EDPB clarifies international personal data transfers in the post-Schrems II era

The General Data Protection Regulation lays down rules for transferring personal data outside the European Economic Area (“EEA”). Chapter V of the GDPR, read in light of the EU Charter of Fundamental Rights and the recent CJEU ruling in case C-311/18, sets a high bar for transfers.


Following the Schrems II ruling and the invalidation of the Privacy Shield, organisations are expected to conduct case-by-case analyses to ensure that their transfers to third countries do not undermine the level of data protection guaranteed by the GDPR and the EU Charter of Fundamental Rights and, if needed, to implement ‘supplementary measures’ to ensure that the equivalent level of data protection enjoyed under EU law is respected in practice.


The European Data Protection Board has finally issued its highly awaited recommendations on these supplementary measures. They contain a six-step guide that organisations are now expected to carry out and document. The recommendations are subject to a public consultation, which closes on November 30, 2020.


Note that PrivacyAnt Software provides you with a detailed view on your international data transfers that automatically updates when you document your processing activities. We can also help you with formulating a questionnaire that can be sent to all your third parties engaged with your processing activities to request information needed to keep your documentation up-to-date.




In its judgement in case C-311/18 (“Schrems II”), the Court of Justice of the European Union (“CJEU”) reminded us all that transferring personal data outside the European Economic Area (“EEA”) cannot water down the protection granted under EU law. This means that essentially the ‘equivalent level of protection’ guaranteed within the EU by the General Data Protection Regulation (“GDPR”) and the Charter of Fundamental Rights must accompany the personal data when it travels to third countries outside the EEA. In practice, appropriate safeguards, enforceable rights and effective legal remedies must travel with personal data wherever it is being transmitted.


In case C-311/18, a complaint was lodged with the Irish supervisory authority (“DPC”) claiming that the United States cannot offer sufficient protection, since US national law obliges US-based organisations to provide the US intelligence authorities with personal data under Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and Executive Order 12333 (“EO 12333”). The CJEU declared the Privacy Shield, the commonly used mechanism for transferring personal data to the United States, invalid, pointing out that the Privacy Shield could not provide the equivalent data protection required by EU law.


While the CJEU upheld the validity of standard contractual clauses (“SCC’s”) as a transfer mechanism that may serve to ensure contractually an essentially equivalent level of data protection, it also pointed out that data exporters and the recipients have an obligation to verify, prior to any transfer, whether the level of data protection is and can be actually respected in the third country concerned.


This has created a significant due diligence burden on companies. As the CJEU stated in its decision, the SCC’s are not capable of binding the public authorities of third countries, since they are not parties to the SCC’s. Therefore, relying solely on the SCC’s is not likely to be sufficient to satisfy the obligation to ensure that personal data enjoys ‘equivalent protection’ after it has been transferred to a third country. In plain language, the contract you have in place with your third party is not likely to prevent intelligence authorities in third countries from accessing your personal data.


To fix this problem, organisations are now expected to implement ‘supplementary measures’ on top of the SCC’s and other transfer mechanisms to prevent US intelligence authorities from accessing personal data. However, since the SCC’s are intended to apply uniformly in all third countries and not just the United States, the obligation to implement these supplementary measures applies to all transfers outside the EEA.


The Schrems II judgement and the EDPB’s guidelines are therefore relevant for all transfers of personal data irrespective of what ‘transfer mechanism’ the organisations are relying on.



EDPB issues its long awaited recommendations on supplementary measures required for transfers


The CJEU reminded all organisations of their obligation to verify, case by case, whether the law or practices of the third country in question impinge on the effectiveness of the transfer mechanisms provided by the GDPR and, if needed, to implement ‘supplementary measures’ that fill the potential gaps in these mechanisms and ensure the equivalent level of data protection required by EU law. It did not, however, specify what these measures could be.


On November 11, 2020, the European Data Protection Board (“EDPB”) issued its guidance on how to carry out international personal data transfers in the post-Schrems II era. To help data exporters (be they controllers, processors, private entities or public bodies) with the complex burden of identifying the gaps in third countries’ legal systems and the potential supplementary measures that could be used, the EDPB has adopted a six-step roadmap to ensure all personal data transfers are conducted in compliance with the GDPR.


Keeping in mind your accountability obligations under the Articles 5(2) and 24(1), the EDPB and national supervisory authorities expect you to document the following six-step assessment and make sure such documentation is available to the competent supervisory authority upon request.


Step 1 - Know your transfers


Knowing all your international personal data transfers is an essential first step to start fulfilling your obligations under the GDPR. Mapping the transfers can and will be a complex exercise, especially for organisations that engage with large numbers of processors and sub-processors.


Naturally, you should know the location of all your IT systems, cloud services and other personal data storages. In addition, since remote access to your personal data is considered a ‘transfer’ even if the data is kept within the EU area, you must identify all situations in which your personal data can be accessed by your processors or their sub-contractors. This requires discussions with the third parties you engage with, since their documentation is not likely to provide all the information you need.


Step 2 - Identify the transfer mechanisms you are relying on


After becoming aware of all the situations where your organisation is considered to be ‘transferring’ personal data to third countries, you must ensure that you have a proper transfer mechanism in place. This is the first step in ensuring an ‘adequate level of data protection’. The suitable transfer mechanisms are listed in Chapter V of the GDPR.


