On 4 June 2021, the European Commission published the highly anticipated new Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries. These new SCCs will come into effect on June 27th, 2021, and companies will have 18 months from that date to implement new contracts.
If your data transfers rely on SCCs, now is a great time to assess whether you need to update your contracts and identify whether you can still rely on SCCs for these transfers. Part of this analysis will include conducting a Transfer Impact Assessment (TIA) to see if transfers of data to that third country can continue.
The New SCCs
If you are familiar with the previous SCCs, the new SCCs will take a minute to adjust to.
With the new modular process, companies will now have to assess which modules apply to their situation. But that’s not all that’s new – both parties must now provide guarantees that the laws and practices in the third country will not prevent the receiver from meeting its obligations under the SCCs, and must have the documentation to prove it.
This was not a surprising development in the post-Schrems II world, and many companies have already started analysing their transfers to ensure compliance with the landmark ruling. Now, the new SCCs have codified this assessment as a contractual requirement and outlined what the assessment should consider.
Transfer Impact Assessments in practice
The focus of the TIA is to ensure that the laws in the third country, including surveillance laws, do not prevent the individual from exercising their rights – including their privacy rights (to access their data or have their data deleted) and their right to redress if their data is breached or otherwise misused. Essentially, the rights that are guaranteed to them when they entrust you with their data must be respected in everything that you do with that data.
TIAs document that you have considered the ability of governments and other public authorities (particularly national surveillance agencies) to snoop on the data you send out of Europe, and that you can provide evidence that the data you transfer will not be subject to these practices.
The European Commission and European Data Protection Board have outlined that your TIA should address the following:
1. The specific circumstances of the transfer
The first step is to know what data you are transferring and why, where it’s going, and who is receiving it. For example, if you transfer data to a service provider, you need to know where they are located and whether they are going to send it to other countries.
2. The relevant laws and practices of the third country and how they work
With help from the company in the third country, you will need to understand the laws around national surveillance and other monitoring practices by the government and other authorities in that country. The Commission recommends that case law and the experiences of the company in that third country be taken into account as well, because even though a law may be in place, this may not mean that it is exercised in practice. It should be noted that subjective factors, such as the experiences of the receiving company, cannot be the only factors considered, and must be weighed against objective factors, such as case law. You should also consider whether governments have previously requested access to data in your sector, and whether the laws in question are sector-specific.
3. Additional safeguards
If your analysis of the third country shows that the measures included in the SCCs are not sufficient to protect the transferred data from snooping, consider whether additional contractual, technical and organisational measures can be implemented. For example, if the data is being stored in a third country but is encrypted to a level beyond that government’s decryption capabilities, then the transfer can continue.
4. Make a decision
Once you have finished your TIA, you will need to determine whether the measures protecting the transfer, with additional safeguards (if required), are enough. Unfortunately, if you find that they are not, then the transfer must cease and another service provider should be found.