Convention 108+: The Council of Europe Releases Model Contractual Clauses
for Global Data Transfers
On June 27, 2023, the Council of Europe announced the
adoption of its
first module of the Model Contractual Clauses for cross-border data
transfers based on the Protocol amending the Convention for the Protection of
Individuals with Regard to Automatic Processing of Personal Data (Convention
108+). These model clauses aim to regulate data flows between data controllers
and are recommended for adoption by competent authorities.
Background: Convention 108+
Convention 108 was the first binding international instrument protecting
individuals’ data rights. It influenced modern data protection laws
such as the GDPR and established core principles around data transfers.
Convention 108+ modernized the framework to address emerging privacy
challenges, strengthening principles like data minimization and introducing
obligations for data breach reporting. Under Convention 108+, the transfer of
personal data to countries outside the jurisdiction of the parties must comply
with specific conditions. These conditions include obtaining the consent of the
data subject, ensuring appropriate safeguards for data protection, and
respecting the rights of the individuals involved.
Model Contractual Clauses – easier route to compliance
Model clauses provide a ready and cost-effective solution to comply with
regulatory requirements, while ensuring that personal data attracts the same
level of protection when transferred to another country.
The MCCs aim to achieve convergence among different regions that already
possess similar mechanisms (such as EU Member States, Latin America, ASEAN
countries, and national laws), while also serving as a streamlined approach to
ensure essential safeguards.
Transfers between EU Member States and countries deemed by the EU to have
sufficient data protection regulations, such as the UK, Japan,
or South Korea, will not require the use of MCCs. Where the MCCs will be most useful
is for transfers of data between Convention 108+ members outside the EU and the UK
(which already have the EC SCCs and the UK IDTA) and countries that are not party to
the Convention. Any country deemed adequate by the EC would also be outside the use
of the MCCs. For instance, on 10 July 2023, the European Commission adopted the
EU-US Data Privacy Framework, which enables unrestricted movement of data for
participating organisations.
What do the MCCs say?
The MCCs can be included in broader contracts or used as standalone
provisions. They may also be combined with additional safeguards, as long as
they do not contradict the model clauses, applicable law, or infringe upon
human rights and fundamental freedoms recognized in Convention 108+. These
clauses cover various aspects, including data security, onward transfers, data
processing principles, data subject rights, and obligations related to
governmental access to personal data.
The governing law for the model clauses is determined by the
country of the data exporter (controller who is a party to the Convention 108+)
unless third-party beneficiary rights are not allowed in that country. The
rights and obligations of the parties involved are outlined in accordance with
contractual principles, ensuring compliance with data protection standards.
Finally, the clauses provide for jurisdiction of a supervisory authority of the
data exporter.
The data protection safeguards outlined in the MCCs
incorporate the principle of due diligence, placing the responsibility on the
receiving party to implement suitable technical and operational measures to fulfil
their obligations. In Annex 3 of the MCCs, the data importer is mandated to
furnish specific information concerning these safeguards. Further provisions
include data minimization, limited retention period and purpose limitation.
What’s next?
Well first, Convention 108+ needs to enter into force, as it has not yet
been ratified by the necessary 38 countries. Next, the current MCCs will be further complemented by two additional
modules due to be issued in the near future. These forthcoming modules are
expected to expand the scope and applicability of the clauses.
It’s important to note that the MCCs require pre-approval by competent national
authorities to be transposed into national and regional transfer instruments
and mechanisms for data controllers. The acceptance of these clauses by
competent authorities will play a crucial role in ensuring their effective
implementation and adoption.
European Commission adopts EU-US Data Privacy Framework
The European Commission issued the long-awaited adequacy
decision for the new EU-US Data Privacy Framework on July 10, 2023. The Court
of Justice of the European Union had previously invalidated both the US-EU Safe
Harbor in 2015, and the US-EU Privacy Shield in 2020 after challenges by
Austrian privacy activist Max Schrems (CJEU decisions known as Schrems I and Schrems
II, respectively). Following those decisions President Biden signed Executive
Order 14086 on “Enhancing Safeguards for United States Signals Intelligence
Activities”, which introduced new binding safeguards.
