New Standard Contractual Clauses for transfer of personal data to third countries – Legal Monitoring Letter #5

On 4 June 2021, the European Commission (“EC”) published the final implementing decision on Standard Contractual Clauses (“the transfer SCCs”) for the transfer of personal data from the European Union (“EU”) to third countries.

The transfer SCC were published in the Official Journal of the EU on the 7 June 2021 and will enter into force on the 27 June 2021. The business will have 18 months to transition to the transfer SCCs.

What does it mean for iCOVER and its third-party country located Clients?

• We are to use processor [iCOVER] to controller [Client] Module 4 approach: “The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.”

• iCOVER is to take a risk-based approach when assessing the possibility of (foreign) public authorities accessing the data under their local laws.

• iCOVER must assess the general circumstances of the transfer.

• iCOVER must assess the laws and practices of the third country of destination “relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards” and this analysis includes the evaluation of “practical experience with prior instances of requests for disclosure from public authorities”.

• iCOVER must document/store/make available to the relevant supervisory authority upon request assessments.

• The Client must review the legality of all data disclosure requests made by public authorities, and must notify the data exporter of such requests, or even forward them to the data exporter. In cases of doubt, it must challenge the requests regarding their lawfulness.

• The transfer SCC must describe the specific technical and organizational measures to be implemented by the data importer which measures must ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons.

• Many of the provisions in the transfer SCC confer rights to individuals that they are entitled to invoke although they are not a party to the underlying agreements, or the transfer SCC.

• The transfer SCC provide a termination right to the data exporter in case of certain breaches of the transfer SCC.

Key dates:

On the 27 September 2021, the decisions under which the old Standard Contractual Clauses were adopted will be repealed. Up until this date, the organizations can enter into contracts using either the transfer SCCs or the old SCCs. After that date, the old SCCs could not be used for entering into new contracts but parties who entered into contracts using the old SCCs before 27 September 2021 may continue to rely on them until 27 December 2022.

 As of 27 December 2022, the use of the old SCC will no longer be deemed to provide appropriate safeguards for a data transfer to a third country, and by then, they shall be replaced by the transfer SCC.

Overview:

– Modular approach and new scenarios

The transfer Standard Contractual Clauses combine general clauses with a modular approach based on the nature of the relationship between the parties. There are 4 modules as follows:

. Module 1: transfer controller to controller

. Module 2: transfer controller to processor

. Module 3: transfer processor to processor

. Module 4: transfer processor to controller The transfer SCCs are much more flexible covering transfer processor to processor and processor to the controller while the old Standard Contractual Clauses were limited only to the controller to controller and controller to processor transfers.

– Third party beneficiaries

According to the transfer SCCs the data subjects, as third-party beneficiaries, may invoke and enforce the SCCs against the data exporter and/or data importer (with some exceptions noted in clause 3 (a).

– Optional “docking clause”

The transfer SCCs contain an optional “docking clause” which gives an opportunity to an entity that is not a party to the Clauses, with the agreement of the Parties, to accede to them at any time, either as a data exporter or as a data importer. This means that additional controllers and processors are allowed to accede to the Standard Contractual Clauses as data exporters or importers throughout the lifecycle of the contract.

– Local Laws affecting compliance with the SCCs

The transfer SCCs require that the parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, prevent the latter from fulfilling its obligations under the SCCs.

 Furthermore, the SCCs note the elements that shall be taken into consideration by the parties in making the assessment.

– Obligations of the data importer in case of access by public authorities

Notification

The data importer shall notify the data exporter and, where possible, the data subject: (i) if it receives a legally binding request from a public (including judicial) authority under the law of the country of destination for disclosure of personal data transferred pursuant to the SCCs and (ii) if becomes aware of any direct access by public authorities to such personal data, in accordance with the law of the third country of destination.

Review the legality of the request

The data importer shall also review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority. If the review shows that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity, the data importer shall challenge the request.

On 28 May 2021, the Information Commissioner’s Office (“ICO”) opened a consultation on the first chapter of its Draft anonymisation, pseudonymisation and privacy enhancing technologies guidance for comments. The ICO will consult on the full draft guidance at the end of 2021.

The first draft chapter – Introduction to anonymisation, defines the concepts of anonymisation and pseudonymisation, explains the difference between them and notes their benefits. It explores the legal, policy and governance issues around the application of anonymisation and pseudonymisation in the context of data protection law. The chapter analyzes the following questions:

. What is personal data?

. What is anonymous information?

. What is anonymisation?

.  Is anonymisation always necessary?

.  Is anonymisation always possible?

.  What are the benefits of anonymisation?

.  If we anonymise personal data, does this count as processing?

.  What is pseudonymisation?

.  What about ‘de-identified’ personal data?

.  What is the difference between anonymisation and pseudonymisation?

.  What are the benefits of pseudonymisation?

ICO intends to continue to publish draft chapters for comments throughout the summer and autumn. The chapters will include:

.  Identifiability;

.  Guidance on pseudonymisation techniques and best practices;

.  Accountability and governance requirements in the context of anonymisation and pseudonymisation, including data protection by design and DPIAs;

.  Anonymisation and research;

.  Guidance on privacy enhancing technologies and their role in safe data sharing;

.  Technological solutions;

.  Data sharing options and case studies.

The European Data Protection Supervisor (“EDPS”) and the Spanish Data Protection Authority (“AEPD”) published a joint paper on “10 misunderstandings related to anonymisation”.

The document is aiming to raise public awareness about these misunderstandings and explains some facts and details regarding the anonymisation.

Below are 2 of the most common 10 misunderstandings:

1. “Pseudonymisation is the same as anonymisation” – False!

“Pseudonymisation is different from anonymisation.”

Pseudonymisation – the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. However, the use of “additional information” can lead to the identification of the individuals.

Anonymisation – the data cannot be associated to specific individuals, they are no longer identifiable.

2. “Encryption is anonymisation” – False!

“Encryption is not an anonymisation technique, but it can be a powerful pseudonymisation tool.”

Encryption – secret keys are used to transform the information in a way that reduces the risk of misuse, while keeping confidentiality for a given period of time. The transformations applied by encryption algorithms are designed to be reversible (decryption). The secret keys used for decryption are the aforementioned “additional information”, which can make the personal data readable and, consequently, the identification possible.