Update on the Legal Situation for Data Transfer to Third Countries (the US and China in Particular)
February, 2021 - Hans Markus Wulf
When it comes to the general transfer of data to third countries, even, for example, intra-group data transfers, recourse to US providers such as Microsoft (Office 365), Amazon (AWS), Google or Salesforce has been ill-fated since the ECJ ruling of July 16, 2020 (C-311/18 “Schrems II”). The EU-US Privacy Shield is now invalid and the only legal basis that comes into question for the use of cloud services from these US providers as well as data transfer to third countries in total (including China) is, in practice, the EU Standard Contractual Clauses ("SCCs"). However, there are some new developments with regard to these SCCs which are summarized in this article and can be practically implemented by the reader.
I. Current state of affairs
According to the above ECJ ruling, data transfer to third countries outside the EU is only permitted under special conditions, insofar as the third countries in question have laws on the (arbitrary) monitoring of communications without adequate legal protection. This is the case in the US and in China, among other countries.
The EU-US Privacy Shield is invalid as a legal basis for data transfer to the US. Data protection declarations on websites sometimes still contain references to this, which could lead to fines.
In practice, therefore, only the current SCCs are still possible and these are now called "standard data protection clauses" in the GDPR. In practice, however, the ECJ only permits their use in the presence of government control when supplementary obligations have been agreed. Therefore, supplementary agreements have to currently be concluded with the US and Chinese providers, which, however, these are frequently unwilling to accept. Microsoft, on the other hand, has designed such an agreement in consultation with a German data protection authority and makes this "addendum" available to its customers.
This is why numerous companies today still violate the requirements of the GDPR. This was recently confirmed on January 26, 2021 by the State Data Protection Officer in Baden-Württemberg: "European companies are currently facing a massive risk of fines."
The EU Commission is therefore currently endeavoring to issue new SCCs as soon as possible (Article 46 II GDPR). At the same time, there are indications coming from the US that a new Privacy Shield with a new name might soon be agreed with the EU Commission.
However, the focus of the EU Commission is currently on the new SCCs, which can also be considered as a legal basis for data transfer to other third countries where government supervision exists (such as China).
II. Path to new standard data protection clauses
The first draft of the new SCC (third country) was published on November 12, 2020. At the same time, the EU Commission has provided a separate draft of the SCCs (Inland) for intra-European data transfer to contract processors which should replace the contracts for order processing in this area in the future. The latter will be positively received by clients, because the SCCs (Inland) may only be changed under strict conditions, so laborious contract negotiations for individual clauses of the order processing contracts should be dispensed with in the future. However, this article primarily deals with the SCCs (Third Countries), i.e. for data transfer to third countries such as the US or China, for example, by using cloud services from providers in these countries or internal group data transfers.
In the meantime, there have been a large number of comments on the new draft of the SCCs (Third Countries), not only from the private side, but also from the European Data Protection Board (EDPB, German EDSA), which has to be involved in the legislative process and which issued its opinion on the new SCCs just a few days ago, on January 14, 2021.
The comments of the EDPB (an association of the EU supervisory authorities) on the draft of the new SCCs were largely positive, as well as those of the EU Data Protection Officer, Wojciech Wiewiórowski. Changes were called for in both versions of the SCCs, such as in the areas of a) third parties joining a contract, b) rights of data subjects, c) information obligations of the data importer, d) delimitation of the two SCCs from one another or e) immutability. However, according to this statement, it can now be assumed that both new SCCs (in a slightly modified form) will probably be issued in this form in the coming weeks (after consultation with the EU Parliament).
III. Content of the new standard data protection clauses
The old SCCs were available in two versions (Controller-Controller, Controller-Processor), whereby, in the present application, the controller is in particular the EU data exporter (e.g. the German company) and the processor is the US/China data importer (provider, i.e. Microsoft, Amazon, Alibaba). In future, the new SCCs (Third Countries) will also regulate the relationship between the processor-controller and the processor-processor. All four variants of data transfer are affected.
The structure of the new SCCs (Third Countries) is regulated in such a way that text modules for all four variants are included in each clause, whereby the inapplicable parts in the document are to be erased.
