Earlier this month, the European Data Protection Board (EDPB) issued its long-anticipated draft guidance on supplemental tools to ensure that data transfers out of the European Union (EU) to third countries comply with the GDPR.
The guidance was necessary due to the landmark Schrems II decision in July 2020 by the Court of Justice of the EU, which invalidated the previously developed EU-U.S. "Privacy Shield" framework and, at the same time, clarified what companies transferring data outside of the European Economic Area (EEA) had to do to ensure that such transfers provide the same level of protection for the data as that established in EU data protection law.
The new draft guidance sets out the following roadmap for how to transfer data while remaining in compliance with the GDPR.
Step One: Conduct Data Mapping
The first step for data exporters is to ensure that they are "fully aware" of any cross-border transfers by mapping all data flows out of the EEA. This should occur as part of broader data mapping efforts, including considering whether any outside-the-EEA data processors might transfer the exported data to yet another third country or countries.
Notably, the EDPB highlights the importance of mapping transfers involving remote access from a third country (e.g., in the context of IT support), as well as use of cloud services located outside of the EEA. The EDPB also reminds data exporters to ensure that any data transferred is adequate, relevant, and limited to what is necessary for the purposes of transfer and processing.
Step Two: Identify Transfer Mechanisms
After a company maps its data flows, it must determine the appropriate transfer mechanisms for any cross-border data transfers. Transfers made to a third country that the European Commission has found provides an adequate level of data protection may proceed.
Because the Court in the Schrems II decision determined that the Privacy Shield did not provide adequate data protection, U.S. companies must rely on another cross-border transfer mechanism, such as standard contractual clauses (SCCs) or binding corporate rules. Currently, the only SCCs available are those approved by the European Commission, subject to the EU Data Protection Directive (which preceded the GDPR), but new versions of the SCCs should be available soon: on November 12, 2020, the Commission published a draft implementing decision regarding updated SCCs.
Future options may include model clauses drafted by supervisory authorities, codes of conduct, or certification mechanisms, as approved according to processes described in the GDPR. Cross-border data transfers may also occur under certain "derogations," such as explicit consent, in specific situations.
Step Three: Assess the Effectiveness of the Transfer Mechanism in Light of Circumstances
According to the EDPB's guidance, cross-border transfer mechanisms alone may not be enough to ensure an adequate level of protection. As a result, it is essential that companies transferring data outside of the EEA ensure that whatever mechanisms they rely on are effective in practice. The EDPB envisions this as a highly fact-specific exercise.
Reiterating the rationale behind Schrems II, the EDPB states that a transfer is not adequately protected "if the data importer is prevented from complying [with] their obligations under the chosen Article 46 GDPR transfer tool due to the third country's legislation and practices applicable to the transfer." Companies should consider in particular any laws of the third country granting public authorities access to personal data, whether for the purposes of law enforcement, regulatory supervision, or national security.
For transfers into the United States, this would include a review of laws governing law enforcement investigative subpoenas, warrants and other court orders issued under (for example) the federal Stored Communications Act provisions that are part of the federal Electronic Communications Privacy Act, as well as access for counterintelligence investigations under the Foreign Intelligence Surveillance Act. These assessments should be documented thoroughly.
Step Four: Adopt Supplementary Measures if Transfer Mechanisms Are Insufficient
Should a company's assessment reveal that its chosen transfer mechanisms are insufficient to uphold EU standards of data protection, it must adopt additional protective measures.
The EDPB's guidance states that contractual and organizational measures alone are likely insufficient to "overcome access to personal data by public authorities of the third country," and that technical measures will often be the only adequate means to provide sufficient protection, particularly with regard to surveillance. Such technical measures include, for example, encryption, pseudonymization, and split or multi-party processing.
Step Five: Adopt Formal Procedural Steps
Depending on the particular transfer tool being used under Article 46 of the GDPR, companies should then adopt any procedural steps that are necessary in order to implement effective supplementary measures. These steps will vary depending on the Article 46 transfer mechanism adopted.
For example, in certain cases, modifying SCCs requires advance authorization from the relevant supervisory authority. Guidance on ad hoc contractual clauses remains under consideration by the EDPB, which will provide more details "as soon as possible."
Step Six: Reevaluate Transfers on an Ongoing Basis
Compliance with the GDPR's restrictions on cross-border transfer—like compliance with the GDPR overall—is an ongoing commitment.
Companies must continue to monitor developments in third countries that could affect the scope and effectiveness of data protection within those countries. The EDPB guidance states explicitly that companies should implement mechanisms to suspend or terminate transfers when supplementary measures are no longer effective in third countries.
Next Steps for the Draft Guidance
The draft guidance is open for public consultation until November 30, 2020. This guidance makes it clear that each company transferring data outside of the EEA is directly accountable for examining its cross-border data transfers and putting appropriate compliance measures in place.
Companies engaged in such transfers should ensure that cross-border data transfer mechanisms are part of their continued GDPR compliance efforts. U.S. companies in particular should take note of this draft guidance following the Schrems II decision, which was based largely on the conclusion that U.S. surveillance and national security authorities created a situation in which data transfers into the United States were not adequately protected.