New SCCs solving the Schrems II hurdle? Hardly.
Last week, the EDPB and EDPS made public joint opinions on two sets of standard contractual clauses (SCCs). One opinion on the SCCs for contracts between controllers and processors in the EU/EEA and one on the international SCCs for the transfer of personal data to third countries. The latter is the most interesting. The new SCCs will replace the existing SCCs for international transfers that were adopted on the basis of Directive 95/46. The new international SCCs will of course take the requirements in the GDPR into account, and the consequences of Schrems II judgement as well. As Schrems II invalidated the Privacy Shield, but not the SCCs, this modernization of the SCCs is very important.
By Eva Jarbekk
Transfers to third countries
But will it really make transfers easier to third countries? In order to answer that question, do note that it be absolutely clear that the exporter is given a responsibility to ensure a proper level of protection in the receiving country.
This means that your company, as an exporter, must assess if the recipient country has essentially equivalent privacy legislation as in EU/EEA. Just using the SCCs will not ensure compliance in itself.
Then - let's have a look at how the EDPB and the EDPS believe this may be done. In practise, some of the relevant criteria for the assessment is now clarified in the SCCs. The EDPB and EDPS have extensive comments on how this is done and they recommend that many provisions should be changed in the draft international SCCs.
The most important comment may be this:
"..the EDPB and the EDPS also recall that in the Schrems II ruling, the CJEU did not refer to any subjective factor such as the likelihood of access, for instance. The mere fact that the data are comprised within the scope of a third country legislation that allows access to data by public authorities without specific essential guarantees (as recalled in the EDPB Recommendations 02/2020 on the European Essential Guarantees for surveillance measures 31 ) would amount, per se, to considering that such access will possibly take place, without the need to rely on any practical experience in this regard or absence of requests for disclosure from public authorities received by the data importer. The current drafting of Clause 2(b)(i) can therefore be misunderstood as it might be read as permitting data to be exported if the data importer has not yet received any order to disclose personal data, even if it is subject to local laws permitting such orders. It could also be understood to allow continuing the transfer where the data importer is simply not permitted to inform the data exporter in this respect due to a gag order. Furthermore, assessing these kinds of subjective factors (likelihood of access) in practice would prove to be very difficult and hardly verifiable." , para 87 and 88, page 19.
This means that the data exporter cannot use a "risk-based" approach on whether the data in question may be accessed by a third state – it is the legal possibility of such access that is relevant. Interesting – and it becomes more interesting:
They even suggest that the assessment of the legislation in the receiving country should be attached to the SCC itself:
"In order to avoid that the parties merely agree to document the above-mentioned assessment without doing so in practice, the EDPB and the EDPS recommend to add an annex to the Draft SCCs to require the parties to document, prior to the signature of the contract, this assessment led under Clause 2 (i.e., the assessment of the third country’s legislation and practices in the light of the circumstances of the transfer). This would help to achieve that the Draft SCCs will be correctly used, as an explicit annex would point the data importers and data exporters to the necessity of this assessment. ", para 89, page 20.
This would absolutely be a gain for privacy and most likely also open a market for such assessments.
Further, the EDPB and EDPS recommend controllers to consider what supplementary measures they will take for the transfer. They also recommend the European Commission to include an explicit reference to the final version of these recommendations on supplementary measures. They write:
"Under Clause 2(f), the Draft SCCs provide for the consultation of the competent supervisory authority (“SA”). As underlined in the EDPB Recommendations on supplementary measures, “when you intend to put in place supplementary measures in addition to SCCs, there is no need for you to request an authorisation from the competent SA to add these kind of clauses or additional safeguards as long as the identified supplementary measures do not contradict, directly or indirectly, the SCCs and are sufficient to ensure that the level of protection guaranteed by the GDPR is not undermined.
Indeed, it is the responsibility of the data exporter, with the assistance of the data importer, to identify those measures. This is in line with the principle of accountability of Article 5(2) GDPR, which requires controllers to be responsible for, and be able to demonstrate compliance with the GDPR principles relating to processing of personal data. This was emphasized by the CJEU in its Schrems II ruling 33 , and recalled in the EDPB Recommendations on supplementary measures." para 90 and 91, page 20.
This makes it absolutely obvious that the EDPB and EDPS foresee that data exporters and importers must carry out a detailed assessment of all transfers, particularly on the legal and technical safeguards put in place. In the press release of the comments,
Wojciech Wiewiórowski, the EDPS, said in the press release:
“Given our practical experience, we have made these comments to improve these SCCs with a view to fully ensure that personal data of EU citizens is afforded an essentially equivalent level of protection when transfers to third countries take place. We believe these suggestions and amendments are crucial in order to achieve these aims in practice.”
Regarding onward transfers, their comments suggests that one should include a duty to for an importing controller to notify an exporting controller of an onward transfer. And it should be clarified how a receiving processor may become a signatory to the SCCs, a very sensible comment from the EDPB and EDPS.
Conclusion - New SCCs – a Schrems II silver bullet? Hardly.
There is much, much more to be said on the new international SCCs and we will revert to them. But for now – do note that they are no silver bullet to the challenges after Schrems II. Rather the opposite – the comments from the EDPB and the EDPS really underline that they have the will and determination to make sure the principles following Schrems II are upheld.