iWhen transferring personal information from the European Union to the United States, the European Data Protection Board has recommended that companies undergo a six-step process through which they (1) know the data being transferred, (2) identify the transfer tool that will be relied upon, (3) assess whether the destination country (i.e., the United States) will impede the effectiveness of the transfer tool, (4) consider (and adopt if needed) supplementary measures, (5) consider (and undergo if needed) any procedural steps needed to implement a transfer tool and/or supplemental measure, and (6) re-evaluate the risks to personal information at appropriate intervals.1
When conducting step 3 – assessing whether a destination country will impede the effectiveness of a transfer tool – the EDPB recommends that companies focus on the likelihood that there may be “access to data by public authorities.”2 The EDPB further recommends that companies consider a number of factors when assessing whether government access is likely. Most, but not all, of these factors were memorialized in the new standard contractual clauses released by the European Commission in June 2021. As a result, the consideration of certain factors may be a recommendation in some contexts (i.e., when a transfer mechanism other than the new standard contractual clauses is used) and a contractual requirement in other contexts (i.e., when the new standard contractual clauses are used). Each factor presumably should be evaluated for its impact on whether public authority access to the transferred personal information is more, or less, likely.
|
Factor |
EDPB |
New Standard Contractual Clauses |
|
Legislation. Does the legislation of the destination country (i.e., the United States) permit public authorities to access personal data (with or without the data importer’s knowledge) |
|
|
|
Practices. Do the practices in the destination country (i.e., the United States) permit public authorities to access personal data (with or without a data importer’s knowledge). Note that this element may be of particular importance if there is no relevant legislation. |
|
|
|
Reported precedent. Do the reported precedents in the destination country permit public authorities to access personal data (with or without a data importer’s knowledge). |
|
X |
|
Legislation not interpreted and/or applied in practice. The law is not interpreted and/or applied in practice so as to cover the transferred data and/or the data importer. |
|
(to the extent related to understanding the practices of the destination country) |
|
Comprehensive data protection law. Does the destination country have a comprehensive data protection law? |
|
X |
|
Independent data protection authority. Does the destination country have an independent data protection regulatory authority? |
|
X |
|
International instruments. Has the destination country agreed to adhere to any international instruments providing for data protection safeguards and limiting government intrusion? |
|
X |
|
Purpose of transfer. Does the purpose for which the data is transferred and processed make government access more or less likely? |
|
|
|
Type of entities involved. Whether the entities involved in the processing are public or private, and are controllers or processors. |
|
(generally refers to understanding the type of recipient) |
|
Industry sector. Does the sector in which the transfer occurs make government access more or less likely (e.g., AdTech, Telecommunications, financial, etc.) |
|
|
|
Categories of data transferred. Do the categories of personal data transferred make government access more or less likely (e.g., information relating to children might fall under specific destination country legislation). |
|
|
|
Storage. Whether the transferred data will be stored or only transiently processed (e.g., remote access only to data stored in the EU/EEA). |
|
|
|
Format of data. The format of the data to be transferred (e.g., plain text, pseudonymous, encrypted, etc.). |
|
|
|
Transmission channel. The manner in which the data is transferred across jurisdictional borders. |
X |
|
|
Onward transfer to other jurisdictions. Whether the data will be onward transferred to a second destination country. |
|
(refers to length of the processing chain, number of actors involved, and intended onward transfers) |
|
Quantity of recipients. Whether the data will be transferred to / accessed by a large quantity of onward recipients (controllers, processors, or sub-processors). |
|
(refers to length of the processing chain, number of actors involved, and intended onward transfers) |
|
Judicial redress. Do European data subjects have a mechanism to obtain judicial redress against unlawful government access to personal data. |
|
X |
|
Prior government requests to data importer. The quantity and type of government access requests that have historically been received by the data importer. |
|
|
|
Prior government requests to other companies in importer’s industry. The quantity and type of government access requests that have historically been received by the data importer. |
|
|
The European Data Protection Board has also suggested that companies consult the following sources as part of their evaluation of the above factors (listed in order of priority):[20]
-
Case-law of the Court of Justice of the European Union (CJEU) and of the European Court of Human Rights (ECtHR) as referred to in the European Essential Guarantees recommendations;
