On Monday 21 June 2021, the European Data Protection Board released the long-awaited updated Recommendations on the so-called supplementary measures that can be put in place when transferring personal data outside the European Economic Area (EEA, the 27 countries of the European Union [EU] plus Iceland, Liechtenstein and Norway). Such supplementary measures may be required to maintain an essentially equivalent level of data protection when transferring personal data to a non-EEA country (often referred to as a third country) on the basis of one of the appropriate safeguards under Article 46 GDPR. These include the use of Standard Contractual Clauses.
As we explained in this blog post when the consultation draft of the EDPB Recommendations were published back in November 2020, organizations will need to perform a Data Transfer Risk Assessment on a case-by-case basis to assess the level of protection in a third country. If there are indications that legislation may impinge on the fundamental rights and freedoms of data subjects in Europe – for example because of far-reaching government access and surveillance legislation – supplementary measures need to be put in place by the data importer in the third country to protect the personal data coming from Europe. These measures can be of a technical, organisational and/or contractual nature.
As a reminder: the six steps prescribed by the EDPB to conduct a Data Transfer Risk Assessment, are visible in the image below. These six steps have not changed.
We do note the EDPB has made some major changes in the updated version of the Recommendations compared to the consultation draft. Where before the EDPB almost completely ruled out the use of a risk-based approach to international data transfers, it now seems to greenlight it, subject to strict conditions and evidence. In addition, the Recommendations no longer contain scenarios where the EDPB rules out up front that supplementary safeguards are impossible to implement – it now concludes that the EDPB has not been able to identify effective measures.
Possible Outcomes of a Data Transfer Risk Assessment
As part of step 3 of the Data Transfer Risk Assessment, organisations will need to assess on a case-by-case basis whether their data transfer would be at risk from a compliance perspective. This is first and foremost the responsibility of the data exporter (typically the data controller in the EEA). They will need to do so on the basis of the legislation that is applicable in the third country, as well as the country’s international commitments (for example adherence to specific human rights treaties, such as Council of Europe Convention 108+). Also the practices of the country need to be taken into account, which can be beneficial (for example if surveillance legislation in reality is hardly used) or not (for example if the country ignores their own legal framework). These assessments need to be based on information from public sources that should be “relevant, objective, reliable [and] verifiable”. Should the outcome of the assessment be that the legislation in the third country is problematic, there now are multiple options listed in paragraph 43 of the Recommendations.
- The data transfer is suspended, in order to guarantee that the level of protection offered by the GDPR is not undermined.
- The data transfer is continued, but only on the basis of supplementary measures that are agreed by the partners involved in the processing operation.
- The data transfer is continued without putting in place any supplementary measures, because the data exporter considers there is no real risk the negative impact of the problematic legislation will actually occur.
While option 3 seems an attractive option for many organisations and many situations, it is more easily said than done. Using this option requires that the data exporter prepares a full report documenting the conducted assessment, which includes an analysis why the problematic legislation would not be relevant in light of the specific transfer, substantiated by evidence. This could include the experience of other actors in the same sector. Assumptions about the potential events and risks do not suffice, according to the EDPB. When preparing this report, the data exporter needs to involve the data importer (the recipient of the data) in the third country and to give due account of any onward transfers. Finally, using this option does not release the parties from the obligation to ensure the data are well protected both in transit and at rest (e.g. by using strong encryption – the conditions for effective data encryption are listed in §90 of the Recommendations).
Effective Supplementary Measures
When it comes to what are considered effective supplementary measures, the EDPB Recommendations give multiple options, but this is a non-exhaustive list. Relying solely on contractual and/or organisational measures in any case is deemed as insufficient, since those could never protect data against all government interference. Technical measures will therefore always have to be considered. What measures are effective, largely also depends on the format of the data, the nature of the data, the length and complexity of the workflow, the capabilities of the recipient country’s authorities as well as possible onward transfers. Just using encryption for data in transit and at rest is also not sufficient to guarantee an essentially equivalent level of data protection, at least not when access to the data is required in the clear. All in all, it seems likely that if supplementary measures need to be implemented, it will always need to be a combination of technical, organisational and contractual measures.
Relation with the new SCCs
The EDPB Recommendations are particularly important when organisations wish to rely upon the new Standard Contractual Clauses (SCCs), as adopted by the European Commission on 4 June 2021. The use of the SCCs is subject to a Data Transfer Risk Assessment and the documentation of supplementary measures if the SCCs themselves are insufficient to guarantee an essentially equivalent level of data protection. The Board has however not voiced a position on the scope of application of the data transfer mechanisms. As we know, the new SCCs cannot be used if the GDPR has direct application to the processing operation at hand. Whether or not the EDPB considers that direct application of the GDPR in that situation would suffice for compliance, or if a different transfer mechanism should be used, remains unclear.