EU: EDPB guidelines on Post-Schrems II Part one: Uphill battle for non-EU providers
The European Data Protection Board ('EDPB') issued its long-awaited guidelines ('the Guidelines') on conducting transfers of personal data from the EU after the Court of Justice of the European Union's ('CJEU') decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In part one of this three-part series, Odia Kagan, Partner and Chair of GDPR Compliance and International Privacy at Fox Rothschild LLP, discusses the roadmap laid out by the EDPB for conducting a transfer impact analysis.
The transfer impact analysis
The protection granted to personal data in the European Economic Area ('EEA') must travel with the data wherever it goes. Transferring personal data to third countries cannot be a means to undermine or water down the protection it is afforded in the EEA.
The level of protection in third countries does not need to be identical to that guaranteed within the EEA but essentially equivalent.
Standard Contractual Clauses ('SCCs') and the other transfer tools mentioned under Article 46 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') do not operate in a vacuum. The CJEU states that controllers or processors acting as exporters are responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, whether the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools.
The Guidelines apply to the controller or processor acting as data exporter, processing personal data within the scope of application of the GDPR – including processing by private entities and public bodies when transferring data to private bodies.
The principle of accountability, which is necessary to ensure the effective application of the level of protection conferred by the GDPR, also applies to data transfers to third countries since they are a form of data processing in themselves.
You will need to appropriately document this assessment and the supplementary measures you select and implement, and make such documentation available to the competent supervisory authority upon request. The competent supervisory authority has the power to suspend or end transfers of personal data to the third country if the protection of the transferred data that EU law requires, in particular Articles 45 and 46 GDPR and the Charter of Fundamental Rights, is not ensured.
First step: Map your transfers
- Where is the data going? Create a map of transfers and destinations.
- You can build on the records of processing activities that you may be obliged to maintain as controller or processor under Article 30 of the GDPR, as well as on your privacy disclosures pursuant to Articles 13 and 14.
- Do not forget to include 'onward transfers' (sub-processors).
- Consider whether the data transferred are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are transferred to and processed in the third country (in line with the 'data minimisation' principle).
- Remote access from a third country (for example in support situations) and/or storage in a cloud situated outside the EEA is also considered to be a transfer.
Second step: Verify the transfer tool on which your transfer relies
- If the target country is covered by an adequacy decision, no further action is needed; just monitor that the adequacy decision remains valid.
- If not adequate, and if the transfer is occasional and non-repetitive, see if you can rely on an Article 49 derogation. Those must be interpreted restrictively. You must check whether your transfer meets the strict conditions this provision sets forth for each of them.
Third step: Assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools on which you are relying in the context of your specific transfer
- Assess, where appropriate in collaboration with the importer, if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the Article 46 of the GDPR transfer tool you are relying on, in the context of your specific transfer:
  - verify if commitments enabling data subjects to exercise their rights in the context of international transfers (such as access, correction, and deletion requests for transferred data) can be effectively applied in practice and are not thwarted by law in the third country of destination;
  - verify if the laws affect the right of redress afforded to the data subject in case of access by third country public authorities to the transferred data; and
  - pay specific attention to any relevant laws, in particular laws laying down requirements to disclose personal data to public authorities or granting such public authorities powers of access to personal data (for instance for criminal law enforcement, regulatory supervision and national security purposes). Are they limited to what is necessary and proportionate in a democratic society? (EU standards, such as Articles 47 and 52 of the EU Charter of Fundamental Rights, must be used as a reference to assess whether such access by public authorities is limited to what is necessary and proportionate in a democratic society and whether data subjects are afforded effective redress.)
- Refer to the EDPB EU Essential Guarantees Recommendations to assess whether the law of the third country dealing with access to data by public authorities for the purpose of surveillance is essentially equivalent to the EU regime.
- You may complete your assessment with information obtained from other sources, such as:
  - elements demonstrating that a third country authority will seek to access the data with or without the data importer's knowledge, in light of reported precedents, legislation and practice; and
  - elements demonstrating that a third country authority will be able to access the data through the data importer or through direct interception of the communication channel, in light of reported precedents, legal powers, and the technical, financial, and human resources at its disposal.
- Your assessment should take into consideration all the actors participating in the transfer (e.g. controllers, processors, and sub-processors processing data in the third country), as identified in the mapping exercise of transfers as well as all onward transfers.
- If the law on surveillance is vague, look at other relevant and objective factors. Do not rely on subjective factors such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards.
- Look into the characteristics of each of your transfers and determine how the domestic legal order of the country to which data is transferred (or onward transferred) applies to these transfers.
- The applicable legal context will depend on the circumstances of the transfer, in particular:
  - purposes for which the data are transferred and processed (e.g. marketing, HR, storage, IT support, clinical trials);
  - types of entities involved in the processing (public/private and controller/processor);
  - sector in which the transfer occurs (e.g. adtech, telecommunication, financial, etc.);
  - categories of personal data transferred (e.g. personal data relating to children may fall within the scope of specific legislation in the third country);
  - whether the data will be stored in the third country or whether there is only remote access to data stored within the EU/EEA;
  - format of the data to be transferred (i.e. in plain text, pseudonymised or encrypted); and
  - the possibility that the data may be subject to onward transfers from the third country to another third country.
Fourth step: Identify and adopt supplementary measures
- Identify, on a case-by-case basis, and with the help of the importer, where relevant, which supplementary measures could be effective for a set of transfers to a specific third country when using a specific Article 46 of the GDPR transfer tool.
- Check the Annex 2 non-exhaustive list of examples of supplementary measures.
- You may need to combine several supplementary measures (contractual, technical, or organisational) in order to enhance the level of protection and reach EU standards.
- Some supplementary measures may be effective in some countries, but not necessarily in others. You will be responsible for assessing their effectiveness in the context of the transfer.
- Conduct this assessment of supplementary measures with due diligence and document it.
- If you find that no supplementary measure can ensure an essentially equivalent level of protection for your specific transfer, you must avoid, suspend, or terminate the transfer to avoid compromising the level of protection of the personal data.
- There will be situations where only technical measures might impede or render ineffective access by public authorities in third countries to personal data, in particular for surveillance purposes. In such situations, contractual or organisational measures may complement technical measures and strengthen the overall level of protection of data, e.g. by creating obstacles for attempts from public authorities to access data in a manner not compliant with EU standards.
- You may, in collaboration with the data importer where appropriate, look at the following (non-exhaustive) list of factors to identify which supplementary measures would be most effective in protecting the data transferred:
  - format of the data to be transferred (i.e. in plain text, pseudonymised or encrypted);
  - nature of the data;
  - length and complexity of the data processing workflow, number of actors involved in the processing, and the relationship between them (e.g. do the transfers involve multiple controllers, or both controllers and processors, or processors which will transfer the data from you to your data importer (considering the relevant provisions applicable to them under the legislation of the third country of destination)); and
  - the possibility that the data may be subject to onward transfers, within the same third country or even to other third countries (e.g. involvement of sub-processors of the data importer).
- Where you are not able to find or implement effective supplementary measures that ensure that the transferred personal data enjoys an essentially equivalent level of protection, you must:
  - not start transferring personal data to the third country concerned on the basis of the Article 46 of the GDPR transfer tool you are relying on;
  - suspend or end the transfer of personal data if you are already conducting transfers; and
  - have the importer return to you or destroy in its entirety any data you have already transferred to that third country and the copies thereof.
- If the law of the third country prohibits the supplementary measures you have identified (e.g. prohibits the use of encryption) or otherwise prevents their effectiveness, you must not start transferring personal data to this country, or you must stop ongoing existing transfers to this country.
- If you decide to continue with the transfer notwithstanding the fact that the importer is unable to comply with the commitments taken in the Article 46 of the GDPR transfer tool, you should notify the competent supervisory authority in accordance with the specific provisions inserted in the relevant Article 46 of the GDPR transfer tool. The competent supervisory authority will suspend or prohibit data transfers in those cases where it finds that an essentially equivalent level of protection cannot be ensured.
Fifth step: Take any formal procedural steps the adoption of your supplementary measure may require
Consult your supervisory authority where needed.
There is no need for supervisory authority authorisation when using supplementary measures in addition to SCCs, provided that the identified supplementary measures do not:
- contradict, directly or indirectly, the SCCs;
- restrict the rights/obligations under SCCs in any way; or
- lower the level of data protection proposed in them,
and are sufficient to ensure that the level of protection guaranteed by the GDPR is not undermined.
The competent supervisory authorities have the power to review these supplementary clauses where required (e.g. in case of complaint or own-volition inquiry). Where you intend to modify the standard data protection clauses themselves or where the supplementary measures added ‘contradict’ directly or indirectly the SCCs, you are no longer deemed to be relying on SCCs and must seek an authorisation with the competent supervisory authority in accordance with Article 46(3)(a) of the GDPR.
BCRs and ad hoc contractual clauses
The Schrems II judgment also applies to Binding Corporate Rules ('BCRs') and ad hoc contractual clauses, but the EDPB is still analysing their precise impact and will provide more details soon.
Sixth step: Regularly review
Re-evaluate at appropriate regular intervals, where appropriate in collaboration with data importers, the level of protection afforded to the data you transfer to third countries, and monitor whether there have been or will be any developments that may affect it.
Put sufficiently sound mechanisms in place to ensure that you promptly suspend or end transfers where:
- the importer has breached or is unable to honor the commitments it has taken in the Article 46 of the GDPR transfer tool; or
- the supplementary measures are no longer effective in that third country.
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia