After a long, four-month wait, we finally have recommendations from the European Data Protection Board (EDPB) on “supplementary measures” in the context of international transfers of personal data – i.e. measures required to ensure that transfers to countries outside of the European Economic Area (EEA) are permitted under the GDPR.
Follow-up on Schrems II
Under the GDPR, transfers of personal data from the EEA to a non-EEA recipient are prohibited unless the sender has a certain degree of confidence – thanks to strong data protection rules in the recipient’s country or thanks to other mechanisms (e.g. contractual obligations) – that the personal data will in fact be protected by the recipient. A very common mechanism used by organisations is the signing by the parties of so-called “Standard Contractual Clauses” or “SCCs”, template clauses adopted by the European Commission. Another one used to be the EU-US “Privacy Shield” framework, a self-certification framework allowing US entities to commit themselves to compliance with various data protection principles.
By its judgment of 16 July 2020 in the Schrems II case, the Court of Justice of the European Union (CJEU) invalidated the "Privacy Shield” framework and decided that additional assessments are required when using the SCCs as transfer mechanism (see our earlier newsflash on Schrems II here). In essence, the CJEU considered that controllers relying on SCCs must verify on a case-by-case basis if the law of the recipient’s country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the EEA.
This caused great uncertainty for many organisations worldwide, because it left two key questions unanswered: (i) how can an organisation determine whether any supplementary measures are required (i.e. in addition to SCCs or another such data transfer mechanism) and (ii) which supplementary measures can be sufficient to ensure an international data transfer is lawful?
The Recommendations published yesterday provide a practical response, in the form of a roadmap of the steps that EU-based data exporters must take to assess whether supplementary measures are required for their intended data transfer(s) as well as specific examples of such measures and conditions to be effective. But is that response sufficient?
Roadmap of steps
The EDPB’s suggested roadmap is not revolutionary but represents an official recognition of a good practice that had become more prominent since the Schrems II judgment, starting with a mapping of data transfers to non-EEA destination countries (“third countries”) and ending with a recurrent reminder to review one’s assessment:
Step 1. Know your transfers
Map all your transfers of personal data to third countries and verify that the data transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred.
Step 2. Identify the transfer tool you are relying on
Verify the transfer tool that you rely on. First, if it features among those listed in Article 45 GDPR (“adequacy decision”, whereby the laws of a non-EEA country, territory or sector are deemed to ensure “an adequate level of protection. Such a transfer shall not require any specific authorisation”) or Article 46 GDPR (binding corporate rules, SCCs, codes of conduct etc.), check that it is still up-to-date and valid. If you are exceptionally relying on one of the derogations set out in Article 49 GDPR, check that your justification for doing so is valid.
Step 3. Assess the effectiveness of the transfer tool in question in your case
Where the transfer tool is based on Article 46 GDPR (i.e. SCCs, binding corporate rules etc.), assess if there is anything in the legislation and practice of the third country that may impinge on the effectiveness of the appropriate safeguards of that transfer tool used in the context of your specific transfer. Because one of the key issues in Schrems II was the possibility of access to data by public authorities for surveillance purposes, the EDPB has also now published European Essential Guarantees recommendations for use when assessing the local laws dealing with that form of access. Document your assessment thoroughly.
On the topic of local laws, the EDPB states specifically in relation to the US that if the data importer “or any further recipient to which the data importer may disclose the data” falls within the scope of Section 702 of the US Foreign Intelligence Surveillance Act (FISA), Article 46 GDPR transfer tools “may only be relied upon for such transfer if additional supplementary technical measures make access to the data transferred impossible or ineffective”. For other laws and jurisdictions, the EDPB considers that (i) the data importer should be in the position to provide the data exporter with relevant sources and information and (ii) the data exporter should refer notably to national and European case law (e.g. of the CJEU and of the European Court of Human Rights), reports of intergovernmental organisations and reports from NGOs and academic institutions.
Step 4. Adopt supplementary measures
If your assessment under step 3 reveals that the laws of the third country impinge on the effectiveness of the transfer tool (e.g. if Section 702 of FISA applies, in relation to EU-US transfers), you should identify and adopt supplementary measures that are necessary to bring the level of protection up to the EU standard. The EDPB illustrates with specific examples what measures can be appropriate in what circumstances (see below). If no supplementary measure can ensure the required level of protection, you must avoid, suspend or terminate the transfer. Again, document your assessment of supplementary measures thoroughly.
