On November 10, 2020, the European Data Protection Board (EDPB), the body made up of representatives of all the Data Protection Authorities (DPAs) in the European Economic Area (EEA), adopted two sets of Recommendations (one in draft for public consultation, the other final). Both address the aftermath of the landmark Schrems II decision of the Court of Justice of the European Union (CJEU), which scrutinised international personal data transfers under the General Data Protection Regulation (GDPR). Any international business should be aware of the significant impact that Schrems II has had on cross-border data transfers: the judgment reinforced that the protection granted to the personal data of EEA individuals under the GDPR must travel with that data, even when the data leave the EEA. International businesses should therefore consider the key takeaways from both sets of Recommendations, which we summarise below. Action will be required as soon as the draft set becomes final, which is expected in early 2021; the public consultation is open until December 21, 2020.
The two Recommendations
The first set of Recommendations (Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data, the "Supplementary Measures Recommendations") is in draft and sets out a proposed six-step plan to help EEA data exporters assess whether they need to put in place supplementary measures, i.e. measures in addition to those they already have in place, in order to transfer personal data outside the EEA in compliance with Schrems II. One of these steps is assessing whether widely used transfer mechanisms such as the Standard Contractual Clauses (SCCs) provide an equivalent level of protection for the personal data in the country to which it is transferred. That assessment requires consideration, on a case-by-case basis, of whether access to personal data by public authorities of the receiving country (such as national security and law enforcement agencies) is limited to what is strictly necessary in a democratic society. The Supplementary Measures Recommendations also set out a non-exhaustive list of supplementary technical, contractual and organisational measures that could be effective in achieving Schrems II compliance, provided certain conditions are satisfied.
The second set of Recommendations (Recommendations 02/2020 on the European Essential Guarantees for Surveillance Measures, the "EEG Recommendations") is final and updates the Article 29 Working Party's Working Document 01/2016, published in April 2016, on the European Essential Guarantees for surveillance measures. The EEG Recommendations provide guidance on how the assessment discussed in the Supplementary Measures Recommendations regarding access to personal data by public authorities of the receiving country can be carried out.
The proposed six steps outlined in the Supplementary Measures Recommendations are broadly in line with expectations following the Schrems II judgment. The examples of concrete supplementary measures, however, lay bare the hurdles that businesses would need to overcome in order to continue relying on SCCs for cross-border personal data transfers. At least some of those examples may not be possible or practicable in a given transfer, and thought should be given to alternative solutions.
Step I: Data mapping
A comprehensive data mapping exercise has to be carried out under Step I. Organisations should identify which personal data they transfer, to whom and to which countries. Onward transfers, where a data recipient in a non-EEA country passes the personal data to further recipients, whether in another country or inside that same country, should also be identified. The Supplementary Measures Recommendations reiterate a point which often creates confusion: remote access to personal data from a non-EEA country (for example by support staff or administrators located there), or storage with a cloud provider situated outside the EEA, is a transfer under the GDPR even if no copy is deliberately "sent". Without a mapping exercise, the next steps cannot be completed.
Step II: Which lawful transfer mechanism is relied upon
For any transfers to non-EEA countries, EEA data exporters should identify the lawful mechanism under the GDPR upon which they rely. The GDPR provides a number of mechanisms which could be relied upon for carrying out a personal data transfer. Which mechanism is appropriate should be considered and implemented before any transfer takes place.
If the intended transfer is to one of the few countries deemed adequate by the European Commission, the EEA data exporter will not be required to take any further steps, provided that the adequacy decision remains in force. The UK, whose Brexit transition period ends on December 31, 2020, is hoping to receive an adequacy determination from the European Commission as soon as practicable.
If an organisation is relying on one of the derogations for a personal data transfer, which mainly apply when the transfer is occasional and non-repetitive, the organisation needs to focus on satisfying the criteria for that derogation. No further steps in terms of supplementary measures are required.
In circumstances where there is no adequacy decision (as is the case with the United States, for example, following Schrems II) and where no derogation is used, organisations will be reliant on one of the other mechanisms for lawful transfers, mainly SCCs or Binding Corporate Rules (BCRs). In such circumstances, organisations will have to proceed to steps III to VI.
Step III: Assess if your mechanism is effective for the specific transfer
Step III requires EEA data exporters relying (in particular) on SCCs or BCRs to conduct their own assessment on whether a non-EEA country's laws and practices may impinge on the effectiveness of the personal data protection envisaged in the SCCs or BCRs. That assessment should essentially consider if the non-EEA country provides an equivalent level of personal data protection to that provided under the GDPR, and in particular whether access to personal data by the public authorities of the non-EEA country (such as national security and law enforcement agencies) is limited to what is strictly necessary in a democratic society.
The Supplementary Measures Recommendations state that an EEA data exporter could turn to several sources in order to carry out the assessment, including the publicly available legislation of the non-EEA country, reported precedents and practice, and information received from the data importer about its own national laws and practices. Where legislation in the non-EEA country is lacking, the Supplementary Measures Recommendations state that the EEA exporter should not rely on subjective factors such as the likelihood of the public authorities accessing the data, but only on relevant and objective factors. The data exporter should conduct the assessment with due diligence and document it thoroughly, as it may have to demonstrate the assessment to the relevant data protection authority, in accordance with the accountability principle of the GDPR.
In order to help EEA data exporters, the EDPB has adopted the EEG Recommendations, which update the 2016 Working Document and explain that the European Essential Guarantees for surveillance measures form part of the above assessment. The EEG Recommendations outline four "essential guarantees" which, if present in the non-EEA country's legal system, could mean that the limitations on data protection rights in that country are justifiable (and therefore that supplementary measures are likely not required). At a high level, these guarantees with respect to personal data are as follows:
- processing should be based on clear, precise and accessible rules;
- necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
- an independent oversight mechanism should exist; and
- effective remedies need to be available to the individual.
Whilst the EDPB stresses that the European Essential Guarantees do not, on their own, define all the elements necessary to conclude that a non-EEA country provides an equivalent level of protection, the EDPB also states that if a non-EEA country's legislation does not ensure the "essential guarantees", that country would not offer a level of protection essentially equivalent to that guaranteed within the EU.
For example, in Schrems II the CJEU held that the level of protection afforded under the programmes authorised by Section 702 of the U.S. Foreign Intelligence Surveillance Act ("FISA") is not essentially equivalent to the safeguards required under EU law. Therefore, if a data importer in the US, or any further recipient to which that data importer may disclose the data, falls under Section 702 of FISA, an EEA exporter may rely on SCCs for personal data transfers only if additional supplementary measures are put in place.
Step IV: If mechanism not effective, adopt supplementary measures
Step IV takes effect if the EEA data exporter's assessment reveals that legislation in the non-EEA country impinges on the effectiveness of the data protection envisaged by the SCCs or the BCRs relied upon for the specific transfer.
In such a case, EEA data exporters must identify and adopt supplementary measures in order to bring the level of protection of the transferred data up to the EU standard of essential equivalence. EEA data exporters may use a combination of supplementary measures to achieve this.
However, the EDPB notes that in some cases it is possible that no supplementary measures may be adequate in ensuring essential equivalence, and in such circumstances the transfer in question must be avoided, suspended, or terminated, as appropriate.
The EDPB provides a non-exhaustive list of examples of supplementary measures, as well as the conditions that need to be satisfied in order for those measures to be effective, at Annex II of the Supplementary Measures Recommendations. The examples of supplementary measures are divided into technical, contractual and organisational measures, as set out below:
- Technical measures: Technical measures are designed to preclude the receiving country's public authorities from identifying data subjects or from inferring information about them by associating the transferred data with other data sets in their possession. Examples include encryption, pseudonymisation and split or multi-party processing. The conditions in Annex II matter as much as the measure itself: for encryption, the EDPB's examples assume state-of-the-art algorithms and that the decryption keys remain solely under the control of the exporter (or another entity in the EEA or an adequate country), so that the importer cannot access the data in the clear; for pseudonymisation, the additional information needed to re-identify individuals must likewise be held by the exporter alone. Where the importer needs the data in the clear to perform its service, the technical measures in the draft do not provide a solution.
- Contractual measures: Examples of contractual measures include importer commitments to transparency (e.g. publishing transparency reports and sharing information on the number of government requests for data), enhanced audits to verify whether data have been provided to government authorities, and commitments to notify the data exporter if the importer can no longer comply with its commitments due to changes in law or practice.
- Organisational measures: Organisational measures may consist of internal policies, methods and standards that organisations can impose on themselves and on a third-party data importer. They are intended to ensure that the protection of personal data is consistent throughout the full processing lifecycle, as well as to improve the exporter's awareness of the risk to data in a non-EEA country and its capacity to react. Examples include internal policies for the governance of transfers, transparency policies, data minimisation procedures, internationally recognised security standards, and policies not to transfer the data onwards to any other non-EEA country which does not have essentially equivalent protections.
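The following is an added illustration of the pseudonymisation measure described above; it is example code written for this note, not part of the EDPB Recommendations or of any vendor product. It assumes a setup in which the EEA exporter generates and keeps a secret key and a re-identification table, sends only keyed pseudonyms and coarsened quasi-identifiers to the importer, and can re-identify records when they come back. The records, field names and generalisation rules are constructed for the example.

```python
"""Keyed pseudonymisation before export (added example, hypothetical data).

Exporter side: holds KEY and LOOKUP. Importer side: receives only the
pseudonymised records and cannot recompute or reverse the pseudonyms
without KEY, nor link rows to other data sets via the coarsened fields.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample records for the example (not real people).
SAMPLE_RECORDS: List[Record] = [
    {"email": "alice@example.eu", "postcode": "SW1A 1AA", "dob": "1984-03-12", "score": "7"},
    {"email": "bob@example.eu", "postcode": "10115", "dob": "1990-11-30", "score": "4"},
]

# Fields that identify a person directly are replaced by a keyed pseudonym;
# fields that could identify a person in combination with other data sets
# (quasi-identifiers) are generalised so they no longer single anyone out.
DIRECT_IDENTIFIERS = ("email",)
QUASI_IDENTIFIERS = ("postcode", "dob")


def new_exporter_key() -> bytes:
    """Secret held only by the EEA exporter; never shipped with the data."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, value: str) -> str:
    """HMAC-SHA256 of the identifier under the exporter's key.

    Deterministic for a given key, so repeat exports of the same person
    stay consistent, but infeasible to invert or recompute without the key
    (an unkeyed hash of an e-mail address would be trivially guessable).
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def generalise(field: str, value: str) -> str:
    """Crude coarsening rules for the example: area-level postcode, birth year."""
    if field == "postcode":
        return value.split()[0][:3]
    if field == "dob":
        return value[:4]
    return value


def pseudonymise(records: List[Record], key: bytes) -> Tuple[List[Record], Dict[str, str]]:
    """Return (records safe to export, re-identification table kept by exporter)."""
    exported: List[Record] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        out: Record = {}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS:
                pid = pseudonym(key, value)
                lookup[pid] = value      # stays in the EEA with the exporter
                out["subject_id"] = pid  # only the pseudonym leaves
            elif field in QUASI_IDENTIFIERS:
                out[field] = generalise(field, value)
            else:
                out[field] = value
        exported.append(out)
    return exported, lookup


def reidentify(lookup: Dict[str, str], exported_rec: Record) -> str:
    """Exporter-only step: map a returned pseudonym back to the identifier."""
    return lookup[exported_rec["subject_id"]]


def importer_can_reverse(exported_rec: Record, candidate_emails: List[str]) -> bool:
    """What an importer (or an authority compelling it) can do without KEY:
    only guess a key, which fails for every candidate, so the answer is False."""
    guessed_key = b"\x00" * 32  # the importer does not hold the real key
    return any(pseudonym(guessed_key, e) == exported_rec["subject_id"] for e in candidate_emails)


if __name__ == "__main__":
    key = new_exporter_key()
    safe, table = pseudonymise(SAMPLE_RECORDS, key)
    for row in safe:
        print(row)
    print("re-identified:", reidentify(table, safe[0]))
```

The two caveats the code makes visible are the ones the EDPB's conditions turn on: the key and lookup table must never travel with the data (otherwise the importer, and anyone who can compel it, can undo the measure), and direct identifiers alone are not enough, since exact postcode plus date of birth would let the importer re-identify people against other data sets it holds.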
Steps V and VI: Put measures in place and review regularly
Step V requires organisations to take any formal procedural steps needed to adopt the chosen supplementary measures (for example, where a measure modifies the SCCs themselves, obtaining the competent DPA's authorisation). Step VI requires organisations to monitor and re-evaluate, at appropriate intervals, the level of protection afforded to data transferred to non-EEA countries. The Supplementary Measures Recommendations make clear that organisations should carefully document their analysis under Steps I to VI, as they will be held accountable for the decisions made.
There are three key takeaway points from the draft Supplementary Measures Recommendations, read together with the EEG Recommendations.
First, if supplementary measures are required, a combination of technical, contractual and organisational measures has a higher chance of achieving a Schrems II compliant international personal data transfer than adopting any one of the proposed measures on its own.
Second, which supplementary measures might work in any given situation is not a straightforward question. Many of the measures raise conflict of law points, where the measure, or the conditions for its implementation, which would satisfy the GDPR requirements may not be legally allowed in the non-EEA country. Each transfer may need to be considered on its own merits and thought should be given to alternative solutions that would enable business operations.
Third, the Supplementary Measures Recommendations will apply immediately once finalised, which is expected in early 2021. The data mapping exercise and the assessment of whether any supplementary measures are required, and if so which ones, are likely to take time and resources. Businesses should consider what can be done now so that any supplementary measures can be implemented rapidly once the consultation period expires and the Supplementary Measures Recommendations are published in final form.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.