EU: EDPB publishes final recommendations on supplementary measures – Reaction and analysis
The European Data Protection Board ('EDPB') announced, on 21 June 2021, that it had adopted, on 18 June 2021, the final version of its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. In particular, the EDPB highlighted that the recommendations, which were first adopted in November 2020, following the Court of Justice of the European Union ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Judgment') aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where needed, to ensure an essentially equivalent level of protection to data transferred to third countries.
In this Insight, we outline some of the key takeaways and gather the reactions and analysis of EU experts with regard to how organisations should interpret the recommendations. In addition, we highlight some of the key updates from the draft version and analyse how the recommendations fit into the broader EU data transfers regime, including in relation to the new Standard Contractual Clauses ('SCCs') for international transfers, which were released by the European Commission on 4 June 2021.
Continuing its series of webinars on the fallout since Schrems II, OneTrust DataGuidance and Sidley are also hosting an expert panel discussion to provide insight on the EDPB's recommendations, how they differ from the draft version, and how organisations can approach international data flows. In this webinar, we will be joined by a cross-industry panel including William Long, Partner at Sidley, Lee Parker, DPO at Biogen, Caroline Louveaux, CPO at MasterCard, Tina Maisonneuve, CPO at Nokia, Chris Foreman, CPO at Merck Sharp & Dohme, and Monika Tomczak-Gorlikowska, CPO at Prosus.
Key Takeaways will include:
- In-depth reaction and analysis of the new Recommendations
- Key changes between the finalised Recommendations and the draft
- Key questions that remain and practical steps to take
- How to plan for international data transfers over the next few months
The EDPB outlined that the final version of the recommendations includes several changes aimed at addressing the comments and feedback received during the public consultation and places a special focus on the practices of a third country’s public authorities.
In particular, the EDPB outlined the following key revisions to the recommendations:
- the emphasis on the importance of examining the practices of third country public authorities in the exporters' legal assessment to determine whether the legislation and/or practices of the third country, in practice, impinge on the effectiveness of the chosen transfer tool under Article 46 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR');
- the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats; and
- the clarification that the legislation of the third country of destination, allowing its authorities to access the data transferred, even without the importer's intervention, may also impinge on the effectiveness of the transfer tool.
Notably, the EDPB stated that, in relation to the new SCCs for international transfers, the recommendations may be used to check the local laws and practices affecting compliance with the SCCs and the possible need to implement supplementary measures.
In response to the modifications, Jimmy Orucevic, Data Protection & Privacy Consultant at KPMG Switzerland, highlighted, "The final version of the recommendations is significantly more risk-oriented than the previous draft and thus also better fits the requirements of the new SCCs regarding the risks associated with transfers to third countries. However, the transfer impact assessments will be a challenging task for companies, not to be underestimated."
Furthermore, David Dumont and Laura Léonard, Partner and Associate respectively at Hunton Andrews Kurth LLP, commented, "The recommendations now recognise that there are situations where data transfers may proceed even where there are problematic laws in the country where the data importer is located, provided that it can be demonstrated that there is no reason to believe the 'problematic' legislation will, in practice, be applied to the data transfer. However, this requires a documented and detailed report that should be prepared with the assistance of the data importer and based on relevant, objective, reliable, verifiable, and publicly available or otherwise accessible information."
The six-step roadmap
From a practical standpoint, the recommendations provide a six-step roadmap to help data exporters (both controllers and processors) determine whether they need to put in place supplementary measures in order to be able to lawfully transfer data outside the European Economic Area ('EEA').
Step one: Know the transfers
As a first step, the recommendations provide that organisations should undertake a data transfer mapping exercise in order to understand exactly what data is being transferred, to which jurisdictions, and to which parties, including sub-processors and onward transfers.
In particular, the recommendations highlight that 'knowing your transfers is an essential first step to fulfil your obligations under the principle of accountability,' and that 'to gain full awareness of your transfers, you can build on the records of processing activities that you may be obliged to maintain as controller or processor under Article 30 of the GDPR.'
The recommendations further emphasise the need to consider onward transfers and highlight the importance of the data minimisation principle, as well as ensuring that the data transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country.
Importantly, the recommendations confirm that remote access from a third country, as well as storage of data in a cloud service situated outside the EEA and offered by a service provider, are considered to be data transfers. Further to this, the recommendations highlight that if the data exporter uses international cloud infrastructure, it must assess whether data will be transferred to third countries and, if so, where, unless the cloud provider clearly states in its contract that the data will not be processed at all in third countries. Notably, however, the wording of the recommendations has been updated to expressly state that this exception only applies 'if the cloud provider is established in the EEA'.
Step two: Identify the transfer mechanism to rely on
The recommendations outline that the second step organisations must take is to identify the transfer tool being relied upon amongst those listed in Chapter V of the GDPR.
