EU: EDPB guidelines on Post-Schrems II Part two: What are Supplementary Measures?
The European Data Protection Board ('EDPB') issued its long-awaited guidelines ('the Guidelines') on conducting transfers of personal data from the EU after the Court of Justice of the European Union's ('CJEU') decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). Part one of this three-part series discussed the roadmap laid out by the EDPB for conducting a transfer impact analysis. In Part two, Odia Kagan, Partner and Chair of GDPR Compliance and International Privacy at Fox Rothschild LLP, discusses the Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, and how they can aid exporters in assessing third countries and identifying appropriate supplementary measures where these are required.
In Annex 2 to the Guidelines, the EDPB lists supplementary measures that exporters can build into their processing in order to raise the level of protection to one essentially equivalent to that guaranteed in the EU. There are three types of supplementary measures: technical, contractual, and organisational. Exporters can pick and choose the measures most appropriate to the circumstances of their transfer and can combine several measures. Exporters must be especially mindful of the surveillance landscape of the location in which the data will be processed. The EDPB stresses that in some situations no effective supplementary measures can be found; in such cases the transfer may not be carried out.
Scenarios for which effective technical measures can be found
- Storage with a hosting service provider in a third country, e.g. for backup purposes: this can be acceptable subject to limitations, including that the data is strongly encrypted before it is transmitted, that the cryptographic keys remain solely under the control of the exporter (or of entities trusted in the EEA or an adequate country), and that the keys are not provided to the importer, so that public authorities cannot access the content in the clear.
- Transfer of pseudonymised data: this can be acceptable subject to limitations, including that the additional information needed to re-identify the pseudonymised data is held exclusively by the exporter in a country providing adequate protection, that public authorities do not hold that additional information, and that any sub-processors used do not interfere with the pseudonymised nature of the data.
- The EDPB says that factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person, their physical location, or their interaction with an internet based service at specific points in time may allow the identification of that person even if their name, address, or other plain identifiers are omitted.
- Thus, exporters must be particularly wary of data about the use of online services (e.g. time of access, sequence of features accessed, characteristics of the device used). Importers are commonly under an obligation to grant public authorities access, and those authorities likely already hold data about the targeted person's use of the same services, which can be cross-referenced with the 'pseudonymised' records to re-identify them.
- Encrypted data merely transiting third countries: this could be acceptable if detailed conditions are met, namely that the encryption is strong enough to protect against both active and passive attacks, that no back doors or keys are given to public authorities, and that the algorithm can withstand the cryptanalysis capabilities of public authorities.
- Transfer to a protected recipient: this is a transfer to a recipient specifically protected under the third country's law against access by public authorities, e.g. a doctor jointly providing medical treatment to a patient or a lawyer providing legal services to a client. Such a transfer may be permissible subject to limitations, including that the importer, being shielded from such access, does not use processors in a way that would allow access by public authorities, and that the data is encrypted with decryption keys that are not handed over to anyone else and are duly secured by the importer.
- Split or multi-party processing: this is processing by two or more independent processors in different jurisdictions, with the data split in such a way that no part an individual processor receives suffices to reconstruct the personal data in whole or in part. Such transfers may be permissible subject to limitations, including that the processors process their parts separately, that the public authorities in their respective jurisdictions do not collaborate in a manner that would allow them to access and compile the data, and that the data cannot be attributed to an individual even if cross-referenced with any information accessible to public authorities.
Scenarios for which effective technical measures cannot be found
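Two of the scenarios above (pseudonymised transfer, and split processing by independent processors) come down to a simple question: what can the importer, or an authority compelling the importer, reconstruct from what it holds? The following is an added example written for this article, not code from the EDPB Recommendations or from Fox Rothschild; the record fields, the processor split and all keys are constructed for the demonstration. It keeps the pseudonymisation key and the re-identification table with the exporter only, and splits the exported payload into two XOR shares so that either processor alone holds only uniformly random bytes.

```python
"""Exporter-side pseudonymisation and two-party split of a record.

Added example for this article (not EDPB or Fox Rothschild code).
The sample record, identifier fields and processor split are constructed.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample record. 'email' is the direct identifier that must not
# leave the EEA in the clear; 'country' and 'score' stay in the clear and are
# exactly the kind of quasi-identifiers the EDPB warns can still single out
# a person when cross-referenced with data an authority already holds.
SAMPLE_RECORD = {"email": "anna.example@example.org", "country": "FR", "score": 42}
DIRECT_IDENTIFIERS = ("email",)


class Exporter:
    """Holds the only copy of the re-identification key and lookup table."""

    def __init__(self):
        # Pseudonymisation key: generated and kept in the EEA, never sent to
        # the importer or to any processor.
        self._key = secrets.token_bytes(32)
        self._lookup = {}  # pseudonym -> original value (EEA only)

    def pseudonymise(self, record):
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            value = record[field]
            # Keyed hash: without the key the importer cannot re-derive the
            # pseudonym from a guessed identifier, which a plain SHA-256 of
            # the email address would allow.
            digest = hmac.new(self._key, value.encode(), hashlib.sha256)
            pseudonym = digest.hexdigest()[:32]
            self._lookup[pseudonym] = value
            out[field] = pseudonym
        return out

    def reidentify(self, record):
        """Only the exporter, holding the table, can reverse the pseudonym."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            out[field] = self._lookup[record[field]]
        return out


def split_two_ways(payload):
    """XOR secret sharing: returns two shares for two independent processors.

    share_a is fresh random bytes; share_b = payload XOR share_a. Each share
    on its own is uniformly random, so neither processor (nor an authority
    compelling one of them) learns anything about the payload.
    """
    share_a = secrets.token_bytes(len(payload))
    share_b = bytes(p ^ a for p, a in zip(payload, share_a))
    return share_a, share_b


def recombine(share_a, share_b):
    """Reconstruction requires both shares, i.e. both processors colluding."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have equal length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def export_record(exporter, record):
    """Pipeline run in the EEA: pseudonymise, serialise, split for export."""
    pseudonymised = exporter.pseudonymise(record)
    payload = json.dumps(pseudonymised, sort_keys=True).encode()
    return split_two_ways(payload)


if __name__ == "__main__":
    exporter = Exporter()
    share_for_processor_a, share_for_processor_b = export_record(exporter, SAMPLE_RECORD)
    print("processor A sees:", share_for_processor_a.hex())
    print("processor B sees:", share_for_processor_b.hex())
    recovered = json.loads(recombine(share_for_processor_a, share_for_processor_b))
    print("pseudonymised record (needs both shares):", recovered)
    print("re-identified by exporter only:", exporter.reidentify(recovered))
```

The XOR split is the minimal form of secret sharing and only shows the principle; it does not by itself satisfy the EDPB's further condition that the cleartext fields which remain ('country', 'score' here) cannot be attributed to an individual when cross-referenced with data an authority already holds. That condition is about what fields you export at all, which is a data minimisation decision rather than something a library can make for you.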
- Transfer to cloud services providers or other processors which require access to data in the clear in order to execute the service.
- Remote access to data for business purposes, for example intra-group transfers or HR/marketing data processing for an EU-based provider by phone or email. This scenario may consist of a controller or processor established on the territory of a Member State transferring personal data to a controller or processor in a third country belonging to the same group of undertakings, or to a group of enterprises engaged in a joint economic activity. The data importer may, for example, use the data it receives to provide personnel services for the data exporter, for which it needs human resources data, or to communicate with customers of the data exporter who live in the EU by phone or email.
The EDPB notes that in the given scenarios, where unencrypted personal data is technically necessary for the provision of the service by the processor, transport encryption, and data-at-rest encryption even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys.
It is important to note that these transfers constitute a large part of the transfers from the EU to non-EU countries and create a very difficult hurdle to overcome.
In addition to technical measures, the EDPB sets out a variety of contractual measures that can be added to data processing agreements between the exporter and the importer. Such measures include:
- Contractually require the technical measures listed in the 'Technical Measures' section.
- Information about access. This can be done by way of a questionnaire that the importer would sign together with contractual obligation to update within a set time any change to this information, and require the importer to provide:
- information on access to data by public authorities, including in the field of intelligence, provided the legislation complies with the EDPB European Essential Guarantees in the destination country; for example, enumerate the laws that apply, or information from other sources on access by public authorities;
- indicate which measures are taken to prevent the access to transferred data (if any);
- provide sufficiently detailed information on all requests of access to personal data by public authorities which the importer has received over a specified period of time (e.g. requests received, data requested, requesting body and legal basis for disclosure, and to what extent the importer has disclosed the data request); and
- specify whether and to what extent the importer is legally prohibited to provide the information mentioned under the points above.
- Warrant canaries: require the importer to regularly publish (e.g. at least every 24 hours) a cryptographically signed message informing the exporter that as of a certain date and time it has received no order to disclose personal data or the like. The absence of an update of this notification will indicate to the exporter that the importer may have received an order.
- Representation re: 'Backdoors': require the importer to certify that:
- it has not purposefully created back doors or similar programming that could be used to access the system and/or personal data;
- it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems; and
- that national law or government policy does not require the importer to create or maintain back doors or to facilitate access to personal data or systems or for the importer to be in possession or to hand over the encryption key.
It is important to note that the existence of legislation or government policies preventing importers from disclosing this information may render this clause ineffective.
- The contract must include penalties and/or the exporter's ability to terminate the contract on short notice in those cases in which the importer does not reveal the existence of a back door or similar programming or manipulated business processes or any requirement to implement any of these, or fails to promptly inform the exporter once their existence comes to its knowledge.
- Provisions granting the exporter the ability to conduct audits or inspections of the data processing facilities of the importer, on-site and/or remotely, to verify whether data was disclosed to public authorities and under which conditions (access not beyond what is necessary and proportionate in a democratic society), for instance by providing for short notice and mechanisms ensuring the rapid intervention of inspection bodies and reinforcing the autonomy of the exporter in selecting the inspection bodies.
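The warrant canary clause above relies on the exporter actually checking the published statement and treating silence as the signal. The following is an added example written for this article, not code from the EDPB Recommendations or from Fox Rothschild; it shows an importer issuing a dated, authenticated "no order received" statement and an exporter-side check that fails on a missing, stale, replayed or tampered canary, or on a canary whose wording has changed. One assumption to note: the statement is authenticated here with an HMAC over a key shared with the exporter in advance, because the Python standard library has no signature scheme; a real deployment would use a public-key signature (for example Ed25519) so that the exporter only needs the importer's public key and the importer cannot later disown a canary. The key, serial numbers and timestamps are constructed.

```python
"""Warrant canary: issue (importer side) and check (exporter side).

Added example for this article (not EDPB or Fox Rothschild code).
Assumption: HMAC with a pre-shared key stands in for the public-key
signature a real canary would carry. Key and timestamps are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

CANARY_STATEMENT = "No order to disclose personal data has been received."
MAX_AGE = timedelta(hours=24)        # publication interval from the clause
CLOCK_SKEW = timedelta(minutes=5)    # tolerance for importer/exporter clocks


def _canonical(body):
    # Deterministic serialisation so both sides authenticate the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_canary(key, serial, issued_at):
    """Importer side: build the dated statement and its authentication tag."""
    body = {
        "serial": serial,                    # must strictly increase
        "issued": issued_at.isoformat(),     # timezone-aware ISO 8601
        "statement": CANARY_STATEMENT,
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def check_canary(key, canary, last_serial, now):
    """Exporter side: return (ok, reason).

    Any False result is a trigger for the contractual follow-up (inquiry,
    suspension, termination), because the clause treats the *absence* of a
    valid, fresh canary as the indication that an order may have arrived.
    """
    if canary is None:
        return False, "no canary published: importer may have received an order"
    body = canary.get("body", {})
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(canary.get("tag", ""))):
        return False, "authentication failed: canary tampered or not from importer"
    if body.get("statement") != CANARY_STATEMENT:
        return False, "statement wording changed: treat canary as withdrawn"
    if not isinstance(body.get("serial"), int) or body["serial"] <= last_serial:
        return False, "serial did not advance: replayed or out-of-order canary"
    issued = datetime.fromisoformat(body["issued"])
    if issued.tzinfo is None:
        return False, "timestamp has no timezone: ambiguous issue time"
    if issued > now + CLOCK_SKEW:
        return False, "issued in the future: clock skew or forged timestamp"
    if now - issued > MAX_AGE:
        return False, "stale: last canary issued at " + issued.isoformat()
    return True, "ok"


if __name__ == "__main__":
    shared_key = b"\x01" * 32                       # constructed demo key
    t0 = datetime(2021, 1, 4, 9, 0, tzinfo=timezone.utc)
    today = issue_canary(shared_key, serial=1, issued_at=t0)
    print(check_canary(shared_key, today, last_serial=0, now=t0 + timedelta(hours=1)))
    print(check_canary(shared_key, today, last_serial=0, now=t0 + timedelta(hours=30)))
    print(check_canary(shared_key, None, last_serial=1, now=t0 + timedelta(days=1)))
```

The serial check matters as much as the timestamp: an importer under a gag order could otherwise keep re-publishing an old but genuine canary, and an exporter that only looks at the signature would keep reading "all clear". Record the last serial seen and require it to move forward on every check.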
Provisions re: importer's inability to comply
- Require importers to promptly inform the data exporter of its inability to comply (e.g. as a result of a change in the law of the third country) with the contractual commitments and as a result with the required standard of 'essentially equivalent level of data protection.'
- The notification needs to take place before access is granted to the data.
- The data importer must monitor any legal or policy developments that might lead to its inability to comply with its obligations, and promptly inform the data exporter of any such changes and developments, and if possible ahead of their implementation to enable the data exporter to recover the data from the data importer.
- The clauses should provide for a quick mechanism whereby the data exporter authorises the data importer to promptly secure or return the data to the data exporter, or if this is not feasible, delete or securely encrypt the data without necessarily waiting for the exporter's instructions, if a specific threshold to be agreed between the data exporter and the data importer is met.
Obligations to push back on government requests
- The importer is required to review, under the law of the country of destination, the legality of any order to disclose data, notably whether it remains within the powers granted to the requesting public authority, and to challenge the order if, after a careful assessment, it concludes that there are grounds under the law of the country of destination to do so.
- When challenging an order, the data importer should seek interim measures to suspend the effects of the order until the court has decided on the merits.
- The importer would have the obligation not to disclose the personal data requested until required to do so under the applicable procedural rules.
- The data importer would also commit to providing the minimum amount of information permissible when responding to the order, based on a reasonable interpretation of the order.
- The data importer commits to inform the requesting public authority of the incompatibility of the order with the safeguards contained in the Article 46 of the General Data Protection Regulation (Regulation (EU) 2016/679) transfer tool and the resulting conflict of obligations for the importer. The importer would notify simultaneously and as soon as possible the exporter and/or the competent supervisory authority from the EEA, insofar as possible under the third country legal order.
Empowering data subjects to exercise rights
- Personal data transmitted in plain text in the normal course of business (including in support cases) may only be accessed with the express or implied consent of the exporter and/or the data subject.
- The importer and/or the exporter are required to notify promptly the data subject of the request or order received from the public authorities of the third country, or of the importer's inability to comply with the contractual commitments, to enable the data subject to seek information and an effective redress (e.g. by lodging a claim with his/her competent supervisory authority and/or judicial authority and demonstrate his/her standing in the courts of the third country):
- If law prevents this notification to the data subject, the exporter and importer could nonetheless commit to informing the data subject as soon as the restrictions on the disclosure of data are lifted and to make its best efforts to obtain the waiver of the prohibition to disclose. At a minimum, the exporter or the competent supervisory authority could notify the data subject of the suspension or termination of the transfer of his/her personal data due to the importer's inability to comply with its contractual commitments as a result of its receipt of a request for access.
- The exporter and importer are required to assist the data subject in exercising his/her rights in the third country jurisdiction through ad hoc redress mechanisms and legal counselling.
Depending on the specific circumstances of the transfer and the assessment performed of the legislation of the third country, organisational measures may be needed to complement contractual and/or technical measures, in order to ensure a level of protection of the personal data essentially equivalent to that guaranteed within the EU.
Internal policies for governance of transfers especially with groups of enterprises
- Adequate internal policies with clear allocation of responsibilities for data transfers, reporting channels, and standard operating procedures for cases of covert or official requests from public authorities to access the data. Especially in case of transfers among groups of enterprises, these policies may include, among others:
- the appointment of a specific team, which should be based within the EEA, composed by experts on IT, data protection, and privacy laws, to deal with requests that involve personal data transferred from the EU;
- notification to the senior legal and corporate management and to the data exporter upon receipt of such requests; and
- procedural steps to challenge disproportionate or unlawful requests and the provision of transparent information to data subjects.
- Development of specific training procedures for personnel in charge of managing requests for access to personal data from public authorities, which should be periodically updated to reflect new legislative and jurisprudential developments in the third country and in the EEA.
Transparency and accountability measures
- Document and record the requests for access received from public authorities and the response provided, alongside the legal reasoning and the actors involved (e.g. if the exporter has been notified and its reply, the assessment of the team in charge of dealing with such requests, etc.). These records should be made available to the data exporter, who should in turn provide them to the data subjects concerned where required.
- If the law prevents this, the data importer should inform the exporter of its inability to provide such documents and records, thus offering the exporter the option to suspend the transfers if such inability would lead to a decrease of the level of protection.
- Regular publication of transparency reports or summaries regarding governmental requests for access to data and the kind of reply provided, insofar publication is allowed by local law.
Organisation and data minimisation methods
- Strict and granular data access and confidentiality policies and best practices, based on a strict need-to-know principle, monitored with regular audits and enforced through disciplinary measures.
- Data minimisation for the transfer: ask whether the data needs to be transferred at all, and whether the importer needs full access to it.
- Development of best practices to appropriately and timely involve, and provide access to information to, the data protection officer, if one exists, and the legal and internal auditing services on matters related to international transfers of personal data.
Standards and best practices
- Adoption of strict data security and data privacy policies, based on EU certification or codes of conduct or on international standards (e.g. ISO standards) and best practices (e.g. those of the European Union Agency for Cybersecurity (ENISA)), with due regard to the state of the art, in accordance with the risk of the categories of data processed and the likelihood of attempts by public authorities to access it.
- The adoption and regular review of internal policies to assess the suitability of the implemented complementary measures and identify and implement additional or alternative solutions when necessary, to ensure that an equivalent level of protection to that guaranteed within the EU of the personal data transferred is maintained.
- Commitments from the data importer to not engage in any onward transfer of the personal data within the same or other third countries, or suspend ongoing transfers, when an equivalent level of protection of the personal data to that afforded within the EU cannot be guaranteed in the third country.
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia