all companies using the old SCCs must replace them with new SCCs, irrespective of when the data transfer agreements were concluded.
A breach of this obligation may lead to enforcement by data protection authorities and may result in significant fines. Therefore, it is time for companies to update their existing data transfer agreements, and to ensure that the new SCCs do not go unnoticed when negotiating new agreements with business partners.
Additional impact assessments are still needed
Nevertheless, the SCCs alone may not be enough: on 16 July 2020, the Court of Justice of the European Union issued the so-called Schrems II judgement (see our previous article). In Schrems II, the court emphasised that data exporters must carry out a case-by-case assessment of third-country laws that could violate privacy rights.
For this, the parties, before entering into SCCs, must conduct a “data transfer impact assessment” to verify whether the laws and practices of the third country of destination could hinder the data importer from complying with the SCCs.
In case of such a risk, supplementary measures may be necessary, such as technical security measures or contractual safeguards to prevent the high level of data protection under the GDPR from being compromised. If the additional safeguards are not enough to ensure a level of personal data protection equivalent to the GDPR, the transfers should be suspended.
To assist data exporters and importers in carrying out a nuanced analysis of this kind, the European Data Protection Board has adopted recommendations with step-by-step instructions which can be found here.
Transferring personal data to the United States
The line of analysis described above must be followed irrespective of the third country to which the data is to be transferred. However, data transfers to the US have received the most attention because companies often have suppliers or service providers based in the US.
In Schrems II, the court clearly indicated that in most cases, the use of SCCs alone may not be sufficient to transfer personal data to the US. The court pointed out that US national security laws that utilise the mass, indiscriminate or warrantless collection of data expose EU citizens’ data to privacy intrusions (such as EO 12333, FISA § 702, PPD-28, and the USA PATRIOT Act).
Companies should evaluate whether their data is particularly vulnerable to disclosure under US national security laws. While national security laws implicate all data, a company selling dual-use technology, for example, might be particularly at risk. Similarly, companies that transfer telephony data should assess the USA PATRIOT Act § 215, which automatically makes copies of transferred data available to governments upon a court order.
Checklist for data transfers outside of the EEA
If your company transfers personal data to third countries (e.g. by using service providers outside of the EEA), you should:
- Verify that the transfers are subject to an appropriate data transfer mechanism under Chapter 5 of the GDPR.
- If you use SCCs as a transfer mechanism, verify that the SCCs being used are the newest sets. If not, replace the old SCCs with new ones by 27 December 2022.
- Conduct a data transfer impact assessment to verify whether the laws and practices of the third country of destination could hinder the data importer from complying with the SCCs. When conducting the assessment, particular attention should be paid to the following:
  - Assessing industry and data type risks and agency regulation (i.e. dual-use producers’ data might be more prone to US inquiries);
  - Searching for exceptions to warrants and other instances of mass or indiscriminate data collection. For transfers to the US, pay particular attention to EO 12333, FISA § 702, PPD-28, and the USA PATRIOT Act;
  - Using various sources at each step of due diligence (including government, non-governmental organisation and academic sources);
  - Documenting the assessment of all applicable laws (remember that national security laws are theoretically applicable to all data).
- Put in place supplementary measures that provide additional data protection if risks are found. If such supplementary measures are not sufficient, suspend the transfer.
- If there is no reason to believe that the third-country legislation is problematic or that the problematic legislation will be applied, document the reasons for this conclusion without taking additional measures. Companies that believe that current US national security laws do not threaten their data should refer to the rationale used in the Schrems II response White Paper from the US Department of Commerce, the Department of Justice and the Office of the Director of National Intelligence.