In our article “Schrems II: What Next for Businesses?” we wrote about the decision of the Court of Justice of the European Union (CJEU) to declare the Privacy Shield framework invalid and considered the impact of that decision on international data transfers.
Now, some five months after the CJEU’s decision, the European Data Protection Board (EDPB) has issued its recommendations to help data exporters with the task of assessing transfers of personal data to third countries and identifying appropriate supplementary measures where needed.
The full document can be found here. This is a summary of the six steps the EDPB recommends for data exporters:
Step 1: Know your transfers
Map all personal data transfers to ensure you have full oversight of where personal data goes. You must also verify that any personal data transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred.
Step 2: Identify the transfer tools you are relying on
Most organisations will rely on standard contractual clauses, binding corporate rules, an adequacy decision from the European Commission, or another one of the transfer methods available under Article 46 of the GDPR. Alternatively, you may rely on an Article 49 derogation for occasional and non-repetitive transfers.
Step 3: Assess the effectiveness of the transfer tools
Assess whether the laws of the third country can undermine the effectiveness of the Article 46 transfer tool on which you are relying. To help data exporters with this step, the EDPB has published the European Essential Guarantees for surveillance measures (EEGs). The EEGs provide guidance on how to determine whether national laws governing public authorities’ access to personal data for surveillance purposes are justifiable and do not go beyond “what is necessary and proportionate in a democratic society”.
Step 4: Adopt supplementary measures
If an assessment under Step 3 shows that the laws of the third country undermine the effectiveness of the relevant Article 46 transfer tool, you should identify and adopt supplementary measures to ensure an essentially equivalent level of protection to EU standards. Annex 2 of the EDPB recommendations contains examples of supplementary measures, grouped as technical, contractual and organisational measures. They include:
Technical measures:
encryption using a strong, state-of-the-art algorithm, which is flawlessly implemented, reliably managed, and whose keys are retained solely by the data exporter
pseudonymisation, with the algorithm or repository that enables re-identification held exclusively by the data exporter in an adequate territory
Contractual measures:
obligations on the recipient to use specific technical measures
additional transparency obligations on the recipient to provide information about the laws that may permit public authorities to access the data to be transferred
Organisational measures:
adequate internal policies with clear allocation of responsibilities for data transfers and reporting channels
transparency and accountability measures which require requests for access received from public authorities to be recorded
adopting standards and practices that are based on EU certification or codes of conduct or an international standard
Where no supplementary measures can ensure a level of protection essentially equivalent to EU standards, transfers must cease.
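The pseudonymisation measure above turns on one detail: the means of re-identification must stay with the exporter. The following is an added illustration of that point in Python, not text or code from the EDPB recommendations. It uses a keyed HMAC to replace direct identifiers with tokens, keeps the token-to-identifier table inside an exporter-held object, and contrasts this with unkeyed hashing, which an importer (or an authority with access to the importer's systems) can reverse with nothing more than a list of candidate identifiers. The sample records, field names and in-memory key are constructed for the example; in a real deployment the key would come from the exporter's own key management, not be generated in the process.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records: direct identifiers plus the payload the importer actually needs.
SAMPLE_RECORDS = [
    {"email": "a.smith@example.com", "customer_id": "C-1001", "country": "DE", "spend_eur": 120.5},
    {"email": "b.jones@example.com", "customer_id": "C-1002", "country": "FR", "spend_eur": 89.0},
]
DIRECT_IDENTIFIERS = ("email", "customer_id")


class ExporterPseudonymiser:
    """Lives only on the EU exporter's side. It owns the secret key and the
    re-identification table, so the importer never receives either."""

    def __init__(self, key: Optional[bytes] = None):
        # Hypothetical key handling: a real exporter would load this from its KMS/HSM.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reident: Dict[str, str] = {}  # token -> original value, exporter-only

    def _token(self, field: str, value: str) -> str:
        # Keyed HMAC, domain-separated by field name so an email and a customer_id
        # can never produce the same token. Without the key there is nothing to
        # brute-force against, unlike a plain hash of the value.
        msg = f"{field}\x00{value}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def pseudonymise(self, record: dict) -> dict:
        """Return a copy of the record with direct identifiers replaced by tokens,
        recording the mapping so the exporter alone can reverse it."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                original = str(out[field])
                token = self._token(field, original)
                self._reident[token] = original
                out[field] = token
        return out

    def reidentify(self, record: dict) -> dict:
        """Exporter-side reversal using the retained table."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                out[field] = self._reident[out[field]]
        return out


def export_batch(records: List[dict], pseudonymiser: ExporterPseudonymiser) -> List[dict]:
    """What actually crosses the border: tokens plus the non-identifying payload."""
    return [pseudonymiser.pseudonymise(r) for r in records]


def naive_token(value: str) -> str:
    """Unkeyed hash of the identifier, shown for contrast. Anyone who can guess
    plausible identifiers can rebuild the mapping, so the re-identification
    capability has effectively left the exporter."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:32]


def dictionary_attack(tokens: List[str], candidates: List[str]) -> Dict[str, str]:
    """Simulates an importer-side party with a candidate list and no exporter key:
    hash each candidate and look for matches among the exported tokens."""
    lookup = {naive_token(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


if __name__ == "__main__":
    exporter = ExporterPseudonymiser()
    shipped = export_batch(SAMPLE_RECORDS, exporter)
    print("exported:", shipped)
    print("re-identified by exporter:", exporter.reidentify(shipped[0]))
    guesses = [r["email"] for r in SAMPLE_RECORDS]
    print("attack on keyed tokens:", dictionary_attack([r["email"] for r in shipped], guesses))
    print("attack on naive tokens:", dictionary_attack([naive_token(g) for g in guesses], guesses))
```

Run stand-alone, the script shows the exported records carrying only tokens and payload, the exporter reversing them from its own table, an empty result for the dictionary attack on the keyed tokens, and a full recovery for the unkeyed ones. The same pattern applies to the encryption measure: what matters is not only the algorithm but that the key, like the re-identification table here, never leaves the exporter's custody.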
Step 5: Take formal procedural steps
If you need to implement supplementary measures, consider any formal procedural steps that must be taken. For example, if the supplementary measures will modify the standard contractual clauses themselves, authorisation from a supervisory authority will be needed.
Step 6: Re-evaluate at appropriate intervals
You must regularly monitor the level of protection in each third country to which personal data has been transferred and re-assess your approach to ensure that effective protection is in place.
The EDPB’s recommendations provide welcome guidance on the approach to be taken by data exporters in light of the ruling in Schrems II. However, implementing the recommendations will be a complex task for data exporters, and Step 3 sets what is seemingly a very high bar, particularly for data exporters that do not have the legal resources required to conduct an assessment of a country’s laws and practices.
We know that the US does not currently meet the EEGs and the CJEU has recently found that the surveillance laws of France, Belgium and the UK also fall foul of EU standards. The question for data exporters is: which nation’s laws do meet EU standards?
We expect data exporters to be cautious here and simply determine that supplementary measures will be needed in respect of each transfer to a third country using an Article 46 transfer tool. Some of these measures (e.g. encryption, pseudonymisation) may already be in place.
We also expect organisations to continue to adopt a risk-based approach to compliance and don’t expect that to change for as long as supervisory authorities continue to adopt a similar approach to enforcement. The UK ICO has already stated that it will “continue to apply a risk-based and proportionate approach to our oversight of international transfers”.
We will continue to monitor and provide updates on the regulatory position as it develops in the coming weeks.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.