As is well known, when disclosing personal data to recipients in a state without an adequate level of data protection, it is no longer sufficient to conclude the standard contractual clauses (SCC) alone. In the Schrems II judgment, the ECJ instead required an examination of whether the local law of the recipient (or recipients) undermines the effectiveness of the SCC. The European Data Protection Board has published Recommendations that propose a six-step approach for the exporter. Step 3 consists of the corresponding risk assessment:
A third step is to assess if there is anything in the law and/or practices in force of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.
However, access rights under the recipient’s local law are not always problematic: even in countries with developed legal protection, certain authorities can of course access data. Only those potential accesses that disregard certain core guarantees are questionable. The European Data Protection Board has summarized these guarantees in the “Recommendations 02/2020 on the European Essential Guarantees for surveillance measures”:
7 The aim of the updated European Essential Guarantees is to provide elements to examine whether surveillance measures allowing access to personal data by public authorities in a third country, being national security agencies or law enforcement authorities, can be regarded as a justifiable interference or not.
The FDPIC, which has adopted this view, has set out analogous requirements in its Guidance for the examination of the admissibility of data transfers with a foreign connection (pursuant to Art. 6 para. 2 lit. a FADP): any access by local authorities must be checked for compliance with four core guarantees.
A corresponding check is not only a requirement of substantive data protection law but also a contractual requirement (with third-party protective effect) of the new standard contractual clauses, which the FDPIC has recently recognized, subject to certain conditions, also for exports under the FADP. Clause 14 of the new SCC provides, for all four modules:
(a) The parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of personal data by the data importer, including requirements for the disclosure of personal data or measures authorising access by public authorities to this data, prevent the data importer from fulfilling its obligations under these clauses. This is based on the understanding that legislation and practices that respect the essence of fundamental rights and freedoms and do not go beyond measures that are necessary and proportionate in a democratic society to ensure one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679 do not conflict with these clauses.
(b) The parties declare that, with regard to the warranty in point (a), they have given due consideration in particular to the following aspects: […]
This risk assessment before foreign transfers – the “Transfer Impact Assessment” – must take into account whether data is located abroad or is accessible from abroad. In the case of the USA, this boils down to the question of whether
- a company is subject to U.S. jurisdiction,
- it is subject to problematic legislation (first and foremost FISA Section 702), i.e. whether it is an “electronic communication service provider” within the meaning of § 1881(b)(4) of FISA,
- this company can access the data,
- such data relates to persons outside the United States (§ 1881a(a) FISA),
- and how likely such access is, which depends, among other things, on the technical measures taken, but also on the appetite of a local authority to access the data concerned via the problematic legislation.
For this test, David Rosenthal recently published a form, which the IAPP has now adopted and published in turn.
It should be noted that the examination for data subject to a special duty of secrecy (i.e. a professional secrecy; Art. 35 FADP/Art. 62 revDSG is not sufficient) is somewhat different. If one assumes that every access by a foreign authority fulfils the objective elements of disclosure – which is not always the case – then the risk of any such access must be examined in the first place, not only of access that violates the core guarantees. Here – but only here – provisions based on or modelled on Art. 18 of the Cybercrime Convention are relevant, e.g. the US Stored Communications Act (SCA, as amended by the US CLOUD Act). For this broader examination, too, David Rosenthal has provided a form, which the IAPP has adopted.