EU: EDPB recommendations on supplementary measures shed light on post Schrems II data transfers
The European Data Protection Board ('EDPB') announced, on 11 November 2020, that it had adopted, following the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), its Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data [1] ('the Supplementary Measures Recommendations') and its Recommendations 02/2020 on the European Essential Guarantees for Surveillance Measures [2] ('the Essential Guarantees Recommendations').
The Supplementary Measures Recommendations aim to assist controllers as well as processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where the same are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries.
On the other hand, the Essential Guarantees Recommendations, an updated version of the ones issued following Maximillian Schrems v. Data Protection Commissioner (C-362/14) ('the Schrems I Case'), which invalidated Safe Harbor, aim to provide guidance on the elements to examine when determining whether surveillance measures allowing access to personal data by either national security agencies or law enforcement authorities in a third country can be regarded as a justifiable interference or not.
Accountability principle within data transfers
The EDPB recalls that the right to data protection has an active nature. Therefore, data exporters and importers, in order to comply with the principle of accountability, are required to:
- go beyond an acknowledgement of, or passive compliance with, the right to data protection;
- seek to comply with the right to data protection in an active and continuous manner by implementing legal, technical, and organisational measures that ensure its effectiveness; and
- be able to demonstrate these efforts to data subjects, the general public, and data protection supervisory authorities.
From a practical standpoint, the Supplementary Measures Recommendations provide a six-step roadmap to help data exporters (both controllers and processors) determine whether they need to put in place supplementary measures in order to lawfully transfer data outside the European Economic Area ('EEA').
The six-step roadmap
Step one: Know the transfers
Data exporters must be fully aware of the transfer activities they carry out, which should be achieved by recording and mapping all such transfers. The EDPB recommends carrying out the following activities to gain full awareness of the transfers, and notes that data exporters must keep in mind that this exercise must be completed before any transfer is made, and must be updated prior to resuming transfers after any suspension of data transfer operations:
- build on the records of processing activities that organisations may be obliged to maintain as controller or processor under Article 30 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR');
- build on previous actions to fulfil transparency obligations toward data subjects under Articles 13(1)(f) and 14(1)(f) of the GDPR;
- take into account onward transfers between processors and sub-processors; and
- verify that the transferred data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country, in accordance with the principle of minimisation.
In relation to GDPR mechanisms and requirements that organisations should take into account when recording and mapping the transfers, Dr. Carlo Piltz, Partner at reuschlaw Legal Consultants, told OneTrust DataGuidance, "In practice, it will certainly not be easy to always know every data transfer. […] However, […] companies can partly rely on existing GDPR documents. A well-managed record of processing activities is in fact likely to be relevant. [In addition], another good starting point is internal contract management or the procurement department. That is where offers from service providers are obtained and compared and where information of engaged service providers can possibly be found. A further step could be sending questionnaires to individual departments or holding short workshops."
Step two: Identify the transfer mechanism to rely on
The EDPB provides that data exporters must identify the transfer tool among those provided in Chapter V of the GDPR:
- adequacy decision: data can flow from the EEA to the third country without any additional measure, and no further steps, as described in the Supplementary Measures Recommendations, need to be taken;
- if no adequacy decision has been granted, the data exporter must select one of the transfer mechanisms below under Article 46 of the GDPR, in any case ensuring that, overall, the transferred personal data will benefit from an essentially equivalent level of protection:
  - Standard Contractual Clauses ('SCCs');
  - Binding Corporate Rules ('BCRs');
  - codes of conduct;
  - certification mechanisms; or
  - ad hoc contractual clauses.
- derogations under Article 49 of the GDPR.
Step three: Assess whether the adopted transfer mechanism is effective in practice
The EDPB highlights that data exporters must assess whether the adopted transfer mechanism is effective in practice, where 'effective' means that the transferred personal data must be afforded a level of protection in the third country that is essentially equivalent to that guaranteed in the EEA.
Data exporters must therefore assess, where appropriate in collaboration with the importer, if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer mechanism they are relying on.
In particular, the Supplementary Measures Recommendations provide that data exporters will have to:
- verify whether data subjects' rights in the context of international transfers (such as access, correction, and deletion requests for transferred data) can be effectively exercised in practice and are not thwarted by law in the third country of destination; and
- verify the presence of any relevant laws, such as laws imposing requirements to disclose personal data to public authorities or granting such public authorities powers of access to personal data, in order to verify that these requirements or powers:
  - are limited to what is necessary and proportionate in a democratic society; and
  - do not impinge on the commitments contained in the transfer tool the exporter is relying on.
