Introduction
Following the CJEU Schrems II court ruling, WLC focuses on a series of aspects relating to the ruling and its implications. In this article, we examine the legal basis requirement and why the European Commission’s Standard Contractual Clauses, otherwise known as the Model Clause or SCCs, are still alive – and what you need to be aware of when applying them.
Obviously, before transferring personal data out of the European Economic Area (EEA), a data exporter must ensure that there is a legal basis for said transfer. The first legal basis that an exporter may be able to rely on is an adequacy finding from the European Commission in accordance with GDPR Article 45 (1). The full list of ‘adequate’ countries can be found here.
Following the invalidation of the EU-US Privacy Shield and the European Commission’s failure to assess the adequacy of the framework, data exporters are now forced to look for new ways to base their transfer of personal data to the US if they previously relied on Privacy Shield.
Article 46 presents most of the data transfer possibilities for the exporters where an adequacy finding does not exist. While we are waiting for certification mechanisms and code of conducts to be approved for use, we are essentially left with the SCCs; and if the data transfer is to an intra-group organization, you may also seek out the Binding Corporate Rules (BCRs) and the procedure prescribed in Article 47.
Standard Contractual Clauses
The SCCs date back to a former European data protection law, the Directive 95/46, and have – even with references to 95/46 – survived the entry into force of GDPR. There are 3 types of SCCs; one model contract for transfers from an EEA-controller to another non-EEA controller, and two contracts for transfers from an EEA controller and on to a non-EEA processor.
The fundamental idea of the SCCs is to introduce an agreed level of protection between the contractual partners, as the data exporter and the data importer, to address circumstances where the country of the importer does not offer an adequate level of protection (a ‘third country’). The commonly held opinion was that concluding SCCs would always provide a clear legal basis for the transfer of personal data to the third country, irrespective of the legislation in that country.
This idea of SCCs as a silver bullet was already dealt a blow with Schrems I, C-362/14, with the formulation of the “Essential Guarantees”, and effectively perished on 16 July 2020 with Schrems II.
The issue is highlighted, albeit to an extreme, by the referring Irish High Court in Schrems II in asking whether SCCs are valid at all given that the contract is binding on the exporter and importer only, but not the importer’s government authorities, and thus does not take local law into consideration.
The SCCs are valid, as we know. However, as the CJEU points out, they are “solely intended to provide contractual guarantees that apply uniformly in all third countries […] and consequently, independently of the level of protection guaranteed in each third country”.
Thus, SCCs can be used as the basis for your data transfer with the possibility of having additional safeguards to supplement the protection, and thus, ensure a high level of protection. In order to decide which additional safeguards to introduce, an assessment of the particular transfer, the nature of the personal data, the magnitude of the data transferred, the security measures (e.g. 128, 192 or 256-bit cipher AES) in place, the laws of the importing country, which would include the existence of effective remedies, should be carried out.
This means that more work has to be put in when contemplating using a new public cloud provider or outsourcing your data management, and it may even have a significant impact on such services with a few supervisory authorities calling for US transfers to subside. That said, we have to move forward and of real interest – of course – will be establishing what these additional safeguards may look like, how they can be implemented, and what an appropriate third country assessment should look like from the perspective of the supervisory authorities. We will explore this in a forthcoming article.
Binding Corporate Rules
And what about BCRs? As we mentioned in our previous article, the issues examined for SCCs will be the same for BCRs, as the BCRs are also only binding between organisations. There will also be a need to assess how a high level of protection is ensured for all transfers out of EEA. There is no way out of the assessments, unless you are able to use an adequacy finding … or find a suitable derogation.
Derogations
The derogations do not require an adequacy finding, nor do they require that appropriate safeguards are in place. In most cases, they may simply be used because they are deemed necessary. But, the plurality of the derogations listed in Article 49 are of a nature that means that most organisations will find them less usable. Most relate to very specific circumstances, e.g. that a transfer of personal data is necessary for important reasons of public interest, or to protection the vital interests of the data subject.
If you are in logistics, travel or a payment provider, you can find comfort in the derogation that says that transfers that are necessary for the conclusion or performance of a contract concluded in the interest of the data subject are valid.
Consent is also mentioned as a derogation. However, you should only use consent as a means of transferring personal data if consent is freely and expressly given, specific and informed, and if the individual is able to effectively withdraw consent without any negative repercussions. As consent can also be withdrawn at any point, and must be managed accordingly, using consent as a legal basis for the transfer of data can prove challenging.
Conclusion
SCCs, or rather the application and management of the SCCs, have been dealt a blow with Schrems II. They however still remain for now and are generally seen the most effective (or only) means of transferring data. Given your assessment of the intended transfer, the data in question and the laws of the third country, you may need to have some additional safeguards in place to ensure an adequate level of protection of the individuals.