In future, the parties to the SCC (third country) must assess the legal system of the third country concerned to determine whether the data importer can also comply with the specifications of the SCC there. If this is not possible (for example, because there are laws there that allow uncontrolled monitoring of personal data by government agencies without guaranteeing sufficient transparency and legal protection), the data transfer must cease. This assessment must be documented, i.e. handed over to the supervisory authorities upon request. At this point, EU companies are faced with an enormous additional burden.
If the new SCCs (Third Country) result in state access to personal data (for example, from the US or Chinese government), the data importer (provider) must contact the data exporter (e.g. the German company) and – where possible – also inform the data subjects immediately. In addition, all possible legal remedies against the surrender of information must be exploited. If notification is prohibited by law, the data importer must try to obtain an exemption from the government agency; this attempt is to be documented.
Further, new contents are, for example; a) possibility of other companies acceding to the SCCs major agreement; b) disclosure of information on all controllers with regard to contracts between processors; or c) specific regulation of the categories for technical and organizational measures.
IV. Course of action for companies
The new SCCs are not yet in force. The legal situation that has existed since July 2020 therefore continues to apply: the old SCCs must be concluded with the companies (providers) in third countries with government supervision (the US and China in particular) by concluding a supplementary agreement. Otherwise, data transfer must cease. If the provider has its IT infrastructure, i.e. the data center, (also) within the EU (EU option) and guarantees that all personal data is only processed there, this does not yet achieve legal conformity (see Interview from January 26, 2021), but it is a step in the right direction and reduces the likelihood of a fine.
Companies that have not yet concluded SCCs via a supplementary agreement with their third-country providers should react promptly.
As soon as the new SCCs have been issued by the EU Commission (maybe in a few weeks), they should be concluded with all contractual partners as soon as possible. Although there is a transition period of one year, we recommend that the new SCCs be concluded immediately as, until that happens, there is a risk of fines due to the above legal situation. If the contractual partner is based in the EU and acts under instruction as a processor (cloud provider, SaaS provider, IT service provider, software manufacturer, etc.), then the new SCCs (Inland) are to be used. For contractual partners based in third countries (i.e. outside the EU), the new SCCs (Third Country) are to be used while the correct module, usually Controller-Processor, needs to be selected.
Before that, according to the new SCCs (Third Country) - and according to stipulations of the supervisory authorities, even today it is necessary to assess to whether laws exist in the respective third country that allow the government to access the personal data without transparency and legal protection. Here, it is particularly important to check whether the provider in question is subject to the relevant security laws at all (in the US, for example, Section 702 Foreign Intelligence Surveillance Act). This assessment (Transfer Impact Assessment) must be documented and submitted to the supervisory authority upon request. We would be happy to support you with this assessment and documentation.
Link to article
I. Current state of affairs
According to the above ECJ ruling, data transfer to third countries outside the EU is only permitted under special conditions, insofar as the third countries in question have laws on the (arbitrary) monitoring of communications without adequate legal protection. This is the case in the US and in China, among other countries.
The EU-US Privacy Shield is invalid as a legal basis for data transfer to the US. Data protection declarations on websites sometimes still contain references to this, which could lead to fines.
In practice, therefore, only the current SCCs are still possible and these are now called "standard data protection clauses" in the GDPR. In practice, however, the ECJ only permits their use in the presence of government control when supplementary obligations have been agreed. Therefore, supplementary agreements have to currently be concluded with the US and Chinese providers, which, however, these are frequently unwilling to accept. Microsoft, on the other hand, has designed such an agreement in consultation with a German data protection authority and makes this "addendum" available to its customers.
This is why numerous companies today still violate the requirements of the GDPR. This was recently confirmed on January 26, 2021 by the State Data Protection Officer in Baden-Württemberg: "European companies are currently facing a massive risk of fines."
The EU Commission is therefore currently endeavoring to issue new SCCs as soon as possible (Article 46 II GDPR). At the same time, there are indications coming from the US that a new Privacy Shield with a new name might soon be agreed with the EU Commission.
However, the focus of the EU Commission is currently on the new SCCs, which can also be considered as a legal basis for data transfer to other third countries where government supervision exists (such as China).
II. Path to new standard data protection clauses
The first draft of the new SCC (third country) was published on November 12, 2020. At the same time, the EU Commission has provided a separate draft of the SCCs (Inland) for intra-European data transfer to contract processors which should replace the contracts for order processing in this area in the future. The latter will be positively received by clients, because the SCCs (Inland) may only be changed under strict conditions, so laborious contract negotiations for individual clauses of the order processing contracts should be dispensed with in the future. However, this article primarily deals with the SCCs (Third Countries), i.e. for data transfer to third countries such as the US or China, for example, by using cloud services from providers in these countries or internal group data transfers.
