Update on European Data Protection Law
In mid-January 2021, the European Data Protection Board (EDPB) announced by press release that it has adopted, jointly with the European Data Protection Supervisor (EDPS), written Opinions on the European Commission’s drafts for new standard contractual clauses according to Art. 46 of the General Data Protection Regulation (GDPR) and Art. 48 of the European Union Data Protection Regulation (EUDPR). In the near future, there will be two new sets of standard contractual clauses: one for the transfer of personal data between controllers and processors within the European Union/European Economic Area (EU/EEA), and another for the transfer of personal data to third countries outside of the EU/EEA.
The publication of the Joint Opinions is taken as an opportunity to give a short overview of the latest developments in European data protection law and a prediction of what is to come, with a particular focus on the health sector.
LEGAL BASIS AND SIGNIFICANCE OF THE JOINT OPINIONS
On 12 November 2020, the European Commission (Commission) published two drafts of standard contractual clauses (SCC). The first SCC draft shall update the SCC currently in place, covering the transfer of personal data to third countries outside of the EU/EEA independently of whether only controllers, only processors, or one or more controllers and processor(s) are involved (Non-EU SCC). The second draft is an entirely new set of SCC aiming to provide, on the EU level, substantive and procedural rules for the data transfer between controller and processor within the EU/EEA (EU SCC) (jointly New SCC). The EU SCC are based on Art. 28 para. 7 of the Regulation (EU) 2016/679 (GDPR) and Art. 29 para. 7 EUDPR. The Commission used these enabling provisions for the first time; until now, SCC have existed only for the transfer and processing of personal data outside of the EU/EEA.
In the context of the New SCC, the Commission has requested the EDPB and EDPS to consult on the New SCC drafts according to Art. 42 para. 2 EUDPR by commenting and giving advice on whether and how they might be improved. The EDPB and EDPS published their joint opinions in mid-January 2021 (Joint Opinions); they are available on the EDPB website.
BACKGROUND AND THE LATEST DEVELOPMENTS AS TO THE NEW NON-EU SCC DRAFTS
The planned update of the Non-EU SCC should be seen in the context of the latest developments in the area of European statutory as well as case law on data protection:
The transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if (i) the data processing is legally justified and (ii) the transfer – including onward transfers of personal data from the third country or an international organisation to another third country or international organisation – takes place on the basis of one of the safeguards laid down in the GDPR (Art. 44 et seqq.) or the EUDPR (Art. 46 et seqq.). SCC are considered one of the possible safeguards for transferring personal data to third countries in compliance with the legal standards and requirements of European data protection law (Art. 46 para. 2 c GDPR, Art. 48 para. 2 b EUDPR).
The current sets of SCC were issued in 2001 and 2004 and then amended in 2010 under the former Data Protection Directive 95/46/EC of 24 October 1995. The SCC have remained in place pursuant to Art. 46 para. 5 sentence 2 GDPR after the GDPR became effective on 25 May 2018. However, these SCC based on the former law do not comply fully with the requirements of the GDPR and the EUDPR. An update has long been overdue, inter alia, as the current SCC do not cover all possible scenarios of data transfer outside of the EU/EEA, but only the transfer of personal data from an EU/EEA controller to a controller or a processor located in a third country. Furthermore, the Court of Justice of the European Union (CJEU) decision of 16 July 2020 in a dispute between Maximillian Schrems and Facebook Ireland Ltd (C-311/18), known as the Schrems II decision, had a significant impact on data transfers into third countries based on SCC, for the United States in particular.
In the Schrems II decision, the CJEU stated that transferring personal data to third countries cannot be a means to water down the level of data protection guaranteed in the EU/EEA. On that basis, the CJEU declared that the transfer of personal data into the United States based on the EU-US Privacy Shield, an adequacy decision pursuant to Art. 45 GDPR with regard to the United States, violates fundamental rights of European data subjects, as the US level of data protection is not equal to the protection guaranteed by the GDPR. Due to the CJEU decision, data transfers based on the EU-US Privacy Shield had to be stopped immediately. Since then, a data transfer to the United States is permitted only if it can be legitimised by another safeguard pursuant to Art. 44 et seqq. GDPR. As to data transfers outside of the EU/EEA based on SCC, the CJEU provided some important clarifications in the Schrems II case, too. Although the CJEU upheld in general the validity of the current SCC, the Court underlined that data exporters may be obliged to implement supplementary measures to fill possible gaps in the protection of fundamental rights and freedoms of individuals and bring it up to the level required by EU law. Consequently, controllers and processors transferring personal data to third countries are responsible for verifying, on a case-by-case basis, whether the law or practice of the third country impinges on the effectiveness of the appropriate safeguards intended by the Art. 46 para. 2 c GDPR transfer tool used. The CJEU did not specify which supplementary measures these could be. To help data exporters with the complex task of assessing third countries’ laws and practices as well as identifying appropriate supplementary measures where needed, the EDPB adopted on 10 November 2020 recommendations on supplementary measures (Recommendations on Supplementary Measures).
