This week has seen quite a lot of commentary concerning Standard Contractual Clauses (SCCs) and the possible need to augment them with additional safeguards when transferring personal data to a Third Country.
The problem has arisen because the Schrems II judgement (see references) viewed the SCCs as providing only a baseline of Data Protection safeguards. It suggested that the controller and processor should implement further safeguards if required, and that if those additional safeguards could not be implemented, the transfer to the Third Country should not occur.
The problem is the “if required” (i.e. “what should a controller/processor consider in order to assess when such additional safeguards are needed?”). My answer is to look to the DPA1998 transfer provisions, and this blog explains why this helps.
I should add that this blog is not limited to SCCs; any transfer mechanism for personal data to a Third Country (e.g. BCRs) could be affected by the “if required” additional safeguards, including transfers that rely on a derogation in Article 49. This is because the data protection issues associated with any transfer of personal data go far wider than the transfer itself (i.e. a derogation in Article 49, if used, does not negate any security or transparency obligation).
Additionally, in the UK where SCCs for controller (UK) to controller (Third Country) are implemented, remember there should be a data sharing agreement which should include many of the items discussed in this blog (as well as other requirements identified in the ICO’s Code of Practice on Data Sharing – when it is finally published).
This blog could become more important given the current “no agreement” position between the EU and UK, as the SCCs are likely to be used to legitimise transfers between the EU and UK.
An assessment of adequacy under the DPA1998
Those with memory of the DPA1998 will remember that a controller could assess the adequacy of protection in a Third Country by considering a number of factors. It is these factors that are relevant to identifying when additional safeguards may be required to augment the SCCs.
These factors were set out in the interpretation of the Eighth Principle of the DPA1998 (paragraph 13 of Schedule 1); I quote them below (“in italics”) with a Comment that illustrates the actions a controller or processor should take.
A controller/processor can assess whether SCCs need augmenting with additional safeguards by having regard to the following:
(a) “the nature of the personal data”. Comment: List the categories of personal data transferred. Are the personal data confidential, or do they comprise special category personal data or criminal offence personal data?
(b) “the country or territory of origin of the information contained in the data”. Comment: identify any Third Country where the personal data came from; remember that “obtaining” is a processing operation and needs an Article 6 lawful basis (and an additional Article 9/Schedule 1 condition if the personal data are of a special or criminal category).
(c) “the country or territory of final destination of that information”. Comment: identify any destination Third Country including any Third Country where the personal data are in transit. Remember that “transfer” is a processing operation and needs an Article 6 lawful basis (and if special category or criminal offence personal data are transferred, a condition in Article 9 or Schedule 1 of the DPA2018 to permit the transfer).
(d) “the purposes for which and period during which the data are intended to be processed”. Comment: remember that the transparency requirements (e.g. in Article 13 or Article 14) apply with respect to the purpose of the processing (as do the four Article 5 Principles that explicitly refer to the purpose of the processing). Document how long the personal data are kept in that Third Country and explain why that retention is “necessary”. Check this against the Article 30 Register of processing activities.
(e) “the law in force in the country or territory in question”. Comment: identify when the law enforcement or national security agencies in the Third Country can gain access to personal data in that Third Country. Does such access use procedures or powers that operate in secret (e.g. where the controller cannot challenge the access via an independent judicial process)?
(f) “the international obligations of that country or territory”. Comment: has the Third Country implemented data protection legislation that is based on the OECD or APEC Guidelines? Has the Third Country signed up to the Council of Europe Convention No 108? What is the approach to Human Rights in general in that Third Country?
(g) “any relevant codes of conduct or other rules which are enforceable in that country or territory”. Comment: examples include ISO27002, ISO27701, any national or state data protection law which is not based on the OECD or APEC Guidelines or CoE Convention No 108 (e.g. CCPA in California), or any specific cyber/IT security law (e.g. in India).
(h) “any security measures taken in respect of the data in that country or territory”. Comment: can the personal data be encrypted or pseudonymised? Check how the requirements of the Security Principle and Article 32 etc. are met and documented (e.g. to conform with the standards/laws identified in (g) above). I would also include the Processor and data breach reporting requirements of the GDPR.
(i) anything else? Comment: is there an independent regulator or a judicial process which can protect the interests of the transferring controller or the data subjects? How is any accountability requirement to be documented?
When NOT to transfer
So when are the scales tipping in the direction of NOT transferring personal data to a Third Country?
I think the answer is when there is a combination of the following:
- the personal data are especially sensitive or the purpose of the processing is controversial;
- there are no enforceable safeguards available to data subjects;
- the controller does not have an Article 6 lawful basis for the transfer (or when the controller cannot find a condition or authorisation in Articles 9, 10 or Schedule 1 of the DPA2018 if a condition or authorisation is needed);
- the controller has reservations about the reaction of data subjects when they are informed of the transfer via the transparency arrangements;
- there is no applicable data protection, privacy or IT security law or independent appeals process (e.g. via a Regulator or judicial process) in a Third Country;
- the security of the processing or personal data is suspect in a Third Country, or
- the law enforcement agencies of the Third Country can act in secret or at the whim of an Interior Minister or President (who may or may not be a genius).
Hope this helps.
Upcoming Data Protection Courses (in Autumn)
Obviously COVID19 has put a spanner in the training works, but the following courses are scheduled for the Autumn now lockdown is unlocked (fingers crossed).
All courses lead to the relevant BCS qualification:
- Data Protection Practitioner: London, Starts Sept 22 (6 days)
- Data Protection Foundation: London, Oct 13-15 (3 days)
- Data Protection Practitioner: Edinburgh, Starts Nov 23 (5 days)
Full details on www.amberhawk.com or by emailing [email protected]
References
My previous blog about the Schrems II decision contains a link to all relevant references (at the end of the blog): https://amberhawk.typepad.com/amberhawk/2020/07/schrems-ii-takeaways-accountability-in-privacy-shield-out-uks-adequacy-determination-at-risk.html