EDPB Releases Final Recommendations on Supplementary Measures for International Transfers
On June 21, 2021, following a public consultation, the European Data Protection Board (“EDPB”) published the final version of its recommendations on supplementary measures in the context of international transfer safeguards, such as Standard Contractual Clauses (“SCCs”) (the “Recommendations”).
The EDPB released its first draft of the Recommendations in November 2020, following the Schrems II judgement. In that case, the Court of Justice of the European Union required organizations relying on appropriate safeguards, such as the SCCs, under Article 46 of the EU General Data Protection Regulation (“GDPR”) to transfer personal data outside the European Economic Area (“EEA”) to verify, on a case-by-case basis, whether the law of the destination country ensures a level of protection for the personal data that is essentially equivalent to that in the EEA. If the level of protection is not essentially equivalent, organizations must assess whether supplementary measures should be implemented.
The final Recommendations retain the six-step process set forth in the first draft of the Recommendations, as described below:
Map Data Transfers
Organizations should map their data transfers, keeping in mind that access from a third country (e.g., storage in the cloud outside the EU) constitutes a transfer, and verify that the data transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred. The mapping exercise should include onward transfers made by processors to whom data is disclosed.
Identify Data Transfer Mechanisms
Organizations should identify the data transfer mechanism relied on under Chapter V of the GDPR, where one is required. Mechanisms such as the SCCs and Binding Corporate Rules should be used for regular, repetitive transfers. While the first draft of the Recommendations stated that the derogations under GDPR Article 49, such as consent or contractual necessity, should only be used for occasional and non-repetitive transfers, and interpreted restrictively, the final Recommendations provide a slightly broader scope. The Recommendations state that the derogations must be used “in a way which does not contradict the very nature of the derogations as being exceptions from the rule…Derogations cannot become ‘the rule’ in practice, but need to be restricted to specific situations.”
Assess Legal System of Recipient Country
It is important to assess whether the transfer mechanism is effective in protecting data in the context of the specific data transfer and the law or practice of the destination country, in particular whether any law would prevent the data importer from complying with its obligations under the relevant transfer mechanism (e.g., to process personal data only in accordance with the instructions of the data exporter).
Organizations should also consider any onward transfers that may be made, and the final Recommendations add that the assessment should address the effectiveness of the mechanism both while the data is in transit and on arrival in the destination country.
Further, the final Recommendations add that an organization’s assessment must consider access to data by public authorities in the destination country, including whether authorities may seek access to the data with or without the importer’s knowledge, and whether access may be sought through telecommunication providers/communication channels in light of authorities’ powers and resources (as well as reported precedent of such access). The assessment should examine the applicability of these laws and practices in the context of the specific data transferred.
In an important softening of the EDPB’s original position, the final Recommendations note that where the powers of authorities under the importing jurisdiction’s laws “restrict the fundamental rights of data subjects while respecting their essence and being necessary and proportionate measures in a democratic society to safeguard important objectives,” they might not impinge on the protections under the transfer tool relied on. Exporting organizations must verify whether the relevant laws of the destination country impinge on the ability of data subjects to exercise their rights under the transfer mechanism in practice. Organizations also should use the EU Charter of Fundamental Rights as a reference when establishing whether authorities’ powers to access data exceed what is necessary and proportionate, and whether data subjects have effective redress.
The final Recommendations also identify instances in which examining the practices of public authorities in force in the destination country will be particularly important, such as where the practices of public authorities clearly indicate that they do not normally comply with legislation that formally meets EU standards on fundamental rights in principle. Where the importing jurisdiction has potentially problematic laws in place but the data exporter does not expect such laws to be applied to the transferred data in practice and therefore continues with the transfer, the exporter will need to document this assessment.
When assessing the risk related to the relevant transfers, organizations must use relevant, objective, reliable, verifiable and publicly available information. Organizations may also take into account the documented practical experience of the data importer with respect to prior requests for access, although the absence of such requests alone should not be considered decisive in establishing the effectiveness of an Article 46 transfer mechanism.
Consider Supplementary Measures
If the legal assessment concludes that the third country’s legislation impinges on the effectiveness of the Article 46 GDPR transfer safeguards relied upon, organizations should implement supplementary measures to ensure a level of protection that is essentially equivalent to that under EU law. Possible measures include technical measures (such as encryption), contractual measures (such as reinforced power for the data exporter to conduct audits of the data importer) and organizational measures (such as adoption of internal policies with clear allocation of responsibilities for data transfers).
Take Formal Procedural Steps
Organizations should take any formal procedural steps that the adoption of supplementary measures may require, such as seeking authorization from the competent supervisory authority if the organization intends to modify the SCCs.
Keep Data Transfer Arrangements Under Review
The final Recommendations also outline the importance of re-evaluating data transfer arrangements at appropriate intervals and monitoring any developments that may affect them.
Maintaining the free flow of data between the EU and U.S. has become more difficult following the Schrems II case. While the final Recommendations still require organizations to analyze applicable laws in the importing jurisdiction and to assess the data flows in some detail, they helpfully permit organizations to apply a subjective approach to the assessment of whether the level of protection is essentially equivalent. This does not remove the need for careful analysis, but it does permit exporters to take into account the actual experience of particular data importers in assessing whether they are subject to government access requests.