-
Adequacy decisions in the country of destination if the transfer relies on a different legal basis;
-
Resolutions and reports from intergovernmental organisations, such as the Council of Europe, other regional bodies, and UN bodies and agencies (e.g. UN Human Rights Council, Human Rights Committee);
-
Reports and analysis from competent regulatory networks, such as the Global Privacy Assembly (GPA);
-
National case-law or decisions taken by independent judicial or administrative authorities competent on data privacy and data protection of third countries;
-
Reports of independent oversight or parliamentary bodies;
-
Reports based on practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, from entities active in the same sector as the importer;
-
Warrant canaries of other entities processing data in the same field as the importer;
-
Reports produced or commissioned by Chambers of commerce, business, professional and trade associations, governmental diplomatic, trade and investment agencies of the exporter or other third countries exporting to the third country to which the transfer is made;
-
Reports from academic institutions, and civil society organizations (e.g. NGOs);
-
Reports from private providers of business intelligence on financial, regulatory and reputational risks for companies;
-
Warrant canaries of the importer itself;
-
Transparency reports, on the condition that they expressly mention the fact that no access requests were received. Transparency reports merely silent on this point would not qualify as sufficient evidence as these reports most often focus on access requests received from law enforcement authorities and provide figures only on this aspect while remaining silent on access requests for national security purposes received. This does not mean that no access requests were received but rather that this information cannot be shared;
-
Internal statements or records of the importer expressly indicating that no access requests were received for a sufficiently long period; and with a preference for statements and records engaging the liability of the importer and/or issued by internal positions with some autonomy such as internal auditors, DPOs, etc.
1 European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at 10-25.
2 European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 31.
3 European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 31.
4 Annex to the Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “New Standard Contractual Clauses”) at Clause 14(b)(ii).
5 European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶¶ 31, 43.1, 43.2.
6 Annex to the Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “New Standard Contractual Clauses”) at Clause 14(b)(ii).
7 European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 31.
8 European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 43.3.
9 Annex to the Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “New Standard Contractual Clauses”) at Clause 14(b)(ii).
10 European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 37.
11 European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 37.
12 European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 37.
13 European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 33.
14 Annex to the Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “New Standard Contractual Clauses”) at Clause 14(b)(i). .
15 European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 33.
[1] Annex to the Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “New Standard Contractual Clauses”) at Clause 14(b)(i). .
[2] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 33.
[3] Annex to the Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “New Standard Contractual Clauses”) at Clause 14(b)(i). .
[4] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 33.
[5] Annex to the Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “New Standard Contractual Clauses”) at Clause 14(b)(i). .
[6] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 33.
[7] Annex to the Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “New Standard Contractual Clauses”) at Clause 14(b)(i). .
[8] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 33.
[9] Annex to the Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “New Standard Contractual Clauses”) at Clause 14(b)(i). .
[10] Annex to the Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “New Standard Contractual Clauses”) at Clause 14(b)(i). .
[11] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 33.
[12] New Standard Contractual Clauses at § 14(b)(i). .
[13] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 34.
[14] New Standard Contractual Clauses at § 14(b)(i). .
[15] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 37.
[16] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 46. Note that the EDPB has indicated that the relevance of the importer’s prior experience may be diminished if the destination country prohibits the importer from providing information on requests for disclosure or on the absence of such requests; also note that the EDPB has stated that the absence of prior instances of requests can “never be considered, by itself, as a decisive factor . . . .”
[17] New Standard Contractual Clauses at § 14(b)(i). .
[18] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 46.
[19] New Standard Contractual Clauses at § 14(b)(ii) fn 12.
[20] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at Annex III.