In this regard, data exporters should consider the Essential Guarantees Recommendations, which set out the elements to be assessed in determining whether the legal framework governing access to personal data by public authorities in a third country, be they national security agencies or law enforcement authorities, can be regarded as a justifiable interference (and therefore as not impinging on the commitments undertaken under the adopted transfer mechanism) or not.
In relation to the assessment of third country legislation, Eduardo Ustaran, Partner at Hogan Lovells International LLP, highlighted, "One of the most difficult steps [for organisations] will be to assess the law in the data importer's country as it applies to the specific circumstances of each transfer. This may be a tall order in certain jurisdictions where undertaking a sufficiently detailed legal analysis will require a good understanding of the local framework."
In practice, the EDPB provides that the evaluation must be done in the context of the specific transfer, taking into account all the actors participating in the transfer. Specifically, the following circumstances of the transfer will have to be considered:
- purposes for which the data are transferred;
- types of entities involved in the processing;
- sector in which the transfer occurs;
- the categories of personal data transferred;
- whether the data will be stored in the third country or if there is only remote access;
- format of the data to be transferred; and
- possibility of onward transfers.
Step four: Adopt supplementary measures
The EDPB provides that, if the above assessment reveals that the transfer mechanism under Article 46 of the GDPR is not effective, the data exporter will need to consider, where appropriate in collaboration with the importer, if supplementary measures exist, which, when added to the safeguards contained in transfer tools, could ensure that the data transferred is afforded in the third country a level of protection essentially equivalent to that guaranteed within the EU.
The EDPB notes that supplementary measures must be identified on a case-by-case basis and may, in principle, be of a contractual, technical, or organisational nature. In order to identify the most appropriate supplementary measure to put in place, the following factors may be considered:
- format of the data to be transferred;
- nature of the data;
- length and complexity of the data processing workflow, number of actors involved in the processing, and the relationship between them; and
- possibility that the data may be subject to onward transfers, within the same third country or even to other third countries.
In relation to the availability of supplementary measures, Ustaran noted, "The most useful aspect of the guidance is the emphasis on the availability of a range of options in terms of supplementary measures. […] The EDPB has been fairly creative, although it is important to understand that not all measures will be suitable for all cases. [In fact], in the world of international data transfers post Schrems II, a one-size-fits-all model will not cut it, [as] the EDPB is essentially telling us that it is a matter of finding the right combination of measures to protect the data wherever it is."
On the same, Piltz outlined, "It should be clear that these safeguards can be of any kind. [However], it should also be noted that contractual agreements between companies have no effect vis-à-vis national security authorities. […] Therefore, it is certainly advisable not to rely solely on contractual measures. [In addition], the strength of the respective measures is to be determined according to the individual case."
Furthermore, and in relation to supplementary measures for the transfer of data to the US and other third countries when using SCCs, Renzo Marchini, Partner at Fieldfisher (London), highlighted, "If the data importer falls under the Foreign Intelligence Surveillance Act of 1978 ('FISA'), then SCCs may only be relied upon 'if additional supplementary technical measures make access to the data transferred impossible or ineffective.' [Accordingly], this must be true for any system in the world where surveillance laws do not meet the European 'necessary and proportionate in a democratic society' standard. [Therefore], contractual and organisational measures are never going to be enough alone, [and the exporter] will always need technical measures that render the access 'impossible or ineffective.' The key question remains: did the EDPB in practice mean the above? The lengthy discussion of other (non-technical) measures suggests not, but that is hard to reconcile with the passage quoted above. Perhaps this type of inconsistency will be removed during the consultation. However, if not, and if the tenor of this reading […] remains in the final document, the consequences will be seismic."
Step five: Procedural steps related to the specific transfer mechanism
The EDPB addresses, after the identification of effective supplementary measures, the procedural steps to be adopted in relation to the specific transfer mechanism, which will depend on the chosen transfer tool:
- SCCs: in relation to the procedural steps to be adopted in the case of SCCs, Piltz outlined, "Additions to SCC are permitted and do not directly lead to an approval requirement by data protection authorities. According to the view of the EDPB, there is no need to request an authorisation from the competent authority, as long as the identified supplementary measures do not contradict, directly or indirectly, the SCCs and are sufficient to ensure that the level of protection guaranteed by the GDPR is not undermined."
