Beyond Schrems II: EDPB releases much anticipated guidance and roadmap on data transfers outside the EEA
- 30 November 2020
- Conferences & Publications
With the Schrems II decision (C-311/18) of 16 July 2020 (available here), the Court of Justice of the European Union (CJEU) handed down a landmark judgment. The CJEU invalidated the EU-US Privacy Shield Decision, a decision with major implications for personal data transfers from the European Economic Area (EEA) to the US. In that same judgment, the CJEU also ruled that Standard Contractual Clauses (SCCs) remain, in principle, a valid mechanism for transfers of personal data to non-EEA countries.
The Court however emphasized that data exporters relying on SCCs as a transfer mechanism should:
- verify on a case-by-case basis whether the law of the third country offers a level of protection that is “essentially equivalent” to the level of protection guaranteed within the EU by the GDPR, read in light of the Charter of Fundamental Rights of the EU (“the self-adequacy assessment”); and
- adopt “supplementary measures” if needed.
Due to the very broad definition of data processing and data transfers, the Schrems II-ruling affects many businesses and also has implications for data exporters exporting data to other countries than the US. By requiring data exporters to assess the level of protection of the third country and implement supplementary measures if needed, the Court placed a heavy burden on data exporters. The Court however did not define what “supplementary measures” should look like and provided little guidance on how businesses should in practice go about ensuring the legality of data transfers outside the EEA.
In an attempt to guide businesses in the complex task of ensuring the legality of data transfers, the European Data Protection Board (EDPB) has recently released its much anticipated Recommendations 01/2020 on measures that supplement transfer tools (available here), together with its Recommendations 02/2020 on European Essential Guarantees for surveillance measures (available here). Both Recommendations follow up on the EDPB's first attempt to provide some initial clarification and preliminary guidance in a FAQ document (available here) published in the direct aftermath of the Schrems II ruling.
In its Recommendations on measures that supplement transfer tools, the EDPB has presented a so-called “roadmap” to data transfers outside of the EEA. The EDPB has shared a useful infographic that visualizes the roadmap (to be found at the bottom of this article). The approach suggested by the EDPB involves the following six steps:
1. Know your transfers
If you are a data exporter, the first step is to gain full awareness of your transfers of personal data to third countries. You should be aware what personal data you transfer, where the data is transferred to (which country) and which parties are involved. This first step is not new. Controllers and processors in any case have an obligation to keep a record of all personal data processing activities (article 30 GDPR), which should include a record of all data transfers.
The EDPB emphasizes that remote access from a third country (e.g. support services being performed from the US or India) and/or storage of personal data in a cloud situated outside the EEA is also considered to be a cross-border transfer.
2. Identify the tool your transfer relies on
Secondly, when exporting personal data, you should identify the transfer tools you are relying on (articles 45-49 GDPR). If data exporters transfer data to a third country that is one of the 12 “adequate” countries recognized by the European Commission through one of its adequacy decisions, personal data can flow freely to that country and no further steps in the roadmap are required. (The EDPB does remind data exporters that even the European Commission can be wrong in its assessment of the third country and that an adequacy decision can be invalidated by the CJEU. Data exporters should monitor whether adequacy decisions are revoked or invalidated.)
If you transfer data to a country that is not on the list of adequate countries, and rely on an article 46 GDPR transfer tool (such as SCCs, Binding Corporate Rules (BCRs), codes of conduct, certification mechanisms or ad hoc contractual clauses), you should follow the further steps in the roadmap.
3. Assess if the law or practice of the third country may impinge on the effectiveness of the appropriate safeguards of the transfer tool you rely on
If you rely on an article 46 GDPR transfer tool (the most common tool being the SCCs), you should – where appropriate and preferably in collaboration with the data importer – ensure that the level of protection guaranteed by the GDPR is not undermined by the transfer to the non-EEA country. This implies that you need to assess whether the laws and practice of the third country could undermine the protection afforded by the transfer tool.
According to the EDPB, the exporter must consider the specific characteristics of each transfer to first determine the applicable laws. The following circumstances are inter alia relevant:
- Purpose of the transfer (marketing, HR, storage, IT support, clinical trials);
- Types of entities involved in the processing (public/private; controllers/processors);
- Sector in which the transfer occurs (AdTech, telecommunication, financial);
- Categories of personal data transfers (e.g. personal data relating to children may fall within the scope of specific legislation in the third country).
After determining the applicable laws, you should assess if any of the applicable laws or the practices of the third country impinge on the commitments contained in the applicable transfer tool. The EDPB stresses that data exporters should pay specific attention to the applicable laws that are likely to require the disclosure of transferred data to or permit access to the data by public authorities, e.g. for purposes of criminal law enforcement, regulatory supervision or national security. These requirements or powers by public authorities should in any case be limited to what is necessary and appropriate in a democratic society. In this context the EDPB also adopted Recommendations 02/2020 on European Essential Guarantees for surveillance measures on 10 November 2020 (available here), providing elements which have to be assessed to determine whether the legal framework governing access to personal data by public authorities can be regarded as a justifiable interference or not.
It goes without saying that the task of assessing the practice and legal system of the relevant third country is very challenging. This exercise requires advanced knowledge not only of the law and practice of the third country (including national case law, surveillance programs, laws, etc.), but also of the law of the EU (including the jurisprudence of the CJEU and the jurisprudence of the European Court of Human Rights dealing with surveillance issues). Even with the EDPB’s additional guidance on the European Essential Guarantees for surveillance measures, it is unlikely that data exporters are properly equipped to perform such an assessment. It should be recalled that even the European Commission, with all its expertise and resources, has not been able to correctly assess the situation in the US (resulting in the invalidation first of the Safe Harbour regime and recently of the Privacy Shield decision by the CJEU). It seems unrealistic to ask data exporters to succeed in making assessments that even the European Commission has failed to correctly make…
If the assessment reveals that in light of the law and practice of the third country the transfer tool you rely on does not effectively ensure an essentially equivalent level of protection, the data should not be transferred unless supplementary measures are adopted.
Given the difficulty of assessing the law and practice of third countries and the uncertainty that will inevitably go with that assessment, data exporters who wish to continue transferring personal data to third countries should consider playing it safe and adopting supplementary measures either way.
4. Identify and implement effective supplementary measures
As a fourth step, you should on a case-by-case basis identify which supplementary measures can be taken in light of the assessments under the earlier steps of the roadmap, and check the potential effectiveness of the supplementary measures in guaranteeing the required level of protection.
Supplementary measures to bring the level of protection of the transferred data up to the EU standard of essential equivalence may be contractual, technical or organizational in nature.
Given the fact that national security agencies in third countries are not necessarily bound by contractual or organizational measures, technical measures appear to be the most important measures.
The EDPB has included some examples of supplementary measures a data exporter could take and has presented certain use cases. Relevant measures include encryption, pseudonymization, adequate internal policies, etc.
Strong encryption of personal data seems to be one of the most important supplementary measures. For example, the EDPB considers that personal data that is strongly encrypted before transmission can be hosted in a third country, provided that the encryption algorithm conforms to the state of the art and can be considered robust against cryptanalysis by public authorities in the third country, the encryption is implemented flawlessly, the keys are reliably managed, and the keys are retained solely under the control of the data exporter or another entity in the EEA or an adequate country.
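The encryption use case above turns on one architectural point: the hosting provider in the third country only ever receives ciphertext, while the key stays with the exporter in the EEA. The following Go program is an added illustration of that split, not code from the EDPB or from this article. It assumes a single AES-256-GCM key held by a hypothetical `ExporterKeyStore`, a hypothetical `ImporterStore` standing in for the non-EEA host, and a constructed sample record; the record ID is bound as associated data so a ciphertext cannot be silently swapped between records.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ExporterKeyStore models key material that stays under the exporter's control
// inside the EEA. Only the key store can decrypt; nothing in it is ever shipped
// to the importer. (Hypothetical type for this example.)
type ExporterKeyStore struct {
	aead cipher.AEAD
}

// NewExporterKeyStore generates a fresh 256-bit AES key and wraps it in
// AES-GCM, an authenticated mode that also detects tampering with ciphertext.
func NewExporterKeyStore() (*ExporterKeyStore, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ExporterKeyStore{aead: aead}, nil
}

// EncryptedRecord is the only thing that crosses the border: a random nonce
// and the ciphertext (with its GCM tag). It carries no key and no plaintext.
type EncryptedRecord struct {
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts one personal-data record before transmission. recordID is
// bound as associated data, so a ciphertext only verifies under its own ID.
func (k *ExporterKeyStore) Seal(recordID string, plaintext []byte) (EncryptedRecord, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedRecord{}, err
	}
	ct := k.aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return EncryptedRecord{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record fetched back from the importer. Any change to the
// nonce, the ciphertext or the recordID makes GCM authentication fail.
func (k *ExporterKeyStore) Open(recordID string, rec EncryptedRecord) ([]byte, error) {
	if len(rec.Nonce) != k.aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	pt, err := k.aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("record %q failed authentication: %w", recordID, err)
	}
	return pt, nil
}

// ImporterStore models the non-EEA hosting provider. It stores and returns
// EncryptedRecord values only; it never holds a key, so it can neither read
// the data itself nor hand it over in readable form. (Hypothetical type.)
type ImporterStore struct {
	records map[string]EncryptedRecord
}

func NewImporterStore() *ImporterStore {
	return &ImporterStore{records: map[string]EncryptedRecord{}}
}

func (s *ImporterStore) Put(recordID string, rec EncryptedRecord) { s.records[recordID] = rec }

func (s *ImporterStore) Get(recordID string) (EncryptedRecord, bool) {
	rec, ok := s.records[recordID]
	return rec, ok
}

// ContainsPlaintext reports whether the stored bytes expose needle verbatim;
// for a correctly encrypted record this is false.
func (s *ImporterStore) ContainsPlaintext(recordID string, needle []byte) bool {
	rec, ok := s.records[recordID]
	return ok && bytes.Contains(rec.Ciphertext, needle)
}

func main() {
	ks, err := NewExporterKeyStore() // key never leaves the exporter
	if err != nil {
		panic(err)
	}
	importer := NewImporterStore()
	// Constructed sample record for the example; not real personal data.
	rec, err := ks.Seal("employee-0001", []byte("name=Jane Doe;role=engineer"))
	if err != nil {
		panic(err)
	}
	importer.Put("employee-0001", rec) // only ciphertext crosses the border
	stored, _ := importer.Get("employee-0001")
	pt, err := ks.Open("employee-0001", stored)
	if err != nil {
		panic(err)
	}
	fmt.Printf("importer can see plaintext: %v\n", importer.ContainsPlaintext("employee-0001", []byte("Jane Doe")))
	fmt.Printf("exporter recovered: %s\n", pt)
}
```

The example only demonstrates the key-separation property; the remaining EDPB conditions (a state-of-the-art algorithm, flawless implementation and reliable key management in the EEA) are operational requirements that a snippet like this cannot show.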
Where you are not able to find or implement effective supplementary measures, you cannot transfer personal data to the third country and you should suspend or end transfers of personal data if you are already conducting transfers.
If you have been able to put in place effective measures, your transfers may go ahead.
5. Take necessary formal procedural steps
The fifth step is to take any formal procedural steps the implementation of your supplementary measures may require; which steps these are depends on the transfer tool you are using.
According to the EDPB, there is no need to request authorization from the supervisory authority to add supplementary measures to ‘existing SCCs’.
However, if the supplementary measures amend or contradict the SCCs, the exporter will require prior authorization from the competent supervisory authority. In that case, the exporter is no longer using SCCs but ad hoc clauses, which do require prior authorization.
6. Keep it under review
The sixth step is to re-evaluate at appropriate intervals – again, preferably in collaboration with the data importer – the level of protection afforded to the transferred data and to monitor if there have been or there will be any developments that may affect it.
The much-anticipated guidance by the EDPB is helpful, yet it does not take away the major uncertainty and complex challenges that businesses are faced with when transferring data outside the EEA.
Businesses wishing to operate in absolute legal certainty may have to consider looking for alternative solutions and service providers located in the EEA (or one of the countries that enjoy “adequacy”) and avoid transfers outside the EEA altogether. If that is not an option (which given the global reach of companies, will often be the case), businesses should follow the steps in the EDPB’s roadmap and should document that process carefully.
Most businesses will likely have to consider implementing supplementary measures to try and bring the level of protection for the data transferred outside the EEA up to the level of protection in the EU. Strong encryption measures could prove a good solution in some situations.
Businesses that conclude that their transfers of personal data outside the EEA do not fulfil the requirements, should suspend or stop the transfers. Continuing the transfers could result in severe sanctions by the data protection authorities, including an order to suspend data transfers and substantial fines.
Meanwhile, yet another milestone for data transfers is on the horizon. The European Commission has recently published new draft SCCs (available here). As the existing SCCs date from before the adoption of the GDPR, their replacement is long overdue. Data exporters should closely monitor the adoption of the new SCCs and take this into account when mapping and adjusting their data transfer framework.