EDPB's final Recommendations on Supplementary Measures confirm a subjective approach to assessing personal data transfer risks

Nearly a year after the decision of the Court of Justice of the European Union (CJEU) in the Schrems II case, on June 21, 2021, the European Data Protection Board (EDPB) published its final Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

By explicitly acknowledging the validity of assessing the risk in practice of transferring data from the EEA to the US, these long-awaited Recommendations will come (almost) as a relief for many US data importers struggling to comply with Schrems II. For other US importers, the Recommendations will further complicate GDPR compliance.

In all cases, US data importers should expect to devote further time and resources to documenting their assessments of the risks posed by transferring to the US personal data that is subject to GDPR.

Background

In the Schrems II case, the CJEU specifically analyzed Section 702 of the US Foreign Intelligence Surveillance Act (FISA) and determined that the surveillance programs operated thereunder do not afford required minimum safeguards for individuals under the EU principle of proportionality, or provide remedies for improper surveillance of sufficient nature and scope. The CJEU invalidated the EU-US Privacy Shield on these grounds. The CJEU also examined the validity of the EU Standard Contractual Clauses (SCCs) for transfers.

Although the CJEU upheld the validity of SCCs, the decision stated that data exporters and importers must assess whether there is adequate protection of the transferred data in light of the laws of the destination country, and determine if it may be necessary to supplement the SCCs with additional safeguards.

In Draft Recommendations dated November 10, 2020, the EDPB issued a roadmap for conducting case-by-case assessments of transfers and adopting supplementary measures as additional safeguards. The Draft Recommendations explicitly excluded the possibility for data exporters and importers, when assessing the protection of transferred data, to “rely on subjective [factors] such as the likelihood of public authorities’ access to [personal] data.”

Given that the CJEU had determined that FISA Section 702 does not comport with essential guarantees under EU law, the Draft Recommendations would have required all transfers to the US to be made only with the protection of supplementary measures. However, the EDPB took an extremely narrow view of which measures could be deemed adequate, with the result that a significant number of US data importers found themselves unable to comply with the Draft Recommendations within any reasonable time frame, if ever.

In December 2020, the European Commission took a different approach than the EDPB; its draft “new” SCCs, intended to align with GDPR and with the Schrems II case law, permitted a subjective assessment of the risks to transferred data. The Commission’s final Implementing Decision on standard contractual clauses for the transfer of personal data to third countries, published on June 7, 2021, reaffirmed this subjective approach to transfer assessments.

The Recommendations permit subjective assessments of transfer risks, and contemplate transfers to the US without supplementary measures…

As presaged by the European Commission’s new SCC, and in a significant departure from the Draft Recommendations, the EDPB has admitted the possibility of taking into account subjective factors when assessing the risks of transferring personal data to the US. Specifically, the Recommendations contemplate that when transferred data, or the data importer, fall or might fall within the scope of legislation (like FISA Section 702) that does not satisfy EU standards – referred to throughout the Recommendations as ‘problematic legislation’ – transfers may proceed without supplementary measures where the parties are able to demonstrate that there is no reason to believe that the legislation will be interpreted and/or applied in practice to the data and/or importer.

…but the level of accountability is extremely high

The Recommendations emphasize numerous requirements when assessing risks of transfer, including:

• taking account of all actors in the ecosystem, including all onward transfers (which, in the US, often leads to an electronic communication service (ECS) or a remote computing service (RCS) that is specifically subject to FISA Section 702)
  
• focusing on the specific data that is transferred, the specific circumstances of transfer, and the applicable law and practice; notably, the Recommendations make clear that actual practice may undermine the protections afforded by the law of the destination country, or it may demonstrate that the law is not applied to the types of data transferred
• referring to the standards set forth by the so-called European essential guarantees (explained in EDPB Recommendations dated November 10, 2020
• relying on sources of information that are relevant, objective, reliable, verifiable and publicly available or otherwise assessable.

It is interesting to note that the new SCCs set out yet more, and somewhat different, requirements for assessing documenting transfer risks, which come in addition to the Recommendations.

