Personal data may only be transferred to countries outside the European Economic Area (EEA) where an adequate level of data protection is ensured. On 16 July 2020, the European Court of Justice declared the EU-US Privacy Shield invalid. This decision is known as the Schrems II case.
The European Court of Justice (ECJ) ruled in Schrems II that personal data may still be transferred where the data exporter and the data importer conclude a data transfer agreement on the basis of standard contractual clauses (SCCs). According to the ECJ, supplementary measures may then be necessary, depending on the law and practice of the recipient country. This also applies to the use of binding corporate rules (BCRs). The European Data Protection Board (EDPB) published recommendations on such supplementary measures on 11 November 2020. In this blog, I summarise the recommendations for data transfers.
Following the ruling in Schrems II, many organisations fell back on the SCCs to legitimise the transfer of personal data. Although the SCCs remain valid, the ECJ indicated that supplementary measures are (or may be) necessary. The EDPB, the body in which all European privacy supervisors are represented, published frequently asked questions (FAQs) on this case shortly after the ruling. In these FAQs, the EDPB explained that it would issue recommendations at a later stage on the measures that would be necessary where the SCCs or BCRs alone do not provide an adequate level of protection.
On 11 November 2020, the EDPB published two sets of recommendations. The first set is intended to assist data exporters in assessing their data transfers and the supplementary data protection measures that are or may be necessary. The second set (on the European Essential Guarantees for surveillance measures) helps data exporters assess whether access to personal data by public authorities in the third country amounts to an unjustified interference with fundamental rights.
The recommendations on supplementary measures (the first set) contain a roadmap with a six-step process outlining what data exporters must do to assess whether and how transfers of personal data to third countries can be legitimate. The EDPB distinguishes the following steps:
Step 1 – Mapping out transfers
The EDPB advises data exporters to identify all their data transfers, including onward transfers by the importer to sub-processors, and to record the third countries to which personal data is sent. When transferring personal data, data exporters must respect the principles of data minimisation and purpose limitation: they must ensure that only the personal data that is necessary and relevant for the purpose is transferred, and nothing more. The General Data Protection Regulation (GDPR) already contains a documentation duty: processing activities must be recorded in the record of processing activities (the processing register), which must state for each processing operation whether personal data is transferred to a third country. In this first step, the processing register can therefore be taken as the starting point.
Step 2 – Verify the transfer tool relied on
For each transfer of personal data, the data exporter must verify (i) whether an adequacy decision applies to the recipient country and, if not, (ii) whether the transfer can be legitimised on the basis of another transfer tool, such as SCCs or BCRs. Where the transfer is occasional and non-repetitive, one of the derogations of the GDPR may apply; in that case, the derogation the data exporter intends to invoke should be examined, and the remaining steps need not be carried out for that transfer.
Step 3 – Assessment of legal regimes in third countries
If the data exporter transfers personal data on the basis of SCCs, BCRs or another transfer tool, further assessment is necessary. The data exporter should check whether there are laws or practices in the recipient country that may impinge on the effectiveness of the appropriate safeguards provided by the transfer tool relied on. This is particularly important where legislation on public authorities' access to personal data is ambiguous or not publicly available. In that case, the data exporter should look at other relevant and objective factors (such as reported practices of the authorities, case law and reports of independent oversight bodies). Under the draft recommendations, the data exporter cannot rely on subjective factors such as the perceived likelihood that public authorities will actually access the data. The EDPB advises the data exporter to seek information from the data importer about such laws and practices. The data exporter should carry out this assessment carefully and document it.
Step 4 – Adopt and implement supplementary measures
If step 3 shows that the recipient country's legislation or practice may impinge on the effectiveness of the transfer tool, supplementary measures are needed. The EDPB provides a non-exhaustive list of examples, including:
- Encryption. Where the data importer only provides a storage, transit or backup service and does not need access to the data in the clear, strong encryption may be applied before transfer. The keys must remain under the sole control of the data exporter (or another entity in the EEA or an adequate country), so the data importer cannot access the personal data and cannot give authorities access to it.
- Pseudonymisation. Where possible, the data exporter should only pass on pseudonymised data. The data importer must not be able to attribute the data to a specific individual; the additional information needed for re-identification (such as the key or lookup table) stays with the data exporter.
- Split processing. The data exporter may use different data importers subject to different legal regimes and split the data in such a way that none of the data importers alone can trace the data back to an individual data subject.
- Additional contractual commitments by the data importer. For example, the parties may agree on transparency regarding requests for access by authorities, on technical and organisational measures to prevent and restrict such access, and on broad audit rights for the data exporter. The parties may also agree that the data importer will always check the legality of a request for access by a public authority and, where appropriate, contest it and inform the data exporter.
- Organisational measures. These may include internal policies with a clear allocation of responsibilities for data transfers, procedures for handling requests for access, and transparency and accountability measures such as documenting all access requests and the responses given.
The measures that should be taken depend, among other things, on the nature of the data transferred and the country to which the data is transferred. The EDPB notes that contractual and organisational measures alone will generally not be enough to overcome access by public authorities that goes beyond what is necessary and proportionate; they should be combined with technical measures. If no supplementary measure, alone or in combination, can ensure an essentially equivalent level of protection, the transfer of personal data must not take place or must be suspended. The assessment of the supplementary measures must also be carefully documented.
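The pseudonymisation and encryption use cases above share one security property: whatever leaves the EEA must be useless to the importer (and to any authority compelling the importer) without a secret that stays with the exporter. The following Python is an added example to make that concrete; it is not code from the EDPB or from the original post. It pseudonymises the direct identifiers of a few constructed customer records with an HMAC under an exporter-held key, keeps the re-identification table on the exporter side, and contrasts this with a plain SHA-256 hash, which an importer can reverse by guessing. The record layout, field names and key handling are assumptions for illustration.

```python
"""Exporter-side keyed pseudonymisation before a third-country transfer.

Assumed model (example, not from the original post): the exporter holds
PSEUDONYM_KEY inside the EEA and sends only the pseudonymised records to
the importer; the re-identification table never leaves the exporter.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records (fictitious data, for this example only).
RECORDS = [
    {"email": "a.jansen@example.org", "customer_id": "C-1001", "city": "Utrecht", "spend_eur": 120},
    {"email": "b.devries@example.org", "customer_id": "C-1002", "city": "Leiden", "spend_eur": 80},
    {"email": "a.jansen@example.org", "customer_id": "C-1001", "city": "Utrecht", "spend_eur": 45},
]

# Fields the importer must not be able to link back to a person.
DIRECT_IDENTIFIERS = ("email", "customer_id")

# Exporter-held secret: generated once, kept in the exporter's KMS/HSM, never shipped.
PSEUDONYM_KEY = secrets.token_bytes(32)


def keyed_pseudonym(key: bytes, field: str, value: str) -> str:
    """HMAC-SHA256 over (field, value). Deterministic, so the importer can still
    join and aggregate per customer, but not reversible or guessable without the key.
    Binding the field name stops the same value yielding the same token in two columns."""
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, Tuple[str, str]]]:
    """Return (records_for_importer, reidentification_table).
    Only the first element is transferred; the table stays with the exporter."""
    for_importer: List[dict] = []
    table: Dict[str, Tuple[str, str]] = {}
    for rec in records:
        out = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                token = keyed_pseudonym(key, field, str(out[field]))
                table[token] = (field, str(out[field]))
                out[field] = token
        for_importer.append(out)
    return for_importer, table


def reidentify(records: List[dict], table: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Exporter-side reversal with the retained table (e.g. when results come back)."""
    restored = []
    for rec in records:
        out = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in out and out[field] in table:
                out[field] = table[out[field]][1]
        restored.append(out)
    return restored


def unkeyed_hash(value: str) -> str:
    """What NOT to do: a plain hash is reversible by anyone who can guess the input."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dictionary_attack(token: str, candidates: List[str], guess_fn: Callable[[str], str]) -> Optional[str]:
    """Importer's (or an authority's) view: try plausible identifiers against a token
    using whatever function the attacker can compute. Works against unkeyed hashes,
    fails against HMAC tokens without the exporter's key."""
    for cand in candidates:
        if hmac.compare_digest(guess_fn(cand), token):
            return cand
    return None


if __name__ == "__main__":
    shipped, table = pseudonymise(RECORDS, PSEUDONYM_KEY)
    print("sent to importer:", shipped)
    # Constructed guess list an attacker might hold (customer lists, breach dumps, ...).
    guesses = ["x@example.org", "a.jansen@example.org"]
    print("unkeyed hash recovered:",
          dictionary_attack(unkeyed_hash("a.jansen@example.org"), guesses, unkeyed_hash))
    print("keyed token recovered:", dictionary_attack(shipped[0]["email"], guesses, unkeyed_hash))
    print("exporter restores:", reidentify(shipped, table) == RECORDS)
```

The design choice worth noting is that a deterministic keyed token keeps the data usable for the importer (the two records of the same customer still link) while the importer cannot attribute it to anyone. The same property fails for an unkeyed hash of a low-entropy identifier such as an e-mail address, because the identifier space is small enough to enumerate; that is why "hashing" is not by itself pseudonymisation in the EDPB's sense.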
Step 5 – Take the procedural steps
The data exporter and data importer must complete the procedural formalities that go with the transfer tool and the supplementary measures chosen. Supplementary measures may be added to the SCCs without prior authorisation, provided they do not contradict the SCCs; where the parties want to modify the SCCs themselves, or where BCRs or ad hoc clauses are used, authorisation from or consultation with the competent supervisory authority may be required.
Step 6 – Evaluation
Data exporters must re-evaluate at appropriate intervals the level of protection afforded to the data transferred and monitor developments that may affect it, so that transfers can be suspended or ended if the safeguards are no longer effective. This also applies where the transfer is based on an adequacy decision, as such decisions are reviewed from time to time by the European Commission.
The draft recommendations are open for public consultation until 30 November 2020, after which the final recommendations will be adopted. In the meantime, the European Commission is working on new sets of SCCs. These are better aligned with the GDPR and also cover transfers between a processor and a sub-processor and transfers from a processor in the European Union to a controller in a third country. A first draft was published on 12 November 2020.
In the coming period, supervisors, data importers and exporters will implement the recommendations of the EDPB. If you would like to know more about this, please contact Eva de Vries.