EU: EDPB recommendations post-Schrems II Part 1: Supplementary measures
The European Data Protection Board ('EDPB') adopted its highly anticipated recommendations following the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'). The documents are available for public consultation and OneTrust DataGuidance has produced several resources to understand and navigate these, including this two-part series breaking down the recommendations.
The EDPB adopted two recommendations:
- Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data ('the Supplementary Measures Recommendations'); and
- Recommendations 02/2020 on the European Essential Guarantees for Surveillance Measures ('the Essential Guarantees Recommendations').
Part one of our series provides an overview of the Supplementary Measures Recommendations, whilst part two addresses the Essential Guarantees Recommendations.
A six-step roadmap
Whilst upholding the validity of the use of Standard Contractual Clauses ('SCCs'), the CJEU highlighted that controllers and processors are under an obligation to 'verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.'
In order to assist organisations with their assessments of third countries, as well as with the types of measures that may be taken (technical, organisational, and contractual), the EDPB's Supplementary Measures Recommendations provide a roadmap of steps that businesses can follow:
- Step one: Know your transfers
- Step two: Identify the transfer tools you are relying on
- Step three: Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer
- Step four: Adopt supplementary measures
- Step five: Procedural steps if you have identified effective supplementary measures
- Step six: Re-evaluate at appropriate intervals
Step one: Know your transfers
As a first step, the EDPB recommends that organisations undertake a data transfer mapping exercise, which can often be significantly complex, in order to understand exactly what data is being transferred, to which jurisdictions, and to which parties, including sub-processors and onward transfers.
The EDPB recalls that 'knowing your transfers is an essential first step to fulfil your obligations under the principle of accountability,' and that 'to gain full awareness of your transfers, you can build on the records of processing activities that you may be obliged to maintain as controller or processor under Article 30 of the GDPR.'
In addition, the EDPB also highlights the importance of the data minimisation principle, and ensuring that 'the data you transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country.'
Importantly, the EDPB also reminds organisations that remote access from third countries as well as storage of data through cloud services outside the EEA are considered to be data transfers.
Step two: Identify the transfer tools you are relying on
The EDPB goes on to discuss the need to identify the most appropriate mechanism, as provided by the GDPR, for the relevant transfer. These mechanisms are adequacy decisions under Article 45, the transfer tools listed in Article 46 and, exceptionally, the derogations under Article 49.
Adequacy decisions
The European Commission has the power to determine, on the basis of Article 45 of the GDPR whether a country outside the EU offers an adequate level of data protection. The EDPB highlights that the effect of such a decision is that personal data can flow from the EEA to that third country without any further safeguard being necessary.
The EDPB also notes, however, that organisations must monitor such decisions in case they are revoked, and that 'adequacy decisions do not prevent data subjects from filing a complaint. Nor do they prevent supervisory authorities from bringing a case before a national court if they have doubts about the validity of a decision, so that a national court can make a reference for a preliminary ruling to the CJEU for the purpose of examining that validity.'
The following jurisdictions have thus far been recognised as providing adequate protection for personal data (i.e. are party to an adequacy decision):
- Canada (commercial organisations)
- Faroe Islands
- Isle of Man
- Japan (private sector)
- New Zealand
- Switzerland (under review)
Adequacy talks with South Korea are currently ongoing and discussions of a potential adequacy decision for the UK have been part of Brexit negotiations.
Article 46 GDPR transfer tools
In the absence of an adequacy decision, the transfer tools provided for under Article 46 of the GDPR include:
- Standard Contractual Clauses ('SCCs');
- Binding Corporate Rules ('BCRs');
- codes of conduct;
- certification mechanisms; and
- ad hoc contractual clauses.
The EDPB highlights that supplementary measures may still need to be adopted in order to ensure an essentially equivalent level of protection when utilising the transfer tools above (see step four below).
Article 49 derogations
In keeping with prior guidance issued on usage of the derogations provided for under Article 49 of the GDPR, the EDPB notes that these are of 'an exceptional nature', must be interpreted 'restrictively', and mainly relate to 'processing activities that are occasional and non-repetitive.'
If transfers cannot be legally based on an adequacy decision, nor on an Article 49 derogation, organisations need to move to step three of the EDPB's roadmap.