- BCRs: the EDPB recalls that the Schrems II judgment is relevant for transfers of personal data on the basis of BCRs, since third-country laws may affect the protection provided by such instruments. In this regard, the precise impact of the Schrems II judgment on BCRs is still under discussion, and the EDPB will provide more details as soon as possible as to whether any additional commitments may need to be included in the BCRs in the Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules [3].
- ad hoc contractual clauses: the Schrems II judgment is relevant for transfers of personal data on the basis of ad hoc contractual clauses, since third-country laws may affect the protection provided by such instruments. In this regard, the precise impact of the Schrems II judgment on ad hoc clauses is still under discussion, and the EDPB will provide more details as soon as possible.
Step six: Monitor and re-evaluate the assessment at appropriate intervals
The EDPB reminds data exporters that they must monitor, where appropriate in collaboration with data importers, developments in the third country to which they have transferred personal data that could affect the initial assessment of the level of protection and the decisions that they may have taken accordingly. In the following cases the transfer must be suspended or ended:
- the importer has breached or is unable to honour the commitments it has taken as part of the chosen transfer mechanism; or
- the supplementary measures are no longer effective in the third country.
On the same, Marchini highlighted, "The EDPB do expect exporters to be aware of legal changes in the destination regime. [Therefore], an exporter can (read should) get a contractual commitment from the importer if the chosen legal transfer mechanism does not already have such an obligation (such as the one contained in Clause 5(b) of the controller-to-processor SCCs). [In practice], the most sophisticated organisations with good privacy accountability frameworks will want to quickly review the possibility of legal changes and document that they have done so. There is no hard and fast rule, but just as governance may point towards a privacy audit of key suppliers every year or two, then the legal landscape could be checked at the same time."
Examples of supplementary measures
Annex 2 of the Supplementary Measures Recommendations presents a non-exhaustive list of examples and use cases of supplementary measures that data exporters could consider when addressing step four above. In particular, the EDPB specifies that any supplementary measure may only be deemed effective within the meaning of the Schrems II judgment, and that, if, ultimately, the data exporter cannot ensure an essentially equivalent level of protection, the data must not be transferred.
Supplementary measures are divided into:
- technical measures;
- contractual measures; and
- organisational measures.
In relation to the examples of supplementary measures, Marchini stated, "The main issue raised by the EDPB is that there must be an absolute assurance of no access to data by government authorities (when they do not meet the EU standards). This requires a technical solution and in that regard the examples have a big focus on encryption (with the key being out of actual and potential reach of the data importer). If data is encrypted to that degree, then the data exporter will have met the Schrems II challenge. It is not only encryption though. The technical measures ought to preclude infringing access by preventing the authorities from identifying the data subjects, singling them out, or inferring information about them, including by associating the transferred data with other datasets they may possess. In other words, if the data is sufficiently de-identified (at least in the hands of the government authorities who might get access), then that will certainly suffice, even if the data remains 'personal data' elsewhere. [Therefore], key-coding or applying other pseudonymisation techniques, where the key is not accessible to authorities, may be sufficient, as provided under Use Case No. 2 of Annex II of the Supplementary Measures Recommendations."
On the other hand, Marchini also recalled, "When encryption (or such a level of 'de-identification') is not possible (either because data 'in the clear' is needed out of the EU, or because the data and the key (whilst remaining in Europe) are still potentially within reach of the non-EU authorities), then there is little if any comfort to be taken from the many examples. [In this regard], Use Case No. 6, within the list of 'scenarios in which no effective measures could be found' of the Annex of the Supplementary Measures Recommendations, is the key problem. [In fact], 'in the clear' data will never be sufficiently protected from agencies with those powers."
The Supplementary Measures Recommendations conclude by recalling that the Schrems II judgment underscores the need to ensure, when transferring data, the continuity of the level of protection afforded under the GDPR to personal data transferred to a third country, and that the competent supervisory authorities have the power to suspend or end transfers of personal data to the third country if the protection of the transferred data that EU law requires, in particular under Articles 45 and 46 of the GDPR and the EU Charter of Fundamental Rights, is not guaranteed.
Lastly, the EDPB announced that the Supplementary Measures Recommendations, although applicable immediately following their publication, will be available for public comments until 30 November 2020.
Matteo Quartieri, Privacy Analyst
Comments provided by:
Carlo Piltz, Partner, reuschlaw Legal Consultants
Eduardo Ustaran, Partner, Hogan Lovells International LLP
Renzo Marchini, Partner, Fieldfisher (London)
1. Available at: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf
2. Available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf
3. Available at: https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=49725