Renovation on the Security Line of GDPR with SCCs

Author: Shahlar Ibadzade, LLM in Saarland University: Europa-Institut – European and International law, 2019-2022, e-mail: [email protected]

Editor: Bobbie Smith, MA Geography University of Aberdeen 2016-2020 / Graduate Diploma in Law University of Exeter 2020-2022, e-mail [email protected]

Abstract

One of the most serious concerns of the previous century was that no EU member state had effective data protection regulations. In this article, the new data protection law known as the General Data Protection Regulation (GDPR), and its incremental improvement over the years to protect personal data, will be presented and evaluated.

The GDPR primarily regulates the transfer of personal data, which means that legal entities have no place in the sphere of personal data; only natural persons fall under the law on personal data. In this regard, the primary safeguard mechanisms are discussed, with a particular emphasis on SCCs, a collection of legal terms pre-approved by the European Commission.

Nowadays, parties who engage in international data transfers can include the SCCs in their contracts. However, there are new SCCs applicable to both exporters and importers of personal data, which should be mentioned. The review of the Schrems II decision of the Court of Justice of the European Union (CJEU) and its effect on SCCs, the GDPR provisions pertaining to foreign data transfers, and the new requirements for data exporters and importers form the core of this article.

Despite the updated SCCs and the additional security measures, information can only be transmitted to a third country if the data is safeguarded from significant government access. Even with the new security measures, this remains the current situation. In addition, the article maintains that the modified SCCs are insufficient to resolve the problem entirely. That is why data exporters must exercise increased vigilance when selecting recipients in the third country and assembling documentation. In turn, the insufficient points and the new modifications, together with notes on the future, are detailed. Briefly, all parties are asked to provide explicit assurances and warranty statements regarding the security of personal data.

INTRODUCTION

According to the findings of research conducted throughout the 1980s and 1990s, the advancement of information technologies posed several legal challenges for the countries that make up the EU. One of the most significant problems was that none of them had adequate data protection laws. In addition, the national laws and regulations that did exist were not always consistent or compatible with one another. In the end, the European Union, which will be referred to hereafter as “the EU,” took action and established minimum requirements with the following goals in mind:

  1. aligning all of the member states of the EU,
  2. making it more straightforward for data to travel across EU borders, and
  3. ensuring that all member states comply with Data Protection Directive 95/46/EC.

The new data protection act, known as the General Data Protection Regulation (“GDPR”), was likewise refined over the years to keep pace with the free flow of information across the European Union and with changing times.

1. The second line of defence by the GDPR

1.1. What defence mechanisms does the GDPR provide international transfers with?

In our day-to-day lives, the transmission of data results in a significant amount of personal data[1] leaving the EU and being sent to other parts of the world. Before delving further into the topic of protecting personal data, it is important to state unequivocally that there is no place for legal persons in the realm of personal data: the GDPR’s scope only includes natural persons, as stated in Article 1 of the GDPR. Returning to the subject at hand, the use of foreign vendors and the distribution of personal data within a group located outside the EU are both activities that are subject to the rules the GDPR applies to the international transfer of personal data. In accordance with Article 46 of the GDPR, a controller[2] or processor[3] is only permitted to transfer personal data to a third country outside the EU or to an international organisation if it provides appropriate safeguards for the data, and if enforceable data subject rights and effective legal remedies are available to the data subjects. As highlighted in the GDPR, there is a specific list of appropriate safeguard measures. The list consists of:

  1. a legally binding and enforceable law between public authorities,
  2. binding corporate rules,
  3. standard contractual clauses adopted by the EU Commission,
  4. standard data protection clauses adopted by a local supervisory authority and approved by the EU Commission,
  5. an approved code of conduct,
  6. an approved certification mechanism.[4]

When the period of new amendments to the GDPR began in 2018, the European Commission updated the above-mentioned safeguard measures, and the Standard Contractual Clauses (“SCCs”) became the most popular method to use when the receiving country does not offer a degree of data protection comparable to the GDPR.