Step three: Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer
The EDPB emphasises that a transfer tool or mechanism under Article 46 of the GDPR may not be able to ensure ongoing adequate protection for personal data in and of itself. Therefore, an assessment must be conducted once an Article 46 tool has been selected in order to determine where and how such essentially equivalent protection can be guaranteed. The responsibility for this assessment largely resides with the data exporter.
The assessment should primarily focus on the laws, regulations, and practices of the recipient jurisdiction, and particularly on whether there are any risks that may affect the safeguards of the Article 46 transfer tool, such as unrestricted access to personal data by public authorities. The EDPB notes that, where appropriate, the data importer may be able to assist in conducting the assessment.
Several factors are expected to be taken into account when conducting an assessment, including the nature of the transfer itself. For example, the EDPB highlights that the following should be considered:
- all actors, such as processors or sub-processors, involved in the transfer;
- purposes for which the data are transferred;
- types of entities involved in the processing (public/private, controller/processor);
- sector in which the transfer occurs (health, financial, etc.);
- the categories of personal data transferred;
- whether the data will be stored in the third country or if there is only remote access;
- format of the data to be transferred (pseudonymised, encrypted, etc.); and
- the possibility of onward transfers.
The above transfer factors may have an impact on the legal context that will also need to be assessed. When analysing laws and regulations of a third country, the EDPB notes that consideration should be made as to whether:
- commitments to data subject rights can continue to be effectively applied;
- the safeguards of an Article 46 transfer tool can be effectively applied, including a right of redress for data subjects in case of access to their data by public authorities in the third country; and
- there are effective limits on requirements to disclose or allow access to personal data by public authorities.
The EDPB stresses that EU standards must be used as a reference when conducting an assessment, and that the European Essential Guarantees for surveillance measures 'provide elements which have to be assessed to determine whether the legal framework governing access to personal data by public authorities in a third country, being national security agencies or law enforcement authorities, can be regarded as a justifiable interference (and therefore as not impinging on the commitments taken in the art 46 GDPR transfer tool) or not. In particular, this should be carefully considered when the legislation governing the access to data by public authorities is ambiguous or not publicly available.'
Furthermore, the EDPB advises that in some cases the relevant legislation may not be sufficient to provide the required information. In such instances, the EDPB recommends that the assessment is conducted with due diligence on other relevant objective factors. These factors may include, for instance, reported precedents of public authorities accessing data.
Where assessments find that essentially equivalent protection may not be provided, it is the responsibility of the data exporter to utilise supplementary measures or to not transfer personal data.
Where assessments find that essentially equivalent protection is provided, re-evaluations and monitoring should continue to occur as described in step six.
Beyond the resources that may be provided by a data importer to assist in assessments, the EDPB suggests the following non-exhaustive list:
- case-law of the CJEU and of the European Court of Human Rights ('ECtHR');
- adequacy decisions in the country of destination if the transfer relies on a different legal basis;
- resolutions and reports from intergovernmental organisations, such as the Council of Europe, other regional bodies, and UN bodies and agencies (e.g. UN Human Rights Council, Human Rights Committee);
- national case-law or decisions taken by independent judicial or administrative authorities competent on data privacy and data protection of third countries; and
- reports from academic institutions, and civil society organisations (e.g. NGOs and trade associations).
Step four: Adopt supplementary measures
Where a step three assessment indicates that essentially equivalent protection may not be maintained through the Article 46 transfer tool, additional supplementary measures should be considered. Such measures will need to be agreed with the data importer and be sufficient to provide essentially equivalent protection.
Supplementary measures should be considered on a case-by-case basis, be checked against the findings from steps one to three, and may include a combination of technical, organisational, or contractual measures. The EDPB highlights that 'contractual and organisational measures alone will generally not overcome access to personal data by public authorities of the third country (where this unjustifiably interferes with the data importer's obligations to ensure essential equivalence).' In such instances, the EDPB notes that technical measures may be of use to prevent access from public authorities and may work in conjunction with organisational and contractual measures.
Assessing supplementary measures
The EDPB notes that the following factors may be considered in collaboration with the data importer, where appropriate, in order to assess the most effective supplementary measures:
- format of the data;
- nature of the data;
- length and complexity of data processing workflow (number of actors involved in the processing and their relationships); and
- possibility that the data may be subject to onward transfers, within the same third country or to other third countries.
