International data transfers - where next?

In an age of cloud computing, data can cross borders with a click. In reality, complex legal frameworks exist to allow the flow of data between countries and continents. This piece, part of our short Data December series, takes a deep dive into international data transfers in the wake of a European ruling that rocked the foundations of international data privacy.

Earlier this year, we offered some practical tips to help navigate the uncertainty created by a ruling of the European Court (the so-called "Schrems II" case) invalidating "Privacy Shield", a mechanism used by many organisations as a means of complying with data protection requirements when transferring personal data – whether that be of customers, employees or anyone else – to the United States.

Schrems II also cast significant doubt over the future of the "Standard Contractual Clauses" (SCCs) – in our experience the most commonly used of all the available transfer mechanisms. Overlay that with the "will we, won't we?" Brexit deal uncertainty, and it was for a while difficult to see where to go next with international data flows.

The European Data Protection Board (EDPB) has recently published recommendations (the Recommendations) on this very point and we also now have a draft set of new and improved SCCs from the European Commission (EC). The UK's Information Commissioner's Office (ICO) released a statement saying that it will issue guidance in due course but will hold fast with its risk-based approach to transfers for now. So far, so positive? Not quite. The Recommendations are onerous and – in our view – will be almost impossible to comply with in practice for most organisations. Plus there is the Brexit question (one of many): what status will these documents have after 31 December? We simply don't know yet.

In this note, we have summarised the new content from Europe (in parts 1 and 2 below) but we have also tried to turn the content into something practical to help organisations transferring data internationally (whether within a group or through a supply chain) to come up with a plan (in part 3). If you want to skip the detailed analysis, head straight to the practical recommendations in part 3.

The EDPB recommendations

The six steps for success and "supplemental measures"

The Recommendations focus on the implementation of onerous practical measures that will operate alongside an appropriate approved transfer mechanism (more on 'transfer mechanisms' below) to ensure that transferred data is adequately protected. The EDPB has outlined a six-step approach, described below.

Step 1: Know your transfers. What is going where?

If you haven't already done so (or if you have, but not for some time), you should map your data flows to identify all transfers of data outside of the EEA (and UK).

This will include (as it always has done) non-EEA cloud storage and remote access from overseas whether intra-group or as a result of third-party service provision.

You will also need to consider onward flows of data by recipients of your transfers, e.g. where you have approved the appointment of sub-processors (this is likely to be relatively challenging in practice).

Step 2: Choose an appropriate transfer mechanism

Other than in relatively limited circumstances, it's likely that most systematic transfers for the majority of organisations will rely on either:

  • Transfer to a territory that has been the subject of an adequacy decision (there are only 12)
  • Binding Corporate Rules – if this is the relevant option, it is likely to be relatively obvious (either because your corporate group has implemented the rules and had them approved by a data protection supervisory authority in Europe, or because your supplier will tell you)
  • SCCs (subject now to implementation of the Recommendations alongside simply signing the clauses)

Privacy Shield was invalidated by the Schrems II ruling and should no longer be considered available as an option for transfers to the U.S. (for the time being at least, but that is a topic for a separate article!)

Step 3: Dig deeper. Is the transfer mechanism effective in practice?

This is where things get tricky (to put it mildly). The Recommendations require you to assess the law applicable in the local territory to which you are exporting data and decide whether the data importer is prevented from complying with the terms of your SCCs, for example as a result of local state authorities' intrusive surveillance rights. You must also assess whether individuals could be prevented from exercising their rights because of local laws of the territory. Make no mistake, this is a big ask.

Where appropriate (probably almost always in practice) your assessment can be carried out in collaboration with the importer, but it is the exporting party's responsibility to make the judgement.

The Recommendations include references to materials that may be helpful in carrying out this assessment (and there are also separate published recommendations covering some of the issues), but the reality here is that most organisations are likely to find themselves to some extent reliant on global IT service providers or group companies in overseas territories for guidance on the nature and scope of relevant local law.

Confusingly, the Recommendations expressly state that you should not factor in the likelihood of local state authorities accessing the data in question (confusing and unhelpful because this seems to go against the risk-based approach otherwise at the heart of European data protection law).

Step 4: Implement supplementary measures (technical, contractual and operational)

If your assessment in Step 3 reveals that your proposed transfer mechanism is not effective in practice (either because of the local law of the territory or for some other reason), then you must adopt supplementary measures to ensure adequate protection for the data.

By definition, the supplementary measures involve implementing practices and processes over and above those required by the relevant transfer mechanism.

Supplementary measures mentioned in the Recommendations include the following three categories: technical (which will always be necessary); contractual and operational (which even taken together cannot – according to the EDPB – give enough protection without also applying technical measures). Examples of each are set out below:

Whilst these are familiar technical measures, the challenge for data exporters is that none of the technical supplementary measures included in the Recommendations will ever be appropriate for a transfer requiring open access to the importing entity (e.g. a parent company accessing local HR or customer data, or an overseas IT support provider needing to access data remotely to provide services):

  • encryption (where cryptographic keys are not available to the importing entity or anyone outside of the EEA)
  • pseudonymisation (subject to a number of conditions, including that the ability to re-identify data should be retained solely by the data exporter)
  • ‘split’ or multi-party processing (this is similar in practice to pseudonymisation, but relies on export to more than one importer, none of which are able to reconstitute or access the whole dataset)

On top of your processor clauses/DPA (if relevant to the export) and your existing SCCs (if used), you should now also consider additional contract terms including:

  • a contractual obligation to implement specific technical measures (including any of the technical supplementary measures referred to above).
  • obligations relating to transparency, e.g. for the importer to notify the exporter if it receives requests for access to the data from local state authorities, or giving the exporter enhanced audit rights, or requiring the importer to certify that there are no ‘back doors’ for access to the data either as a result of business process or local law.

