In an earlier article [citation] I looked at the “Schrems II” decision of the ECJ and its impact on how organisations transfer data between the EU/EEA and third country jurisdictions where there is no adequacy determination in their favour.
The core data protection legislation in the EU is the General Data Protection Regulation (EU/2016/679). This applied in the United Kingdom directly until the UK left the European Union and the transition period expired on 31.12.20. Since that date, the “GDPR” has, in the UK, been referred to as the “UK-GDPR”.
Initially the text of the “UK-GDPR” has remained identical to the “GDPR” save that, as I mentioned earlier, certain provisions of EU law have ceased to have effect. Most importantly the Charter of Fundamental Rights has ceased to apply in the UK which is likely, I believe, to mean that UK courts are more likely to diverge from their EU counterparts on certain important aspects. As stated previously, any reference to the “rights and freedoms of the data subject” in the “GDPR” represents Charter Rights which can no longer be taken for granted in the UK.
What happened after Schrems II?
Well, quite a lot has happened. There have been several complaints (including one made by Mr Schrems himself) about the performance of the DPC in Ireland in respect of progressing complaints. These don’t move the law forward much save that subsequently it seems that the DPC is under more pressure to advance investigations that have been only making slow progress. This article is not, however, about the DPC.
Anecdotally it seems that some organisations may still be erroneously relying on Privacy Shield to transfer data from the EU/EEA to the USA which is entirely unlawful and somewhat troubling.
Following the Schrems II decision, a number of organisations which had previously been relying on Privacy Shield for data transfers between EU/EEA and the USA adopted standard contractual clauses (SCCs) as at least a stop-gap measure.
On 04.06.21 the European Commission published revised SCCs.
Those organisations which rely on SCCs will have to re-incorporate them into existing contracts or amend the contracts to include them unless they have previously agreed that any new SCCs published will be deemed to be included and agreed by all parties notwithstanding that there is a part of the SCCs which requires to be completed by the parties detailing their specific circumstances.
Quick analysis of the updated SCCs
The key clauses with respect to the Schrems II decision are Clauses 14 and 15 which deal respectively with the “Local laws and practices affecting compliance with the Clauses” and “Obligations of the data importer in case of access by public authorities”.
These clauses require some serious consideration by the parties to the SCCs, especially in the light of Schrems II (and, for that matter, in light of Schrems I) which will no doubt be the subject of considerable interest from those active in the field.
Just as a taster (because the whole document needs to be considered carefully before being implemented) clause 14(a) provides that:
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
The term “have no reason to believe that the laws and practices… prevent the data importer from fulfilling its obligations.” seems to be rather vague. Reading this clause in the light of the Schrems II decision it seems to me that there is a significant difference between finding “no reason to believe” and the anxious enquiry (my reading flowing from pp 141,142) that is called for in the judgment in Schrems II. For this reason alone I fear that these SCCs will be the subject of challenge from those concerned with data subject rights.
In any event, for a party to rely on this clause, it seems to me that more than a cursory investigation is required which raises the cost of the implementation of the SCCs from very low (pre Schrems II) to at least moderate as it now requires significant input from legal counsel in multiple jurisdictions.
Clause 15.2 covers “Review of legality and data minimisation”:
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
It seems to me that 15.2(b) requires the data importer to waive legal professional privilege on its assessment of a third country application for disclosure. If there is no application for disclosure but, rather, merely a statutory obligation to give third country security services (for example) access to the data then the clause does not apply at all (as it only applies to requests from a competent judicial authority). This is likely to give rise to further challenges from those concerned with data subject rights as it would fall foul of the decision in Schrems II. In effect, SCCs cannot be valid where third country laws permit authorities to access data in a manner which would breach data subjects’ rights under the GDPR and the Charter.
Position in the UK
Given that the UK has now left the European Union, the question of Charter Rights does not exist for a data subject based in the UK. One can envisage a circumstance where GDPR compliant SCCs are in place but the same rights are not enforceable by a UK based data subject owing to the non-applicability of the Charter post “BREXIT”. This is very hypothetical but is a matter that ought to be borne in mind when data is shared with an entity in the UK (from the EU/EEA) and thence beyond.
To that end the ICO in the UK has issued two new documents. The first is a wholly new set of SCCs centred on UK data protection law and completely different to the EC’s SCCs. This would really only be useful for a UK data controller which is sending data outside of the UK to a country which is not the beneficiary of a UK granted adequacy determination in its favour. The second is an addendum to be incorporated to the EC’s SCCs to cover the position under UK law.
The new UK SCC refers to “Appropriate Safeguards” in place of the concept of “essential equivalence” but places similar requirements on the third country party to those set out in the EC’s SCCs. See in particular clauses 8.3 and 8.4.
The addendum sets our certain replacements (e.g. EU law replaced by UK law) and excludes the effect of certain clauses but, notably, not clauses 14 and 15 mentioned above.
What remains to be seen (and which will require a challenge to be made) is whether the absence of Charter Rights for data subjects in the UK causes problems for the data controllers implementing these SCCs (either the EC SCCs with the addendum or the UK’s SCCs). The position is nevertheless, it seems, that data controllers in the UK will have to consider carefully how to incorporate these safeguards into their international data transfer agreements taking into account the location of the data subjects whose data they have custody of.
Binding Corporate Rules
As mentioned previously, Binding Corporate Rules were not considered by the Court in the Schrems II decision. Impliedly the same constraints should apply to those organisations which use BCRs to transfer user data outside of the EU/EEA to third countries which are not the beneficiaries of adequacy determinations in their favour. Whether organisations which are using BCRs are now furiously amending them is unclear. In my view they should be looking very carefully at the position.
The post-Schrems II SCCs are not a panacea. Implementing them (either as an EU/EEA based data controller or as a UK based controller) incurs a higher than previous burden on the data controller to ensure that the destination state has adequate protection and that aggrieved data subjects can avail of remedies equivalent to those which he or she would have been able to obtain had the data remained within the home jurisdiction.
Now that the burden on data controllers to verify the legal safeguards available in destination countries has been made clear, all destinations covered by SCCs, save where an adequacy decision is in place, remain open to challenge. A careful review of the use of SCCs would be prudent to any destination where there is no adequacy decision in place.
Further, while not included expressly in the CJEU judgment and, as a result, remains untested, the use of binding corporate rules remains open to a challenge. There is now a new burden on the sending data controller to ensure that the intention behind the BCRs is supported by the laws of the receiving jurisdictions in a manner similar to that set out clearly in the updated EC SCCs.
Ian Beeby, barrister