There is a difference between assessing the adequacy of a third country’s laws and assessing impediments in a third country to enforce contracts. The European Commission is assessing whether a third country’s laws are essentially equivalent to the EU General Data Protection Regulation when making adequacy decisions under Article 45 of the GDPR (Article 45 Assessment).
Data exporters using standard contractual clauses to transfer personal data to a third country are required by Article 46 of the GDPR to assess whether there are legal impediments where the data importer is located to that data importer fulfilling the requirements of the SCCs (Article 46 Assessment). Commentary about "Schrems II" has led to confusion about the differences between the Article 45 and Article 46 Assessments, and that confusion has impacted the free flow of personal data from the European Economic Area.
When the Court of Justice of the European Union issued its "Schrems II" opinion in July 2020, conventional wisdom was that it required the data exporter and its attorney to make an adequacy decision in order for a transfer to be made from the EEA to a third country when the appropriate safeguard was SCCs. This is an incorrect reading of "Schrems II." The Article 46 Assessment conducted by the data exporter (with the help of the data importer) is very different from the Article 45 Assessment conducted by the European Commission:
- The Article 45 Assessment assesses whether a third country’s laws essentially are equivalent to those in the EU. This assessment compares the laws in the third country to those in the EU to determine whether the third country in fact ensures, by reason of its domestic law, a level of protection of fundamental rights and freedoms that essentially is equivalent to that guaranteed within the EU.
- The Article 46 Assessment assesses: (1) the provisions of the appropriate safeguards, the SCCs, and (2) the enforceability of data subject rights and effectiveness of legal remedies set forth in the SCCs in the third country. When SCCs are the appropriate safeguard, effectiveness of legal remedies is assessed by looking at the relevant aspects of the legal system of the third country to determine whether public authorities of the third country can access the personal data transferred. What comprises the relevant aspects of the third country’s legal system is set out in a non-exhaustive manner in Article 45(2) of the GDPR. Finally, whether there is anything in the law or practices of the third country that may impinge on the effectiveness of the appropriate safeguard, the SCCs, is assessed.
A review of the Article 29 Working Party’s Adequacy Referential and the SCCs shows that this distinction is correct.
The referential provides guidance to the European Commission for the assessment of the level of protection in third countries by establishing core data protection principles that have to be present in a third country legal framework in order to obtain an adequacy decision: lawful, fair, and legitimate purpose; purpose limitation; data quality and proportionality; data retention; security and confidentiality; and transparency.
It also requires the rights of access, rectification, erasure and objection, and restrictions on onward transfers. Finally, the procedural and enforcement mechanisms must include competent independent supervisory authorities, a data protection system that ensures a good level of compliance, a data protection framework that requires accountability, and a data protection system that provides support and help to individual data subjects in the exercise of their individual rights and appropriate redress mechanisms.
On the other hand, when assessing the SCCs issued by the European Commission in June 2021, the provisions of the SCCs themselves are examined to determine the enforceability of data subject rights in the third country and the effectiveness of legal remedies in the third country. Section II, Obligation of the Parties, contains a Third-party Beneficiary Clause pursuant to which data subjects may invoke and enforce the SCCs, as third-party beneficiaries, against the data exporter and/or the data importer. Under Section III, Local Laws and Obligation in Case of Access by Public Authorities:
- The parties to the SCCs warrant that they have no reason to believe the laws and practices in the third country prevent the data importer from fulfilling its obligations under the SCCs and declare they have assessed the specific circumstances of the transfer, the laws and practices of the third country, and any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under the SCCs.
- The data importer warrants that, in carrying out the assessment, it has made its best efforts to provide the data exporter with relevant information; agrees to notify the data exporter if it has reason to believe it is subject to laws or practices not in line with its warranty; in case of access by public authorities, agrees to notify the data exporter and, where possible, the data subject if it receives a legally binding request from a public authority for the disclosure of personal data transferred pursuant to the SCCs, and/or becomes aware of any direct access by public authorities to personal data transferred pursuant to the SCCs; if the data importer is prohibited from notifying the data exporter and/or the data subject, agrees to use its best efforts to obtain a waiver of the prohibition; agrees to review the legality of any request for disclosure and to challenge it if it concludes there are reasonable grounds to consider the request as unlawful, including seeking interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on the merits; and to provide the minimum amount of information permissible when responding to a request for disclosure.
The recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data issued in June 2021 help data exporters conduct the assessment called for by "Schrems II" and the SCCs by setting six steps to follow. The third step is to assess if there is anything in the law and/or practices in force in the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tool the data exporter is relying on. If legislation in the third country is not applied or complied with in practice, if practices in the third country are incompatible with the commitments of the transfer tool, or if the transferred data falls within the scope of third country legislation that impinges on the transfer tool’s contractual guarantees, supplementary measures must be implemented in order for the transfer to proceed.
Thus, the provisions of the SCCs, including the assessment described in the SCCs, and the European Data Protection Board Final Recommendations support the conclusion that the scope of the Article 46 Assessment called for by "Schrems II" is the enforceability in the third country of the data subject rights set forth in the SCCs and the effectiveness in the third country of the legal remedies set forth in the SCCs.
It is important that policymakers, regulators and privacy professionals appreciate the difference between the Article 46 and Article 45 Assessments.
There is a difference between who conducts each assessment: the European Commission conducts the Article 45 Assessment and the data exporter (with the help of the data importer) conducts the Article 46 Assessment. The scope of the Article 45 Assessments (equivalency of third country law) and Article 46 Assessments (enforceability of contracts under third country law) is different.
If the distinctions between these two assessments are not understood, then data exporters may think they must do the more complex Article 45 Assessment, which is more expensive and time-consuming and may lead them to not transfer the data or may lead them to transfer the data without doing the assessment. If the wrong assessment is conducted, unnecessary expenses can be incurred (especially by small- and medium-sized companies), ultimately leading to reduction in data flows. If the assessment is not conducted, then the supplementary measures, if any, will not be identified and put in place.
All this confusion adversely impacts global data flows.
Photo by Duangphorn Wiriya on Unsplash