The EDPB issued its recommendations on how to deal with transfers of personal data outside the EEA after the Schrems II case, which will have a major impact on any business that relies on such transfers.
This blog post was initially published on DLA Piper Privacy Matters.
On 11 November 2020, the European Data Protection Board (“EDPB”) published recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (the “Data Transfer Recommendations”) as well as recommendations on the European Essential Guarantees for surveillance measures (“EEGs”) to deal with data transfers after the Schrems II case.
More information on the Schrems II decision can be found in our Privacy Matters blogpost.
Supplementary Data Transfer Recommendations after the Schrems II case
The Data Transfer Recommendations provide a six-step roadmap to help data exporters understand how to logically assess data transfers to a non-EEA country and how to determine whether rights and protections in place are ‘essentially equivalent’ to those in the EU.
Annex 2 to the Data Transfer Recommendations provides a number of use cases providing examples of the technical, organizational and contractual measures that may be adopted to provide ‘supplementary measures’ where the third country does not provide sufficient guarantees within its legal framework.
Assessment roadmap on data transfers
The six-step process outlined by the Recommendations is as follows:
- Step 1: Identify and map the data transfers, including any onward transfers. This step is about understanding the data flows, noting that remote access (for example, for customer support purposes) and use of cloud storage solutions (including for back-up) located outside the EEA are both considered a transfer.
- Step 2: Identify the legal basis for transferring data – for example Article 45 (adequacy decision); Article 46 (appropriate safeguards such as standard contractual clauses (“SCCs”) or binding corporate rules); or Article 49 (derogations). The Recommendations reiterate that derogations can only be relied on in limited circumstances.
If an adequacy decision applies, or if the transfer meets the narrow requirements for a derogation, then no further action is required. Alternatively, if the transfer relies on Article 46 appropriate safeguards, then move to Step 3.
- Step 3: Assess whether the circumstances of the transfer ensure an equivalent level of protection as guaranteed by EU law. This involves a substantive legal assessment as to whether the laws or practices of the third country “impinge on the effectiveness of the appropriate safeguards of the transfer…, in the context of your specific transfer” and requires specific consideration as to whether the EEGs (set out in the separate paper published by the EDPB, see an overview on this below) are met. In conducting this assessment it is relevant to look at specific aspects of the transfer as this may have a bearing on how local law in the destination country treats the data:
- the purposes for which the data are transferred and processed;
- the types of entities involved in the processing;
- the sector in which the transfer occurs;
- the categories of personal data transferred (e.g. certain data categories may fall within the scope of specific legislation in the third country);
- whether the data will be stored in the third country or whether there is only remote access to data stored within the EU/EEA;
- the format of the data to be transferred (i.e. in plain text/ pseudonymised or encrypted etc.); and
- the possibility that the data may be subject to onward transfers from the third country to another third country.
- Step 4: If the assessment at Step 3 concludes that the laws of the third country applicable to the transfer do not meet the EEGs (i.e. do not provide essentially equivalent protection), it is then relevant to consider the impact of supplementary measures which may be adopted to support the transfer (see ‘Supplementary Measures’ below). If no appropriate supplementary measures can be adopted, the transfer should not be started, or an existing transfer should be suspended or terminated; an exporter that nonetheless intends to proceed must notify the competent supervisory authority.
- Step 5: If any further procedural steps are needed to proceed with the transfer (e.g. notification to, or approval from, a supervisory authority) these should be carried out at this stage. A specific authorisation from the relevant supervisory authority will have to be sought if the supplementary measures would modify the SCCs in place.
The impact of the Schrems II decision on BCRs and ad hoc contractual clauses is still under discussion. It is expected that the EDPB will indicate at a later stage whether additional formalities will be needed for these transfer mechanisms.
- Step 6: There is an expectation that the exporter will continue to monitor the situation to ensure effective protections remain in place, including monitoring developments in third countries that may impact the initial assessment.
Supplementary measures to deal with data transfers
Annex 2 of the Recommendations contains a non-exhaustive list of supplementary measures which may be adopted. These are presented in a number of scenarios, providing clarity on the range of technical, contractual, and organisational safeguards that may be adopted (see below).
