On November 11, 2020, the European Data Protection Board (“EDPB”) released two documents as a follow-up to the Court of Justice of the European Union’s (“CJEU”) notable July 2020 decision, known as Schrems II. These documents are intended to assist companies navigating the ever-evolving world of data transfers from the EU to third countries. The “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (the “Recommendations”) were adopted on November 10 and are open for public consultation until November 30. They provide data exporters, or the parties sending personal data out of the EU to third countries, with a set of steps to take in order to help with the “complex task of assessing third countries and identifying appropriate supplementary measures where needed.” The other document, entitled “Recommendations 02/2020 on the European Essential Guarantees for surveillance measures” (“EU Essential Guarantees”) and providing further information for the assessment of third countries, was adopted outright.
In July, the CJEU invalidated one of the primary mechanisms enabling the transfer of personal data from the EU to the U.S.—the EU-U.S. Privacy Shield—and cast doubt on the sufficiency of other existing transfer mechanisms such as the European Commission Standard Contractual Clauses. We have previously written about Schrems II and its implications here. After Schrems II, many companies that were previously relying on the ability to transfer EU personal data to the U.S. and other third countries under these mechanisms found themselves having to take a number of quick unilateral measures to secure their transfers. These measures included conducting internal risk assessments concerning their exposure to U.S. surveillance laws (one of the key concerns in Schrems II), pivoting to other appropriate safeguards, and implementing additional measures to supplement those safeguards, as suggested by the CJEU.
Through the adoption of these documents during its forty-first plenary session, the EDPB has attempted to provide more clarity on what companies can do to comply with the EU General Data Protection Regulation (“GDPR”) and Schrems II when transferring EU personal data to a third country.
The Recommendations outline a step-by-step process for data exporters to navigate the implications of Schrems II:
- Step One: “Know your transfers.” In other words, map all transfers of EU personal data to third countries. This includes onward transfers. Also, determine whether the personal data transferred is “adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country.”
- Step Two: “Verify the transfer tool your transfer relies on.” Identify which mechanisms, whether an existing adequacy decision or a transfer tool under Article 46 of GDPR, are being used to justify the transfer. The EDPB also reiterates its view that an exporter is able to rely on the derogations listed in Article 49 of GDPR only in some cases of occasional and non-repetitive transfers.
- Step Three: “Assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.” The evaluation of the law of a third country—insofar as that country’s public authorities may have access to data for surveillance purposes—should take into account the EU Essential Guarantees.
  - If the law governing the public authority’s access to data is ambiguous or not publicly available, this should be carefully considered.
  - If the legislation does not exist, and a data exporter would still like to proceed with the transfer, the Recommendations suggest that the data exporter look at “other relevant and objective factors, and not rely on subjective factors such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards.”
  Annex 3 to the Recommendations provides a non-exhaustive list of sources of information for this assessment. The assessment in this step should be documented and conducted with due diligence.
- Step Four: “Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence.” Step Four is only necessary if your Step Three assessment shows that the third country’s laws “impinge on the effectiveness of the…transfer tool you are relying on or intend to rely on.” Annex 2 to the Recommendations includes a non-exhaustive list of examples of supplementary measures that might be used by a data exporter. In the EDPB’s view, in most instances, only technical measures may result in the required standard of protection. Contractual and organizational measures are discussed, but with an understanding that these kinds of measures alone will usually not be sufficient.
  Unfortunately, the EDPB’s views are strict: Annex 2 also contains several examples of measures that the EDPB expressly states “do not constitute a supplementary measure that ensures an essentially equivalent level of protection.” This includes scenarios such as the “[t]ransfer to cloud services providers or other processors which require access to data in the clear” (Use Case 6) and “[r]emote access to data for business purposes” (Use Case 7).
- Step Five: “Take any formal procedural steps the adoption of your supplementary measure may require.” The Recommendations provide further discussion of these formal steps and note that a data exporter may have to consult the competent supervisory authorities in some cases.
- Step Six: “Re-evaluate at appropriate intervals the level of protection afforded to the data you transfer to third countries and monitor if there have been or will be any developments that may affect it.”
The EU Essential Guarantees, referenced by Step Three in the Recommendations, provide four factors for the assessment of the “level of interference with the fundamental rights to privacy and to data protection” presented by public authority surveillance measures in third countries. Further, they outline what legal requirements must apply in order to figure out whether those levels of interference are acceptable under the European Charter of Fundamental Rights.
The four factors are:
- Processing should be based on clear, precise and accessible rules.
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
- An independent oversight mechanism should exist.
- Effective remedies need to be available to the individual.
We will provide more in-depth analysis of these documents, the supplementary measures suggested, and their implications in future blog posts.