The European Data Protection Board (EDPB) adopted final Recommendations on Supplementary Measures (Recommendations) for data transfers to third countries, published in response to the CJEU ruling in Schrems II. The Recommendations contain a six-step methodology to assess transfers of personal data from the EEA to those countries outside the EEA that have not been approved by the European Commission as providing adequacy. The Recommendations also contain various supplementary measures that can be used if the transfer tools an organisation has selected do not provide a level of protection equivalent to that offered under the GDPR and to individuals’ rights and freedoms under the EU Charter of Fundamental Rights. The Recommendations contain practical guidance for cases where there is “problematic legislation” in an importing country, such that public and governmental authorities would be able to access individuals’ personal data.
The EDPB published draft recommendations for public consultation in November 2020. There are some key changes between the draft and the final Recommendations. The final version places a particular focus on the specific circumstances of the transfer in the data transfer assessment. It also calls on organisations to review not only the laws but also the practices of a third country’s public authorities in relation to surveillance measures. The final Recommendations also emphasise that use of the GDPR derogations is meant to be an exception to the rule barring transfers of personal data from the EEA to third countries not otherwise deemed adequate.
The Recommendations emphasise that it is the obligation of both data exporters and data importers to ensure the level of protection set by EU law when they transfer data to third countries. To comply with the accountability principle under the GDPR, controllers or processors acting as data exporters must ensure that data importers collaborate with them in ensuring that protection travels with the data, and must jointly monitor that the measures taken are effective in achieving that aim.
The Recommendations retain the previous ‘roadmap’, comprising six steps, which should be taken by data exporters when determining whether supplementary measures must be put in place for a given data transfer:
- Know your transfers;
- Verify the transfer tool your transfer relies on;
- Assess the law or practice of the third country, in the context of your specific transfer;
- Identify and adopt the necessary supplementary measures, if necessary;
- Take any formal procedural steps for the adoption of the necessary supplementary measures identified; and
- Re-evaluate, at appropriate intervals, the level of protection of the data transfer.
The Recommendations continue to emphasise technical measures over contractual and organisational measures, stating that “there will be situations where only appropriately implemented technical measures might impede or render ineffective access by public authorities in third countries to personal data, in particular for surveillance purposes”. However, these measures are not expected to be standalone solutions; they are truly effective only when used in combination with each other.
The biggest changes are in step three, on the assessment of the surveillance laws in third countries. Data exporters are now able to take into account the practical experience of the data importer, such as previous requests for access to data from public authorities, the industry sector, and whether problematic legislation applies to the specific types of personal data due to be transferred.
- Laws and practices: An assessment of whether a third country has a law equivalent to the GDPR but the practices are incompatible, or where there is problematic legislation that may “impinge on the transfer tools’ contractual guarantee of an essentially equivalent level of protection [by not meeting EU standards on fundamental rights, necessity and proportionality] and 2) does not respect the essence of the fundamental rights and freedoms recognised by the EU Charter of Fundamental Rights or exceeds what is necessary and proportionate in a democratic society…”.
- Practical experience of the data importer: The data exporter may also consider documented practical experience of the data importer, which may include any relevant prior experience the importer has with public authority access requests. The absence of prior requests cannot itself be a conclusive ‘decisive factor’ and the experience of the importer must be verified and not contradicted by objective, reliable and publicly accessible information such as through the experience of other data importers in the same sector or other independent oversight bodies.
- ‘Problematic legislation’: If the laws and practices of the third country contain ‘problematic legislation’, the data exporter may (a) suspend the transfer, (b) implement supplementary measures or (c) proceed with the transfer without implementing supplementary measures as long as the ‘problematic legislation’ will not apply in practice to the data transfer in question or the types of personal data concerned. Data transfer assessments must be clearly documented in a detailed report to demonstrate accountability.
- Updated sources of information: Other sources can be referred to in the assessment as long as they are “relevant, objective, reliable, verifiable and publicly available or otherwise accessible”. These are set out in Annex Three and include reports from private providers of business intelligence, transparency reports by international organisations, and internal reports of the data importer on access requests from public authorities.
- Structure of the data transfer assessment report: The EDPB suggests that the report should contain:
  - “Comprehensive information on the legal assessment of the legislation and practices”
  - “Their application to the specific transfers”
  - “The internal procedure to produce the assessment (including information on actors involved in the assessment - e.g. law firms, consultants, or internal departments)”
  - “Dates of the checks” and
  - Endorsements by the legal representative of the data exporter.
These changes have the potential to expand the scope of possible data transfers compared to the draft version of the Recommendations originally published. This does not diminish the burden on organisations to carry out thorough data transfer assessments, with close attention to the details of specific transfers.
Interestingly, the EDPB clarified in the final version of the Recommendations that data transfers between the data subject and an organisation in a third country are not considered to be data transfers. At the same time, it emphasised that remote access by an entity in a third country to data in the EEA is deemed a data transfer. Additionally, the EDPB confirmed that a data transfer is a processing operation in and of itself. Therefore, a data transfer will require a legal basis for processing under the GDPR.
It is important to note that these Recommendations are not legally binding, nor are they a decision or opinion issued by the EDPB. They are, however, likely to carry weight and reflect the common interpretation of the data protection supervisory authorities in the EEA, which will be interpreting and enforcing them. Of equal note is that there is no threshold risk level contained in the Recommendations, which means that it is for each importer to assess a transfer, in keeping with the self-regulatory model of the GDPR.
In addition to the EDPB Recommendations, some of the Member State supervisory authorities may also issue guidance, such as that issued by the CNIL (in French). As part of its guidance, the CNIL has issued a colour-coded map of countries and the status of their data protection legislation compared with the EU standards.
We at Reed Smith have created a Data Transfer Assessment Tool which can assist you with your data transfer impact assessments and automate the process for creating and substituting the new SCCs. Please feel free to contact the team to learn more!