The recommendations provide that, if the Commission has declared the country, region, or sector to which the data is being transferred as adequate, through one of its adequacy decisions, no further steps need to be taken, other than monitoring whether the adequacy decision remains valid.
Furthermore, the recommendations outline that, in the absence of an adequacy decision, organisations will need to rely on one of the transfer tools listed under Article 46 of the GDPR, or on one of the derogations provided for in Article 49 of the GDPR.
Transfer tools under Article 46 of the GDPR
The recommendations state that, whichever transfer tool is selected, organisations must ensure that the transferred personal data will benefit from an essentially equivalent level of protection.
The following transfer tools are listed under Article 46 of the GDPR:
- standard data protection clauses adopted by the Commission (the SCCs) or by a supervisory authority;
- Binding Corporate Rules ('BCRs');
- approved codes of conduct;
- approved certification mechanisms; and
- ad hoc contractual clauses (subject to authorisation by the competent supervisory authority).
Notably, the recommendations provide that the above transfer tools mainly contain appropriate safeguards of a contractual nature, and that, in accordance with the Schrems II Judgment, the situation in the third country to which you are transferring data may still require organisations to supplement these transfer tools and the safeguards they contain with additional measures to ensure an essentially equivalent level of protection.
The recommendations provide that, in addition to adequacy decisions and transfers under Article 46 of the GDPR, the GDPR does allow for transfers in certain specific situations based on a derogation listed in Article 49 of the GDPR.
In addition, the recommendations have been updated to state that derogations must be interpreted in a way which does not contradict their nature as derogations and which does not allow them to become 'the rule' in practice; they should therefore be restricted to specific situations.
On this point, Carlo Piltz, Partner at reuschlaw Legal Consultants, commented, "In the draft version of the recommendation, the EDPB referred to 'processing activities that are occasional and non-repetitive'. [However], in the final version there is still a reference to the Guidelines 2/2018 on derogations of Article 49 under the GDPR (which refers to 'occasional and non-repetitive transfers'), but the EDPB also added parts emphasising the role of Article 49 GDPR as a derogation which cannot be the rule."
The recommendations highlight that if an organisation cannot lawfully transfer data on the basis of an adequacy decision or a derogation, it will need to continue with Step three of the recommendations.
Step three: Assess whether the adopted transfer mechanism is effective in practice
As a third step, the EDPB recommends an assessment of whether there is anything in the law and/or practices in force in the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tool relied upon, in the context of the specific transfer. Further, the recommendations highlight that the protection afforded to the transferred personal data in the third country must be essentially equivalent to that guaranteed in the EEA by the GDPR, read in light of the Charter of Fundamental Rights of the EU.
In particular, the recommendations have been updated to specify that the assessment must contain elements concerning access to data by public authorities of the third country of the importer such as:
- elements on whether public authorities of the third country of the importer may seek to access the data with or without the data importer's knowledge, in light of legislation, practice and reported precedents; and
- elements on whether public authorities of the third country of the importer may be able to access the data through the data importer or through the telecommunication providers or communication channels in light of legislation, legal powers, technical, financial, and human resources at their disposal and of reported precedents.
Identifying and assessing laws and practices
With respect to laws laying down requirements to disclose personal data to public authorities or granting such public authorities powers of access to personal data, the recommendations elaborate that such requirements or powers may not impinge on the commitments contained in the Article 46 GDPR transfer tool relied upon if they restrict the fundamental rights of data subjects while respecting their essence, and are necessary and proportionate measures in a democratic society to safeguard important objectives as also recognised in EU or Member State law.
The recommendations have also been updated to clarify when such laws or practices will be considered to impinge on, or be incompatible with, Article 46 transfer tools, highlighting that this is the case where they:
- do not respect the essence of the fundamental rights and freedoms of the EU Charter of Fundamental Rights; or
- exceed what is necessary and proportionate in a democratic society to safeguard one of the important objectives as also recognised in EU or Member State law such as those listed in Article 23(1) of the GDPR.
Additionally, the recommendations highlight that the data exporter should verify if the data importer's commitments enabling data subjects to exercise their rights as provided in the Article 46 GDPR transfer tool can be effectively applied in practice, and are not thwarted by the laws and/or practices in the third country of destination. In this regard, the recommendations emphasise that EU standards, such as Articles 47 and 52 of the EU Charter of Fundamental Rights, must be used as a reference, in particular to assess whether access by public authorities is limited to what is necessary and proportionate in a democratic society and whether data subjects are afforded effective redress.