1.2. The importance of the SCCs for the 2nd line of defence

SCCs are a collection of legal terms that the European Commission has pre-authorised. From time to time, they are also referred to as “model contracts”. Briefly, if parties want to engage in international data transfers, they need to include these clauses in their contracts, and this applies to both exporters and importers of personal data. After the modifications that were made to the SCCs, there are four different modules, depending on the status of the data exporter and importer. Two modules of the SCCs cover personal data transfers from an EU data controller to a non-EU or non-EEA data processor and/or controller, while the other two modules cover personal data transfers from an EU data processor to a non-EU or non-EEA data processor and/or controller.[5]

Moreover, the SCCs are helpful in a variety of contexts. For instance, if an Italian corporation would like to outsource its database processing to an American IT company, it may employ the SCCs between a controller and a processor. Or, to communicate with a hotel in San Francisco about a reservation, a Dutch travel agency could use another SCC module between these two controllers.[6]

The establishment of rights for the individuals whose personal data is transferred by companies, and the provision of mechanisms by which those individuals may enforce their rights directly against data exporters and importers, are two of the primary goals served by the SCCs. Although companies are required to adopt the SCCs in their entirety and cannot make any changes to them, signatories are permitted to include addendums that establish the data transfer conditions more precisely. As an illustration, the European Commission provides both templates of the SCCs and the other relevant documents as addendums for further use.[7]

2. A new era for standard contractual clauses

2.1. Where did the update of the SCCs come from?

The use of the SCCs has become more complicated due to the decision of the Court of Justice of the European Union (“CJEU”) in the case of Schrems II.[8] The Schrems II case has shed light on the drawbacks that the SCCs have. One shortcoming of the SCCs was that they cannot prevent the mandatory access that public authorities have to individuals’ personal data. Because the SCCs are unable to prohibit valid requests for data by foreign governments, the CJEU, the Commission, and the EDPB have placed a greater obligation on data exporters to provide adequate protection through supplementary measures (organizational, technical, and others). However, in the end, decision-makers need to acknowledge that there are reasonable limits to what business actors can do concerning valid government requests, particularly those addressing matters of national security.

All in all, this decision clarified the rules of the GDPR pertaining to international transfers and imposed new obligations on data exporters and importers. The ruling in Schrems II invalidated the EU-US Privacy Shield, which was intended to regulate the flow of personal data between the EU and the USA. Meanwhile, the CJEU confirmed the legitimacy of the SCCs as a valid transfer mechanism, but it did observe that supplementary measures may be required to offer adequate protection, depending on the laws and regulations of the importing country.[9] Additionally, the ruling brought attention to the responsibilities of data exporters when working with non-EU suppliers or on intra-group transfers that include a non-EU component. In conjunction with the fact that the previous SCCs were somewhat outdated, this has resulted in the need for a new SCC mechanism to be developed.[10]

2.2. Which novelties did the new SCCs bring?

In accordance with the modifications regarding the SCCs, companies that either have global supply chains or intend to utilise offshore resources are required to complete Transfer Impact Assessments (often abbreviated as “TIA”) and to comply with the new SCCs for each transfer they make. This requirement applies to both types of businesses. Before transmitting personal data to a third country, each data exporter must conduct and record a TIA to analyse the risks associated with the data processing and the procedures necessary to reduce those risks.[11] The new rules implemented for the SCCs stipulate that controllers are obligated to conduct legal research on the recipient country and determine whether or not the GDPR requirements can be met by the entity importing the data. The Commission provided for a transition period for businesses that had signed up to the older SCCs prior to 27 September 2021: these businesses are able to keep their contracts in effect until 27 December 2022. Beyond that deadline, however, all businesses that transmit personal data outside the EU must have repapered their SCCs, and this requirement applies only to enterprises that transfer data internationally.

