The European Data Protection Board (EDPB) yesterday provided much-awaited guidance on how to carry out transfers of personal data outside the EU/EEA after the CJEU’s judgement in Schrems II. This six-step guide gives companies useful tools for assessing international data transfers and the measures they must take in light of the GDPR and the Schrems II judgement.
Below we give a brief summary of these rather complex and lengthy steps and assess the practical implications they may raise for your business.
On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its judgement, which not only invalidated the EU-US Privacy Shield Framework as a transfer mechanism for exports of personal data to the US, but also affected the use of Standard Contractual Clauses (SCC) by placing a significant due diligence burden and risk assessment requirements on organisations that want to rely on the SCC. In its judgement, the CJEU stated that, due to their contractual nature, SCC cannot bind the public authorities of third countries, since those authorities are not party to the contract. Consequently, data exporters in the EU may need to supplement the guarantees contained in those standard data protection clauses with supplementary measures to ensure compliance with the level of protection required under EU law in a particular third country.
However, neither the GDPR nor the CJEU defines or specifies what those “additional safeguards”, “additional measures” or “supplementary measures” to the safeguards provided by SCC are (or to the other transfer tools listed in the GDPR that controllers and processors may adopt to ensure compliance with the level of protection required under EU law in a particular third country). Thus, until the EDPB’s guidance, organisations across the EU and data importers outside the EU have been struggling to find solutions that allow them to keep transferring data outside the EU in a compliant manner.
EDPB’s Guidance – a six-step guide for transfer assessments
In its transfer guidance, the EDPB provides organisations with a six-step roadmap for assessing international data transfers.
- Step 1: Know your transfers
- Step 2: Identify the transfer tools
- Step 3: Assess the effectiveness of the transfer tool you are relying on
- Step 4: Adopt supplementary measures
- Step 5: Procedural steps if you have identified effective supplementary measures
- Step 6: Re-evaluate at appropriate intervals
Steps 1 & 2: Know your transfers and identify the current transfer tools
Obviously, in order to carry out transfers in a compliant manner and to assess the effectiveness of the transfer tools, EU organisations will need to know (a) what data they are exporting, (b) where they are exporting it, (c) the recipients of such data, and (d) the transfer tools currently being used for such transfers. For example, if you have transferred data to the US under the EU-US Privacy Shield, you will need to find alternative transfer tools now that the Privacy Shield has been invalidated.
Step 3: Assess the effectiveness of the transfer tool you are relying on
The GDPR provides that the transfer tool must ensure that the level of protection guaranteed by the GDPR is not undermined by the transfer. In other words, your transfer tool must be effective in practice. Therefore, after you have completed the data flow mapping exercise in Steps 1 & 2, the EDPB recommends that you assess whether there is “anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer”. EU data exporters should require their data importers to provide the exporter with the relevant sources and information relating to the third country in which the importer is established and the laws applicable to the transfer.
In the assessment process, all the actors involved in the transfer, the legal context and the characteristics of the transfers will need to be taken into consideration, for example:
- the purposes for which the data are transferred and processed (e.g. marketing, HR, storage, IT support, clinical trials);
- the types of entities involved in the processing (public/private; controller/processor);
- the sector in which the transfer occurs (e.g. adtech, telecommunications, financial, etc.);
- the categories of personal data being transferred (e.g. personal data relating to children may fall within the scope of specific legislation in the third country);
- whether the data will be stored in the third country or whether there is only remote access to data stored within the EU/EEA;
- the format of the data to be transferred (i.e. plain text, pseudonymised or encrypted);
- onward transfers from a third country to another third country.
The requirement to evaluate foreign laws has turned out to be a true headache for many organisations. To relieve the pain, the EDPB has provided a second document, the European Essential Guarantees for surveillance measures, which outlines the elements to be taken into account when evaluating foreign laws. From a practical point of view, the EDPB recommends against relying on subjective factors when assessing foreign law, such as the likelihood of public authorities accessing the data in a manner that is not in line with EU standards. This is important for companies that may have used “likelihood” as one of the factors when assessing the need for additional safeguards.
Step 4: Adopt supplementary measures
After the transfer impact assessment (TIA) in Steps 1–3, the EDPB recommendation gets to the core of the issue: if the TIA reveals that supplementary measures are needed, what are those measures and how should they be adopted?
The EDPB recommendation contains a non-exhaustive list of examples of supplementary measures (in Annex 2), including certain conditions that must be met in order for these measures to be effective. These measures are divided into:
a) Technical safeguards, e.g.:
- Encryption – the EDPB describes the requirements for “sufficient encryption” as follows: strong encryption prior to transmission; a state-of-the-art and robust encryption algorithm whose parameterisation (e.g. key length, operating mode, if applicable) makes the encryption resilient against cryptanalysis by public authorities; a “flawless” implementation of the encryption algorithm; and reliable management and maintenance of the keys within the EEA
- Pseudonymisation and split or multi-party processing, each subject to protocols and protections
b) Contractual safeguards, e.g.:
- Recipients’ obligation to use specific technical measures
- Transparency obligations, such as a “best efforts” obligation to inform the exporter if the data are accessed by public authorities in a third country; reinforced audit rights for exporters; an assurance from the importer not to provide any “back doors” for authorities’ access; and the importer’s duty to notify the exporter if it is unable to comply with its contractual commitments
c) Organisational measures, e.g.:
- internal policies, organisational methods, and standards that controllers and processors could apply to themselves and impose on the importers of data in third countries
The EDPB has provided useful examples of cases where these measures can be effective, but also examples of cases where no effective technical safeguards can be found (such as the processing of unencrypted data by cloud service providers, or remote access from a third country to data for business purposes, such as human resources processing). The importance of technical measures is emphasised by the EDPB’s note that contractual and organisational measures alone will generally not prevent access to personal data by third-country public authorities.
Steps 5 & 6: Procedural measures and periodic re-evaluation
As the final steps, the EDPB recommends that organisations document their approach and seek authorisation from, or consultation with, the supervisory authority where the chosen transfer mechanism requires it (Step 5), and that they reassess their approach at appropriate intervals and whenever there have been, or will be, developments that may affect it (Step 6).
These EDPB recommendations apply immediately, but they are open for comments until 30 November 2020. We note that the recommendations are rather complex and lengthy (over 50 pages in total) and require thorough reading and understanding. We will continue to assess the practical implications and questions these recommendations may raise for our clients’ businesses, and we will also follow any public commentary on this topic. Borenius’ data protection experts are available to assist you in navigating these recommendations and in addressing any other questions you may have on data protection.