FISA on my mind

The Recommendations include an expanded and much more detailed example of how to assess FISA Section 702 risk for data transferred to the US.[1] Some aspects of the example will be helpful to US data importers; for one, the example reiterates a focus on the application in practice of FISA Section 702 to a particular transfer, and lists reliable sources of information for determining Section 702’s application in practice, eg, Rules of Procedure of the Foreign Intelligence Surveillance Court (FISC), declassified FISC opinions and decisions, and case law of US courts among others.

The example also contemplates documenting answers to questions such as: whether publicly available information shows that there is a legal prohibition on informing the exporter about a specific request for access to transferred data i.e., an anti-tipping off provision (to which the answer will inevitably be “yes”); whether there are wide restrictions on providing general information about requests for access to transferred data (arguably “no”); and whether there is “an absence of requests received” [sic].

The Recommendations are not clear as to the implications of anti-tipping off requirements, further stating that the “documented practical experience of the importer with relevant prior instances of requests for access received from public authorities” may be taken into account only if the legal framework of the third country – here, FISA Section 702 – “does not prohibit the importer to provide  information on requests for disclosure from public authorities or on the absence of such requests.” .

The Recommendations also note that the absence of prior instances of requests received by the importer can never be considered, by itself, as a decisive factor permitting a transfer to proceed without supplementary measures, thus encouraging data importers and exporters to scrutinize a broader range of factors when assessing transfer risk.

The particular case of data in transit

Although the encryption of data in transit is ubiquitous, the Recommendations make clear that even when ‘problematic legislation’ will not apply in practice, supplementary measures must be applied to personal data in transmission if data may be accessed at the moment of transfer or even in the absence of the data importer’s intervention. For US data importers, this will certainly be the case by reason of the interception of telephone and Internet traffic authorized under FISA Section 702.

Other notable takeaways

1. In addition to listing sources for analyzing FISA Section 702’s application in practice, the Recommendations include a long list of other possible sources to assess the destination country’s legislation, in order of preference. This ranges from “case-law of the Court of Justice of the European Union” to “internal statements or records of the importer expressly indicating that no access requests were received for a sufficiently long period; and with a preference for statements and records engaging the liability of the importer and/or issued by internal positions with some autonomy such as internal auditors, DPOs, etc.”
   
   
2. The supplementary measures themselves are for the most part unchanged, and for US importers (particularly those that have already implemented such measures), the priority now should be fully documenting assessments of transfer risks.
   
   
3. Unlike the Draft Recommendations, the Recommendations no longer explicitly state that GDPR Article 49 derogations (such as relying on explicit consent, or contract performance, to transfer data to the US) should be limited to “occasional and non-repetitive transfers”. However, the EDPB reiterates that the Article 49 derogations cannot become “the rule” in practice, but need to be restricted to specific situations. 
   
   
4. The Recommendations confirm that additional commitments, which may need to be included in BCRs as a result of the Schrems II ruling, will be forthcoming in updated referentials for BCRs. Multinationals relying on BCRs as transfer tools should prepare to align their existing and future BCRs to the future referentials.

Looking ahead

The Recommendations’ acceptance of a subjective approach to assessments is a significant and welcome development for many US data importers. The Recommendations’ detailed guidance on the required level of assessment, information sources and worked (albeit high-level) example of FISA Section 702’s impact on transfers will be useful to businesses and privacy practitioners as they conduct or update their transfer assessments. But the scope and detail of those assessments, and in particular the documentation necessary to justify a US importer’s decision not to implement supplementary measures, will require a sustained effort. US importers in higher-risk sectors or handling more sensitive data should expect an additional round of due diligence by their EEA customers, partners and affiliates.

Looking beyond the US, the requirement to consider not only the legislation but the practices in the destination country will be difficult to satisfy in some circumstances, particularly for jurisdictions with less mature legal systems, and may lead to some difficult decision-making ahead for EEA data exporters.

Learn more about the implications of the EDPB Recommendations for your business by contacting PrivacyGroup@dlapiper.com.