The measures listed in the Recommendations include elements that many exporters already have in place and as such it is vital to remember that these are meant to be supplementary measures, i.e. over and above what may already be standard practice as part of the implementation of SCCs or another transfer mechanism. For example:

  • involving the DPO in international transfers
  • maintaining internal policies and accountability measures related to international transfer (especially for global corporate groups)
  • maintaining detailed policies in relation to confidentiality and access control, including auditing compliance

Step 5: Follow any formal procedural steps

In very limited circumstances, this could involve notifications to supervisory authorities, but you should also consider whether you need to take any formal steps from a compliance and corporate governance perspective such as introducing new policy or updating internal compliance monitoring processes.

Step 6: Review and re-evaluate at appropriate intervals

Even if it had not been expressly included in the Recommendations, this would be a requirement of data protection's "Accountability" principle.

You will need to review all elements of your international transfer arrangements (including all five steps above) to ensure their ongoing suitability for protecting the relevant data.

Some of the example scenarios included in the Recommendations are likely to be highly problematic for data exporters. For example, the Recommendations state that where a business exports data to a group company for the provision of personnel services and where that overseas group company's local laws allow public authorities to access data in a way that goes beyond what is necessary and proportionate (e.g. as in the US), the EDPB concludes that it is "incapable of envisioning an effective technical measure to prevent that access from infringing on data subjects' rights". In other words, the EDPB sees no way of making this type of transfer legitimate in accordance with European data protection law. Sobering words.

The Draft SCCs - an overhaul

Background

For years, the current SCCs have been a sticking plaster. After a decade of seismic change in data protection law, even the newest clauses are showing their age.

The new draft is open for consultation until 10 December and so clearly there could yet be some change to the terms. In our view, the new draft SCCs represent a huge step forward. Yes, they present some obvious challenges (for example, the frankly unrealistic expectation for sub-processors to have direct relationships with controllers), but the new draft SCCs plug a LOT of gaps where for years we have had little choice but to advise clients that "no, this doesn't really work but it’s the best there is by way of risk mitigation…".

There is likely to be a 'sunset period' for the current SCCs. The current draft refers to a one year transition period but this could of course change (ideally get longer) as a result of the consultation.

New draft, new possibilities

The draft SCCs are effectively four separate sets of clauses covering four different scenarios.

There are generally applicable provisions covering issues such as interpretation, hierarchy (the SCCs will take precedence) and a new and welcome "docking clause" allowing parties to be joined to the signed SCCs during the term.

The operative clauses are drafted in modular form, covering transfers from:

  • Controller to controller, commonly used when data sharing intra-group
  • Controller to processor, used when a data controller appoints a processor such as a service provider in the HR, customer data or IT services supply chain
  • Processor to sub-processor (at last!), allowing a processor within the EEA to appoint a sub-processor outside of the EEA
  • Processor to importing controller (thank goodness), plugging a gap that has become particularly relevant in the context of Brexit and European supply chains

Helpfully, the draft SCCs also allow use by a non-EEA established exporter (another gap in the coverage of the current version of the clauses).

Some highlights and low-lights from the SCCs

I thought I had overseas transfers covered. Where do I go from here?

Good question! Yet again, we find ourselves in the unsatisfactory position of advising clients that there is no 'silver bullet' solution for most organisations. We have, however, set out a few suggested pointers below:

Our suggestions

You will need to engage a range of internal stakeholders. A legal team in isolation can’t meaningfully mitigate risk in this area. At the very least, this is likely to need meaningful engagement from risk and compliance, operations, tech/IT/digital, information security, commercial and procurement.

The need to know your transfers is more important than ever. Whatever the final version of the new SCCs looks like, it’s clear that most organisations are going to have to reassess and ‘repaper’ at least some of their international data flows. Start now, work out where your biggest risk is, and prioritise accordingly.

Engage early with the importing/recipient entity since you’re highly likely to need their help with the risk assessment and implementation of supplementary measures, particularly in the context of the local law element.

It’s clear that organisations exporting data will need to carry out and document a transfer risk assessment. In practice, existing template documents and processes used for DPIAs could be a good starting point.

Ask yourself the hard questions about alternative options. Might this be the time to look at implementing Binding Corporate Rules? Are there transfers that you simply cannot legitimise and may need to suspend (e.g. by changing suppliers or migrating data or services back into Europe)? How can you mitigate risk if the commercial objectives and risk appetite don’t align?

Look at your existing processes and update them if necessary to make sure that any proposed new international transfers are identified early and that enough time and resource is made available during the procurement process (or other relevant business process) to carry out the necessary assessments and implement necessary supplementary measures.

In terms of data flows as part of life outside the EU (we had to mention it), for the time being it’s likely to be more about implementation of supplementary measures than about executing the new SCCs since we simply don’t know what status the new SCCs will have under UK law when they are finally published.

Please do get in touch if you need support. Our team is highly experienced in advising on international data transfers. We focus on delivering business-enabling advice and would be delighted to help. We will be developing a 'tool kit' for organisations transferring personal data across borders within a corporate group, and we would be happy to discuss this with you if that sounds like something that could make life easier.