In the meantime, there have been a large number of comments on the new draft of the SCCs (Third Countries), not only from the private side, but also from the European Data Protection Board (EDPB, German EDSA), which has to be involved in the legislative process and which issued its opinion on the new SCCs just a few days ago, on January 14, 2021.
The comments of the EDPB (an association of the EU supervisory authorities) on the draft of the new SCCs were largely positive, as well as those of the EU Data Protection Officer, Wojciech Wiewiórowski. Changes were called for in both versions of the SCCs, such as in the areas of a) third parties joining a contract, b) rights of data subjects, c) information obligations of the data importer, d) delimitation of the two SCCs from one another or e) immutability. However, according to this statement, it can now be assumed that both new SCCs (in a slightly modified form) will probably be issued in this form in the coming weeks (after consultation with the EU Parliament).
III. Content of the new standard data protection clauses
The old SCCs were available in two versions (Controller-Controller, Controller-Processor), whereby, in the present application, the controller is in particular the EU data exporter (e.g. the German company) and the processor is the US/China data importer (provider, i.e. Microsoft, Amazon, Alibaba). In future, the new SCCs (Third Countries) will also regulate the relationship between the processor-controller and the processor-processor. All four variants of data transfer are affected.
The structure of the new SCCs (Third Countries) is regulated in such a way that text modules for all four variants are included in each clause, whereby the inapplicable parts in the document are to be erased.
In future, the parties to the SCC (third country) must assess the legal system of the third country concerned to determine whether the data importer can also comply with the specifications of the SCC there. If this is not possible (for example, because there are laws there that allow uncontrolled monitoring of personal data by government agencies without guaranteeing sufficient transparency and legal protection), the data transfer must cease. This assessment must be documented, i.e. handed over to the supervisory authorities upon request. At this point, EU companies are faced with an enormous additional burden.
If the new SCCs (Third Country) result in state access to personal data (for example, from the US or Chinese government), the data importer (provider) must contact the data exporter (e.g. the German company) and – where possible – also inform the data subjects immediately. In addition, all possible legal remedies against the surrender of information must be exploited. If notification is prohibited by law, the data importer must try to obtain an exemption from the government agency; this attempt is to be documented.
Further, new contents are, for example; a) possibility of other companies acceding to the SCCs major agreement; b) disclosure of information on all controllers with regard to contracts between processors; or c) specific regulation of the categories for technical and organizational measures.
IV. Course of action for companies
The new SCCs are not yet in force. The legal situation that has existed since July 2020 therefore continues to apply: the old SCCs must be concluded with the companies (providers) in third countries with government supervision (the US and China in particular) by concluding a supplementary agreement. Otherwise, data transfer must cease. If the provider has its IT infrastructure, i.e. the data center, (also) within the EU (EU option) and guarantees that all personal data is only processed there, this does not yet achieve legal conformity (see Interview from January 26, 2021), but it is a step in the right direction and reduces the likelihood of a fine.
Companies that have not yet concluded SCCs via a supplementary agreement with their third-country providers should react promptly.
As soon as the new SCCs have been issued by the EU Commission (maybe in a few weeks), they should be concluded with all contractual partners as soon as possible. Although there is a transition period of one year, we recommend that the new SCCs be concluded immediately as, until that happens, there is a risk of fines due to the above legal situation. If the contractual partner is based in the EU and acts under instruction as a processor (cloud provider, SaaS provider, IT service provider, software manufacturer, etc.), then the new SCCs (Inland) are to be used. For contractual partners based in third countries (i.e. outside the EU), the new SCCs (Third Country) are to be used while the correct module, usually Controller-Processor, needs to be selected.
Before that, according to the new SCCs (Third Country) - and according to stipulations of the supervisory authorities, even today it is necessary to assess to whether laws exist in the respective third country that allow the government to access the personal data without transparency and legal protection. Here, it is particularly important to check whether the provider in question is subject to the relevant security laws at all (in the US, for example, Section 702 Foreign Intelligence Surveillance Act). This assessment (Transfer Impact Assessment) must be documented and submitted to the supervisory authority upon request. We would be happy to support you with this assessment and documentation.
Link to article