A big month for data exports

What's the issue?

A number of issues have thrown data exports into the spotlight in the last couple of years:

First, Brexit which resulted in the UK becoming a third country for the purpose of data exports from the EEA.
Second, the CJEU judgment in Schrems II which not only struck down the EU-US Privacy Shield but cast doubt on the future of data transfers to third countries.
Third, the increasing inflexibility of one of the authorised transfer mechanisms, the Standard Contractual Clauses (SCCs) to deal with the complexity of data journeys, and the demands of the Schrems II judgment.

What's the development?

Not just one but three developments:

UK adequacy

EU-UK adequacy decisions were adopted on 27 June.

In March, we covered the draft EU-UK adequacy decisions. EC adequacy decisions enable the free-flow of personal data from the EEA to the country benefitting from the decision. A UK adequacy decision is, by some considerable margin, the optimal solution to the Brexit data problem.

One major change from the draft decisions is that the final versions do not cover data transferred for the purpose of UK immigration control. The carve out is a result of the recent Court of Appeal judgment which held that the immigration exemption in the Data Protection Act 2018 was unlawful. The Commission has said it will reassess the need for the exclusion once the UK makes changes to the offending exemption.

The EC stresses that the decisions are dependent on the UK continuing to maintain an adequate level of protection and that they can be suspended at any point if it does not. The decisions expire on 27 June 2025 unless renewed.

New SCCs

As we discussed last month, the EC published new SCCs which reflect the GDPR and take a more flexible, modular approach. These came into force in the EU on 27 June 2021.

Those using the old SCCs must transfer over to the new ones within 18 months. They cannot, however, be used where a non-EU importer is importing personal data caught by s3(2) GDPR (ie where the personal data is of data subjects in the Union and the processing activities are related to the offering of goods or services to data subjects in the EU, or to the monitoring of their behaviour where that behaviour takes place in the EU).

The old SCCs will continue to be used in the UK until the ICO finalises new ones.

EDPB final recommendations on supplementary measures

In the Schrems II decision, the CJEU said it was up to controllers to assess on a case by case basis, whether or not the data being exported would receive an equivalent level of protection to that in the EU, and to use supplementary measures to protect the data if it did not. Where any additional measures would still fail to ensure adequate protection, the transfer could not take place.

No detail was provided as to what those supplementary measures might be and under what circumstances they would need to be used until the EDPB published its draft recommendations for supplementary measures in November 2020 which we discussed here.

These have now been finalised and there have been a few significant changes, in particular to the section on Step 3 (assessing whether the Article 46 transfer tool is effective considering all circumstances of the transfer).

There is now a focus on examining the practices of the relevant third country as well as on the letter of the law, assessing the specifics of the transfer (ie how likely the data is to be accessed or to be the subject of an access request), and taking the experience of the importer in terms of law enforcement access into account although that will not in itself be decisive.

The transfer impact assessment (TIA) is now explicitly specific to the legislation and practices relevant to the specific data being transferred.

Step 3 involves assessing whether there is anything in the law and/or practices in the third country which may reduce the effectiveness of the transfer tool being used. This examination will be particularly relevant where:

legislation in the third country which appears to meet EU standards is manifestly not applied/complied with in practice
there are practices incompatible with the commitments in the transfer tool where relevant legislation in third countries is lacking
the transferred data and/or the importer fall or might fall within the scope of problematic legislation (ie legislation which would impinge on the transfer tool's ability to guarantee an essentially equivalent level of protection to that in the EU).

In the first two situations, the controller will have to suspend the transfer or implement adequate supplementary measures to proceed.

In the third situation, in light of uncertainties around the potential application of problematic legislation, the controller may decide to suspend the transfer, implement supplementary measures, or proceed with the transfer without implementing supplementary measures if the controller considers and is able to demonstrate and document that there is no reason to believe the relevant and problematic legislation will be interpreted and/or applied in practice so as to cover the transferred data and importer.

The TIA should initially be based on publicly available legislation. It must contain elements concerning access to data by public authorities of the third country of the importer such as:

elements on whether the public authorities may seek to access the data with or without the importer's knowledge in light of legislation, practice and reported precedents
elements on whether public authorities of the third country of the importer may be able to access the data through the importer or through the telecommunications providers or communications channels in light of legislation, legal powers, technical, financial and human resources at their disposal and of reported precedents.

While publicly available legislation is the starting point, the controller must also look at practices in force in the third country. This includes where:

relevant legislation in the third country appears to offer an essentially equivalent regime but does not actually do so
there doesn't appear to be any relevant legislation but there are indications that practices in force in the country might be incompatible with the EU regime and would lessen the effect of the Article 46 transfer tool
legislation may be problematic and there are uncertainties over whether the data and/or importer might fall within scope (situation three above)
the data subject rights are not enforceable in practice.

The annexes have not changed significantly beyond clarifying some of the examples and giving a more detailed list of possible sources of information to assess a third country (Annex 3).

What does this mean for you?

There can be no doubt that the new EC SCCs and the EDPB guidance on supplementary measures, together with the UK adequacy decisions, have cleared up some of the uncertainties and anomalies around the data transfer regime.

Questions do remain and we'll be looking at these in-depth in our next edition of Global Data Hub in August which will also cover sector-specific issues in life sciences and real estate.