Transfers of personal data outside the EEA - challenges in 2022

Transfers are of great importance to the Union

The international transfer of personal data is of considerable importance to our convenience, business efficiency, innovation, and profits. One of the most significant data transfers from the European Union is that across the Atlantic, to the United States. According to Eurostat estimates, the economic relationship between the EU and the United States is worth $7.1 trillion. The share of data-driven business will grow in this regard due to gradual technological development and the increasing digitization of more areas of our lives. Eurostat also estimates that if the flow of data outside the European Union in data-driven sectors was stopped - the gross product of the European Union would fall by as much as 2.5%. So, transfers of personal data outside the European Economic Area (EEA) are a necessary part of our everyday life.

Standard contractual clauses - a quick glance on their history

The protection of personal data in the European Union, and thus the controversy over data transfers outside the EEA, did not begin with the entry into force of GDPR. The European Union has already been protecting the personal data of its citizens since 1995 - prior to GDPR, protection was under Directive 95/46/EC (the Directive). It was this Directive that provided for securing data transfers outside the EEA through standard contractual clauses developed by the European Commission.

During the life of the Directive, 3 such sets of clauses were enacted - in 2001, 2002 and 2010. The set of clauses enacted in 2002 expired with the enactment of a new set in 2010.

In addition, while the Directive was in force, the European Commission issued adequacy decisions for third countries regarding the processing of personal data - a mechanism analogous to that under the GDPR. Adequacy decisions issued under the Directive retained their force under the GDPR.

Data transfer to the US

One of the adequacy decisions was the one approving the international agreement between the US and the Union on data transfers - the so-called Safe Harbor (2000). This decision was successfully challenged by Maximilian Schrems in proceedings against Facebook - in 2015 the Court of Justice of the European Union (CJEU) declared this international agreement invalid. The EU and the US quickly drafted and signed a new agreement - Privacy Shield - which was concluded as early as 2016. It was, like Safe Harbor, based on the principle of self-certification of private entities in the US.

Decision 2016/1250 of July 12, 2016, which approved Privacy Shield as an adequate mechanism for securing data transfers between the US and the Union, was declared invalid in the Schrems II ruling. The main objections to the US legal order that led to the overturning of the decision were:

• significant amount of personal data, including metadata, is accessed by US services (e.g., the NSA, CIA and FBI) - including as part of the PRISM and UPSTREAM programs, where personal data on non-US citizens can be extracted from telecom operators' selectors and from cables running on the Atlantic seabed;
• lack of an effective legal remedy against the excessive acquisition of personal data by the services, to which non-US citizens would be entitled.

At this point, there is still no valid legal basis for the free transfer of data to the US, but talks between the European Union and the US are proceeding rapidly and, it seems, effectively. In March 2022 the European Commission issued a communication indicating that the main tenets of a new agreement to replace Privacy Shield had already been established:

• The agreement is to be based on a similar mechanism to Safe Harbor and Privacy Shield, namely the self-certification of US entities;
• US intelligence authorities are to be bound by safeguards limiting access to the data and ensuring its necessity and adequacy for the purpose of protecting national security; US intelligence services are to adopt a procedure to ensure adequate respect for privacy and other civil liberties;
• A new two-tiered system is to be introduced for handling complaints by Europeans about access to their data by US services;
• Monitoring and verification mechanisms will be put in place. 

Ensuring an adequate level of personal data protection in a third country

According to the GDPR (e.g., Article 44), transfers of personal data must be carried out in such a way that the degree of data protection provided by the GDPR is not compromised. This is what the transfer protection mechanisms provided for in Article 46 of the GDPR - including agreements on standard contractual clauses and binding corporate rules - are designed to do.

However, in order for such mechanisms to be an effective way to secure the transfer of personal data to a third country, it is necessary to examine whether they can actually be enforced in the recipient country. After all, as the CJEU noted in the Schrems II judgment - contractual provisions (whether in clauses or binding corporate rules) bind only the parties signing such obligations, but not the authorities in the recipient country. It should also be borne in mind that a data importer, being confronted with a conflict between violating contractual obligations under clauses or binding corporate rules and violating the law in its country of establishment, will in all likelihood choose to violate the contract. 

Transfer Impact Assessment (TIA) study for data protection

Both the Court of Justice of the European Union in the Schrems II judgment and the European Data Protection Board, in their post-Schrems II Recommendations 01/2020 on measures to supplement transfer tools in order to comply with the EU's level of personal data protection (version 2.0 adopted June 18, 2021, detailed the elements of a mandatory recipient country assessment that must be conducted before any transfer of personal data to a third country:

• First, it is necessary to accurately map data transfers in the controller's organization. In many cases, this is one of the most difficult parts of the examination. It is important to remember that the check must include not only the contracts that we have actively negotiated with suppliers and that contain a mutually agreed clause mandating that the processor obtains consent for the transfer (and did it actually request it? Also worth checking). It is also necessary to check the tools and services we use based on contracts concluded, for example, on the basis of acceptance of non-negotiable terms and conditions. Issues of transferring personal data to countries such as the US, Australia or other third countries may be part of such provider's terms of service or privacy policy. At this stage, it is also recommended to verify that the transfer complies with the guiding principles of processing like data minimization.

