June 29, 2022

Volume XII, Number 180


EDPB Sheds Post-Schrems II Light on Supplementary Measures for Data Transfers

The EDPB recently published recommendations on additional security steps to take when transferring personal data out of the EU. As outlined in our previous series of posts, the EU found this summer that the EU-US Privacy Shield was an invalid mechanism for transferring personal information from the EU to the US. As an alternative for companies wishing to transfer personal information from the EU to the US, the EU pointed to standard contractual clauses (SCCs). At the time, though, it caveated that controllers relying on the SCCs may have to use supplementary measures to protect outbound personal data. There was confusion, however, around what such additional measures should be. In this recent guidance, the EDPB recommends that companies exporting data out of the EU in reliance on SCCs take six steps. These are useful for review by exporting companies in the EU, as well as by entities in the US. The latter can expect to be asked questions by their EU counterparties that relate to these steps:

  1. Map out all transfers out of the EU. The EDPB acknowledged in the guidance that this is difficult, but stated that knowing the destination of data is an important step toward understanding the level of protection it is afforded. A related step is limiting the amount of information transferred to that which is actually needed.

  2. Understand the basis for the transfer (SCCs, etc.). This, too, is an important fundamental step according to the EDPB.

  3. Determine if the recipient’s country has laws that would negatively impact safeguard measures. These might include “the likelihood of public authorities’ access to your data in a manner not in line with EU standards.” When thinking about the legal context in the recipient country, the EDPB recommends that companies look to the context of the transfer, such as the reason for the transfer, industry sector, and format of the data being transferred (is it encrypted, for example?).

  4. Put additional security measures in place that will ensure the same level of protection as afforded in the EU. This is relevant to the extent that the exporter concludes that the recipient country’s laws would negatively impact security measures. One example of a supplementary measure is using encryption and keeping the keys under the EU exporter’s control. Another is adding provisions to the contract such as transparency obligations, restrictions on onward sharing, requirements for internal policies, or data minimization requirements. The EDPB points out, though, that there may be times when there are no appropriate supplementary measures.

  5. Take appropriate formal steps, if needed, depending on the basis of the transfer. For example, if a company decides to modify the SCCs in a way that “contradicts” (i.e., substantively modifies the provisions of) the clauses, then supervisory authority authorization would be needed.

  6. Regularly evaluate and monitor the security afforded to the data that is exported. This includes staying current on the legal developments in the recipients’ countries for things that might negatively impact the security of the data being exported.

The guidance is open to public comment until November 30, 2020. Companies interested in commenting may want to consider this EDPB document in conjunction with the proposed modification to the Standard Contractual Clauses, issued by the European Commission and open for comment until December 10, 2020.

Putting it into practice

Businesses relying on Standard Contractual Clauses for exporting data from the EU (including import into the US) may find these steps useful to better understand what the EDPB views as appropriate supplementary measures. US companies can expect more questions from their EU partners about the status of US laws, and may find EU companies asking for additional provisions above the SCCs.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume X, Number 322

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

Snehal Desai, attorney, Sheppard Mullin
Attorney

Snehal Desai is an associate in the Intellectual Property Practice Group in the firm's San Francisco office. She is a member of the Privacy and Cybersecurity Team, the Advertising Team and the Technology Transactions Team.

Areas of Practice

Advertising: Snehal advises clients in conducting advertising campaigns, contests and sweepstakes, and brand marketing campaigns. 

Technology and Commercial Transactions: Snehal drafts and negotiates...
