European regulators lay out their expectations on international data transfers

After a long wait of over seven months, the European Data Protection Board (EDPB) published this week the final version of its Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data in the context of international data transfers. In other words, this is the regulators’ recipe for ensuring lawful transfers of personal data from the EU. Although the revised guidance is by no means legally binding, it confirms the collective views of the EU data protection authorities in this area, and many global companies are likely to regard it as an extension of the GDPR.

As expected, this version retains the approach of the original one by setting out the recommended six steps to ensure compliance with the Schrems II decision of the European Court of Justice, which was primarily concerned with avoiding disproportionate access to EU personal data by foreign governments. Two of those six steps are particularly important, namely the assessment of the law and practices in force in the third country, and the adoption of any necessary supplementary measures to bring the level of protection of the data transferred up to the EU standard of essential equivalence.

The good news for organisations attempting to assess the scope and effect of other countries’ laws is that they may take into account the practical experience of the importer in dealing with government access requests.  This provides a welcome degree of realism to what would otherwise be a fairly theoretical legal analysis.  However, the EDPB points out that this assessment needs to be done with due diligence and thoroughly documented, as the competent supervisory or judicial authorities may request it and hold the parties accountable on that basis.

The main emphasis of the document continues to be on the implementation of additional safeguards that may be required to protect the data beyond the standard contractual clauses approved by the European Commission. These additional measures are explored in considerable detail by the EDPB, which splits them into technical measures and contractual measures. With regard to the technical measures, the EDPB’s position remains essentially unchanged: in its view, such measures must render the personal data completely inaccessible to be effective.

Given the EDPB’s stance on the use of technical measures, the contractual measures may in practice provide the best additional protection for the purposes of meeting the Schrems II requirements.  All in all, the regulators place the onus firmly on those involved in exporting or importing EU personal data and it is clear that any future regulatory scrutiny in this area will be guided by the detailed approach set out in these recommendations.

This post was originally published in The Legal Diary.

Authored by Eduardo Ustaran.