November 18, 2020
On November 11, 2020, the European Data Protection Board (EDPB) issued Recommendations 01/2020 that provide much anticipated and needed guidance on how to transfer personal data from the EU, particularly on how to assess the sufficiency of foreign laws in light of the landmark Schrems II judgement. The guidance provides a helpful step-by-step guide with concrete examples of supplementary measures that should help facilitate the efficient cross-border transfer of personal data. These Recommendations are particularly helpful for transfers to the U.S. where U.S. law allows for broad government access to transferred data.
In a key decision on July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield, the treaty-based scheme used by many companies to facilitate the transfer of personal data from the EU to the United States. The decision in Schrems II (C-311/18)1 was based, in large part, on the lack of legal limits on the U.S. government’s access to and use of personal data.2 This decision, however, upheld the validity of standard contractual clauses (SCCs) as a transfer tool—but not without limits. The judgment made clear that, even where SCCs are used, data exporters (entities that send personal data from the EU) are still required to verify whether the data privacy protections of the data importer’s country (the data importer being the entity that receives personal data from the EU) guarantee an adequate level of protection. This decision requires the data exporter to review the laws governing the data importer to determine if additional contractual, technical or organizational terms beyond those in the SCCs are needed to ensure that an adequate level of protection is provided to the personal data. What the CJEU did not provide was guidance on how a data exporter should conduct that evaluation and what additional contractual, technical or organizational terms may be necessary if the governing laws are found to be inadequate. In the aftermath of Schrems II, data importers situated in the U.S. in particular faced even more questions, since private companies in the U.S. have little ability to limit U.S. government access to the personal data being sent. Without the ability to prevent or limit such U.S. government access, it was unclear how any U.S. data importer could provide the level of protection required by GDPR.
The EDPB guidance fills that gap and provides a step-by-step analysis for companies to comply with the “adequate level of protection” required by EU data privacy laws and the Schrems II decision.
European Data Protection Board Recommendations on Supplementary Measures
The EDPB’s Recommendations outline the following six step approach to assess the laws of the data importer country and identify what supplementary measures may be needed. Data exporters are accountable for and must demonstrate compliance with GDPR. Any data transfer assessments performed must be documented and must be performed on a case-by-case basis.
STEP 1: Know Your Data Transfer.
The first step is to know what data transfers will occur and to make a record of them. To do so, exporters should map out all transfers of the personal data that they will be sending to non-EU (i.e., “third”) countries. This includes mapping transfers to the processor as well as any further transfers that the processor will make to any subprocessor. A data exporter does not necessarily need to start from scratch when mapping these data transfers; entities can build on the GDPR Art. 30 “records of processing activities” that already exist.
If an international cloud infrastructure is used, this may also be considered a transfer that needs to be recorded. As the EDPB has previously noted in FAQs related to Schrems II, remote access from a third country (e.g., support situations) and/or storage in a cloud situated outside the EEA is also considered a transfer.
As part of this first step, exporters should also verify that the data transferred is adequate, relevant, and limited to what is necessary for the purposes for which it is being transferred to and processed in the third country.
STEP 2: Know Your Transfer Tools.
There are three methodologies that can be followed to conduct a valid data transfer under the Recommendations: (1) the European Commission’s adequacy decisions (GDPR Art. 45); (2) GDPR Art. 46 Transfer Tools; and (3) GDPR Art. 49 Derogations.
If the European Commission has determined that a country, region, or sector is “adequate” through one of its adequacy decisions under GDPR Art. 45, data exporters may transfer data to that country, region, or sector without any further assessment under these Recommendations. For the list of adequate countries, regions, and sectors, see the European Commission’s page on adequacy decisions: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
Personal data may also be transferred to a third country if the transfer meets the strict conditions listed in Art. 49, which include where the data subject has provided explicit consent to the proposed transfer and where the transfer is necessary for the performance of a contract between the data subject and the data exporter. As noted by the Recommendations, use of Art. 49 for data transfers should only occur in exceptional cases.
In most cases, data exporters will need to consider using the transfer tools listed under GDPR Art. 46 to transfer the personal data. The main Art. 46 transfer tools are: (1) standard contractual (data protection) clauses (SCCs); (2) binding corporate rules (BCRs); (3) codes of conduct; (4) certification mechanisms; and (5) ad hoc contractual clauses.
