Part 1: EDPB’s guidance on "supplementary measures" for international transfers
In Schrems II, the CJEU found that organizations exporting personal data to recipients outside the European Economic Area (EEA) are responsible for verifying that they are able to comply with the requirements for international data transfers under European law (see our summary of the judgment here).
The EDPB has now provided guidance on the steps to be taken in order to ensure that such data transfers are in line with European law in light of Schrems II in its draft recommendations "on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data." The step-by-step approach suggested by the CJEU is as follows:
Step 1 – Identify international data transfers
As a first step, the EDPB advises data exporters to identify all transfers of personal data to non-EEA countries. Crucially, the EDPB emphasizes that remote access from a third country (e.g., in IT-support situations) also qualifies as a transfer of personal data outside the EEA. Building on records of processing activities and keeping a close eye on the information provided to data subjects pursuant to the GDPR's transparency obligations (Arts. 13 & 14) can prove helpful in carrying out this exercise.
Step 2 – Identify data transfer mechanisms
Once the relevant data flows are identified, data exporters must also identify the transfer mechanisms they are relying on in accordance with the GDPR’s provisions on international transfers. Such transfer mechanisms may include:
- Adequacy decisions of the European Commission (see list here);
- Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46(2)(c) and (d) GDPR);
- Binding Corporate Rules (BCRs) approved by the European data protection authorities (Art. 46(2)(b), Art. 47 GDPR);
- "Ad-Hoc Clauses" approved by the European data protection authorities (Art. 46(3)(a) GDPR); and
- Derogations for specific situations under Art. 49 GDPR (e.g., prior consent of the data subject).
Step 3 – Assess the law in the third country
Where organizations rely on mechanisms such as SCCs and BCRs, they must assess whether the non-EEA data importer is prevented from complying with its data transfer obligations due to legislation and practices applicable to the importer. This step necessarily requires an assessment of the legislation applicable to the non-EEA data recipient, taking into account the nature, scope and circumstances of the transfer (e.g., amount and types of personal data subject to the transfer, and type of processing performed by the non-EEA data importer).
The EDPB recommends that data exporters contact the non-EEA importer to request information on the legislation applicable to it. The EDPB also suggests using other sources of information to research applicable legislation (examples are listed in Annex 3 of the EDPB's Recommendations).
Step 4 – Adopt supplementary measures
Where the assessment in step 3 reveals that the legislation applicable to the data importer undermines the effectiveness of the transfer mechanism, data exporters are advised to implement supplementary measures in order to bring the level of protection of the transferred data up to the EEA standard, i.e., essentially equivalent to European law. The EDPB recommendations include a non-exhaustive list of possible supplementary measures (see Annex 2 of the EDPB's Recommendations), including:
- Technical measures:
  - Encryption: Strong, state-of-the-art encryption in transit and at rest can help to provide an adequate level of data protection. According to the EDPB, this will in particular apply in scenarios where a data exporter uses a hosting service provider in a third country to store personal data (e.g., for backup purposes). The EDPB, however, assumes that encryption would only be an effective supplementary measure if the cryptographic keys are retained solely by the data exporter, or by other entities entrusted with this task that reside in the EEA or in a third country that the European Commission has found to provide an adequate level of data protection.
  - Pseudonymization: The EDPB clarifies that pseudonymization can also serve as an effective supplementary measure. This is especially so where four conditions apply: (1) the data exporter pseudonymizes the data prior to the transfer, (2) any additional data is held exclusively by the data exporter and kept separately within the EEA or an “adequate” third country, (3) the data exporter retains sole control of the algorithm or repository that would enable re-identification, and (4) the data is used by the data importer for analysis (e.g., research purposes).
  - Split processing: The EDPB also highlights a data exporter's option to make use of two or more independent data importers—located in different jurisdictions—without disclosing any personal data to either of them. This would be accomplished by, prior to transmission, splitting the data in such a way that it cannot be reconstructed by any one of the importers.
- Contractual measures: The EDPB confirms that it is possible to rely on contractual measures (such as the "SCC Plus" clauses that we covered in a prior blog post), including:
  - Obligations of the data importer to use specific technical measures.
  - Transparency obligations, including provisions requiring the data importer to provide the data exporter with reports on any access requests received from public authorities, to promptly inform the data exporter of the importer's inability to comply with the contractual commitments, or enhanced audit rights (e.g., through access logs and similar audit trails).
  - Obligations to review and challenge the legality of any compelled disclosure order of a local law enforcement authority.
  - Stipulation that data may only be accessed with the express or implied consent of the exporter and/or the data subject. The EDPB also refers to the option for the exporter and importer to contractually commit to assist data subjects in exercising their rights in the non-EEA jurisdiction through ad hoc redress mechanisms and legal counselling.
- Organisational measures:
  - Internal policies for governance of transfers (especially within groups of enterprises) specifying the reporting channels and standard operating procedures for cases of governmental access requests.
  - Documentation of governmental access requests, alongside the legal reasoning and the actors involved.
  - Regular publication of transparency reports or summaries regarding governmental access requests.
  - Adoption of strict and granular data access and confidentiality policies, based on a strict need-to-know principle, monitored with regular audits and enforced through disciplinary measures.
  - Involvement of the data protection officer in all international data transfer matters.
  - Adoption of strict and state-of-the-art data security and data privacy policies, based on EU certifications or codes of conduct, or on international standards (e.g., ISO norms) and best practices (e.g., ENISA).
  - Other measures such as a regular review of internal policies to assess the suitability of the implemented supplementary measures, or commitments from the data importer not to engage in onward data transfers.
The EDPB emphasizes that data exporters remain responsible for ensuring the effectiveness of these measures in the context of the transfer, and will be held accountable for their decisions.
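As an added illustration (not code from the EDPB recommendations or from this post), the following Python sketch shows how two of the technical measures listed above can be implemented so that the exporter keeps control: pseudonymisation where the key and the re-identification table never leave the exporter, and split processing where the serialised record is divided into XOR shares so that no single importer can reconstruct it. The `Exporter` class, the record fields and the two-importer arrangement are constructed assumptions; how the importers would then compute on their shares (e.g., multi-party computation) is outside the sketch.

```python
# Added example; not code from the EDPB recommendations or from this blog post.
# Illustrates pseudonymisation with exporter-held re-identification material and
# split processing via XOR secret sharing. Roles and record layout are constructed.
import hashlib
import hmac
import json
import secrets


class Exporter:
    """The EEA-based data exporter (hypothetical role). Everything needed to
    reverse the measures, the HMAC key and the pseudonym table, stays here."""

    def __init__(self):
        self.key = secrets.token_bytes(32)   # retained solely by the exporter
        self.pseudonym_table = {}            # pseudonym -> (field, original value)

    def pseudonymise(self, record, direct_identifiers):
        """Replace direct identifiers with keyed pseudonyms. A keyed MAC rather
        than a plain hash is used so the importer cannot rebuild the mapping by
        hashing guesses of common names or e-mail addresses; without the key the
        tokens are opaque but consistent labels, which is enough for analysis."""
        out = dict(record)
        for field in direct_identifiers:
            value = str(out[field])
            token = hmac.new(self.key, f"{field}:{value}".encode(),
                             hashlib.sha256).hexdigest()[:24]
            self.pseudonym_table[token] = (field, value)   # "additional data", kept in the EEA
            out[field] = token
        return out

    def reidentify(self, record):
        """Reverse the pseudonyms using the exporter-held table."""
        out = dict(record)
        for field, value in record.items():
            if isinstance(value, str) and value in self.pseudonym_table:
                out[field] = self.pseudonym_table[value][1]
        return out

    @staticmethod
    def split(record, n_importers):
        """XOR secret sharing: n-1 uniformly random shares plus one share chosen
        so that the XOR of all n shares equals the serialised record. Any set of
        fewer than n shares is itself uniformly random, so one importer (or any
        coalition short of all of them) learns nothing about the record."""
        plaintext = json.dumps(record, sort_keys=True).encode()
        shares = [secrets.token_bytes(len(plaintext)) for _ in range(n_importers - 1)]
        last = bytearray(plaintext)
        for share in shares:
            for i, b in enumerate(share):
                last[i] ^= b
        shares.append(bytes(last))
        return shares

    @staticmethod
    def reconstruct(shares):
        """Recombine all shares; only a party holding every share can do this."""
        acc = bytearray(len(shares[0]))
        for share in shares:
            for i, b in enumerate(share):
                acc[i] ^= b
        return json.loads(acc.decode())


def demo():
    """Apply both measures to one constructed record and return the artefacts."""
    exporter = Exporter()
    # Constructed sample record; not real personal data.
    record = {"name": "Alice Example", "email": "alice@example.org",
              "country": "DE", "purchase_total": 42.5}
    pseudonymised = exporter.pseudonymise(record, ["name", "email"])
    shares = exporter.split(pseudonymised, n_importers=2)   # one share per importer
    return {
        "exporter": exporter,
        "record": record,
        "pseudonymised": pseudonymised,
        "reidentified": exporter.reidentify(pseudonymised),
        "shares": shares,
        "reconstructed": Exporter.reconstruct(shares),
    }


if __name__ == "__main__":
    result = demo()
    print("importer-visible record:", result["pseudonymised"])
    print("share for importer A:", result["shares"][0].hex()[:32], "...")
    print("share for importer B:", result["shares"][1].hex()[:32], "...")
    print("exporter recombines correctly:", result["reconstructed"] == result["pseudonymised"])
```

The mapping to the EDPB's conditions is direct: the HMAC key and `pseudonym_table` are the "additional data" and the "algorithm or repository" of conditions (2) and (3), and they exist only inside the `Exporter` object. The keyed construction matters in practice: an unkeyed hash of a name or e-mail address is reversible by anyone willing to hash a dictionary of likely values, which would defeat condition (3).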
Step 5 – Adopt necessary procedural steps
Data exporters must take any formal procedural steps that may be required to deliver the necessary protections, depending on which data transfer mechanism is used, such as by adopting them into formal company policy.
Step 6 – Re-evaluate at appropriate intervals
Under their accountability obligations, data exporters must monitor on an ongoing basis—and where appropriate in collaboration with data importers—developments in the third country to which they have transferred personal data that could affect their initial assessment of the level of protection and the effectiveness of supplementary measures.
Part 2: EDPB’s guidance on European Essential Guarantees for surveillance measures
The EDPB complemented the practical guidance on international data transfers, outlined above, by also issuing a document containing its recommendations "on the European Essential Guarantees for surveillance measures".
These recommendations appear to follow in the footsteps of the earlier Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (WP237), which was adopted shortly after the CJEU’s Schrems I judgment that invalidated the EU-US Safe Harbor framework. In that earlier guidance, the former Article 29 Working Party drew on CJEU and European Court of Human Rights jurisprudence to identify the "European Essential Guarantees" that must be taken into account when transferring personal data, in order to ensure that interferences with the rights to privacy and protection of personal data through surveillance measures do not go beyond what is necessary and proportionate in a democratic society.
These new recommendations are meant to update WP237 by further developing the European Essential Guarantees in light of the CJEU’s Schrems II judgment and provide elements to examine whether national security and law enforcement surveillance measures allowing access to personal data by public authorities in a third country can be regarded as a justifiable interference in line with European law. The specific European Essential Guarantees analysed by the EDPB are:
Guarantee A – Processing should be based on clear, precise and accessible rules;
Guarantee B – Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
Guarantee C – Independent oversight mechanism; and
Guarantee D – Effective remedies need to be available to the individual.
The way forward
The recommendations issued by the EDPB are due to be formalised shortly after the current consultation period closes at the end of November 2020. Given their level of detail, no significant changes are likely to be made to them, so this guidance is likely here to stay and companies can start to incorporate it.
The EDPB has adopted a pragmatic and constructive approach by providing clear and sensible guidance. However, the complexity of legitimising international data transfers post Schrems II should not be underestimated and each of the steps suggested by the EDPB will require detailed thought and considerable work.
Authored by Eduardo Ustaran, Bret Cohen, Henrik Hanssen, Laur Badin, and Julian Flamant.