Data Protection Report - Norton Rose Fulbright

On 12 November, the European Commission published revised Standard Contractual Clauses (SCCs) and a draft implementing decision.  A feedback period on the draft documents will run until 10 December.  Therefore, it is not possible to give a precise date for when the draft SCCs will become final but it could be by the end of the year.

The new SCCs aim to modernise the clauses in line with the GDPR and to cover a multitude of different types of transfers to cater for “the complexity of modern processing chains”.  The clauses also aim to “provide for specific safeguards, in particular in light of the case law of the Court of Justice”, i.e. the Schrems II case.

On 11 November, the European Data Protection Board (EDPB) published its much anticipated guidance on the Schrems II judgment.

The guidance comprises two documents:

  1. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (the Supplemental Measures Recommendations); and
  2. Recommendations 02/2020 on the European Essential Guarantees for surveillance Measures (the EEG Recommendations).

The Supplemental Measures Recommendations contain a six step road map that organisations should follow when considering the legality of their data transfers outside of the European Economic Area.  In particular, they provide guidance on what measures may “supplement” the use of  data transfer tools, such as the SCCs if, after a “case-by-case assessment”, the data exporter does not believe that the transfer tool on its own ensures an appropriate level of protection for personal data.  These measures include:

  • technical measures such as encryption, pseudonymisation and split processing
  • contractual measures such as requiring the importer to use specific technical safeguarding measures, providing transparency reports, enhanced audit rights or commitments to notify the exporter continually that it has not received a government access request until and unless it has (i.e. a “warrant canary”); and
  • organisational measures such as internal policies for governance of transfers with clearly defined responsibilities.

The Supplemental Measures Recommendations document is open for public consultation until 30 November 2020, but is applicable immediately.

The EEG Recommendations complement the Supplemental Measure Recommendations.  These recommendations provide guidance on whether interference by public authorities to access personal data for criminal law enforcement, regulatory supervision and national security purposes impinges on the effectiveness of data transfer tools.

The Chair of the EDPB said: “The implications of the Schrems II judgment extend to all transfers to third countries. Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as this would be ignoring the wide diversity of situations data exporters face.”

These documents will have a significant impact on transfers from the EEA and UK. We will be providing a further post in due course.