It should not be surprising that the new SCCs employ a risk-based policy when it comes to international transfers. This means that data importers can evaluate the risk of their data being available to government agencies, which ensures that the first set of SCCs covers international transfers; likewise, data exporters can evaluate the danger of their data being accessible to government agencies. The clauses refer to “data exporters” and “data importers,” respectively: the former provides data to the latter, and the latter collects, stores, and/or analyses the data received from the former. The new SCCs consist of four sections:

  • Section I contains the general introductory provisions and the docking clause. It covers topics including the purpose of the SCCs, invariability, interpretation, and third-party beneficiaries.[12]
  • Section II sets out the obligations of the parties.[13] This section contains the essential data protection safeguards, as well as the rules governing sub-processors, monitoring, and other responsibilities.
  • Section III covers local laws and public authority access. It addresses the local laws and practices that affect the SCCs, as well as the obligations of the parties in the event that a public authority is granted access.
  • Section IV contains the final provisions, including non-compliance, termination, and the law governing the agreement. It makes clear the consequences of the parties not adhering to the SCCs, as well as the choice of venue and jurisdiction.[14]

Conclusion

Foremost, even with the updated SCCs and the newly detailed security measures, there is no means of exchanging information with a third country if the data is not protected against significant access by government bodies. Despite the new details of the security measures, this barrier remains. In addition, the revised SCCs are not able to solve the issue in its entirety by themselves. Consequently, data exporters will have to exercise a higher level of caution going forward when selecting recipients in the third country and compiling documentation. As such, cooperation between both parties is fundamental to providing specific assurances and warranty statements relating to the security of personal data.

[1] According to article 4(1) of GDPR, personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

[2] The term “controller” refers to a natural or legal person, local authority, organization, or other institution that chooses, on their own or in collaboration with others, the purposes and means for processing personal data under GDPR Article 4(7).

[3] Under Article 4(8) of GDPR, a natural or legal person, government body, or other organization that processes personal data on behalf of the controller is referred to as a “processor.”

[4] Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016], art 46.2.

[5] EU Commission, “Questions and Answers for the two sets of Standard Contractual Clauses”, (25 May 2022); <https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en> accessed on 29 November 2022

[6] ITIF Foundation, “The Role and Value of Standard Contractual Clauses in EU-U.S. Digital Trade”, (December 2020); <https://www2.itif.org/2020-standard-contractual-clauses.pdf> accessed on 29 November 2022

[7] Ibid.

[8] Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, [16 July 2020]; <https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en>

[9] Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, [16 July 2020]; <https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en>

[10] ITIF Foundation, “The Role and Value of Standard Contractual Clauses in EU-U.S. Digital Trade”, (December 2020); <https://www2.itif.org/2020-standard-contractual-clauses.pdf> accessed on 29 November 2022

[11] Data Guidance, “International: How are companies dealing with transfer impact assessments in practice?”, (14 July 2022); <https://www.dataguidance.com/opinion/international-how-are-companies-dealing-transfer#:~:text=A%20TIA%20is%20a%20process,data%20to%20a%20third%20country> accessed on 29 November 2022

[12] National Law Review “New Standard Contractual Clauses Under the GDPR”, (9 August 2021); <https://www.natlawreview.com/article/new-standard-contractual-clauses-under-gdpr> accessed on 29 November 2022

[13] European Commission, “Standard Contractual Clauses for International Transfers”, (4 June 2021); <https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en> accessed on 29 November 2022

[14] National Law Review “New Standard Contractual Clauses Under the GDPR”, (9 August 2021); <https://www.natlawreview.com/article/new-standard-contractual-clauses-under-gdpr> accessed on 29 November 2022


This article is written within the Academic Essay Project (AEP) organised by LAWELS. AEP aims to increase the number of quality academic writings on legal topics, encourage young lawyers to participate in academic writing, and lay the foundation of an online database on legal science. The team of legal editors and legal writers share their knowledge through high-end essays that we are publishing on our website and social media accounts for the world to read and learn from.

The articles on the LAWELS platform are not, nor are they intended to be, legal advice. You should consult a lawyer for individual advice or assessment regarding your own situation. The article only reflects the views of the author.