Last year’s European Court of Justice (ECJ) judgement in Data Protection Commissioner v Facebook Ireland LTD, Maximillian Schrems, C-311/18 (Schrems II) continues to have ramifications for cross border data transfers. The basic premise of Schrems II was that the protection afforded to personal data within the European Economic Area (EEA) must travel with the personal data wherever it goes — personal data transferred and processed outside the EEA should enjoy a level of protection “essentially equivalent” to the protection afforded in the EEA.
Last week, the European Data Protection Board (EDPB) issued its final recommendations on supplementary measures for data transfers. The final recommendations adopt the same six steps that appeared in the draft guidance (summarized in our previous alert) that each data exporter should take before transferring any personal data outside the EEA, in order to ensure that such transfer is done in accordance with the General Data Protection Regulation (GDPR) and the Schrems II decision.
However, in a major change, the draft recommendations now permit data exporters to take a subjective and risk-based approach. Whereas the previous guidance discouraged subjective analysis of the risks of data transfers, the final guidance, allows organizations to take into account the actual practices in third countries, provided that such an approach is fully assessed and documented. However, to take advantage of this his additional flexibility, companies will face significant additional internal compliance burdens.
We outline each step below, with the EDPB’s guidance on Steps 3-6 being particularly useful for data exporters who currently rely on the standard contractual clauses (SCCs), new versions of which were published by the European Commission shortly before publication of the EDPB’s guidance, summarized in our previous alert.
Step 1: Know your transfers
An exporter must be aware of where its data is going and how it is getting there. To do this, all data transfers should be mapped and recorded. The EDPB stresses that it is important to consider onward transfers — for instance, onward transfers by a non-EEA processor to its sub-processors.
Step 2: Verify the transfer mechanism used
After mapping the transfers, an exporter must identify a lawful transfer mechanism for each.
The GDPR provides for the following lawful transfer mechanisms:
- Reliance on an adequacy decision published by the European Commission deeming certain countries as safe for the purposes of international data transfers
- SCCs, which are probably the most widely used transfer mechanism - see our client alert regarding updates to SCCs
- Binding Corporate Rules — in certain circumstances, the reliance on derogations set out in Article 49 of the GDPR.
If a transfer occurs pursuant to an adequacy decision or a derogation in Article 49, then no further analysis of the transfer is required. If the transfer takes place pursuant to SCCs or Binding Corporate rules, then the exporter must complete Steps 3-6 of the EDPB Guidance. Although the GDPR also theoretically permits transfers pursuant to codes of conduct, certifications or “ad hoc” contractual clauses, these mechanisms have not yet been operationalized by EU authorities.
Step 3: Assess the effectiveness of the transfer tools in light of the third country rules
The data exporter and importer must assess and document together the laws and practices in force in the third country to see whether any of them may impinge on the effectiveness of the transfer mechanism used. This assessment must include review of:
- The practices and legislation relevant to the specific transfer and the transfer mechanism that is being used.
- The state of the rule of law in a third country (which may be relevant to assess the effectiveness of available mechanisms for data subjects to obtain judicial redress against unlawful government access to personal data).
- All actors participating in the transfer (e.g., sub-processors).
- Other publicly available information — provided it is relevant, objective, reliable and verifiable — about government and third-party practices.
In the new draft of the guidelines, however, the EDPB acknowledges that the parties may also, in assessing the effectiveness of the data transfer mechanism, take into account the practical experience relevant prior instances of request for access by public authorities in the third country. However, this practical experience should be corroborated by relevant, objective, reliable, verifiable and publicly available or otherwise accessible information on the practical application of the relevant law. The assessment cannot be purely subjective and should take into account the experience of other organizations operating in the same sector and/or processing similar personal data.
The guidance also provides some welcome flexibility in allowing a risk-based approach where the parties believe problematic legislation will not be applied in practice to the transfer.
Step 4: Identify and adopt supplementary measures needed to protect EU data
If the Step 3 assessment reveals issues, then the parties must consider whether any supplementary measures could be used to provide that extra protection.
These measures should be considered on a case-by-case basis and can be contractual, technical or organisational in nature. The EDPB states that contractual and organisational measures sometimes are not enough on their own. Technical measures, like encryption or pseudonymization, may be needed to ensure adequate protection, and a combination of all may be necessary to reach an EEA level of protection.
If the assessment concludes that the lawful transfer mechanism — plus the supplementary measures — ensures that the transferred data enjoys an essentially equivalent level of protection to that in the EEA, then the transfer can take place. If not, the exporter cannot legally transfer the data and should stop immediately (or not begin).
Step 5: Take formal steps to adopt supplementary measures
Depending on the lawful transfer mechanism utilized, there are different ways of implementing supplementary measures. However, if using SCCs, there is no need for any authorisation from the competent supervisory authority, provided that the SCCs are supplemented and not modified (unless the new supplementary measures could be construed as restricting the rights and obligations in the SCCs).