The European Data Protection Board (“EDPB”) has adopted new recommendations on international personal data transfers that provide businesses with updated guidance following the Schrems II decision. The recommendations set out a roadmap for businesses to follow in order to transfer personal data internationally in a compliant way, and detail the supplementary measures that may be required to maintain an essentially equivalent level of protection for personal data transferred to a third country under the Standard Contractual Clauses (“SCCs”). The guidance also provides an update on the European Essential Guarantees. In this article we set out the key points from the EDPB guidance and evaluate the impact of these recommendations on international data transfers.
On 16 July 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield as a mechanism for transferring personal data from the EU to the US in the ‘Schrems II’ decision. The decision upheld the validity of the European Commission's ‘Standard Contractual Clauses’ (“SCCs”) as a data transfer mechanism but imposed additional obligations on companies intending to rely on them. Any company relying on the SCCs to transfer personal data outside the EU must undertake a ‘transfer adequacy assessment’ to determine whether the third country to which the data will be transferred offers protection that is ‘essentially equivalent’ to that in the EU. If such protection does not exist, supplementary measures must be implemented in addition to the terms of the SCCs, or the transfer of personal data must cease. The EDPB has adopted the recommendations outlined in this article in order to provide businesses with guidance on the practical implications of the Schrems II judgment.
The EDPB has set out a six-step roadmap to guide businesses on how to assess their international data transfers and how to implement compliant supplementary measures to protect them.
Step 1: Know your data flows
The first step to a legally compliant international data transfer is to know your data flows. This may sound obvious, but for many businesses it can be complicated to untangle and understand international personal data flows. Businesses should complete a data mapping exercise to understand what personal data is transferred internationally and to where. The EDPB makes a point of reminding businesses that data mapping should not be limited to one level of transfer: onward transfers to other third countries should also be considered.
Step 2: Consider your transfer mechanism
Businesses must identify which transfer tools they are relying on in order to transfer personal data to a third country. Transfer tools may include the transfer safeguards detailed in Articles 46 and 47 of the GDPR or a derogation under Article 49. The key message from the EDPB is that, whatever transfer tool a business relies on, there is an overarching requirement to ensure that the personal data benefits from an essentially equivalent level of protection once it has been transferred to the third country.
Step 3: Assess the transfer mechanism
Step 3 is a fundamental step introduced in response to the Schrems II judgment. It requires a business to understand the laws and practices of the third country to which the personal data is being transferred. These laws and practices must be assessed to establish whether they impinge on the effectiveness of the transfer mechanism. This assessment should be undertaken in the context of the specific transfer, including:
- whether public authorities of the third country can access the personal data for the purpose of surveillance;
- the purpose of the transfer;
- the type of entities involved in the transfer (public or private);
- the business's industry sector; and
- the categories and type of personal data being transferred.
Data importers may assist data exporters in understanding local laws and should provide sources and information relating to local data protection practices. Publicly available legislation, as well as the rule of law and the legal system of the third country, should be considered to establish whether there are any public authority powers to access personal data and, if there are, whether they are limited to what is ‘necessary and proportionate in a democratic society’. In compliance with the data protection principle of ‘accountability’, businesses should carefully document their assessment.
Step 4: Supplementary measures
If a business has concluded that the local laws assessed under Step 3 impact the effectiveness of the transfer mechanism, the business must consider whether any supplementary measures can be put in place to ensure essentially equivalent protection. The effectiveness of supplementary measures is not guaranteed. Different measures may be effective for different transfers and should be considered on a case-by-case basis. Businesses must take into account their findings from Steps 1, 2 and 3 when considering whether particular supplementary measures will restore the effectiveness of the transfer tool.
Supplementary measures can be technical, contractual or organisational. The EDPB provides a non-exhaustive list of example measures and scenarios in which such measures may or may not be effective. Technical measures include encryption (provided it is correctly implemented and the keys are held by the exporter, or another trusted party, outside the reach of the importer and the third-country authorities), pseudonymisation (provided the data exporter has exclusive access to any additional information required to re-identify individuals) and split or multi-party processing. To be effective, technical measures must be implemented correctly: an encryption or pseudonymisation scheme whose keys or re-identification data travel with the data, or are reachable by the importer, does not supply the protection the transfer tool lacks.
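The pseudonymisation condition above (only the exporter holds what is needed to re-identify) as an added illustration, not code from the EDPB recommendations or from this article: direct identifiers are replaced with keyed HMAC-SHA256 tokens before export, and the key together with the token-to-identifier table never leaves the exporter. The field names, the sample records and the contrast with an unkeyed hash are constructed for the example.

```python
"""Added illustration of exporter-controlled pseudonymisation.

Not code from the EDPB recommendations or the article. Direct identifiers
are replaced by keyed HMAC-SHA256 tokens before export; the key and the
token -> identifier table stay with the data exporter, so the importer
(and anyone who can compel the importer) cannot re-identify from the
export alone. Field names and records below are constructed sample data.
"""
import hashlib
import hmac
import secrets

# Assumed list of direct identifiers; in practice this comes out of the
# Step 1 data-mapping exercise.
DIRECT_IDENTIFIERS = ("email", "national_id")

# Constructed sample records (no real people).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "national_id": "AB123456", "country": "FR", "orders": 3},
    {"email": "bob@example.com", "national_id": "CD789012", "country": "DE", "orders": 1},
    {"email": "alice@example.com", "national_id": "AB123456", "country": "FR", "orders": 2},
]


def pseudonymise_token(value: str, key: bytes) -> str:
    """Keyed token for one identifier value.

    Same value + same key -> same token, so the importer can still link the
    records of one person; without the key the token cannot be reversed.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key):
    """Return (exportable_records, reidentification_table).

    Only exportable_records are sent to the importer. The table maps
    (field, token) back to the original value and must remain with the
    exporter, together with the key, for the measure to be effective.
    """
    exportable = []
    table = {}
    for rec in records:
        out = dict(rec)  # copy: the original records are left untouched
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                token = pseudonymise_token(out[field], key)
                table[(field, token)] = out[field]
                out[field] = token
        exportable.append(out)
    return exportable, table


def reidentify(field, token, table):
    """Exporter-side lookup; raises KeyError for tokens the exporter never issued."""
    return table[(field, token)]


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of an identifier: what a naive 'just hash the e-mail' scheme exports."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dictionary_attack(target, candidates):
    """Why an unkeyed hash is not adequate pseudonymisation.

    Anyone holding the export can hash guessed identifiers (e-mail lists,
    ID-number ranges) and compare. Returns the matching guess, or None when
    the target was produced with a key the attacker does not have.
    """
    for guess in candidates:
        if unkeyed_hash(guess) == target:
            return guess
    return None


def demo():
    """Run the exporter side end to end with a fresh key; returns the export."""
    key = secrets.token_bytes(32)  # generated and retained by the exporter only
    exported, table = pseudonymise_records(SAMPLE_RECORDS, key)
    # The importer sees tokens only ...
    assert "alice@example.com" not in {r["email"] for r in exported}
    # ... while the exporter can still map a token back.
    assert reidentify("email", exported[0]["email"], table) == "alice@example.com"
    return exported


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The linkability is deliberate: the importer can still count orders per (pseudonymous) customer, which is what makes the measure useful. The point the EDPB condition turns on is who holds the key and the table; if either is copied to the importer, or the scheme drops the key and hashes the identifier directly, the `dictionary_attack` function shows how quickly low-entropy identifiers such as e-mail addresses are recovered.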
Contractual and organisational measures do not bind third-country public authorities, who are not party to the contract. On their own they therefore cannot cure a deficiency in the third country's law; they can only supplement a transfer mechanism effectively when combined with technical measures.
Supplementary measures should be considered carefully, because if no supplementary measure can in practice provide essentially equivalent protection for the transfer, the transfer must not be made or, if it is already under way, must be suspended immediately.
Step 5: Take steps to adopt supplementary measures
If supplementary measures are available which rectify the insufficiency in the chosen transfer mechanism, those measures must be formally implemented. For example, if the business decides to modify the SCCs themselves (rather than adding clauses that do not contradict them), the modified clauses must be authorised by the competent supervisory authority to be valid. The EDPB has left open the impact of Schrems II for businesses relying on Binding Corporate Rules or ad hoc contractual clauses as a transfer mechanism. However, businesses relying on these transfer mechanisms would still need to ensure that the data has essentially equivalent protection in the third country. As such, it is likely that the EDPB would expect businesses relying on these transfer mechanisms to undertake a similar six-step assessment as they would for the SCCs.
Step 6: Review
Supplementary measures, transfer mechanisms and the personal data transfers themselves should be regularly reviewed and monitored to ensure that the level of protection afforded to the personal data remains at an acceptable level. Businesses should ensure they have the capability to adapt to any changes in the protection offered by a third country, including being able to suspend a data transfer as soon as the transfer mechanism is no longer effective.
New Standard Contractual Clauses
The European Commission has published new draft SCCs for international data transfers. The draft SCCs are open for consultation until 10 December 2020, and it is not yet certain when or in what form they will be adopted. According to the current draft, businesses will have a transition period in which to replace their old SCCs with the new clauses. Any business undertaking the above six-step review of its international data flows should be aware that it may need to amend its contracts once the new SCCs are approved.
Since July, questions have remained unanswered and guidance has been pending on the practical requirements following the Schrems II judgment. The EDPB's recommendations are welcome guidance, although they show businesses that the EDPB is taking a strict approach to international data transfers in line with the Schrems II judgment. Businesses should take particular note of the examples provided in Annex 2 of the recommendations on supplementary measures when considering and assessing their own data transfers. One example in which technical measures were not considered adequate by the EDPB will be particularly relevant to businesses with international group structures. The EDPB concluded that if a group company (that is, a data importer) is given ‘open’ access to a CRM system in the United Kingdom, uses that information freely for its own purposes and is located in a country whose public authorities have access to transferred data beyond what is necessary and proportionate in a democratic society, then there is no effective technical measure that could validate such a transfer. This is a limited example, and additional contractual, organisational and technical measures may assist in validating such a transfer. However, this commentary shows that the EDPB is taking a strict approach, and businesses should assess international data transfers between group companies with equal rigour.
As a final note on SCCs (which will, in the short to medium term, represent the preferred or only realistic transfer mechanism available to a number of businesses), a key practical takeaway is that an additional assessment and, where appropriate, supplementary measures must now be demonstrated whenever the SCCs are used. Whether this ‘SCCs + assessment + supplementary measures’ solution ultimately provides a sustainable and problem-free means of transferring data overseas will depend in part on the subsequent approach of the relevant supervisory authorities. On that point, the ‘mood music’ coming from the regulators to date is already proving interesting. The ICO has released a statement saying that it is reviewing the EDPB's recommendations and that “We continue to apply a risk-based and proportionate approach to our oversight of international transfers in accordance with our Regulatory Action Policy.” The CNIL, by comparison, has released guidance that French businesses that handle health data should now avoid using US cloud hosting companies altogether. Further national developments will be closely observed.