On November 11, 2020, the European Data Protection Board (EDPB) issued two much-anticipated guidance documents, outlining the approach it expects organizations to take when transferring data out of the EU. Although these guidance documents provide a welcome step-by-step process for reviewing and evaluating data transfers, the conclusions ultimately drawn by the EDPB create a challenging framework. Organizations may find significant obstacles to their ability to move data for routine business purposes or to use service providers based outside of the European Union.
In the Schrems II case, decided this July, the European Court of Justice declared that Standard Contractual Clauses remained a viable method of transferring data from the EU to countries that had not been designated as “adequate” jurisdictions by the European Commission. However, the Court cautioned that “supplementary measures” might be required in some instances if the laws in the country to which the data was being transferred posed risks to the privacy rights of the data subjects whose data was being moved. Specifically, the Court noted that government surveillance and national security laws in the United States created risks for data subjects and required data exporters and importers to determine if additional measures could be put in place to address those risks. If additional measures could not be identified, the Court explained that the data transfer should be suspended.
Although the Court required evaluations of local laws and the adoption of “supplementary measures,” it did not describe in detail how such evaluations should be conducted and what kinds of supplementary measures might be appropriate. Shortly after the Schrems II decision, the EDPB announced it was evaluating the Court’s ruling and would issue guidance for businesses. On November 11, two documents were released by the EDPB (which are open for public consultation until November 30): Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (which describes a six-step process for evaluating a data transfer and gives examples of safeguards that could be adopted to address gaps), and Recommendations 02/2020 on European Essential Guarantees for surveillance measures (which describes how surveillance and national security laws outside the EU should be evaluated for compatibility with the GDPR).
Taking Steps: The Process for Evaluating Transfers and Identifying Safeguards
The EDPB has defined a six-step process for evaluating an international data transfer and adopting supplementary measures to ensure an adequate level of protection. The process includes:
- Identifying all transfers of data outside of the EU. Many companies have already performed this kind of data mapping, but it is a necessary step in the evaluation of a transfer mechanism.
- Identifying the transfer “tool” relied on for the transfer. The EDPB has indicated that, for transfers to jurisdictions which have been deemed “adequate” by the European Commission or which are done pursuant to a derogation to the GDPR’s general prohibition on international transfers, the analysis concludes at this stage. For all other transfers, a business would next:
- Assess whether the Article 46 transfer tool is “effective” for this transfer. Article 46 transfer tools include Standard Contractual Clauses (which were the subject of the Schrems II decision), Binding Corporate Rules and other far less commonly used tools like Codes of Conduct, Certification Mechanisms, and Ad Hoc Contractual Clauses.
- Adopt Supplementary Measures. These would be measures designed to address any identified gaps in the Article 46 tool’s effectiveness.
- Take Procedural Steps to Implement Supplementary Measures. This section of the document describes whether approval from a supervisory authority is required before the supplementary measure the business has chosen can be put in place.
- Re-evaluate at appropriate intervals. The EDPB expects companies to continue to monitor whether the supplementary measures identified are effective to protect data subjects.
But What If… : Evaluating Jurisdictions Outside the EU
Unlike the EU Commission’s Adequacy Decisions, none of the mechanisms for an international transfer under Article 46 directly bind the government of third countries to respect EU privacy laws or standards. Aware of this, the EDPB expects businesses to evaluate for themselves whether the laws and practices of governments outside the EU are compatible with EU privacy norms. Notably, this evaluation must include not just formal “legislation” allowing access, but also whether foreign governments have a practice of accessing data surreptitiously or by intercepting communications. Businesses are expected to consider, for example, the “technical, financial, and human resources” a foreign government can bring to bear.
The standards against which the laws and practices of other countries are to be judged are laid out in the European Essential Guarantees document. A conclusion that another country does not provide these “essential guarantees” would require the identification of “supplementary measures” that can provide protection (if any exist). For example, the EDPB indicated that it believes the Court of Justice of the European Union has officially concluded that Section 702 of the United States’ Foreign Intelligence Surveillance Act (FISA) infringes on these “essential guarantees,” and so any transfer of data that could come within the ambit of FISA requires supplementary measures.
