Per the European Data Protection Board’s (EDPB) draft recommendations on data transfers following the Schrems II decision, data exporters and importers must work together to determine whether the importer country’s law ensures a level of protection for personal data essentially equivalent to that in the EU. If they conclude that it does not, they must assess whether they can implement supplementary measures to meet this standard. The draft recommendations include two parts: an overview of the assessment process with examples of supplementary measures, and specific guidance on how to assess the surveillance laws of non-EEA countries. The EDPB is accepting public comments on the drafts through November 30.
Draft Recommendations on Supplementary Measures
The first set of guidance outlines specific steps for exporters to determine whether they need supplementary measures for data transfers. It also includes examples of such measures and the conditions that must be satisfied for them to be effective. The recommended steps are:
1 – Data Mapping: Data exporters must map all transfers to third countries, taking into account onward transfers that the importer may make, such as to subprocessors. They must also verify that the data transferred is adequate, relevant, and limited to what is necessary in relation to the purposes of the transfer.
2 – Identify the Appropriate Transfer Mechanism: Data exporters should identify the appropriate transfer mechanism, which may include adequacy decisions, Article 46 GDPR transfer tools (including the Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs)), or derogations under GDPR Article 49. However, the EDPB emphasized that Article 49 derogations should be used only for occasional, non-repetitive transfers, whereas SCCs and BCRs are more appropriate for regular, repetitive transfers.
While waiting for the final EDPB guidance to be issued, companies, especially those that engage in a significant number of regular and ongoing data transfers, should begin mapping those transfers, as well as the associated data and transfer tools.
3 – Assess Importer Country’s Law: When relying on SCCs or BCRs, data exporters should assess whether applicable laws in the importer’s country could impede the effectiveness of the transfer tool selected. If a transfer could result in access to data by public authorities in the importer’s country, the EDPB’s second set of guidelines, discussed below, provides specific standards for determining whether the powers granted to those public authorities are consistent with EU data protection law.
Contrary to the hope of many, the EDPB does not appear to permit a risk-based assessment approach. In fact, the draft recommendations explicitly state that exporters should not rely on “subjective factors such as the likelihood of public authorities’ access” to data. Instead, companies must rely on “objective factors” such as national case law, intergovernmental organization resolutions, or other evidence that an importer country’s authorities will seek the importer’s data without its knowledge, whether through direct interception of the data in transit or from the importer itself.
4 – Consider Supplementary Measures: If the assessment under step 3 reveals that the third country’s laws are not essentially equivalent to those in the EU (which will be the case for transfers to all U.S. entities eligible to receive disclosure orders under Section 702 of the Foreign Intelligence Surveillance Act (FISA)), supplementary measures will be required. Such measures may be contractual, technical, and/or organizational, and will depend on several factors, including the type of data transferred and the possibility of onward transfers. Annex 2 of the draft recommendations sets out detailed examples of supplementary measures, with an emphasis on technical measures such as encryption and pseudonymization.
Unfortunately, the proposed supplementary measures are unlikely to resolve concerns regarding all transfers to countries like the U.S., as in many cases the guidance prescribes stringent technical measures that reduce or eliminate the ability of the importer to use the data. And, despite proposing a combination of contractual, organizational, and technical measures, the recommendations state that, generally, only technical measures will suffice when the importer’s government has broad rights to access data.
5 – Take Necessary Procedural Steps: Data exporters should take any procedural steps they consider appropriate to implement effective supplementary measures. For example, seeking authorization from an EU data protection authority may be required if there is a need to modify the SCCs.
6 – Continual Review: Data exporters and importers should periodically re-evaluate the level of protection afforded to their data transfers, and carefully monitor legal developments.
Recommendations on European Essential Guarantees
The second set of guidance identifies four European Essential Guarantees (EEGs) designed to ensure that any government access to transferred data does not violate EU law. The EEGs are:
- Processing should be based on clear, precise, and accessible rules;
- Measures adopted must be necessary and proportionate with regard to the legitimate objectives pursued, and the necessity and proportionality of such measures must be demonstrated;
- An independent oversight mechanism must be in place; and
- Individuals whose data is processed must have access to effective remedies.
In other words, as part of the assessment process discussed in the first set of guidelines, exporters must conclude that any laws allowing government access to transferred data are consistent with these EEGs.
Ultimately, the draft recommendations add more burden and risk to the data transfer process. To comply with the law as the EDPB understands it, exporters will need to conduct well-documented and potentially lengthy assessments of other countries’ laws and surveillance activities. Given that many exporters will consider this an impossible task, we believe it is likely that industry groups and similar organizations will publish model assessments of the laws in particular countries, which exporters may then adopt rather than performing these assessments entirely on their own.