In the ruling, the European Court of Justice invalidated the Privacy Shield as a mechanism for transferring personal data to the United States, but held that standard contractual clauses could still be used. However, the data controller must examine, before outsourcing, whether the law in the recipient country ensures an adequate level of protection for the personal data.
In the fall of 2020, the European Data Protection Board (EDPB) issued the first version of its recommendations on the transfer of personal data to countries outside the EU / EEA. The European Commission also drafted new standard contractual clauses, adapted to the GDPR and taking the Schrems II ruling into account.
In early June this year, the final version of the EDPB’s recommendations on transferring personal data to countries outside the EU / EEA was published. The final version of the European Commission’s standard contractual clauses followed before midsummer. In addition, in a decision of June 28, the European Commission approved the transfer of personal data to the United Kingdom.
Below I will comment on the impact this news has on the outsourcing of IT services.
Recommendations of the EDPB regarding the transfer of personal data to countries outside the EU / EEA
The first version of the recommendations was criticized during the public consultation as too strict and impractical. The EDPB took the comments into account, especially on the question of how the law of the recipient country should be assessed in practice.
In my opinion, the new position makes it easier to transfer personal data to countries outside the EU / EEA in connection with outsourcing. Before I comment in more detail, let me first review what the recommendations mean.
The recommendations include a “road map” describing what companies, public authorities and other entities must comply with before a transfer to a third country (and in relation to ongoing transfers), and what supplementary measures may be required for a third-country transfer to comply with the GDPR.
The steps to be followed for a third-country transfer are:
- Identify which transfers of personal data to third countries take place;
- Identify the transfer mechanism in Chapter V of the GDPR being relied on (e.g. standard contractual clauses);
- Assess whether the law or practice of the third country undermines the effectiveness of the transfer mechanism;
- Identify and adopt supplementary measures where necessary;
- Take the procedural steps required to put the supplementary measures in place;
- Re-evaluate the level of protection of the personal data transferred to the third country at appropriate intervals, and monitor whether there are any changes that could affect that level of protection.
Examples of the supplementary measures in step 4 are encryption of the personal data, for example of data stored with a cloud service provider. Another measure highlighted is pseudonymization of the personal data, which means that the personal data is not kept in clear text and additional information is required to identify the individual.
The most important change in the final recommendations concerns the assessment of the law of the recipient country and the view of how that law is applied in practice. The assessment is no longer “black or white” in the way it appeared in the previous version of the recommendations.
The focus is on how the law and practice of the recipient country affect the specific transfer of personal data in practice. For example, the recommendations explicitly give the example that a transfer of personal data to the United States may be permitted if Section 702 of the U.S. FISA does not in practice apply to the transfer in question, so that the transfer mechanism (e.g. standard contractual clauses) remains effective.
It is emphasized, however, that the assessment of the law and practice of the third country must be thorough.
Key factors in the assessment:
- Whether the law and/or practice of the recipient country applies to the data transferred and/or to the recipient;
- The outsourcing provider’s experience of data transfers, and the experience of other providers in the relevant sector;
- Whether the authorities of the recipient country have requested access to data of the kind being transferred;
- Whether, in the event of such a request, the outsourcing provider granted or refused access.
It is emphasized that the information on which the assessment is based should be relevant, objective, reliable, verifiable, and publicly available.
As can be seen, extensive work is needed to document how the law and practice of the recipient country affect the transfer of personal data in an outsourcing arrangement. It is appropriate for the outsourcing provider – which has the closest access to the information – to take part in the assessment. To get the assessment right, it is advisable to engage a lawyer who specializes in the law of the recipient country.
The softening made by the EDPB in the final version of the recommendations is welcome. In practice, the recommendations mean that it is still possible to outsource the processing of personal data to a country outside the EU / EEA.
However, before the transfer can take place, a thorough assessment must be carried out to ensure that the law or practice of the recipient country does not, for example, undermine the protection provided by the standard contractual clauses. If the assessment shows that the standard contractual clauses do not provide adequate protection because of the law or practice applied in the recipient country to similar transfers, supplementary measures (step 4) must be taken.
New standard contractual clauses of the European Commission
The new standard contractual clauses are adapted to the GDPR. Different types of transfers are collected in one document, and the obligations of the parties are divided into different modules:
- Transfer from controller to controller
- Transfer from controller to processor
- Transfer from processor to processor
- Transfer from processor to controller
The responsibilities of the parties vary depending on which module is used. The clauses are also designed so that more than two parties can use them.
Clause 14 of the standard contractual clauses reflects the EDPB’s recommendations. In the assessment, the specific circumstances of the transfer are taken into account:
- Length of the processing chain;
- Number of actors involved;
- Type of recipient;
- Categories and format of the personal data transferred; and
- Storage location of the transferred personal data.
A footnote to the clause states that if the parties wish to rely on “practical experience” of previous requests from public authorities for disclosure of data, this must be supported by other relevant, objective elements, and the parties must carefully consider whether these elements, taken together, are sufficient to support their conclusion.
The parties should in particular consider whether their practical experience is corroborated by publicly available and reliable information about public authorities’ requests for access to personal data, such as case law or reports from independent oversight bodies. The assessment should also be documented and made available to the competent supervisory authority on request.
The new standard contractual clauses can now be used in contracts being signed. However, earlier versions of the standard clauses may still be used under certain conditions, so existing contracts do not need to be amended immediately. This applies to agreements based on the previous standard contractual clauses that were signed before 27 September 2021. In those cases, the old standard contractual clauses must be replaced with the new clauses by 27 December 2022.
In practice, this means that procured contracts that use the previous standard contractual clauses as the mechanism for transferring personal data to countries outside the EU / EEA must be amended. By 27 December 2022, the previous standard contractual clauses must be replaced with the new ones. The work of transitioning to the new clauses should begin well in advance.
As a further step toward simplifying the transfer of personal data, the European Commission decided on 28 June 2021 that data transfers from the EU to the UK may continue even after the interim arrangements made in connection with the United Kingdom’s exit from the European Union have expired. The European Commission states that the United Kingdom ensures an adequate level of protection, so personal data may continue to be transferred to the UK without any special transfer mechanism, such as standard contractual clauses, being used.
Personal data processing is a large and important part of IT outsourcing contracts. Much is now being done to clarify and simplify matters for the public sector and others who want to outsource their IT operations. At the same time, the area is complex and requires careful preparation and consideration, especially when outsourcing to a supplier outside the EU / EEA.
We can expect further clarifications in the future to create a regulatory framework for balanced and predictable outsourcing.
Lawyer, Law Firm Delphi