The European Data Protection Board has published for consultation its much anticipated recommendations on international data transfers following the European Court of Justice's decision in Schrems II.
In addition to providing guidance on the steps organisations should take when transferring personal data outside the EEA, the recommendations will also be relevant to transfers from the EEA to the UK from 1 January 2021, if the European Commission has not made a finding of adequacy in relation to UK law.
In its press release, the EDPB acknowledges that the Schrems II decision presents challenges for organisations:
"The implications of the Schrems II judgment extend to all transfers to third countries. Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as this would be ignoring the wide diversity of situations data exporters face. Data exporters will need to evaluate their data processing operations and transfers and take effective measures bearing in mind the legal order of the third countries to which they transfer or intend to transfer data."
What does the guidance say?
The guidance takes the form of recommendations that have been adopted by the EDPB. The overall structure and steps recommended by the EDPB are similar to those set out in our recent blog:
- Step 1: know your transfers - ensure you have full oversight of your transfers, including what data being is transferred to where (and to whom)
- Step 2: identify the transfer tools you are relying on - for example, an adequacy decision, standard contractual clauses (SCCs), binding corporate rules or another Article 46 transfer tool, or an Article 49 derogation
- Step 3: if relying on an Article 46 transfer tool, assess whether it is effective in providing an essentially equivalent level of protection to EU law
- Step 4: identify and adopt (if necessary) supplementary measures
- Step 5: consider any procedural steps (for example, any requirement to notify the relevant supervisory authority)
- Step 6: monitor and re-evaluate your approach on a regular basis
When assessing the impact of Schrems II, it is necessary to look not just at the immediate data importer, but also any subsequent transfers.
For example, section 702 of FISA, the US surveillance law considered in Schrems II, applies to US electronic communications service providers. While your supplier may not be subject to section 702 of FISA, it may use third party processors (such as cloud service providers) that are.
How can I assess the laws of a third country?
As part of step 3, exporters will need to assess the surveillance laws of the relevant third country (or countries) to understand the extent to which they undermine EU rights and protections and the effectiveness of any rights granted to data subjects or mechanisms for judicial redress.
In addition to asking the data importer to provide information on the laws that apply to it, the EDPB recommends that exporters consider a variety of sources, including ECJ case law, resolutions and reports from organisations such as the Council of Europe and the UN, together with national case law and privacy regulators in the destination territory and reports from NGOs and trade associations.
In practice, this is likely to mean that data exporters will have to seek legal advice to help review the laws in the third country and validate the responses provided by the data importer. In accordance with the accountability principles in GDPR, exporters will need to be able to demonstrate the steps that they've taken and the basis for their decision.
What supplementary measures can I use?
The EDPB's recommendations include an annex with examples of technical, contractual and organisational measures that could be considered.
These run to 18 pages, and will need to be considered on a case by case basis, depending on the nature of the transfer, how the laws of the destination territory operate, and the feasibility of technical and operational measures. In the annex, the EDPB gives examples of where it considers the supplementary measures may or may not be effective.
If you are not able to implement supplementary measures such that an equivalent level of protection is provided, then the transfer should not be made. If transfers are already being carried out, then these should be suspended or terminated and any copies of data in the third country destroyed or returned.
What else has the EDPB said?
In addition to publishing its recommendations on supplementary measures, the EDPB has also published the European Essential Guarantees recommendations.
The EEG recommendations are intended to provide data exporters with information to help them to determine if the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with the rights to privacy and the protection of personal data.
If the interference is justifiable, then those surveillance rights will not impinge on the effectiveness of Article 46 transfer mechanisms such as the SCCs.
What does this mean for using US based service providers?
The EDPB's recommendations include a specific example in relation to US law. The EDPB states that as section 702 of FISA does not provide essentially equivalent protection to EU law, if any processor is subject to section 702 of FISA then a transfer may "only" be made under the SCCs or another Article 46 transfer tool if additional supplementary technical measures make access to the data "impossible or ineffective".
In other words, the EDPB is saying that given how section 702 of FISA operates, supplementary contractual or organisational measures alone will not be sufficient.
This is reinforced in Annex 2, which includes cloud service providers that require access to data in order to provide the service as a scenario in which no effective technical measures could be found. The EDPB reaches a similar conclusion in relation to remote access to EU hosted data.
This creates a big challenge for the use of services where data is hosted or remotely accessed from countries such as the US, including "follow the sun" IT support. Identifying whether technical measures can be effective will require additional diligence and a detailed analysis of the data flows, the data being transferred, how encryption is used and who holds the encryption keys.
It will be incumbent on data importers and their advisors to work with exporters and provide information to help them understand these issues and identify potential solutions. Longer term, this is likely to lead to service providers re-engineering systems and delivery models to ensure that data is not transferred to countries such as the USA.
What does this mean for transfers between the EU and the UK following the post-Brexit transition period?
The UK becomes a third country for the purposes of EU data protection law following the expiry of the post-Brexit transition period on 31 December 2020. If there is no adequacy decision from the European Commission, then EU based organisations transferring personal data to the UK will need to consider the steps described above. This will include assessing the potential application of UK surveillance laws to the UK importer and other recipients.
If you are a UK based importer of personal data from the EEA, then you should take steps now to identify what UK surveillance laws apply to your processing activities and what supplemental measures you may need to adopt.
For more on Brexit and data protection, read our guide to Brexit and data protection.