On 11 November 2020, the European Data Protection Board (EDPB) released recommendations on supplementary measures for international transfers (here) and recommendations on the European Essential Guarantees for surveillance measures (here), following the Schrems II decision (see our previous blog here).
As a result of the Schrems II decision, data exporters who use certain transfer mechanisms as an appropriate safeguard for personal data during international transfers, such as Standard Contractual Clauses (SCCs), are required, on a case by case basis, to assess whether the law of the third country provides a level of protection that is essentially equivalent to that guaranteed in the European Economic Area (EEA). If such protections are not equivalent, data exporters should consider whether any supplementary measures can be implemented to fill the gaps in protection.
Supplementary transfer measures
The EDPB’s recommendations on supplementary transfer measures aim to assist both controllers and processors in their role as data exporters with their duty to identify and implement appropriate supplementary measures where appropriate. The EDPB has laid out a ‘roadmap’, comprised of six steps, which should be taken by data exporters when determining whether supplementary measures must be put in place for a certain data transfer:
- Know your transfers;
- Verify the transfer tool your transfer relies on;
- Assess the law or practice of the third country, in the context of your specific transfer;
- Identify and adopt the necessary supplementary measures, if necessary;
- Take any formal procedural steps for the adoption of the necessary supplementary measures identified; and
- Re-evaluate, at appropriate intervals, the level of protection of the data transfer.
The EDPB’s recommendation also includes examples of supplementary measures (technical measures, organisational measures and contractual measures) and factors that must be taken in account in relation to each measure to ensure it is effective and appropriate.
But how will a data exporter be able to assess third country laws? The EDPB’s view is that the data importer should be able to provide the data exporter “with relevant sources and information relating to the third country in which it is established and the laws applicable to it”. In addition, data exporters should also refer to additional materials, such as the Court of Justice of the European Union case-law, adequacy decisions, national case-law or reports from academic intuitions.
The recommendations are open for consultation until 30 November 2020.
European Essential Guarantees
The EDPB has also released recommendations on the European Essential Guarantees for surveillance measures, which are complementary to the recommendations on supplementary measures. These provide data exporters with a framework to determine whether the surveillance laws of the third country where data is exported will interfere with the right to privacy in a manner that is justifiable in accordance with the European Union standards. The EDPB mentions four European Essential Guarantees:
- Processing should be based on clear, precise and accessible rules;
- Any limitation on a data subject’s fundamental rights and freedoms must be subject to the principles of necessity and proportionality;
- Any interference with a data subject’s right to data protection should be subject to an independent oversight mechanism; and
- Effective remedies need to be available to the data subject.
These ‘core elements’ must be considered by data exporters when assessing the level of interference of surveillance laws with the fundamental rights to privacy and data protection in third countries. The EDPB also stressed that these elements should not be reviewed individually, but together. What this means in practice remains to be determined.
The EDPB hopes that its recommendations will help ensure consistency across the EEA in the application of the international transfer obligation under GDPR, in the context of the Schrems II decision. However, conducting an assessment of a third country’s surveillance laws and determining what, if any, supplementary measures can be taken to ensure a level of protection essentially equivalent to that in the EEA is no mean feat and needs to be approached using the right resources.