Examples of supplementary measures
The EDPB provides a detailed consideration of potential supplementary measures as well as conditions for their effectiveness in Annex 2 of its Recommendations. In relation to technical measures, the EDPB considers several use cases where such measures may or may not be effective. Within these use cases, the EDPB discusses, among other things, state-of-the-art encryption, appropriate handling of cryptographic keys, pseudonymisation, separating information, and thorough preparation against cryptanalysis.
The EDPB also examines additional contractual and organisational measures, including:
- contractual obligations for technical measures, transparency, specific actions, or data subject rights;
- internal governance policies, especially within enterprise groups;
- accountability measures, such as transparency reports;
- data minimisation;
- adoption of standards and best practices;
- regular reviews; and
- data importer commitments.
The effectiveness of all of the above supplementary measures will need to be demonstrable, and the EDPB sets out specific conditions for this effectiveness. Whether any of these measures, alone or in combination, may be considered effective in providing essentially equivalent protection will be dependent on the specific case.
Measures are effective
Where supplementary measures are able to ensure essentially equivalent protection of personal data, the transfer should be viable. In some cases, in particular where there are modifications of SCCs, there may be further procedural requirements, as discussed in step five below.
Measures are not effective
Where supplementary measures are not able to ensure essentially equivalent protection of personal data, transfers should not start on the basis of the Article 46 transfer tool being relied upon. Where a transfer has already started, it must be suspended or ended. Furthermore, the EDPB notes that, 'Pursuant to the safeguards contained in the Article 46 GDPR transfer tool you are relying on, the data that you have already transferred to that third country and the copies thereof should be returned to you or destroyed in their entirety by the importer.'
If an organisation nonetheless chooses to continue the transfer, it should inform the competent supervisory authority as per the relevant requirements under Article 46 of the GDPR. The supervisory authority will then suspend or prohibit transfers it does not deem as providing essentially equivalent protection.
Step five: Procedural steps if you have identified effective supplementary measures
Depending on which Article 46 transfer tool is selected, further procedural steps may be required. These specifically apply if SCCs, BCRs, or other ad hoc contractual clauses are used.
The EDPB notes that there is no requirement to seek authorisation from a competent supervisory authority when supplementary clauses or safeguards are being added to SCCs so long as the measures 'do not contradict, directly or indirectly, the SCCs and are sufficient to ensure that the level of protection guaranteed by the GDPR is not undermined'.
However, the EDPB also emphasises that it is the responsibility of the data exporter and importer to ensure that additional clauses, 'cannot be construed in any way to restrict the rights and obligations in the SCCs or in any other way to lower the level of data protection'. Furthermore, organisations should be able to demonstrate that protections are sufficient, that there are no relevant restrictions, and that clauses are not ambiguous.
In addition, the EDPB notes that competent supervisory authorities have the power to review these supplementary clauses.
Where the SCCs themselves are to be modified, or where supplementary measures directly or indirectly contradict the SCCs, authorisation must be sought from the competent supervisory authority.
The EDPB highlights that the Schrems II judgment applies to other transfer tools under Article 46 of the GDPR as these are 'basically of contractual nature, so the guarantees foreseen and the commitments taken by the parties therein cannot bind third country public authorities.'
Binding Corporate Rules
In relation to BCRs, the EDPB notes, 'The precise impact of the Schrems II judgment on BCRs is still under discussion. The EDPB will provide more details as soon as possible as to whether any additional commitments may need to be included in the BCRs in the WP256/257 referentials.'
The EDPB also outlines that data exporters and importers will need to assess whether there is essentially equivalent protection provided to personal data in third countries when utilising BCRs, and employ any supplementary measures where applicable.
Ad hoc contractual clauses
The EDPB comments similarly on ad hoc clauses as it does on BCRs, noting that the Schrems II judgment has an impact and that essentially equivalent protection should be ensured. The EDPB states, 'The precise impact of the Schrems II judgment on ad hoc clauses is still under discussion. The EDPB will provide more details as soon as possible.'
Step six: Re-evaluate at appropriate intervals
The EDPB highlights that monitoring should be conducted on an 'ongoing basis'. Such monitoring should address any relevant developments in the third country and, where appropriate, may include collaboration with data importers.
Furthermore, the EDPB outlines that mechanisms should be in place to promptly suspend or end transfers where:
- the importer has breached commitments; or
- supplementary measures are no longer effective.