The Recommendations on Supplementary Measures provide data exporters with a series of steps to follow in order to assess and identify the supplementary measures required in the individual case, as well as examples of possible measures that might be adequate.
On 12 November 2020, the Commission published the drafts of the New SCC. The Non-EU SCC shall update the existing SCC, bringing them in line with the current EU data protection regulations and providing an answer to the issues raised by the CJEU in its Schrems II decision. As to the latter, the Non-EU SCC contain specific provisions for scenarios in which third countries’ laws will affect compliance with the Non-EU SCC and/or in which third countries’ public authorities may request access to personal data transferred from the EU/EEA. These provisions in the Non-EU SCC, once the New SCC become effective, do not release the data exporter from the obligation to assess and identify, on a case-by-case basis, any appropriate supplementary measures that may be required, as the EDPB underlines in its Recommendations on Supplementary Measures.
From the date of entry into force of the New Non-EU SCC, controllers or processors may continue to rely on the SCC concluded between them before that date for a transitional period of one year, provided the clauses remain unchanged (with the exception of possibly required supplementary measures). In the case of relevant changes to the SCC, the data exporter shall replace the existing SCC with the New Non-EU SCC within one year.
Furthermore, there are sectors where the EU or a member state may rely on Art. 49 para. 5 GDPR and, by means of an express limitation for important reasons of public interest, exclude the transfer of specific categories of personal data on the basis of the – current or future – Non-EU SCC to a third country outside of the EU or to an international organisation. German Federal Minister of Health Jens Spahn used this exception rule in the context of his legislative empowerment to enact an ordinance for digital health applications – so-called DiGAs (Digitale Gesundheitsanwendungen) – introduced in the German statutory healthcare system in December 2019. Pursuant to Sec. 4 para. 3 of the DiGA Ordinance, the processing of personal data as controller or processor related to DiGAs may only take place within Germany, in an EU member state or in a country equivalent thereto, and within a third country only if an adequacy decision pursuant to Art. 45 GDPR is available. Regardless of the question whether Sec. 4 para. 3 of the DiGA Ordinance is a legitimate limitation of personal data transfers and compliant with the requirements under Art. 49 para. 5 GDPR, DiGA manufacturers are not allowed under current German law to process personal (patient) data in the United States or to use a tool or other services of companies that process personal data in the United States, as the data transfer can no longer rely on the (invalidated) EU-US Privacy Shield.
BACKGROUND AS TO THE EU SCC DRAFTS
As already mentioned, the New SCC Drafts comprise a version that is, for the first time, based on Art. 28 para. 7 GDPR and Art. 29 para. 7 EUDPR, i.e., an EU-wide overarching SCC document for agreements between controllers and processors bound by the GDPR and/or the EUDPR.