The Principles
The privacy principles contained in Annex I of the Framework
(Principles) remain the same as under the Privacy Shield. These are:
- Notice: which focuses on providing individuals with transparency about how their
personal data will be processed and how to exercise their rights of
access, objection, rectification, and erasure, among others.
- Choice: which allows individuals to choose whether their personal data is
disclosed to third parties and whether it may be used for purposes
different from those for which it was originally collected and authorised
by the individuals.
- Accountability for onward transfer: which limits transfers of personal data to third
parties to specified purposes and where there is the same level of protection
under the Principles.
- Security: which requires personal data to be protected from loss, misuse,
unauthorised access, disclosure, alteration, and destruction.
- Data integrity and purpose limitation: which requires that processing be
fair and lawful and used for specific purposes.
- Access: which grants individuals the ability to correct, amend, or delete
inaccurate data or data processed in violation of the Principles.
- Recourse, enforcement, and liability: which requires organisations to be
monitored by and cooperate with supervisory authorities.
Which companies are in scope?
Under the Framework, organisations may self-certify by submitting an
application and accompanying documents to the US Dept. of Commerce showing
their adherence to the Principles. Only those organisations under the authority
of the US Federal Trade Commission or the Department of Transportation may
self-certify. For example, banks and insurers are not included. The Principles
apply immediately upon certification, and organisations are required to
re-certify annually. Certified organisations will be listed in a public list
(Framework List). In
a statement issued on July 10, 2023, the DOC stated that it expects that
the new Framework site will be up and running sometime in the next few days.
Certification under the Framework requires organisations to publicly declare
their commitment to comply with the Principles, publish their privacy policies
and fully implement them. In addition, organizations must provide a description
of purposes of processing personal data to the DOC, identify the scope of
personal data covered by the certification, verify their compliance and
designate an independent recourse mechanism as well as the statutory body
empowered to enforce compliance with the Principles.
Monitoring and enforcement
The DOC will monitor compliance with the Framework and carry out random
spot checks as well as investigate potential compliance issues, such as when
reported to the DOC by third parties. Organisations that persistently fail to
comply with the Principles will be removed from the Framework List and must
return or delete the personal data received under the Framework.
Other data transfer mechanisms
The EC also clarified in its Q&A on the Framework that the new
safeguards that were put in place under Executive Order 14086 apply to all data
transfers to the US. The new safeguards thus facilitate other data transfer
mechanisms, such as transfers based on Standard Contractual Clauses and binding
corporate rules. Organizations will have to update their Transfer Impact
Assessments in light of the new US safeguards. An update of the SCCs will
usually not be required.
What’s next?
Schrems III?: Max Schrems has already announced
that he plans to challenge the Framework. Despite the EC’s adequacy
decision, there is no legal certainty as to whether the Framework will survive
a challenge before the CJEU. It could be invalidated, like its two
predecessors, or be upheld as an adequate mechanism, as is the case with the
standard contractual clauses and binding corporate rules. Given the nearly 100%
likelihood of a challenge to the Framework, organisations may wish to take a
wait and see approach. Alternatively, eligible organisations may self-certify
so that they may benefit from unencumbered transatlantic data transfers. Either
way the next step is critical.
Choose the appropriate mechanism: Organisations
involved in data transfers to the US should assess what is their preferred and
most appropriate data transfer mechanism. For some organizations a
certification for the Framework in the US will be best; others might prefer
relying on the SCCs plus the new US safeguards.
For EU data exporters: EU data exporters should check their agreements
with US data importers and request information on whether current data transfer
mechanism will continue to be used going forward and whether there will be
changes to any subprocessors or onward transfers. Further, EU data exporters
must prepare to update their transfer impact assessments and, if the data
transfer mechanism is changed to the Framework, amend privacy policies/notices,
records of processing activities, and information in cookie consent tools. Data
exporters should also check if tools or solutions that could not be used in the
past due to data transfers issues may now safely be used.