Adequacy decisions by the EU Commission under the Article 45


The European Commission has the power to determine, on the basis of Article 45 of the GDPR, whether a third country or an international organisation offers an adequate level of data protection. Adequacy decisions may cover a whole country or be limited to a part of it, and may cover all transfers or be limited to a certain type of transfer.


The European Commission publishes the list of its adequacy findings here. If the third country, region or sector is covered by an adequacy decision, your organisation does not need to take further steps regarding the transfer mechanism. However, you must still keep in mind your accountability obligations. In addition, the EDPB recommends that you continue to monitor whether adequacy decisions are revoked or invalidated in the future.


Appropriate safeguards in Article 46


Article 46 of the GDPR lists a series of transfer mechanisms as “appropriate safeguards” that organisations may use to transfer personal data to third countries, especially in the absence of an adequacy decision by the EU Commission. These appropriate safeguards are:


  1. Standard Data Protection Clauses (“SCC’s”)
  2. Binding corporate rules (“BCR’s”)
  3. Codes of conduct & certification mechanisms
  4. Ad hoc contractual clauses


Keep in mind that these appropriate safeguards may not be enough in the light of the recent CJEU ruling. As the transfer mechanism must ensure that the level of data protection guaranteed by the GDPR is not undermined by the transfer, you must ensure the transfer mechanism is effective in practice. Considering you’d need to prevent intelligence agencies from accessing your data, this may not be achievable depending on the business needs for your data.


Derogations under the Article 49


In the absence of an adequacy decision by the EU Commission or appropriate safeguards under Article 46, Article 49 of the GDPR provides a third avenue for allowing international personal data transfers in certain situations.


It is worth mentioning that the derogations are meant for ‘exceptional cases’, mainly occasional and non-repetitive processing activities, and must therefore be interpreted ‘restrictively’. The EDPB has already issued guidelines on these derogations, which can be found here. Before any transfer where you rely on the derogations, you must verify whether the transfer meets the strict conditions set forth for each of them.


Step 3 - Assess whether the appropriate safeguards under the Article 46 are effective

As stated earlier, the appropriate safeguards may not be enough in the light of the recent CJEU ruling, and therefore you must assess whether they are effective in practice. In theory, this step requires a case-by-case assessment of whether the legal system of a third country is capable of ensuring an adequate level of data protection.


Effective means that the transferred personal data still enjoys the adequate level of data protection in the third country to which it is being transferred. Depending on the complexity of your processing activity, you must take into consideration all the actors participating in such a transfer (e.g. controllers, processors and sub-processors), since these may be subject to ‘surveillance laws’ and therefore obliged to disclose personal data to intelligence agencies.


In practice, you would need to look into the characteristics of the domestic laws applicable in the recipient countries and determine whether any of them impinge on the commitments contained in the transfer mechanisms you rely on. The EDPB encourages you to pay close attention to any laws laying down requirements to disclose personal data to public authorities.


Step 4 - Adopt supplementary measures to the appropriate safeguards to make them ‘effective’


If your assessment under Step 3 reveals that your transfer mechanism may not be effective, you will need to identify whether you could apply any ‘supplementary measures’ that would supplement your transfer mechanisms in a way that would make them ‘effective’.


In principle, these measures may be contractual, technical or organisational, and combining these may contribute to reaching the strict EU standards. However, the EDPB reminds organisations that contractual and organisational measures alone will generally not overcome access to personal data by the public authorities of a third country (where this affects the equivalent level of data protection). In these cases, only technical measures would render access by the intelligence authorities ineffective.


The EDPB provides a list of example supplementary measures that organisations could use. Naturally, the list is not exhaustive and the EDPB points out that they may be relied upon only when they can effectively guarantee the expected level of data protection in practice.


More importantly, the guidelines also contain a section on scenarios in which no effective supplementary measures could be found. Unfortunately, these scenarios are also quite common in practice.


  1. Transfers to cloud service providers or other processors which require access to the personal data in the clear in order to perform or execute their tasks. Having access to the data in the clear is likely to be the case with the majority of today’s cloud services.

  2. Remote access to personal data available for entities located in third countries when data is needed in the clear for performing different tasks, e.g. communicating with data subjects.


In the given scenarios, where unencrypted personal data is technically necessary for the provision of services by a third party, transport-level encryption and data-at-rest encryption, even taken together, do not constitute an effective supplementary measure.


Step 5 - Don’t forget to apply necessary procedural steps to implement the supplementary measures


After identifying whether there are any supplementary measures available to make your transfer mechanisms effective in practice, the EDPB reminds organisations of their obligation to ensure transfer mechanisms are put in place in compliance with the GDPR.


For example, as long as your supplementary measures do not contradict the SCC’s, directly or indirectly, there is no need to request an authorisation from a competent supervisory authority. However, if your supplementary measures are construed in a way that places restrictions on the rights and obligations ensured in the SCC’s, or in any way lowers the level of data protection guaranteed by the SCC’s, you must seek an authorisation from the competent supervisory authority in accordance with Article 46(3) of the GDPR. This could happen e.g. when you use SCC’s as an appendix to your main agreement and parts of your main agreement override some of the clauses in the SCC’s.


Step 6 - Re-evaluate your transfer mechanisms at appropriate intervals


Naturally, the situation in the third country concerned could change over time. Organisations must monitor, on an ongoing basis, the developments in third countries that could affect the initial assessment of the level of data protection.