Schrems II: The next chapter – EDPB issues recommendations on supplementary measures for transfers of personal data to the US, European essential guarantees for surveillance measures

Laptop code

Data Protection, Privacy and Security Alert

By:

The Schrems II decision of the Court of Justice of the European Union (CJEU), rendered on July 16, 2020, invalidated the EU-US Privacy Shield and created new obligations, notably for businesses transferring personal data pursuant to standard contractual clauses (SCC). On November 10, 2020, the European Data Protection Board (EDPB) issued recommendations on measures that businesses can adopt to supplement transfer tools, such as SCC, in order to ensure compliance with EU data protection law.

Importantly, these recommendations have been published as a draft for public consultation; comments may be submitted through November 30, 2020.

The EDPB has also issued recommendations regarding the essential guarantees afforded by EU law in respect of surveillance measures, to serve as a guide for assessing the laws of countries where personal data is transferred.

In Schrems II, the CJEU affirmed that the protections of EU law for personal data must follow the data when transferred outside the EU; the protection provided in the destination country must be essentially equivalent to EU laws. The CJEU specifically tasked exporters with assessing transfers case by case, and putting into place supplementary measures whenever necessary to ensure essential equivalency.

More information on the Schrems II decision can be found in our July alert

Recommendations for supplementary measures

In its recommendations, the EDPB has laid out a six-step process to help data exporters conduct assessments of whether the rights and protections in place for transferred data are essentially equivalent to those in the EU.

The Annex to the recommendations provides specific use cases of supplementary measures that may be adopted where the destination country does not provide sufficient guarantees; those measures are variously technical, organizational or contractual in nature.

Assessments

The recommendations provide a six-step process to assess transfers of personal data outside the EU: 

  • Step 1:  Identify and map the data transfers, including any onward transfers. The purpose of this step is to understand data flows and specifically the destination countries. The EDPB reminds us that remote access and use of cloud storage solutions located outside the EU are both considered a transfer.
  • Step 2: Identify the mechanism relied upon for transferring data – for example, GDPR Article 45 (adequacy decision issued by the European Commission), GDPR Article 46 (appropriate safeguards such as SCCs, or binding corporate rules) or GDPR Article 49 (derogations). The recommendations reiterate that the derogations can only be relied on in limited circumstances.

    Transfers that rely on GDPR Article 46 must be further assessed, starting with Step 3.
  • Step 3: Assess whether the circumstances of the transfer ensure a level of protection guaranteed by EU law. This involves a substantive legal assessment to understand if the law or practice of the destination country impinges on the effectiveness of the appropriate safeguards of the transfer. Part of this assessment will require specific consideration of whether the European Essential Guarantees (the EEGs, set out in the companion EDPB recommendations) are satisfied. In conducting this assessment, it is relevant to look at aspects of the transfer that may have a bearing on how local law in the destination country treats the data:
    • the purposes for which the data are transferred and processed
    • the types of entities involved in the processing
    • the sector in which the transfer occurs
    • the categories of personal data transferred (for example, whether certain data categories may fall within the scope of specific legislation in the destination country)
    • whether the data will be stored in the destination country or whether there is only remote access to data stored within the EU/EEA
    • the format of the data to be transferred (such as in plain text, pseudonymized, or encrypted) and
    • the possibility that the data may be subject to onward transfers from the destination country to another country.
    If the assessment at Step 3 concludes that the laws of the destination country do not provide essentially equivalent protection, then it is necessary to move to Step 4 and consider the impact of supplementary measures.
  • Step 4: Analyze and adopt supplementary measures (technical, contractual and organizational). The recommendations in Annex 2 include a non-exhaustive list of measures that may be adopted to provide essentially equivalent protection. If appropriate measures cannot be adopted, the transfer should not proceed without notification to the competent supervisory authority.
  • Step 5: Carry out any further procedural steps if needed to proceed with the transfer, such as authorization from a supervisory authority if ad hoc transfer terms are used.
  • Step 6: Continue to monitor transfers to ensure effective protections remain in place, including reevaluation of the level of protection afforded to personal data that is transferred, which may impact the initial assessment.

Supplementary measures

Annex 2 to the recommendations contains a non-exhaustive list of example supplementary measures that may be sufficient to ensure essential equivalency, grouped as technical, contractual or organizational safeguards.

The EDPB provides observations on the adequacy of each of the measures, noting that contractual and organizational measures alone are unlikely to be sufficient to overcome deficiencies in the destination country. This position has potentially significant practical implications for businesses that routinely transfer data without supplementary technical measures such as encryption or pseudonymization.

Among the supplementary measures discussed in Annex 2 are:

  • Technical measures:
    • Encryption
    • Pseudonymization
    • Recipients that are exempt from government access
    • Split or multi-party processing, meaning the data importer receives personal data that it cannot reconstruct or attribute to a specific data subject
  • Contractual measures:
    • Obligations on the data importer to implement specific technical measures
    • Additional transparency obligations on the data importer, such as proactive disclosure of law enforcement requests or government access to data
    • Obligations on the data importer to take specific actions, such as review and challenge government access requests, or inform the relevant public authority of a request’s incompatibility with SCCs or BCRs
    • Empowering data subjects to exercise rights, such as consent
  • Organizational measures:
    • Policies and procedures regulating internal data transfers
    • Transparency and accountability measures, such as publication of transparency reports
    • Organizational methods and data minimization, such as rules on data access and confidentiality
    • Adoption of standards and best practice, such as codes of conduct or ISO standards

EEG recommendations

The EEG recommendations supplement the recommendations on supplementary measures and provide specific guidance on how to assess in Step 3 whether a destination country’s surveillance laws that interfere with the right to privacy (including government access to data) are justifiable in accordance with EU law.

However, the recommendations underscore that the EEGs are only part of the transfer assessment; the EEGs do not define all the elements that must be considered when determining whether the destination country affords adequate protection.

The recommendations establish four EEGs that must be considered as part of the overall assessment:

  • Processing should be based on clear, precise and accessible rules
  • Necessity and proportionality with regards to the legitimate objectives pursued by the laws need to be demonstrated
  • Existence of an independent oversight mechanism
  • Effective remedies available to the individual

What next?

The recommendations on the supplementary measures are subject to public consultation (ending November 30, 2020), and, given their far-ranging implications, should draw a significant volume of comment during the consultation period.

The recommendations also make clear that the EDPB is still discussing the impact of Schrems II on other Article 46 safeguards, such as binding corporate rules and ad hoc contracts, and we can expect further guidance. 

But fundamentally, if contractual and/or organizational measures alone are unlikely to be sufficient to overcome deficiencies in the EEGs, the practical implications of the recommendations will be challenging for transfers to a destination country, such as the US, which do not satisfy the EEGs. The potential for significant impacts on international data transfers, particularly those between Europe and the US, which drive over a trillion dollars in trade every year, cannot be understated.

Learn more about this development, and about providing comments during the public consultation period, by contacting PrivacyGroup@dlapiper.com.