According to the Commission, these new sets of SCC are justified by the interest of a coherent approach to personal data protection throughout the EU and the free movement of personal data. The new EU SCC can be used by natural or legal persons, public authorities, agencies or other public bodies in the EU member states under the GDPR as well as by Union institutions, bodies, offices and agencies under the EUDPR. Pursuant to the EU SCC recitals, the use of the new EU SCC is not obligatory. They are just one possible instrument to comply with the European data protection requirements for situations in which (1) two controllers, (2) one controller and one processor or (3) two processors, all subject to the GDPR and/or the EUDPR, are involved in the data processing. Alternatively, the controller(s) and processor(s) are free to negotiate an individual data processing agreement pursuant to Art. 28 para. 3 sentence 1 GDPR, provided that the agreement contains the compulsory elements laid down in Art. 28 para. 3 sentence 2, para. 4 GDPR and Art. 29 para. 3, para. 4 EUDPR respectively. The parties may also rely only in part on the new EU SCC and integrate other clauses or additional safeguards in their processing agreement, provided that the additional clauses do not contradict, directly or indirectly, the SCC or prejudice the fundamental rights or freedoms of data subjects. In scenarios in which personal data are both processed within the EU and transferred to and processed in a third country outside of the EU, it will finally be sufficient under the New SCC for the controller(s) and/or processor(s) to rely on the Non-EU SCC drafts only. The Commission points out this aspect in recital 10 of the EU SCC Draft by stating: “To fulfil the requirements of Article 46(1) Regulation (EU) 2016/679, the Commission adopted standard contractual clauses pursuant to Article 46(2)(c) Regulation (EU) 2016/679. Those clauses also fulfil the requirements of Article 28(3) and (4) of Regulation (EU) 2016/679 for data transfers from controllers subject to Regulation (EU) 2016/679 to processors outside the territorial scope of application of that Regulation or from processors subject to Regulation (EU) 2016/679 to sub-processors outside the territorial scope of that Regulation.” That is an improvement and an overdue step towards less paperwork for the parties involved, as the current Non-EU SCC additionally require an agreement under Art. 28 GDPR or Art. 26 GDPR.
KEY CONTENT OF THE JOINT OPINIONS
The Joint Opinions of the EDPB and the EDPS each comprise (i) a core part with general comments and (ii) an annex with additional comments made directly within the Draft SCC. There is no hierarchy between the two parts of the Joint Opinions; they are meant to complement each other and shall be considered together.
The Joint Opinions clearly show that the EDPB and EDPS understand their consultation role as an assignment to be a “peer discussion partner” of the Commission. The EDPB and EDPS suggest corrections and, at some points, deletions to the drafts of the New SCC, but in particular they focus on those chapters in the drafts that in their view require further clarification in the course of the ongoing drafting process. The EDPB and EDPS seek to contribute to the goal of publishing, at the end of the drafting process, clear and unambiguous SCC that can easily be used by everyone and do not need any further clarifications or guidelines for interpretation. This mindset runs like a golden thread through both Joint Opinions.
The EDPB and EDPS suggest, inter alia,
To clarify whether the EU SCC shall cover only the processing of personal data between controllers and processors located within the EU/EEA or also situations where the controller and/or the processor have to comply with the GDPR according to Art. 3 para. 2 GDPR;
To clarify whether in situations where several scenarios of the Non-EU SCC are affected and therefore several modules of the SCC must be applied, the parties can enter into one SCC document only or whether several documents are required;
To assist the contracting parties with more clarity on how to rule comprehensively, but at the same time in an efficient way, on the rights and obligations of each party under the clauses, guaranteeing a high level of transparency with regard to the allocation of responsibility and accountability; and
To clarify and complete the requirements for the parties to comply with the obligations which derive from the Schrems II decision and/or which are described in the Recommendations on Supplementary Measures. The New SCC Drafts should cover all possible scenarios in which third countries’ laws or acts of third countries’ authorities may legally or factually impinge on the data protection rights guaranteed under the GDPR/EUDPR.
PROSPECTS AND FURTHER DEVELOPMENTS WITH REGARD TO DATA PROTECTION IN THE HEALTHCARE/LIFE SCIENCES SECTOR
Now, it is again the Commission’s turn. The Commission has to go through the Joint Opinions and assess to which extent it will consider the suggestions provided by the EDPB and EDPS. There is no timeframe for the Commission to respond to the Joint Opinions and either to take the suggestions into account in the New SCC or to overrule them. Therefore, not only the question “whether and to which extent” the Commission will consider the suggestions, but also “when”, is currently open.
In the meantime, the EDPB adopted in its 45th session on 2 February 2021 its response to the request from the Commission for clarifications on the consistent application of the GDPR with regard to health research. The EDPB’s response is available on its website. The response is to be considered a first step towards overcoming some common misunderstandings and misinterpretations as to the application of the GDPR in the scientific health research sector. The EDPB underlines in its answers that most of the Commission’s questions require further and deeper analysis and a search for examples and best practices. Thus, the Commission’s questions cannot be fully answered at this stage. Rather, the EDPB is currently working on guidelines on the processing of personal data for scientific research purposes, which shall provide a more comprehensive interpretation of the various provisions in the GDPR that are relevant for the processing of personal data in this context. The guidelines shall be published in the course of 2021.