EU: EDPB adopts final version of recommendations on supplementary measures
The European Data Protection Board ('EDPB') announced, on 21 June 2021, that it had adopted, on 18 June 2021, the final version of its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. In particular, the EDPB highlighted that the recommendations, which were first adopted in November 2020, following the Court of Justice of the European Union ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case') aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where needed, to ensure an essentially equivalent level of protection to data transferred to third countries.
In addition, the EDPB outlined the following key revisions to the recommendations:
- the emphasis on the importance of examining the practices of third country public authorities in the exporters' legal assessment to determine whether the legislation and/or practices of the third country, in practice, impinge on the effectiveness of the chosen transfer tool under Article 46 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR');
- the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats; and
- the clarification that the legislation of the third country of destination, allowing its authorities to access the data transferred, even without the importer's intervention, may also impinge on the effectiveness of the transfer tool.
Notably, the EDPB stated that, in relation to the new Standard Contractual Clauses ('SCCs') for international transfers, the recommendations may be used to check the local laws and practices affecting compliance with the SCCs and the possible need to implement supplementary measures.
Andrea Jelinek, EDPB Chair, commented, ''The impact of the Schrems II Case cannot be underestimated: already international data flows are subject to much closer scrutiny from the supervisory authorities who are conducting investigations at their respective levels. The goal of the EDPB recommendations is to guide exporters in lawfully transferring personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the European Economic Area. By clarifying some doubts expressed by stakeholders, and in particular the importance of examining the practices of public authorities in third countries, we want to make it easier for data exporters to know how to assess their transfers to third countries and to identify and implement effective supplementary measures where they are needed. The EDPB will continue considering the effects of the Schrems II Case and the comments received from stakeholders in its future guidance.''