If a data exporter relies on an Art. 46 transfer tool, then it must continue to step 3.
STEP 3: Assess the Third Country Law and All Circumstances of the Transfer.
Personal data that is transferred must be afforded a level of protection in the third country “that is essentially equivalent to that guaranteed in the EEA.”3 Even if the transfer tool used (e.g., standard contractual clauses) provides for an essentially equivalent level of protection for the personal data, if the data importer is prevented from complying with those obligations by the laws of the third country, the transfer tool will not be adequate to guarantee the necessary protections for the personal data. While the Recommendations state that the level of protection need not be “identical” to the data protection regime present in the EEA, the “essentially equivalent” standard is the key threshold for determining whether a cross-border data transfer is permissible or whether additional safeguards are required.
In order to make this assessment, the data exporter must review the law and practice of the third country where the personal data is being transferred to determine if those laws or practices prevent the data importer from complying with its obligations under the transfer tool. This review of the law or practice should be done in collaboration with the data importer. Data exporters should ensure the assessment includes the data transfer practices of all parties involved (e.g., controllers, processors, and sub-processors).
In this review, there are several factors that must be considered pursuant to the Recommendations, including the purpose of the data transfer/processing, the categories of personal data transferred, whether data is subject to “onward transfers” from the importer country to another third country, and the state of the third country or region’s rule of law. Special attention should be paid to any relevant laws in third countries that require disclosure of personal data to public authorities “for instance for criminal law enforcement, regulatory supervision and national security purposes.” The assessment should not only include what access is given to the personal data but also what protections the individual may have to prevent such public authority access to their personal data, e.g., do they have recourse through courts or similar venues to prevent the public authority’s access to their personal data.
If the legislation or practice of the third country does not meet the essentially equivalent requirement, then the data importer cannot meet its obligations under the transfer tool and supplementary measures will be needed for the transfer to occur.
STEP 4: Identify and Adopt Supplementary Measures.
If under Step 3 the transfer tool is not effective, then supplemental measures must be adopted. The supplemental measures must be designed to ensure that the “essentially equivalent” standard is met, and this must be done on a case-by-case basis. The Recommendations identify three general categories of supplemental measures that may be used alone or in combination to meet the essentially equivalent standard: contractual, technical or organizational.
Importantly for data transfers to the U.S., implementing contractual and organizational measures will not be enough to meet the essentially equivalent standard, since these measures alone cannot prevent access by U.S. authorities to the personal data being transferred. Instead, it may be that the only true means to prevent such access is through technical measures.
The Recommendations emphasize that, for supplementary measures to be effective in the meaning of Schrems II, the exporter must implement supplementary measures that address the specific deficiencies identified in the exporter’s assessment of the third country’s legal situation.4 The Recommendations provide a non-exhaustive list of examples of technical, contractual and organizational supplemental measures that can be considered.
A. Technical Measures. These measures are generally technology-based solutions. Technical measures are identified by the Recommendations as the best method to prevent third countries’ public authorities from gaining unfettered access to personal data.
Annex 2 to the Recommendations outlines seven use cases, each of which contains additional instructions necessary to ensure that technical measures provide “an effective supplementary measure” as long as certain conditions thereunder are satisfied. These use cases include:
i. Use of a hosting service provider in a third country to store personal data;
ii. Transfer of pseudonymized data;5
iii. Encrypted data merely transiting third countries;
iv. Transfers of personal data to a data importer in a third country specifically protected by that country’s law;6
v. Split or multi-party processing;
vi. Transfer to a cloud services provider or other processor in a third country who processes the data according to the exporter’s instructions; and
vii. Remote data access for business partners or entities for business purposes.
Each of the above examples provides a roadmap that can be used should your data transfer flow fall into one of the enumerated scenarios. If not, in most cases it appears that using encryption or pseudonymization that fits within the scope of what the Recommendations require, where these methods are available, should be an effective supplemental technical measure. Companies that act as data importers should discuss Annex 2 and its requirements with either internal or external IT support to determine what may be the best or most cost-effective solution for their systems.
B. Contractual Measures. The Recommendations outline several forms of contractual measures that must be implemented even if appropriate technical measures are implemented. These include (i) Contractual obligations to implement the specific technical measures agreed upon and the timing of such implementation; and (ii) Contractually-imposed transparency obligations on the data importer to use best efforts to report on access to personal data by public authorities. There are other categories of contractual measures outlined in Annex 2 that may be required and that should be assessed in each case.
