To what extent is the data importer required to inform the data exporter about data disclosure requests received from public authorities (e.g., law enforcement or national security authorities)?

ANSWER

First, the SCCs contain a requirement for the data importer to inform the data exporter about access by public authorities to the transferred data.

According to Clause 15.1, the data importer must promptly notify the data exporter if it receives from a public authority or court in a third country a request for the disclosure of transferred personal data. The data importer must also inform the data exporter if it becomes aware of any actual access by public authorities to such data (e.g., interception). The SCCs acknowledge that national law may prohibit the data importer from disclosing information to the data exporter about public authority actions. In such cases, the data importer must use its best efforts to obtain a waiver of that prohibition in order to inform the data exporter as soon as possible. If the data exporter is itself a processor, it must pass this information on to the controller.

In addition, the data importer must provide the data exporter, at regular intervals, with aggregated information about the access requests it has received (Clause 15.1(c)). This obligation applies only if the data importer is authorized under national law to provide such information. If the data exporter is also a processor, it must pass this information on to the controller.

Second, the SCCs contain additional notification requirements where the data importer becomes subject to laws and/or practices that prevent it from complying with the clauses.

According to Clause 14(e), the data importer undertakes to promptly notify the data exporter, if, after entering into the clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices that are inconsistent with the requirements of Clause 14(a). This also applies where the laws of the third country change after the initial assessment has been completed, or where the data importer becomes subject to legal measures (e.g., a disclosure request) in the third country that indicate the laws are being applied in practice in a manner that is inconsistent with the initial assessment. If the data exporter is a processor acting on behalf of a controller, it must communicate the relevant information to the controller.

The SCCs also recognize that the data importer may not be authorized (under national law) to disclose specific requests for access to data or actual access by public authorities. In particular, Clause 16(a) contains a general notification requirement under which the data importer must promptly inform the data exporter, if, for any reason it is no longer able to comply with the requirements of the clauses. Based on this clause, the data importer must notify the data exporter that it can no longer comply with the SCCs, without necessarily revealing specific details about government access to the data. The data exporter can then take the necessary measures, including potentially suspending data transfers or terminating the SCCs.