On the above, Piltz outlined, "In line with the new SCC, the EDPB recalls that laws and practices and powers of authorities in the third country have to be assessed. Such laws, practices and powers are only incompatible with Article 46 GDPR if they do not respect the essence of rights and freedoms of the EU Charter of Fundamental Rights, or if they go beyond what is necessary and proportionate in a democratic society to safeguard an important objective, such as those named in Article 23(1) of the GDPR. In paragraph 40 of the final recommendations it is shown once more that assessments needed relating to data transfers are often partly focused on fundamental rights even though companies are making such assessments. In this context, the EDPB highlights the importance of Articles 47 and 52 for evaluating what is necessary and proportionate in a democratic society and for the afforded effective redress."
Though the recommendations provide that the assessment must be based on publicly available legislation, they also add that examining the practices of the third country's public authorities allows the data exporter to verify whether the safeguards contained in the Article 46 GDPR transfer tool can be a sufficient means of ensuring, in practice, the effective protection of the personal data transferred.
In relation to the practices of the country to which data is being transferred, Dumont and Léonard noted, "One of the main changes compared to the draft version of the recommendations is that the EDPB indicates that data exporters must (or may) take into account the practices of public authorities in the country where the data importer is located when assessing the effectiveness of the transfer tool that they rely on to legitimise the data transfer. The final recommendations further recognise that data exporters may, under certain conditions, take the data importer's practical experience with government access requests into account for their transfer risk assessment."
In particular, the recommendations outline that examining the practices in force in the third country will be especially important for the assessment when:
- legislation in the third country formally meeting EU standards is manifestly not applied/complied with in practice;
- there are practices incompatible with the commitments of the transfer tool where relevant legislation in the third country is lacking; and
- your transferred data and/or importer fall or might fall within the scope of problematic legislation.
With respect to the first two situations, the recommendations provide that transfers must be suspended unless adequate supplementary measures are implemented. In relation to the third situation, the data exporter, in light of uncertainties surrounding the potential application of problematic legislation to the transfer, may also decide to proceed with the transfer without implementing supplementary measures if it considers, and is able to demonstrate and document, that there is no reason to believe that the relevant problematic legislation will be interpreted and/or applied in practice so as to cover the transferred data and the importer.
In relation to possible sources of information for the assessment, the recommendations provide that the data importer should provide the data exporter with the relevant sources and information relating to the third country in which it is established and the laws and practices in force applicable to the transfer. In this regard, Annex 3 of the recommendations includes a number of potential sources of information relevant to the assessment.
Commenting on the impact of the above additions to the recommendations, Odia Kagan, Partner and Chair of GDPR Compliance and International Privacy, Fox Rothschild LLP explained, "For the glass-half-full's among us, the extensive revisions of step 3 signal a small ray of light for transfers to third countries that have, what will from here on in be referred to as 'problematic legislation'. The revisions expand upon the ability to transfer even if a 'problematic law' exists, provided that it doesn't inappropriately affect the rights 'in practice'. This seems to be the EDPB's very narrow interpretation of a 'risk-based' approach. Others may see this as a glass half empty because controllers, especially small and medium enterprises, are being sent to conduct comprehensive assessments, not only of the laws of the third countries, but also of the practices, de-facto, of public authorities in the third countries."
Step four: Adopt supplementary measures
As a fourth step, the recommendations provide that if the assessment under step three has revealed that the Article 46 transfer tool is not effective, then organisations will need to consider, where appropriate in collaboration with the importer, if supplementary measures exist, which could ensure that the data transferred is afforded a level of protection which is essentially equivalent to that guaranteed within the EU.
The recommendations outline that organisations must identify on a case-by-case basis which supplementary measures could be effective. Notably, the recommendations have been updated to state that organisations 'do not need to repeat the assessment every time they conduct the same transfer of a specific type of data to the same third country'. Furthermore, the recommendations recognise that while some of the data may require supplementary measures, other data may not. As such, organisations will be able to build on previous assessments and conclusions.
In addition, the recommendations state that contractual and organisational measures alone will generally not overcome the problem of access to personal data by public authorities of the third country. Instead, they may complement technical measures and strengthen the level of data protection, for example by introducing checks and eliminating automatisms.
The recommendations provide the following non-exhaustive list of factors to identify which supplementary measures would be most effective in protecting the data 'based on problematic legislation applied in practice':
- the format of the data to be transferred (plain text/pseudonymised/encrypted);
- the nature of the data;
- the length and complexity of data processing workflow, number of actors involved in the processing, and the relationship between them;
- the practical application of the third country's law, as concluded in step three; and
- the possibility that the data may be subject to onward transfers, within the same third country or even to other third countries (e.g. whether sub-processors of the data importer will be engaged).
