Five months after the Schrems II decision, the EDPB has added long awaited clarity to the CJEU’s language regarding ‘supplemental measures’
The European Data Protection Board (EDPB) has just issued recommendations for international data transfers following the Schrems II decision invalidating the EU-US Data Privacy Shield.
The EU General Data Protection Regulation (GDPR) was designed to facilitate the free flow of personal data (PD) within the European Economic Area (EEA), while preserving the fundamental rights and freedoms of individuals - specifically the protection of PD. On 16 July 2020, deciding on Case 3C-311/18 (Schrems II), the European Union Court of Justice (CJEU) invalidated the US - EU Data Privacy Shield, resulting in tremendous uncertainty, not just with respect to how GDPR-covered PD could be exported to the US but, to any third country that has not received an equivalency status by the European Commission (EC). The CJEU reiterated that the protections granted to PD in the EEA must travel with PD wherever it goes; and the transfer of PD to third countries cannot be a means to undermine or dilute PD protections that exist in the EEA. The CJEU made clear that while the level of protection in third countries need not be identical to that guaranteed within the EEA it must be equivalent.
In Schrems II, the CJEU upheld the validity of standard contractual clauses (SCCs) as an additional safeguard that can contractually create EU-equivalent protections for outbound PD transfers. However, SCCs and other additional safeguards under GDPR Art. 46 (eg binding corporate rules and approved codes of conduct) do not operate in a vacuum. The CJEU indicated that appropriate safeguards, such as SCCs, together with supplemental measures can compensate for deficiencies in the PD protections in third countries; however, it did not elaborate on what constitutes such supplemental measures.
The CJEU did specify that controllers or processors that export PD must verify, on a case-by-case basis, if the law or practice of a third country, where PD is to be exported, undermines the effectiveness of the appropriate safeguards articulated in Art. 46 of the GDPR. The CJEU also maintained that PD exporters must adhere to their accountability obligations under GDPR Art. 5.2.
Five months after the Schrems II decision, the EDPB has clarified the CJEU’s language regarding ‘supplemental measures’ to be used by PD exporters. On 10 November 2020, the EDPB adopted Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data (the Recommendations), which contains recommendations to help PD exporters assess third countries and identify appropriate supplemental measures. On the same day, the EDPB also adopted Recommendations 02/2020 on the European Essential Guarantees for Surveillance Measures (the Guarantees for Surveillance), which should be read in conjunction with the Recommendations.
The Recommendations provide a roadmap of the steps to follow to determine if a data exporter must use supplemental measures to legally transfer data outside the EEA. The EDPB-recommended steps are generally as follows:
1. PD exporters should map all PD transfers to third countries, even if complex. Awareness of where PD moves helps ensure it receives the required level of protection wherever it is processed. In line with the GDPR, PD exporters must also verify that transferred PD is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country.
2. PD exporters should verify the appropriate safeguard upon which a transfer relies, among those listed under GDPR Chap. 5. If the jurisdiction to which PD is to be transferred received an adequacy decision by the EC, no further steps or measures are necessary, other than ensuring the adequacy decision remains valid. If the jurisdiction has not received an adequacy decision from the EC, PD exporters must rely upon one of the transfer methods available under GDPR Art. 46 for transfers that are regular and repetitive. If PD transfers are occasional and non-repetitive, a PD exporter may be able to rely upon a specific situation derogation under GDPR Art. 49.
3. PD exporters should assess if anything in the law or practice of the third country can act to undermine the effectiveness of the safeguards on which the PD exporter is relying (in the context of each specific transfer) under GDPR Art. 46. The Guarantees for Surveillance should be considered in assessing the law of a third country where public authorities may access PD for surveillance purposes. PD exporters should carefully consider risk where third country legislation that governs access to PD by public authorities is ambiguous or not publicly available. In such instances, PD exporters must be cautious about making any such transfers and PD exporters should investigate other relevant and objective factors and not rely upon subjective factors such as the likelihood of public authorities’ access to the PD in a manner that contravenes EU standards. Any such assessments should be conducted with thoroughly documented due diligence to comport with the GDPR’s accountability standards; PD exporters will be held accountable for any decisions to export PD based on this kind of assessment.
4. PD exporters should identify and adopt such supplemental measures as are necessary to augment the level of data protection to that equivalent to the EU standard. The EDPB recommends this step if an assessment shows that third country legislation will undermine the effectiveness of the appropriate safeguard that will be relied upon by an exporter to transfer PD. Annex 2 of the Recommendations contains examples of supplemental measures with some of the conditions they would require to be effective. As with appropriate safeguards found in GDPR Art. 46, some supplemental measures may be effective in some jurisdictions but not others. PD exporters are responsible and will be accountable for assessing the effectiveness of the supplemental measures they choose to use to support PD transfers. In some cases, PD exporters may need to combine several supplemental measures. PD exporters may ultimately find that no supplemental measure(s) can ensure an essentially equivalent level of protection for a specific PD transfer. Consequently, where no supplemental measure(s) are deemed suitable, a PD exporter must avoid, suspend, or terminate a PD transfer to avoid compromising the level of protection of the PD. PD exporters should also use well-documented due diligence in conducting such assessments of supplemental measures to remain in compliance with their accountability requirements under the GDPR to show supervisory authorities in the event there is an inquiry.
5. PD exporters should take any formal procedural steps to adopt necessary supplemental measures depending on which GDPR Art. 46 safeguard tool it will rely. The Recommendations specify these formalities; however, in some cases a PD exporter may need to consult a competent supervisory authority.
6. PD exporters must regularly reassess the level of PD protection in each third country to which PD has been transferred and monitor if there have been or will be any developments that may negatively affect the security of the PD. The GDPR principle of accountability requires continuous vigilance with respect to the level of protection of PD.
Supervisory authorities will observe the actions exporters take to ensure that PD transferred to third countries is protected to GDPR-equivalent levels and will suspend or prohibit PD transfers where, following an investigation or complaint, they find that an essentially equivalent level of protection cannot be ensured.
While the Recommendations provide a guide to determine if a data exporter must use supplemental measures to legally transfer PD outside the EEA, the ultimate responsibility for any PD exports lies solely with data exporters, with assistance from the recipient(s) in the third country, to assess whether PD can safely be exported to that third country. A data privacy professional is essential to assist data exporters to assess and manage risk.
The author is one of a small handful of IAPP certified CIPP/E (GDPR specialist) holders in greater China and a senior transactional advisor on Hill Dickinson’s Corporate and Commercial team.
Hill Dickinson, founded in 1810, has lawyers with decades of experience dealing with a full range of regulatory, corporate and commercial matters. Our combination of technical expertise, commercial acumen and excellent service together with the quality of our team, market knowledge and commitment to achieving client success makes us Hill Dickinson.
View the Guarantees for Surveillance
This article is for general information purposes only and does not constitute legal advice.