For US data importers: US data importers should be prepared for
questions from their EU data exporters about exploring a change from their
existing data transfer mechanism to the Framework. The FTC has published
requirements and procedures on https://www.dataprivacyframework.gov/s/.
Outlook: It is certainly good news that the EC has issued its adequacy
decision in relation to the Framework and has done so earlier than expected.
Further good news is that EU organizations will have fewer obstacles when doing
business with US organizations. It should also provide renewed confidence for
US organizations that receive transfers of personal data from their EU-based
subsidiary and affiliates. That good news must be tempered, however, given
Schrems’ upcoming challenge to the Framework, as it will be up to the CJEU to
determine whether Biden’s Executive Order 14086 and the respective safeguards
are enough to survive the challenge. If we were inclined towards betting, we
would, together with the US and EC, back the Framework as being here to stay.
UK-US data bridge: Advancing Data Flows and Privacy
On 8 June 2023, the UK Secretary of State for Science,
Innovation, and Technology, and US Commerce Secretary jointly announced the
intention to establish a UK-US data bridge.
The proposed data bridge between the UK and the US would build upon the EU-US
Data Privacy Framework (DPF) as the UK Extension allowing free transfers of
personal data from the UK to organisations in the US certified under the EU-US
DPF. It is contingent on the UK’s assessment of US data protection laws and
practices, as well as the US designation of the UK as a qualifying state.
Safeguarding Data: Transfer Mechanisms in the UK-US Context
Currently, businesses wanting to transfer personal data from the UK need to
navigate between layers of legal and regulatory requirements. Following Brexit,
the UK introduced the GDPR as domestic law (UK GDPR) but added its own data
transfer mechanisms. Transfers of personal data from the UK to a third country
need to comply with safeguards set out in Article 46 of the UK GDPR. This can
be achieved, among other options, by incorporating the International Data
Transfer Agreement (a UK version of the Standard Contractual Clauses) into
commercial agreements or as a standalone agreement. If organisations are
already signing the EU Standard Contractual Clauses (SCCs) and the UK is one of
the territories the personal data is transferred from, a UK Addendum to the EU
SCCs can be used for efficiency.
Binding Corporate Rules (BCRs) are another mechanism for multinational
organizations to transfer personal data within their corporate group globally.
Post-Brexit, BCRs need to be approved by the Information Commissioner’s Office
(ICO) to facilitate data transfers from UK entities, unless the ICO
acted as a lead authority for BCRs approved pre-Brexit.
Organisations also need to complete a Transfer Risk
Assessment (TRA) for transfers from the UK or EU, which is required to evaluate
local laws of the third country in connection to government access to personal
data.
The proposed UK-US data bridge aims to simplify data
transfers from the UK for those US organisations that will sign up to the EU-US
DPF.
Whilst the large volume of transatlantic data flows
signifies an urgency for a UK-US data bridge, it is still at a very early stage
and clarity is needed regarding the scope, criteria and requirements for
participating organisations.
What’s next?
The EU-US DPF remains under scrutiny by the European Parliament. The UK-US
data bridge is dependent on the development of negotiations on the EU-US DPF,
expected to be finalized in summer 2023. Both the UK and US aim to finalize the
agreement in 2023.
Contributors
Model 108+ clauses: Cynthia O’Donoghue, Alicja Lysik
Data Privacy Framework: Cynthia O’Donoghue, Asélle Ibraimova, Dr Andreas Splittgerber, Christian Leuthner, Friederike Wlde-Detmering & Sven Schonofen
UK-US Data Bridge: Asélle Ibraimova, Alicja Lysik
This article has been adapted from posts originally
published on Reed Smith’s Technology Law Dispatch blog and they have kindly
agreed to allow us to republish them here.