For almost five years, privacy professionals have been breaking their heads over what to do with international transfers of personal data originating in the European Union. The two Schrems decisions of the Court of Justice of the European Union (CJEU) have brought some clarity – we now know that no international transfer may undermine the level of data protection offered under the EU General Data Protection Regulation (GDPR) and that thus essentially equivalent protection is required – but we still do not know what actually constitutes an international transfer. So far, neither the European Commission nor the European Data Protection Board (EDPB) has been willing to provide a definition. The new Standard Contractual Clauses, the main contractual mechanism to transfer personal data from the European Economic Area (EEA, which is the EU plus Norway, Iceland and Liechtenstein) to a non-EEA country (so-called third countries), however do include some indications on how to look at data transfers henceforth.
Scope of application of the new SCCs
Before looking at a possible new definition of international transfers, let’s first take a look at the scope of application of the model clauses as adopted by the European Commission on 4 June 2021. The SCCs can be used as a legal basis to transfer personal data out of the EEA, on the basis of the appropriate safeguards mentioned in article 46 GDPR. However, when using SCCs, organisations will not need to go through any formalities, like they would for example when using Binding Corporate Rules or ad-hoc data protection clauses, which both require approval from the supervisory authorities. SCCs can be part of a contract negotiated between the parties involved in a data processing operation, and are completely their responsibility.
The new SCCs bring about one major change: as long as the processing operation is covered by the GDPR, for example because the recipient (the data importer) is offering goods or services to people in the EU or is monitoring their behaviour, the model clauses cannot be used. This is explicitly ruled out in Recital 7. Organisations that have been used to including SCCs in their contracts for decades may need to get used to this change, but when looking carefully at the text of the GDPR, it makes sense.
When the GDPR was first introduced, a lot was said about the so-called extraterritorial scope of the Regulation. In other words: the legislation would also apply outside the territory of the European Union. That is also the case here. All transfer mechanisms in Chapter V GDPR, whether adequacy, SCCs, BCRs, or the derogations like consent and vital interest, are only intended to ensure that the level of data protection offered by the GDPR is not undermined. This is clearly stated in article 44 GDPR, and the subsequent provisions explain how the various transfer mechanisms maintain the required level of data protection. However, if there is no risk that the level of data protection of the GDPR is undermined, because the GDPR applies in full to the processing operation, there would be no added value to the use of transfer mechanisms. And that is exactly the conclusion the European Commission is now drawing: only if the GDPR does not apply to a data processing operation can the new SCCs be invoked as part of a contract.
Organisations should be aware of two consequences:
- Current agreements which include SCCs will maintain their validity until 27 December 2022. By that date, the contracts will need to be updated with the new SCCs, if they need – and are allowed – to use them. If not, the SCCs will automatically become void by the date mentioned.
- Organisations currently acting as a data importer, but whose processing operation is subject to the GDPR, will need to assess their onward transfers. Given that their own processing is subject to the GDPR, they will likely become a data exporter when using any processors as part of their processing operation, for example a cloud service or web hosting provider. If that is the case, the organisation will need to sign controller-to-processor or processor-to-processor SCCs with their partners, and provide a copy of the signed contract to the European data controller.
On a side note: organisations will always need to ensure they can meet the requirements of the GDPR, either directly or through the signing of the SCCs. If a data processing operation conducted by a non-EEA organisation is directly subject to the GDPR, they will still need to assess any possible government access to the personal data and agree on adequate safeguards to prevent this from happening. Being covered by the GDPR does not mean an “easy way out” from the Schrems requirements, on the contrary. The outcome of the risk assessment could still be that data cannot be transmitted to a processor or subprocessor in a third country, because the level of data protection cannot be guaranteed.
What does this mean for the definition of transfers?
The European Commission states clearly that the scope of application for the new SCCs is “without prejudice” to the definition of international transfers. However, by choosing the approach explained above for the use of the model clauses, it is hard to not draw any conclusions on what this means for a possible future definition of international transfers. Before, it was assumed a data transfer would take place the moment data left the territory of the EEA, either physically, or because the data would be accessed from a third country. That seems to be no longer true under the GDPR, since a processing operation can be fully subject to the GDPR outside the territory of the EEA as well. Could it therefore be that we will in the future only speak of a data transfer if the data is no longer directly subject to the GDPR, in other words, if we see a change of legal regime apply to the processing operation? Recital 7 of the new data transfer SCCs indicates this is the thinking of the European Commission. Whether the supervisory authorities – and the courts, for that matter – agree, should become clear later, starting with the updated recommendations on post Schrems-II data transfers from the EDPB, expected by the end of the month.