The final version of the EDPB recommendations on data transfers based on the Schrems II case urges companies to complete their transfer impact assessments.
After the recent adoption of the new version of the Standard Contractual Clauses, the missing piece of the regulatory framework on data transfers was the EDPB recommendations, whose draft version had been published in the aftermath of the Schrems II case and which have now been finalized.
Following the new SCCs, whose article 14 requires the performance of a transfer impact assessment based on the peculiarities of the data transfer, commentators expected that the EDPB would follow the same line of conduct. However, apparently, the European Commission and the European data protection authorities do not hold consistent views.
What changes with the final version of the EDPB recommendations on data transfers?
The main changes implemented compared to the previous version are the following:
- More openness to data transfers based on derogations provided by article 46 of the GDPR, such as consent; they simply must not become the rule;
- A more detailed assessment is required of the actual practices of the third country’s public authorities, which needs to cover also the transit of data and goes beyond what is provided by the law to check whether safeguards provided in the transfer tool can be ensured. If there are problematic laws, but the data exporter believes they will not be applied in practice, it shall be able to provide a documented report proving it;
- There is a reference to the practical experience of the data importer in dealing with requests of access if the disclosure of such information is not prevented by the laws of the data importing country.
The last point is the most controversial. Apparently, the EDPB moved the needle towards a more tailored approach in line with the position of the European Commission in the new Standard Contractual Clauses. But, according to the EDPB, subjective factors such as the likelihood of risk of harm to the data subject should not be taken into account. Also, the relevant experience of the data importer shall be “relevant, objective, reliable, verifiable and publicly available or otherwise accessible information on the practical application of the relevant law”. At the same time, the absence of prior instances of requests received by the importer cannot be considered, by itself, as a decisive factor allowing a transfer to proceed without supplementary measures.
On the contrary, the SCCs expressly mention that the transfer impact assessment shall consider “the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred”.
Finally, the EDPB Recommendations confirm the types of supplementary contractual, organizational and technical measures that can allow a positive outcome of the transfer impact assessment. Still, some of these measures remain difficult to implement.
How to handle data transfers now?
The main factor to consider is that, while the Standard Contractual Clauses are legally binding, the EDPB Recommendations are mere recommendations that could be challenged in a potential dispute.
I believe that only this interpretation can be followed. Otherwise, data transfers (and the global economy) risk being paralyzed during a period when businesses need to restart running after the economic downturn.
Such a risk-based approach is embedded in the DLA Piper data transfer methodology and legal tech tool that we developed in the aftermath of the Schrems II case, submitted to most of the European data protection authorities, and now further fine-tuned after the experience gained with several clients and the latest regulatory developments.
You can read more on our methodology in this article, “Do you have a data transfer methodology based on the Schrems II decision?” and can contact either me or your DLA Piper primary contact for further details. German data protection authorities are already sending checklists to companies to investigate their data transfers. With the final version of the EDPB Recommendations, other regulators will quickly follow, making the performance of the transfer impact assessment a regulatory step that cannot be postponed any longer. Moreover, you can watch here a recording of a webinar run with my DLA Piper colleagues on the new Standard Contractual Clauses, where we also addressed the impact of the EDPB recommendations on data transfers.
Image courtesy Paul Downey