International Data Transfers post Schrems II decision
The European Data Protection Board (EDPB) has published their much awaited recommendations on supplementary measures for data transfers, following the CJEU’s Schrems II ruling.
This is rather important news, as it gives more clarity to businesses (both controllers and processors) on HOW to comply when transferring personal data from the EEA to ‘third’ countries.
The EDPB also gave recommendations on the European Essential Guarantees for surveillance measures.
Why do we need this?
On 16th July 2020 some big news emerged in the world of international data transfers. The Court of Justice of the EU (CJEU) ruled that the EU-US data transfer mechanism known as Privacy Shield was ‘invalid’. It was there one day, gone the next.
The CJEU also pointed the finger at Standard Contractual Clauses (SCCs) – often used as a safeguard for data transfers. They found that organisations exporting data outside the EEA must assess the laws and practices of the third country. For example, do authorities in that country carry out surveillance activities?
In these situations organisations may need to implement additional safeguards beyond the SCCs to legitimise transfers to ‘third’ countries.
All in all, a world of pain if you use SaaS, cloud or other technology / outsourcing solutions hosted in the US or other non-EU countries.
So, if you’ve been struggling to figure out how to approach your international data transfers to reach a defensible business position, you certainly wouldn’t be alone!
To get up to speed you may wish to read our earlier article on the Schrems II ruling.
Do these new recommendations help?
Yes, kind of. These new EDPB recommendations do define a pathway to compliance. But if you were expecting a silver bullet, I’m afraid that’s not going to happen. A good deal of legwork will be required to meet the standards expected.
The recommendations provide a 6-step process to follow for SCCs and Binding Corporate Rules (BCRs) and provide examples of “supplementary measures” you may be required to implement. The recommendations are open for consultation until the end of November.
EDPB Chair, Andrea Jelinek explains:
“The EDPB is acutely aware of the impact of the Schrems II ruling on thousands of EU businesses and the important responsibility it places on data exporters. The EDPB hopes that these recommendations can help data exporters with identifying and implementing effective supplementary measures where they are needed.
Our goal is to enable lawful transfers of personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the EEA.”
The 6 step process
It’s the responsibility of the controller / processor which transfers personal data to ensure an “essentially equivalent” level of protection. Here are the 6 steps the EDPB has identified.
STEP 1: Know your transfers
The first step is to map your data transfers and understand what personal data you are transferring to which organisations in which third countries.
STEP 2: Verify the transfer tools your transfers rely on
Confirm which transfer tools (mechanisms) you rely on for each transfer, e.g. SCCs. These should be stated within the contractual terms, which means digging out your contracts and ideally storing them centrally.
STEP 3: Assess the laws & practices of the third country the data is transferred to and confirm the effectiveness of the safeguards of your transfer tool(s)
This will require some effort, involving gaining an understanding of surveillance laws in the destination country and how these may impact the rights & freedoms of the data subjects whose data you are transferring. Then confirm whether the current safeguards are enough or whether supplementary measures are required. You may wish to refer to the EDPB’s new recommendations on the European Essential Guarantees for surveillance measures.
STEP 4: Identify & adopt any supplementary measures
The supplementary measures could be technical, contractual and/or organisational in nature. Most likely a combination of these will be used.
Alongside the EDPB recommendations, the European Commission has published their draft decision on new SCCs, aiming to address requirements from the “Schrems II” ruling. These also tackle other limitations of the current SCCs, such as transfers from processors to controllers and from processors to their sub-processors.
It’s proposed there will be a one-year transition period for organisations to migrate over to new clauses. Organisations with a large number of data transfers may find this migration a monumental task!
Organisational measures may consist of data policies, procedures and standards you insist the data importer (i.e. a service provider) adopts.
Adopting contractual and organisational measures alone may not suffice in some situations, such as where the third countries’ authorities carry out surveillance activities. Therefore, arguably the most important measures will be technical. For example, the use of end-to-end encryption and/or pseudonymisation.
Note that for encryption to be effective, decryption must only happen outside the third country. Many examples are provided in the guidance.
More examples of use cases and appropriate supplementary measures are shown in the EDPB recommendations from page 21. Two unlawful uses are highlighted on pages 26/27.
STEP 5: Take any procedural steps required for adoption of your supplementary measures
If you have identified effective supplementary measures to be put in place, you must follow certain procedures to effect these, which may differ depending on the transfer tool you are using (e.g. SCCs or BCRs).
STEP 6: Re-evaluate the level of protection at appropriate intervals
You must monitor your transfers on an ongoing basis.
Let’s bear in mind that, whilst a UK adequacy decision is still undecided, personal data transfers from the EEA to the UK will require EEA-based controllers & processors to carry out the 6-step process above.
But what about transfers from the UK to third countries? That’s an interesting one, bearing in mind the ICO no longer has input into EDPB guidance. Perhaps the ICO might choose to take a different, more lenient approach from the EDPB? That remains to be seen.
The big unknown of course is, if and when EU regulators might start to take enforcement action on data transfers which don’t meet the required standards. Again, we’ll have to wait and see.
Perhaps unsurprisingly, reactions have been mixed. Some are pleased to have direction and a new framework to follow. Others have pointed out that this is a significant burden on privacy teams at what are already very challenging times for businesses dealing with the many impacts of COVID-19 and Brexit.
Simon Blanchard, November 2020
DPN can help you navigate these stormy waters
Do you have the resources and specialist skills in-house to ensure your data transfers comply with these recommendations? If you’d like some help, contact us. We help many organisations with pragmatic, no-nonsense solutions to their data protection challenges. Let us help you too!
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.