In our digitalized economy, cross-border data transfers and the legal requirements for them remain highly relevant. Just recently, the data protection organization ‘noyb’ (None of Your Business), founded by Max Schrems, filed complaints against companies transferring personal data to China. The following text examines the legal background and possible consequences for companies.
The complaints
The prominent data protection organization noyb submitted complaints to several data protection authorities against six Chinese companies. According to noyb, these companies are allegedly unlawfully transferring personal data, such as customer or usage data, from the EU to China. These proceedings may make it necessary to review and adjust currently implemented legal measures for transferring personal data to China.
The legal framework
Under Chapter V of the GDPR, all transfers of personal data to so-called ‘third countries’, i.e. countries outside the EU for which the European Commission has not adopted an adequacy decision, must be secured with special safeguards. These safeguards are meant to ensure that the recipient in the third country upholds a level of data protection essentially equivalent to that guaranteed under the GDPR, because the level of protection in third countries typically falls short of the European standard.
In practice, the use of Standard Contractual Clauses (SCCs) is most common. These are standardized contracts published by the European Commission that impose specific obligations on the data importer for handling data they receive.
SCCs, Schrems II, and TIA
Until the summer of 2020, it was common practice to conclude SCCs without verifying whether the data importer could actually comply with them.
This approach changed drastically following the CJEU’s Schrems II judgment, which originated in a complaint by Max Schrems of noyb. The CJEU ruled that companies relying on SCCs must also ensure that the data importer in the third country can effectively meet the agreed level of protection. Companies are therefore explicitly required to assess whether the laws and practices of the recipient country might prevent the importer from complying with its obligations under the SCCs.
In the summer of 2021, the European Commission issued revised sets of SCCs. Clause 14 of these SCCs requires the parties to carry out and document such an assessment of local laws and practices, commonly known as a ‘Transfer Impact Assessment’ (TIA), and Clause 15 sets out the importer’s obligations in the event of access requests by public authorities. If the TIA reveals that the legal framework in the recipient country undermines the protection of the data, the parties must implement additional safeguards to mitigate the risk. Since then, the use of SCCs has become considerably more cumbersome.
First the U.S., now China
Initially, TIAs were particularly relevant for data transfers to recipients in the U.S., which are of great practical importance for businesses. In the Schrems II judgment, the CJEU found that U.S. surveillance laws conflicted with the GDPR. This situation has since improved. Executive Order 14086 of 2022 limited the access of U.S. intelligence agencies to data and introduced a redress mechanism for individuals. The European Commission deemed this sufficient and issued a new adequacy decision for the U.S. (Data Privacy Framework, DPF). However, the DPF only covers U.S. data recipients certified under it. For transfers to U.S. recipients that are not DPF-certified, a largely standardized TIA is nevertheless generally considered sufficient, because the safeguards introduced by Executive Order 14086 apply to those recipients as well.
For other third countries, such as China, a detailed TIA remains necessary. A study commissioned by the European Data Protection Board (EDPB) in 2021 criticized China’s level of data protection because of the possibility of government access to data. Given the strict requirements for TIAs, the likely outcome will often be that Chinese law conflicts with the obligations under the SCCs. To enable data transfers despite this, agreeing on additional measures that mitigate the negative impact of national law is key.
Businesses must exercise great care and document the process, as the complaints filed by noyb with various national data protection authorities (Greece, Italy, Belgium, the Netherlands, Austria) could shift their focus significantly to data transfers to China.
Additional measures
Technical measures such as pseudonymization or encryption are often cited as potential additional safeguards, as they are recommended by the EDPB. In practice, however, they are often difficult to implement: data recipients frequently need access to the data in clear for the agreed processing purpose. Consequently, organizational and contractual measures are more realistic, although the EDPB emphasizes that, on their own, they are usually not deemed sufficient.
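The pseudonymization scenario referred to above works only if the information needed for re-identification stays with the exporter in the EU. The following Python sketch is an added illustration and not part of the original article or of any company’s actual setup; it assumes a case where the importer needs nothing more than per-user event counts, which, as the article notes, is often not the situation in practice. The exporter replaces direct identifiers with a keyed HMAC pseudonym and keeps both the key and the lookup table; the importer can still aggregate usage per user but cannot recover identities. The unkeyed hash is included only for contrast, since a plain hash of an e-mail address can be reversed by anyone holding a list of candidate addresses. Field names and sample records are constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Optional

# Fields that identify a person directly. Assumption for this example: the
# importer does not need them for the agreed processing purpose (usage stats).
DIRECT_IDENTIFIERS = ("email", "name")


class ExporterPseudonymizer:
    """Runs on the data exporter's side in the EU.

    The HMAC key and the re-identification table never leave the exporter,
    so neither the importer nor anyone who obtains the importer's copy of
    the data can map a pseudonym back to a person.
    """

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)
        self._table: dict = {}  # pseudonym -> direct identifiers (EU only)

    def pseudonym(self, identifier: str) -> str:
        # Keyed hash: deterministic, so the same user always gets the same
        # pseudonym and the importer can count per user, but not reversible
        # without the key.
        normalized = identifier.strip().lower().encode()
        return hmac.new(self.key, normalized, hashlib.sha256).hexdigest()

    def export_record(self, record: dict) -> dict:
        """Return the record as it is sent to the importer: no direct identifiers."""
        p = self.pseudonym(record["email"])
        self._table[p] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        payload = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        return {"user_id": p, **payload}

    def reidentify(self, pseudonym: str) -> Optional[dict]:
        """Only possible on the exporter's side, using the retained table."""
        return self._table.get(pseudonym)


def importer_usage_report(exported: list) -> dict:
    """What the importer can do with pseudonymized data: events per pseudonym."""
    return dict(Counter(r["user_id"] for r in exported))


def unkeyed_hash(identifier: str) -> str:
    """Plain hashing, shown for contrast only. Anyone with a list of candidate
    e-mail addresses can recompute this and re-identify the users."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


# Constructed sample data for the example (not from the original article).
SAMPLE_RECORDS = [
    {"email": "Anna@example.com", "name": "Anna A.", "event": "login", "country": "DE"},
    {"email": "anna@example.com", "name": "Anna A.", "event": "purchase", "country": "DE"},
    {"email": "ben@example.com", "name": "Ben B.", "event": "login", "country": "AT"},
]


def demo(key: Optional[bytes] = None) -> dict:
    """Run the exporter -> importer -> exporter round trip on the sample data."""
    exporter = ExporterPseudonymizer(key)
    exported = [exporter.export_record(r) for r in SAMPLE_RECORDS]
    report = importer_usage_report(exported)  # importer side, no key available
    # Back in the EU, the exporter can attach names to the report again.
    named = {exporter.reidentify(p)["name"]: n for p, n in report.items()}
    return {"exported": exported, "report": report, "named": named}


if __name__ == "__main__":
    result = demo()
    for row in result["exported"]:
        print(row)
    print(result["named"])
```

The important property is not the hash function but key custody: if the HMAC key or the lookup table were shared with the importer, or stored where the importer’s government could compel access, the data would again be personal data in the importer’s hands and the measure would add nothing to the SCCs.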
Contractual measures typically impose further obligations on the data importer regarding its handling of the data. For example, clauses may require the importer to maintain strict internal guidelines on data access and confidentiality and to follow a defined procedure for government access requests, including an obligation to forward such requests to the data exporter wherever legally possible, to disclose no more data than is strictly required, and never to hand over encryption keys.
Organizationally, it is common to agree on a role-based access concept that defines which roles at the importer may access the data and which access rights they hold.
Additionally, the parties can contractually exclude access from specific third countries altogether, for instance by agreeing that the transferred data may only be processed in specified geographic regions. According to a recent ruling of the General Court of the EU (Case T-354/22), such contractual arrangements are likely to be considered viable.
Outlook
The proceedings initiated by noyb could have significant consequences for the affected companies, although this depends on the outcome of the authorities’ investigations. In principle, the data protection authorities could temporarily or permanently prohibit the affected data transfers to China if GDPR violations are identified.
These complaints underline the importance of concluding and implementing SCCs thoroughly. Companies should take them as an opportunity to assess whether their existing processes are sufficient and whether additional measures are necessary. In particular, they should verify that TIAs have been carried out for all data transfers to third countries and that additional measures have been agreed and implemented where the TIA requires them.
The noyb proceedings should be monitored to keep track of the decisions by the involved data protection authorities and to be able to respond to them promptly.