14 December 2020
For nearly two decades, the EU Standard Contractual Clauses (SCCs) have been a key legal mechanism for transferring personal data out of the EEA (and now, the UK). Despite this, the SCCs’ requirements for onward transfers – i.e. when an initial recipient (a data importer) passes the data to someone else – have received little attention.
That seems set to change: new (draft) guidance from the European Data Protection Board (EDPB) stresses the importance of assessing who might subsequently receive the data being transferred – whether a peer (such as a research collaborator), another database, or even just a vendor (such as a laboratory or a cloud computing provider).
The SCCs then provide different options to ensure this is GDPR-compliant:
|Basis for onward transfer|Practical implications|
|---|---|
|The onward transferee is covered by an EU adequacy decision|Data can potentially be passed on to recipients in places like Israel, New Zealand or Switzerland without extra formalities. Canada and Japan are also permitted destinations, subject to limitations.|
|The onward transferee becomes a signatory to these SCCs or another approved data transfer agreement|Unclear whether this literally means adding a party to the exporter’s own SCCs (directly), or just ensuring “back to back” use of SCCs by a data importer with its onward transferees (which has advantages as well as disadvantages). Directly adding new parties can be made more practical by adding extra provisions to the SCCs, allowing easy adherence by new parties without needing all the existing parties’ signatures. Note that it can be difficult to get public bodies (such as clinical trial inspectors, or state-run research institutes) to agree to the SCCs – they might fear this would unacceptably fetter their statutory responsibilities (e.g. impede clinical trial oversight), or expose them to data protection litigation and enforcement in the UK / EEA (raising sovereign immunity issues).|
|Notice was given to data subjects, giving them a chance to opt out|Unless this notice was given when collecting data directly from data subjects, it might often not be practical to notify all data subjects of a new onward transfer – for example long after sample collection or study completion. There will also be a question of what to do if a data subject objects.|
|With regard to onward transfers of sensitive data, data subjects have given their unambiguous consent|This includes health and genetic data. The drafting of 2004 C2C SCCs possibly makes this the only basis for onward transfers of such data under those SCCs. In the alternative 2001 version, it is clearer that this is one alternative. Organisations working with health and genetic data should balance this against the 2001 version’s drawbacks. The 2004 version’s ambiguity is thankfully also absent from the (2020) draft SCCs issued by the European Commission.|
Table 1: C2C SCC onward transfer options
In the (2020) draft SCCs just released by the European Commission, those onward transfer options are preserved, and a “docking” mechanism – for easy addition of new parties – is included as standard. In addition, onward transfers are also permitted to users of other GDPR-compliant transfer safeguard mechanisms, such as Binding Corporate Rules or approved codes of conduct. The consultation on these “next-gen” SCCs ran until 10th December, and their finalisation is expected in the first quarter of 2021.
For both current and next-gen SCCs, it seems likely that those using the SCCs for genomic data transfers will need to assess and (if necessary) compensate for transfer risks, both for initial exports and – potentially – for onward transfers, applying the Schrems II criteria; they may also need to stay abreast of and respond to evolutions in those risks over time, especially as foreign laws change.
Relevant GDPR Provisions
Phil Bradley-Schmieg is a senior associate in Bird & Bird LLP’s Privacy and Data Protection Group.
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.