Finally, the EDPB requires that businesses conduct these evaluations “objectively,” meaning that businesses are expected to evaluate whether a foreign government could infringe on the “essential guarantees” of the GDPR. Businesses are specifically instructed not to rely on “the likelihood of public authorities’ access.” There is no reason in principle why this should not be subject to an objective assessment by data exporters, based on the evidence available to them, although the EDPB clearly wants to discourage subjective or impressionistic analyses of the risk to the GDPR’s essential guarantees. For the vast majority of companies, who have little to no interaction with government intelligence gathering, applying the EDPB’s objective standard will require them to consider hypothetical scenarios and intelligence gathering capabilities beyond their experience.
Spoiler Alert — It’s Just Encryption: Identifying and Adopting Supplementary Measures
Assuming a business identifies a local law or practice that’s not consistent with the “essential guarantees” of EU data privacy law, it’s expected to adopt a supplementary measure to address the gap. Although there was much hope that the EDPB would identify non-technical measures capable of securing data, it did not. Instead, the EDPB’s recommendations are primarily based on encryption or pseudonymization of data.
In five Use Cases laid out by the EDPB, the key control applied in two cases is encryption that prevents anyone other than the controller from accessing the data. Pseudonymization of data is described in a third Use Case for research data, and a fourth use case describes a scenario where data is split up between multiple processors in a manner that prevents any processor from identifying an individual. Only one Use Case, describing the transfer of data to doctors, lawyers, or others who are protected from making disclosures by laws enabling privileged communications, does not focus solely on encryption (though even this Use Case requires the data be encrypted in transit and at rest by the recipient).
Failure of Imagination: Scenarios Where the EDPB Sees No Path Forward
In two Use Cases, however, the EDPB specifically determined that no supplementary measures would be effective in addressing the gap between local laws and the “essential guarantees” of the GDPR.
Notably, both of the Use Cases involved situations where the recipient of the data would need to use it in an unencrypted form — either as a processor on behalf of the data exporter or as a controller in its own right. Specifically, the EDPB stated that “when unencrypted personal data is technically necessary for the provision of the service by the processor,” it was “incapable of envisioning an effective technical measure to prevent [government] access from infringing on data subject rights.” Likewise, the EDPB could not “envision . . . an effective technical measure to prevent [government] access from infringing on data subject rights” when data is transferred to a controller’s affiliate outside the EU “for shared business purposes,” including human resources data or data needed to “communicate with customers of the data exporter who live in the European Union by phone or email.” Because such data must be unencrypted to be used, the data importer would not be able to prevent government access that does not comply with the GDPR.
In these (very common) scenarios, the EDPB appears to anticipate that businesses will need to suspend transfers of data to non-adequate jurisdictions. Derogations under Article 49 of the GDPR may also be available in some circumstances, although the EDPB restates its previous position that derogations can typically only be relied upon in exceptional situations mainly involving occasional and non-repetitive transfers.
False Warrant Canaries: The EDPB’s Additional List of Supplementary Measures
Following the discussion of Use Cases, the EDPB outlines a series of possible additional contractual and administrative measures that could be adopted between a data exporter and data importer. Although many of these measures would increase the protections afforded to data and give data exporters notice of any potential infringement of the “essential guarantees,” the EDPB is careful to indicate the limitations applicable to each one. In general, as the EDPB notes, these measures would only be effective to the extent that the law of the local jurisdiction permits the data importer to adopt them and to refuse government requests for access on the basis of such measures. For example, the EDPB suggests daily cryptographically signed certificates representing that no warrants have been received by a service provider — called “Warrant Canaries” — could be used to provide notice to a data exporter about any court orders. But such notices would only be effective if permitted by law and if government authorities could not force a processor to issue a “false Warrant Canary.”
The EDPB’s guidance has been eagerly awaited by the business community since the Schrems II decision earlier this year. Although the step-by-step evaluation process is now reasonably and helpfully clear, businesses will struggle with the EDPB’s conclusions about the permissibility of transferring unencrypted data out of the EU.