C. Organizational Measures. These are primarily internal policies and procedures that help the data importer comply with its contractual obligations, to support compliance with the technical measures implemented, or to ensure that it can show accountability for the measures being implemented. Each data exporter will need to ensure that it has effective policies in place to evaluate the requirements of the Recommendations and to ensure appropriate implementation of those measures.
STEP 5: Formal Procedural Steps.
Once an exporter identifies the supplementary measure or combination of measures required to meet the “essentially equivalent” standard, there are different procedural steps to implement those measure(s) depending on the transfer tool being used. Focusing on the two most likely tools being used:
- Standard Data Protection Clauses. Supplementary measures cannot restrict any rights or obligations found in the SCCs, and the supplementary measures will need to be evaluated to ensure this does not occur. If you document your supplementary measures through additional clauses added to the SCCs, you must seek Supervisory Authority approval of this revised document, since, technically, you are no longer relying on the SCCs as adopted. If additional clauses are contained in a separate document from the SCCs, you do not need to seek approval from a Supervisory Authority, assuming the supplementary measures do not restrict any rights or obligations found in the SCCs.
- Binding Corporate Rules. Under GDPR Art. 46(2), BCRs are a permissible transfer tool which may be used to help meet the “essentially equivalent” standard. As with the concerns about contractual and organizational measures stated above, the Schrems II judgment clearly provides that, because third countries’ public authorities are not bound by BCRs, BCRs alone generally cannot provide an adequate level of protection. To that end, the guidance also states that the “precise impact of the Schrems II judgment on BCRs is still under discussion” and that “[t]he EDPB will provide more details as soon as possible as to whether any additional commitments may need to be included in the BCRs.”7 Notwithstanding this forthcoming recommendation, the CJEU in Schrems II made clear that “it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in [a] third country.”8 As a result, it is also an importer’s and/or exporter’s obligation to adopt supplementary measures to meet the required standard if the third country does not provide an adequate level of protection.
STEP 6: Re-Evaluation at Appropriate Intervals.
Under GDPR Art. 5(2)’s accountability principle, a data exporter, in collaboration with its data importers, has a continuing obligation to ensure an adequate level of protection for the data it collects. This continuing obligation primarily consists of monitoring third countries’ developing and evolving data privacy laws and renewing assessments of data privacy controls, including decisions concerning supplementary measures, at regular intervals. The EDPB strongly encourages parties to adequately comply with the continuing accountability obligation.
The guidelines in Recommendations 01/2020 are the first since the Schrems II decision and are immediately effective as of November 11, 2020. However, the EDPB is accepting public comments on the Recommendations until November 30, 2020. Although the Recommendations are far from perfect, the “step-by-step” analysis of the requirements parties must meet in order to comply with GDPR provides much-needed clarity on cross-border data transfers. Entities subject to GDPR should begin making the necessary changes to their data transfer workflows and related contractual obligations as soon as possible.
1 CJEU judgment on July 16, 2020 (C-311/18), Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems, (hereinafter Schrems II).
2 On September 8, 2020, the Swiss Federal Data Protection and Information Commissioner (FDPIC) invalidated the Swiss-U.S. Privacy Shield. Although the FDPIC independently determined that U.S. law fails to provide an adequate level of protection for personal data transferred from Switzerland to the United States, it followed the reasoning of the CJEU’s Schrems II decision. See Switz. Fed. Data Protection and Info. Comm’r, Policy Paper on the Transfer of Personal Data to the USA and Other Countries Lacking an Adequate Level of Data Protection Within the Meaning of Art. 6 Para. 1 Swiss Federal Act on Data Protection (Sept. 8, 2020), https://www.newsd.admin.ch/newsd/message/attachments/62791.pdf.
3 Eur. Data Protection Board, Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data (R01/2020) (Nov. 11, 2020), Para. 29, https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf [hereinafter EDPB R01/2020].
4 Id. at para. 70.
5 Pseudonymization must meet certain required criteria under GDPR.
6 The definition of “protected recipients” will vary by country. In the United States for example, the importer of data transferred “for the purpose to jointly provide medical treatment for a patient, or legal services to a client” will qualify as a “protected recipient.”
7 Id. at para. 59.
8 Id. at para. 60.