The EDPB makes a number of observations on the relative efficacy of each of these measures, noting that contractual and organisational measures alone are unlikely to be sufficient to overcome non-compliance with the EEGs in a third country in respect of a specific transfer; they can only complement technical measures. This is an aspect of the Recommendations that will likely attract particular attention, as it will have a practical bearing on organisations that routinely transfer data without meeting the suggested minimum technical measures. It will be critical to see how the EDPB refines its thinking on this aspect of the Recommendations as part of the ongoing consultation process.
- Technical measures:
- Encryption, with an emphasis that the keys be retained under the sole control of the data exporter or of another entity located in the EEA, or in a country or sector covered by an adequacy decision, so that the importer only ever holds ciphertext.
- Pseudonymisation, with the data exporter retaining sole control of the algorithm, key or repository that enables re-identification, and the importer unable to attribute the data to a specific data subject using information reasonably available to it.
- Transfer to a protected recipient, i.e. a recipient whose data is specifically shielded from government access under the third country's law (for example, because of a legally protected professional secrecy obligation).
- Split or multi-party processing, where the data is divided between two or more importers such that none of them receives a share from which a data subject can be identified.
- Contractual measures:
- Obligations on the data importer to put in place specific technical measures.
- Additional transparency obligations on the data importer (e.g. to provide proactive disclosure of law enforcement requests / government access to data).
- Obligations on the data importer to take specific actions, such as reviewing and challenging government access requests and/or a commitment to inform the requesting public authority of the incompatibility with the SCCs.
- Specific enhancements to data subject rights.
- Organisational measures:
- Internal policies and procedures regulating internal data transfers.
- Transparency and accountability measures, e.g. publication of transparency reports.
- Organisation methods and data minimisation, such as rules on data access and confidentiality.
- Adoption of standards and best practice, such as data security and data policies that comply with EU certification or codes of conduct.
EDPB data protection recommendations on the European Essential Guarantees
These recommendations supplement the consultation paper providing specific guidance on how to assess whether a third country’s surveillance laws that interfere with the right to privacy (including government access to data) are justifiable in accordance with EU standards of protection (including the Charter of Fundamental Rights, the European Convention on Human Rights and case law of the European Court of Justice and European Court of Human Rights).
The paper establishes four EEGs that must be considered:
- Processing should be based on clear, precise and accessible rules. This means any interference must be justified by law, which must clearly define the scope of any limitation on fundamental rights and provide protections against arbitrary interference and the risk of abuse.
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
- Existence of an independent and impartial oversight mechanism, either by a judge or another independent body (e.g. administrative authority) that has the power to adopt decisions that are binding and can be relied upon by data subjects.
- Effective remedies available to individuals through redress rights and notification, to enable the effective exercise of rights, bearing in mind that such notification may be delayed or even avoided to avoid jeopardizing the purpose of the authorities tasks, and subject to adequate safeguards.
The recommendations provide helpful guidance to organisations on what to consider when carrying out the assessment under Step 3 of the roadmap set out above.
What’s next to deal with data transfers after the Schrems II case
The recommendations on the supplementary measures will be subject to a public consultation (ending on 30 November 2020) and will be applicable following their publication. As mentioned above, the recommendations also make clear that the EDPB did not fully assess the impact of Schrems II on other Article 46 safeguards, such as binding corporate rules and ad hoc contracts. We can therefore expect further details on these to follow.
The Recommendations provide welcome guidance on the step-by-step approach to be taken to determine how to comply with the CJEU ruling in Schrems II. However, practical implementation will be a challenge in cases where a transfer does not meet the EEGs, given the suggestion that contractual and/or organisational measures alone are unlikely to be sufficient supplementary measures to overcome a shortfall. Given the significant impact on international data transfers, which are such an integral part of global business infrastructure, as well as the detail in the Recommendations, they are expected to draw a significant volume of comments during the consultation period.
The global data protection, privacy & security team at DLA Piper has developed a standardized data transfer methodology to assist clients in carrying out an assessment consistent with the judgment when relying on SCCs or other transfer mechanisms. The methodology includes a five-step assessment process which is broadly aligned with the EDPB Recommendations. For further information please see our global data transfer webpage.
The Data Transfer Recommendations are published as a draft document and remain open for consultation until the end of November 2020. We will continue to monitor and reflect on what is a complex and evolving regulatory position and provide updates with our further considerations in the coming weeks.
Image credit Morgan Johansson