Until this summer, the European Economic Area (EEA) had taken a simple three-pronged approach to allowing personal data to be transferred to (or accessed from) countries outside the EEA, called third countries: adequacy decisions, the use of appropriate safeguards, or derogations.
- Adequacy decisions – a decision by the European Commission that the safeguards in a third country are essentially equivalent to those in the EEA. Such a decision requires an extensive assessment of that country's legislation, consideration by the European Data Protection Board (EDPB) and national regulators, negotiations on possible additional safeguards, and eventually a determination that an essentially equivalent level of data protection is offered. Once an adequacy decision is made, data can flow freely without further formalities. Only twelve countries currently have an adequacy determination.
- Transfers on the basis of appropriate safeguards, generally captured in contracts or other formal documents. These include standard contractual clauses (SCCs), ad hoc contractual agreements subject to approval by the supervisory authority, binding corporate rules (BCRs), certifications and codes of conduct.
- If neither of the above applies, personal data may be transferred under specific derogations, including consent. The use of derogations is bound by strict rules and cannot cover massive, continuous or structural data transfers.
The three tiers implied a trade-off: the lower the administrative burden on the data controller for starting a transfer, the higher the threshold of the initial assessment. In all cases, the level of protection of natural persons guaranteed by the General Data Protection Regulation (GDPR) shall not be undermined (Article 44 GDPR).
In its Schrems II decision in July, the Court of Justice of the European Union changed the dynamic between the three options by requiring that appropriate safeguards, too, result in a level of data protection essentially equivalent to that in the EEA.
The Court reasons that without an essentially equivalent level of protection, the guarantees under the GDPR could be undermined. Although the Court reached this conclusion in a case concerning transfers from Ireland to the United States, in particular because of the extensive U.S. surveillance laws and the limited protection those laws offer to Europeans, the decision has a global impact. The obvious conclusion is that, going forward, organizations must perform a transfer risk assessment on a case-by-case basis. If the laws of the third country create risks, the organization must implement supplementary measures to mitigate them.
Following publication of the draft EDPB Recommendations on data transfers after Schrems II and the draft revised standard contractual clauses by the European Commission, the situation may have changed again. Based on these drafts, we explain what is and is not possible when transferring personal data out of the EEA. Comments are being accepted on both drafts at this time, and organizations are encouraged to submit them, including scenarios that provide context for why certain requirements would or would not be feasible for managing personal data. The final versions will likely differ from the drafts discussed below.
A notable part of the EDPB guidance is that third country assessments cannot be risk-based. The EDPB states that data exporters may not rely on "subjective [factors] such as the likelihood of public authorities' access to your data in a manner not in line with EU standards" (§42). With this formulation the EDPB appears to step away from the risk-based approach that is foundational to the GDPR. Judging by the suggested supplementary measures and the listed scenarios, the EDPB also seems to imply that no residual transfer risk is acceptable for a processing operation, even a purely theoretical one.
For the similar third country assessment under the new SCCs, however, the European Commission does seem to accept a risk-based approach. Draft Clause 2 under (b) in particular requires the assessment of the third country's legislation to take into account the specific circumstances of the transfer, and to read that country's laws in light of those circumstances. In other words, the Commission seems ready to accept that small-scale or low-risk transfers (employee data, for example) might be possible in combination with supplementary measures, whereas large-scale or high-risk transfers would not.
The two approaches are not compatible, and the discrepancy between the EDPB and the Commission on whether a risk-based approach may be used to assess third country laws and specific transfers must be resolved. Ideally, the risk-based approach prevails. Even though a risk-based approach will still limit the number of transfers that can take place after Schrems II, it would allow organizations to continue many of their operations.
One of the main outcomes of the Schrems II case is that data controllers may need to implement supplementary measures to ensure the newly required essentially equivalent level of protection (§133). Immediately after the judgment, privacy professionals around the world started listing possible measures of a technical, legal or contractual, and organizational nature. The most confidence was placed in technical measures: surely proper (end-to-end) encryption could keep personal data out of reach of government interference?
The EDPB comes to a different conclusion. In its scenario-based overview of technical measures, encryption is an acceptable measure only if there is no way the personal data can be decrypted in the country of destination. In other words, only if the data remain encrypted for the entire time they are outside the EEA, and then only under strict conditions on the effectiveness of the encryption, is it deemed an effective technical measure; the scenarios accept it for back-ups and for data flows routed through a non-adequate third country. Transferring pseudonymous data is also an option, provided the data can never be re-identified outside the EEA, even by combining data sets.
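As an added illustration (not from the original article or from the EDPB), the following Python script shows why "can never be re-identified outside the EEA" comes down to where the secret lives. It pseudonymises a set of constructed HR records first with an unkeyed hash, which an importer can reverse by enumerating a guessable identifier space, and then with an HMAC whose key and lookup table stay with the exporter. The field names, records, identifier range and the choice of which fields count as direct identifiers are assumptions made for the demo.

```python
"""Pseudonymisation as a supplementary measure: added example, not from the article.

Shows why the requirement that pseudonymous data "can never be re-identified
outside the EEA" is about where the secret lives. An unkeyed hash can be reversed
by anyone who can enumerate the identifier space; a keyed HMAC whose key stays
with the exporter cannot. All records, field names and ID ranges are constructed.
"""
import hashlib
import hmac
import secrets

# Assumption: these fields are treated as direct identifiers and never leave the EEA.
DIRECT_IDENTIFIERS = {"employee_id", "name", "email"}

# Constructed sample HR records held by the exporter inside the EEA.
RECORDS = [
    {"employee_id": "E1001", "name": "A. Example", "email": "a@example.eu",
     "role": "engineer", "absence_days": 3},
    {"employee_id": "E1002", "name": "B. Example", "email": "b@example.eu",
     "role": "analyst", "absence_days": 0},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash: deterministic and recomputable by anyone."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256: recomputable only by a party holding the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def export_records(records, key=None):
    """Strip direct identifiers and attach a pseudonym.

    Returns (exported, lookup). ``exported`` is what leaves the EEA; ``lookup``
    maps pseudonym -> employee_id and stays with the exporter for re-identification.
    With key=None the naive hash is used (the weak variant).
    """
    exported, lookup = [], {}
    for rec in records:
        ident = rec["employee_id"]
        token = keyed_pseudonym(ident, key) if key is not None else naive_pseudonym(ident)
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["pseudonym"] = token
        exported.append(stripped)
        lookup[token] = ident
    return exported, lookup


def leaks_direct_identifiers(exported) -> bool:
    """Sanity check before the data leaves: no direct identifier field may remain."""
    return any(field in DIRECT_IDENTIFIERS for rec in exported for field in rec)


def importer_reidentify(exported, candidate_ids, pseudonym_fn):
    """What a party outside the EEA can do with the exported data alone.

    If the identifier space is guessable (sequential employee numbers) and the
    pseudonym function is recomputable, a lookup table reverses the pseudonyms.
    """
    rainbow = {pseudonym_fn(c): c for c in candidate_ids}
    return {rec["pseudonym"]: rainbow[rec["pseudonym"]]
            for rec in exported if rec["pseudonym"] in rainbow}


if __name__ == "__main__":
    candidates = [f"E{n}" for n in range(1000, 1100)]  # constructed guessable ID range

    naive_out, _ = export_records(RECORDS)
    print("unkeyed hash, importer recovers:",
          importer_reidentify(naive_out, candidates, naive_pseudonym))

    key = secrets.token_bytes(32)  # generated and kept by the exporter in the EEA
    keyed_out, lookup = export_records(RECORDS, key)
    print("keyed HMAC, importer recovers:",
          importer_reidentify(keyed_out, candidates, naive_pseudonym))
    print("exporter re-identifies with its lookup table:",
          [lookup[r["pseudonym"]] for r in keyed_out])
```

The keyed variant only holds while the key and the lookup table stay with the exporter. Shipping either alongside the data, or reusing the same pseudonym across data sets that together carry enough quasi-identifiers to single someone out, reintroduces exactly the re-identification risk the EDPB scenario rules out.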
For two of the most common business processes, no suitable technical measures have been identified: hosting personal data with a cloud service provider in a way that also allows the data to be accessed in the clear (that is, in a form you can actually work with), and accessing data hosted in Europe from a non-EEA location. If an organization cannot identify supplementary measures that would be sufficient, the transfer cannot take place. This is problematic for organizations all across Europe, from very large conglomerates to small and midsize companies, that use cloud service providers outside the EEA.
Organizational and Contractual Measures
The organizational and contractual measures are more in line with expectations. These supplementary measures include commitments to implement specific technical measures, to oppose government access requests and to provide maximum transparency, to the extent legally allowed, towards business partners, data subjects and the general public. Commitments to adopt additional internal policies, for example to operationalize the contractual safeguards, are also listed.
What is missing
The draft Recommendations also leave some elements out. Most importantly, the EDPB has not defined what constitutes a data transfer, whereas other terms are defined. Although many will have a feel for what is and is not a transfer, it is hard to reconcile the expectation that organizations rely on objective criteria for their transfer assessments with the absence of a clear definition of the term being assessed.
Another question is to what extent the EDPB, or individual supervisory authorities, will support organizations in undertaking third country assessments. Although every assessment will ultimately have to be made case by case, it is not unthinkable that regulators will publish lists of countries, or sectors within countries, to which personal data may or may not be transferred. The EDPB may intend to prepare third country reports, but this is not clear from the Recommendations. Organizations are instructed to document their own assessments properly, since these will form part of any transfer review undertaken by a supervisory authority. At what scale the authorities will undertake such reviews, given their existing workload and frequently raised lack of resources, remains unclear.
What happens next
Finally, even though the Recommendations and the draft new SCCs were published within 24 hours of each other, the two documents are not fully aligned. The Commission documents make clear that the new SCCs alone will not suffice to meet the essentially equivalent standard and that supplementary measures may need to be implemented. Whether the Commission and the Board will work towards a better and more legally certain solution in the longer run remains an open question.
After the comment period, the EDPB and the Commission will re-issue their respective documents, likely in 2021. The EDPB, however, issued the Recommendations as adopted: organizations are expected to start their assessments without delay and to follow the outlined six-step approach. Failing to do so may result in sanctions from the supervisory authority should the organization's transfer practices come under investigation.
For additional information, visit the TrustArc Privacy Shield Ruling Resources page.