• Second, it is necessary to verify the legal basis for the transfer. This may be one of the safeguards provided for in Article 46 of the GDPR, but perhaps also an exception provided for in Article 49 of the GDPR (e.g., consent of the data subject). It is important to monitor such safeguards.

In this regard, it is very important to keep in mind that the standard contractual clauses, which are the most popular means of securing data transfers outside the EEA, have changed. They must be updated in existing contracts by December 27, 2022.

• Third, it is necessary to assess the entire legal system of the country to which we intend to export personal data. Such assessment must include:

- The legal system of the third country in question and whether it is applied in practice (if it would formally meet the European standard) and the relevant elements of practice in the third country in question - including the possibility for European persons to enjoy effective means of protection

- Can public authorities attempt to access data without the knowledge of the data recipient in a third country (in light of current law, practice and precedents)

- Whether public authorities may attempt to access the data through a data recipient in a third country, telecommunications operators or communication channels (in light of applicable law, technical, financial and human capabilities of such authorities)

- The context of data export: the purposes of processing, the nature of the recipient of the data and the relevant sector, the categories of data transferred, where the data will be stored, the format of the data and issues of further transfers. 

It is important to remember that while the data exporter may rely on information and assurances obtained from the recipient in a third country, the responsibility to check any publicly available sources - the contents of the law, publicly available decisions, NGO or business reports - remains its responsibility. If the data recipient's statements contradict publicly available information, the responsibility for the unlawful transfer will fall on the data exporter.

• Fourth, if necessary due to problematic legislation or practice in the third country in question, additional safeguards are needed to keep data transfers secure despite such difficulties. Suggested safeguards by the European Data Protection Board include:

- Technical measures: primarily encryption (including in transfer), pseudonymization, separation of processing among several recipients

- Taking advantage of available exceptions in the law of the recipient country - such as statutory professional secrecy obligations

- Additional contractual obligations: to list any applicable regulations, to provide information on data release requests received, including statistics relating to the past, measures taken to prevent disclosure of data, no obligation to leave workarounds for authorities, to provide no-request reports (Warrant Canary), to use all remedies to challenge data release, to inform the data subject of a data release request, to support the data subject against public authorities.

- Organizational safeguards at the third-country data recipient: delineating clear roles and responsibilities, including the organization's response to a request for data received from a public authority; records of requests and responses made available to the exporter; ensuring a strict approach to data access (on a need-to-know basis), adherence to these principles, regular auditing and implementation, including through disciplinary measures.

It is worth mentioning that one of the additional safeguards for the transfer of personal data to a third country is the obligation of the recipient to take all procedural steps available under local law to challenge a request by administrative authorities or services for access to data.

This was the situation in the case of Microsoft Corp. V. United States from 2018. In that case, Microsoft sought to win the right to deny access to its service recipients' data, which was stored on Microsoft servers in Ireland, before the US courts. The case went all the way to the Supreme Court, where Microsoft came close to winning (a win was prevented by the passage of the CLOUD Act, which we write about in the earlier box).

• Fifth, you should take the steps necessary to ensure that the security method you apply is valid. It may be that the modified contractual clauses you have applied, for example, will require confirmation by the relevant supervisory authority.
• Sixth, it is necessary to ensure regular repetition of the entire procedure for assessing the impact of the transfer on data protection, because the risks, as well as the safeguards in place change and outdate, while the high standard of personal data protection required by the European Union does not diminish.

Need to update clauses

As we mention above, sets of standard contractual clauses that were adopted before 2021 are gradually becoming obsolete. Starting as early as the fall of 2021, they should not be used for new contracts, and as of December 27, 2022, they should be updated to the new model adopted by Commission Decision 2021/914 of June 4, 2021.

There were several reasons for updating the sets of standard contractual clauses:

·       The clauses adopted in 2001 and 2010 (i.e., those still in force until 2021) were drafted at a time when the applicable EU data protection legislation was still Directive 95/46/EC - while as of 2018, GDPR is in force and introduces new obligations;

·       The clauses were drafted more than a decade ago in a different reality than the one we face today. It was necessary to ensure that the sets of clauses enabled both the correct reflection of factual situations - long chains of processing and onward entrustment of data, transfers between processors or controllers in different countries, as well as enabling clauses between more than two entities and the dynamic accession of additional entities to the agreements.

The new standard contractual clauses are based on a modular system that allows the selection of contractual elements that are most appropriate for the actual relationship between the parties. This is intended to provide more practical data protection in transfers outside the EEA.