EU: EDPB publishes statement on transferring personal data to Russia
The European Data Protection Board ('EDPB') announced, on 13 July 2022, that it had published Statement 02/2022 on Personal Data Transfers to the Russian Federation, as adopted on 12 July 2022. In particular, the EDPB highlighted that Russia does not benefit from an adequacy finding by the European Commission pursuant to Article 45 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'); therefore, transfers of personal data to Russia must be carried out using one of the other transfer instruments provided for in Chapter V of the GDPR. In addition, the EDPB noted that, in order to ensure the application of appropriate safeguards when personal data is transferred to Russia, data exporters under the GDPR should assess and identify the legal basis for the transfer and the instrument to be used among those provided by Chapter V of the GDPR, such as Standard Contractual Clauses ('SCCs') or Binding Corporate Rules ('BCRs').
Furthermore, the EDPB emphasised that, following the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'), and according to the EDPB's Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data, data exporters should assess if, in the context of the transfer at stake, there is anything in the law and/or practices in force in Russia, in particular with respect to access to personal data by the Russian public authorities, especially for criminal law enforcement and national security purposes, that may impinge on the effectiveness of the appropriate safeguards provided by the transfer instruments identified. Moreover, the EDPB stated that, if this is the case, data exporters should identify and adopt supplementary measures that are necessary to ensure that data subjects are afforded a level of protection that is essentially equivalent to that which is guaranteed within the EU/EEA. However, the EDPB recalled that where such assessment leads to the conclusion that compliance is not or is no longer ensured, and that no supplementary measures could be identified, then data exporters have to suspend data transfers.