The recommendations provide that organisations may proceed with transfers if they have put in place effective supplementary measures which, when combined with the selected Article 46 transfer tool, provide an essentially equivalent level of protection. However, the recommendations conclude that where effective supplementary measures have not been implemented, data transfers to the third country in question must not take place. Moreover, the recommendations confirm that the competent supervisory authority may impose corrective measures if data transfers start or continue without an essentially equivalent level of protection being demonstrated.
Annex 2 provides examples of technical, contractual, and organisational measures that could be considered, where not already included in the chosen Article 46 GDPR transfer tool. In particular, Annex 2 outlines examples of situations for which some technical measures could potentially offer an effective solution and others for which no technical measures to ensure an essentially equivalent level of protection were identified.
In relation to the examples provided, Kagan highlighted, "Transfers to entities subject to Foreign Intelligence Surveillance Act ('FISA') 702 are not outright impossible, but the example provided in the recommendations says that even if your importer is in scope for FISA 702, a transfer may be possible depending on the scope of application in practice of FISA 702 to your particular transfer."
In addition, Use Cases Six and Seven cover scenarios in which a data exporter transfers personal data to cloud service providers or other processors/entities for shared business purposes in a third country where the data is not, or cannot be, pseudonymised as described in Use Case Two, or encrypted as described in Use Case One, because the processing requires accessing the data in the clear. The recommendations note that, in these scenarios, where unencrypted personal data is technically necessary for the provision of the service by the processor, transport encryption and data-at-rest encryption, even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys.
Further to this, Kagan highlighted that, "Use Case Six and Seven may not be in complete brain death but the viability of their extraordinary life support measures are in the hands of the controllers and processors assisting them. These cases are still classified as cases where 'no effective measures are identified'. The only potential ways out are: pseudonymisation or encryption per the revised recommendations, or the determination that the law doesn't apply 'in practice' in accordance with the elaborated process provided by the recommendations [as laid out in step three]."
Step five: Procedural steps related to the specific transfer mechanism
As a fifth step, the recommendations stipulate that, depending on which Article 46 transfer tool is selected, further procedural steps may be required. In addition to the SCCs, the recommendations highlight that the Schrems II judgment applies to other transfer tools under Article 46 of the GDPR, including BCRs and ad hoc contractual clauses, as these are 'basically of contractual nature, so the guarantees foreseen and the commitments taken by the parties therein cannot bind third country public authorities.'
The recommendations note that there is no requirement to seek authorisation from a competent supervisory authority when supplementary clauses or safeguards are being added to SCCs so long as the measures 'do not contradict, directly or indirectly, the SCCs and are sufficient to ensure that the level of protection guaranteed by the GDPR is not undermined'.
However, the recommendations also emphasise that it is the responsibility of the data exporter and importer to ensure that additional clauses 'cannot be construed in any way to restrict the rights and obligations in the SCCs or in any other way to lower the level of data protection'. Furthermore, the recommendations outline organisations should be able to demonstrate that protections are sufficient, that there are no relevant restrictions, and that clauses are not ambiguous.
In addition, the recommendations note that competent supervisory authorities have the power to review these supplementary clauses.
The recommendations stipulate that where the SCCs themselves are to be modified, or where supplementary measures directly or indirectly contradict the SCCs, authorisation must be sought from the competent supervisory authority.
The recommendations highlight that the Schrems II judgment is also relevant for transfers of personal data on the basis of BCRs, since third countries laws may affect the protection provided by such instruments.
Notably, the recommendations have been updated to state that 'all commitments that need to be included will be referred to in the updated WP256/257 referentials to which all groups relying on BCRs as transfer tools will have to align their existing and future BCRs.'
The EDPB also outlines that data exporters and importers will need to assess whether there is essentially equivalent protection provided to personal data in third countries when utilising BCRs, and employ any supplementary measures where applicable.
Ad hoc contractual clauses
Similarly, in relation to ad hoc contractual clauses, the recommendations note that the Schrems II judgment has an impact and that essentially equivalent protection should be ensured.
Step six: Monitor and re-evaluate the assessment at appropriate intervals
The recommendations place emphasis on the fact that accountability is a continuing obligation under the GDPR, and therefore outline the importance of monitoring, on an ongoing basis and where appropriate in collaboration with data importers, developments in the third country to which personal data has been transferred that could affect the initial assessment of the level of protection and the decisions that were taken.
Finally, the recommendations outline that mechanisms should be in place to ensure that transfers are suspended:
- where the importer has breached, or is unable to fulfil the commitments it has taken in the Article 46 GDPR transfer tool; or
- where the supplementary measures are no longer effective in that third country.
Angela Potter Lead Privacy Analyst
Alexis Galanis Privacy Analyst
Comments provided by:
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia
Dr. Carlo Piltz Partner
reuschlaw Legal Consultants, Berlin
Jimmy Orucevic Data Protection & Privacy Consultant