This week saw two major long-awaited updates from Europe. On 10 November 2020, the European Data Protection Board (EDPB) adopted the first version of its Recommendations on how to deal with data transfers following the Schrems-II judgment of the Court of Justice of the European Union (CJEU), which reviewed certain data transfer mechanisms under the General Data Protection Regulation (GDPR). At the same time, the EDPB adopted an updated version of its earlier guidelines on the European Essential Guarantees: criteria that a third country’s(1) legislation needs to meet in order to justify an interference with the right to privacy and data protection. Two days later, the European Commission released the draft of new standard contractual clauses for consultation.
EDPB Action Plan
The EDPB starts their Recommendations with a process description: what should organizations transferring personal data do following the Schrems-II judgment? In principle, all steps are directed at the data exporter – the organization established in the European Economic Area (EEA) transferring personal data to a third country. However, on multiple occasions the EDPB suggests that the data exporter and the data importer – the recipient in the third country – work closely together in completing the assessments.
The steps to take are as follows:
- Know your data transfers: review all business processes for any potential cross-border data transfers and onward transfers. This information should be included in the GDPR’s Article 30 processing activities register, but may need to be updated.
- Transfer mechanisms: Identify the appropriate data transfer mechanism under Chapter V GDPR. For data transfers to countries with an adequacy decision, nothing changes for the time being – data transfers can continue without supplementary measures. However, the forthcoming review of existing adequacy decisions will need to take into account the higher assessment threshold. The Recommendations are mainly relevant for data transfers using appropriate safeguards, from the standard contractual clauses (SCCs) and ad hoc contracts, to data transfers on the basis of Binding Corporate Rules (BCRs), certifications and/or codes of conduct. All of these have their foundation in a contractual or corporate policy arrangement, which does not relate to or impact the legislation in a third country. Additionally, the Recommendations reinforce that derogations set forth in Article 49 GDPR, such as consent, may be relied on for occasional and non-repetitive transfers.
- If appropriate safeguards are used, identify and document which of the transfer mechanisms is the best option in your situation in light of all circumstances of the data transfer. This includes the nature of the data, the types of data subjects involved, the type of transfer (including who is making it), the type of recipient (data importer), and the country of destination.
- Where relevant, identify and adopt supplementary measures that can ensure your data transfers meet the requirement of an essentially equivalent level of data protection to that in the EEA. This assessment should be undertaken with due diligence, properly documented, and completed on a case-by-case basis. The EDPB emphasizes that a risk-based approach is not sufficient here: organizations may not rely on subjective factors, such as “the likelihood of public authorities’ access” to the data in a manner not in line with EU standards.
- Depending on your approach to data transfer mechanisms, such as using ad hoc contract clauses or BCRs, your supplementary measures may need to be formalized in a procedure before the supervisory authority. There is no need, nor an explicit possibility, to consult your supervisory authority when using the SCCs, as long as the supplementary measures do not contradict them.
- Finally, as part of the general accountability obligations, the supplementary measures for data transfers, as well as the data transfers themselves, need to be reviewed and updated on a regular basis.
- Should the conclusion be that no essentially equivalent level of data protection can be offered when transferring the personal data, the data transfer cannot start or, if already started, cannot continue.
Third Country Assessments
The decisive criterion on whether or not to implement supplementary measures is the legislation in the country or countries to which the personal data are transferred. At all times, the data exporter needs to ensure that the EU level of data protection is not lowered – it must remain essentially equivalent. There are multiple reasons why a third country might not be able to offer that level of protection, for example a lack of data protection laws or effective oversight, or, as was the issue before the CJEU, extensive government access legislation. In all situations, the EDPB explains, government access must “not go beyond what is necessary and proportionate in a democratic society.”
This requirement is not new in the Recommendations, but can be found in the Charter of Fundamental Rights of the European Union(2) and in decades of case law. In short, it means that government access to personal data could be justified, but only under very strict conditions linked to the purpose, the duration and the scope of the access. This could, for example, be the case when an organization is confronted with a government warrant to hand over a specific, limited data set in the course of an ongoing police investigation. [For more on this issue please also see our blog on the Privacy International and La Quadrature du Net cases.]
The data exporter will need to assess whether its data transfer would indeed be subject to any laws that may lead to government access beyond what is necessary in a democratic society. To support this, after the first Schrems case the EDPB developed a series of guarantees that need to be in place, which have now been updated in the light of recent developments. The guarantees are not all that the data exporter will need to review, but they give a firm ground rule when assessing third country laws. The four guarantees are:
- Processing should be based on clear, precise and accessible rules;
- Necessity and proportionality with regards to the legitimate objectives pursued need to be demonstrated;
- An independent oversight mechanism needs to exist; and
- Effective remedies need to be available to the individual.
When it comes to the supplementary measures organizations could put in place to address any shortcomings in the data transfer contract, the EDPB makes a distinction between technical, contractual and organisational measures, which has been suggested by others before as well. The annex in which the measures are listed is not considered to be exhaustive – other options are available, but will in any case always need to be properly documented.
The technical measures described are all scenario-based. For some scenarios, the EDPB confirms that – as long as all the listed conditions are met – it is indeed possible to find effective supplementary measures that allow the data transfer to continue. This is for example the case for data storage for backup purposes that does not require access in the clear, as long as the data are fully and effectively encrypted, or for the transfer of pseudonymised research data, as long as the key to re-identify the data remains in Europe. However, for two of the most commonly used business processes, the use of non-EEA cloud service providers and remote access to data for business purposes (including employee data), the EDPB at this time cannot envisage any technical safeguards that would allow the data transfers to continue.
For the contractual and organisational measures, the EDPB’s list includes transparency requirements, for example the publication of transparency reports, the notification of data exporters and data subjects of received access requests, or the use of so-called warrant canaries, where allowed. A warrant canary is a regularly issued, cryptographically signed message informing the data exporter that no government requests have been received; if the message stops being sent, this could indicate that a request has been received. Commitments to challenge any requests received, and to establish a team based in the EEA to analyse such requests, could also form part of the contractual commitments.
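The warrant canary described above depends on the data exporter actually checking two things on every cycle: that the latest statement is authentic, and that it is current. The following is an added illustration of that exporter-side check; it is not code from the original post, the EDPB or the Commission. It assumes a weekly cadence, a fixed date, and a constructed sample statement, and uses a shared-secret HMAC in place of the public-key signature a real canary would carry, so that it runs with the Python standard library only. A missing, stale, expired or tampered canary is reported as a signal to investigate, not as proof that a request was received.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

# Constructed values for this illustration only.
CADENCE_DAYS = 7                       # assumption: importer promises a fresh canary every 7 days
SECRET = b"constructed-demo-secret"    # stand-in for the importer's signing key (HMAC instead of a signature)
TODAY = date(2020, 11, 16)             # fixed "now" so the example is reproducible


def _payload(body: dict) -> bytes:
    """Canonical bytes that are authenticated: fixed fields, sorted keys, no whitespace."""
    fields = {k: body[k] for k in ("statement", "issued", "expires")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_canary(secret: bytes, statement: str, issued: date, expires: date) -> dict:
    """Importer side: issue a dated statement and attach its authentication tag."""
    body = {"statement": statement, "issued": issued.isoformat(), "expires": expires.isoformat()}
    body["sig"] = hmac.new(secret, _payload(body), hashlib.sha256).hexdigest()
    return body


def check_canary(secret: bytes, canary, today: date) -> tuple:
    """Exporter side: classify the most recently published canary.

    Returns (status, reason); status is one of
    'missing', 'tampered', 'expired', 'stale', 'ok'.
    Authenticity is checked before any date field is trusted.
    """
    if canary is None:
        return "missing", "no canary published; silence may mean a request was received"
    try:
        expected = hmac.new(secret, _payload(canary), hashlib.sha256).hexdigest()
    except KeyError as missing_field:
        return "tampered", f"required field {missing_field} missing"
    if not hmac.compare_digest(expected, str(canary.get("sig", ""))):
        return "tampered", "authentication tag does not verify"
    issued = date.fromisoformat(canary["issued"])
    expires = date.fromisoformat(canary["expires"])
    if today > expires:
        return "expired", f"canary expired on {expires}"
    age = (today - issued).days
    if age > CADENCE_DAYS:
        return "stale", f"last canary issued {age} days ago, cadence is {CADENCE_DAYS} days"
    return "ok", f"valid canary issued {issued}, expires {expires}"


def demo() -> dict:
    """Run the check over constructed canaries covering each outcome."""
    stmt = "No government requests for access to personal data were received in this period."
    fresh = sign_canary(SECRET, stmt, TODAY - timedelta(days=3), TODAY + timedelta(days=4))
    stale = sign_canary(SECRET, stmt, TODAY - timedelta(days=15), TODAY + timedelta(days=30))
    expired = sign_canary(SECRET, stmt, TODAY - timedelta(days=15), TODAY - timedelta(days=6))
    tampered = dict(fresh, statement="A request was received.")   # body altered, tag unchanged
    results = {
        "fresh": check_canary(SECRET, fresh, TODAY),
        "stale": check_canary(SECRET, stale, TODAY),
        "expired": check_canary(SECRET, expired, TODAY),
        "tampered": check_canary(SECRET, tampered, TODAY),
        "missing": check_canary(SECRET, None, TODAY),
    }
    return {name: status for name, (status, _reason) in results.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:9s} -> {status}")
```

The order of checks matters: the tag is verified before the dates are read, so an attacker who can alter the published file cannot make an old canary look current; and the freshness test is separate from the expiry field, since a canary that is still nominally valid but has not been re-issued on schedule is exactly the silence the mechanism is meant to surface.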
The new Standard Contractual Clauses
More detail on the expectations for contractual safeguards going forward can be found in the consultation version of the new GDPR-aligned SCCs. The European Commission has not only included a series of clauses that link back directly to the Schrems-II judgment, but has also listened to frequent criticism from users of the SCCs that they were not flexible enough. The draft takes a modular approach, with some clauses applying in all situations and others only applying in one or more of four scenarios:
- Controller to Controller;
- Controller to Processor;
- Processor to Processor; and
- Processor to Controller.
These four scenarios provide better coverage of industry needs, while remaining closely aligned in both language and requirements. A notable difference from the existing clauses is the possibility for multiple data exporters and/or importers to join a single set of SCCs. In addition, the SCCs now include extensive obligations to assess the legislation of the country or countries of destination, including the need for all signatories to warrant that they have no reason to believe the laws in the third country would pose any challenge to the level of data protection provided. Data importers will need to agree to notify data exporters of any government access request, to the extent possible under their local laws, and to publish regular transparency reports. The Commission underscores that supplementary measures to ensure personal data receives an essentially equivalent level of protection may still be required; this depends on the outcome of the third country legislation assessment.
The EDPB has made the draft Recommendations on the supplementary measures subject to its consultation procedure. Until 30 November 2020, anyone can provide feedback on the draft paper. Once all responses have been analysed, a final version of the Recommendations will be prepared and published, likely at the start of 2021. In the meantime, the draft Recommendations do take full effect. Given that they consist of a common interpretation of legislation already in force, as well as recent case law, organizations will need to start working on compliance with the novel approach to data transfers. The EDPB has also made clear there is no enforcement grace period following the Schrems-II decision, nor following the adoption of these Recommendations. Non-compliance could therefore lead to an investigation by a data protection authority (DPA), a forced suspension of data transfers and ultimately a fine.
The new draft SCCs are open for consultation until 10 December 2020. The final versions should be adopted in the following weeks. Once that is done, organizations will have one year to update their contracts with the new SCCs, in order to ensure their contract-based data transfers continue to be legal.
(1) A third country is a country outside the European Economic Area. The European Economic Area comprises the countries of the European Union plus Iceland, Liechtenstein and Norway.
(2) Article 52. Charter of Fundamental Rights of the European Union. OJ C 326, 26.10.2012, p. 391–407.