Step 5. Procedural steps if you have identified effective supplementary measures
Take any formal procedural step necessary for the adoption of your supplementary measure(s). You may need to contact your supervisory authority depending on the Article 46 GDPR transfer tool you rely upon:
- In the case of SCCs: no contact is required with supervisory authorities unless the intended supplementary measures can be considered to contradict (directly or indirectly) the SCCs in their original form;
- In the case of BCRs and ad-hoc contractual clauses: these points are “still under discussion”, says the EDPB, but it is likely that any material impact on the BCRs or ad-hoc contractual clauses will have to be notified to the relevant supervisory authorities.
The EDPB does not mention whether a similar reasoning will apply to the new set of SCCs the European Commission is working on, but given the range of requirements the EDPB foresees, those new SCCs are unlikely to be a silver bullet.
Step 6. Re-evaluate at appropriate intervals
Monitor if there have been or will be any developments that may affect the level of protection afforded to the data you transferred to non-EEA countries and adopt the supplementary measures when/where required.
The EDPB's roadmap of steps may also be useful in the near future when assessing personal data transfers from EEA-based companies towards the UK after the end of the Brexit transition period, in the absence of an adequacy decision.
Supplementary measures: specific examples and use cases
By means of various examples and scenarios, the EDPB clarifies which additional technical, contractual and organisational measures may be appropriate and upon which conditions such measures can be effective.
It is not surprising that the EDPB considers encryption at rest and in transit as well as pseudonymisation as potentially effective technical measures. However, not all forms of encryption or pseudonymisation are equal.
For instance, in relation to encryption, the EDPB stresses that the encryption algorithm and its parameterization (how many bits for the key length; which mode of operation is chosen) must “conform to the state-of-the-art and […] be considered robust against cryptanalysis performed by the public authorities in the recipient country taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them”. In practice, if you select a lower key length or a faster mode of operation, ensure that it is not an easy target. Ensure legal and information security teams are working together.
The EDPB also imposes additional requirements for encryption, notably as regards who holds the keys (in practice: an entity located in an EEA country or a country benefiting from an adequacy decision), the moment of encryption (before transmission – not during/after), reliable management of keys etc.
The EDPB illustrates these points also by using the example of intragroup sharing of HR data: even if state-of-the-art encryption is used on a shared IT system, the fact that the data importer is in possession of the key and has access to the data “in the clear” renders this an ineffective “supplementary measure”.
Similarly, with pseudonymised data, the EDPB’s requirements illustrate the fact that good pseudonymisation requires careful planning. In practice, the pseudonymisation must be such that public authorities in the third country are unable to re-link the data in question to a data subject, even if they happen to have (or have access to) troves of data they can use to attempt re-identification. The EDPB does not give any pointers on how far a data exporter has to go in this respect, which could be viewed as creating unrealistic obligations for data exporters: how in practice can a data exporter know that public authorities are indeed unable to re-identify data subjects?
Put differently, encryption and pseudonymisation can be effective supplementary measures, but only if they are meaningful in the context of the transfer and are implemented properly – and even then, the EDPB’s requirements regarding pseudonymisation suggest the EDPB does not strongly believe in it. Challenge internal teams and external vendors who claim this is the perfect solution, and work towards an effective and relevant approach.
As to additional contractual measures, the contract may need to include specific obligations for the data importer, such as transparency obligations with regard to information on access to data by public authorities (including in the field of intelligence), obligations to take specific actions with regard to disclosure orders or even a commitment to assist data subjects in exercising their rights in the third country jurisdiction through ad hoc redress mechanisms and legal counselling. Such obligations can for instance help the data exporter become aware of new developments affecting the protection of the data transferred.
Do bear in mind that purely contractual measures are generally not capable of binding the authorities of a third country. As a result, one must combine contractual measures with technical and organisational measures to provide the level of data protection required. For instance, a contractual obligation to put in place certain technical measures is a good option to consider.
An example of an organisational measure is putting in place internal policies for governance of transfers (especially within groups of enterprises) with a clear allocation of responsibilities, reporting channels and standard procedures in the event of covert or official requests from public authorities to access the data.
The EDPB emphasises repeatedly, notably through use cases, that selecting and implementing one or several of the suggested measures may not be sufficient and will not always render the intended transfer lawful. A case-by-case assessment and application remain required.
Grace period?
A recurrent theme for organisations since Schrems II was the question of immediate or delayed enforcement. The CJEU’s judgment did not specify any grace period, and authorities have tended to be silent on the topic.
In a similar vein, the EDPB does not say whether the supervisory authorities in general will tolerate a transitional period, but the implicit message is “no”: “[s]upervisory authorities will continue exercising their mandate to monitor the application of the GDPR and enforce it. Supervisory authorities will pay due consideration to the actions exporters take to ensure that the data they transfer is afforded an essentially equivalent level of protection”.
While understandable, it is likely that organisations will consider this unhelpful, especially given that it has taken four months for the EDPB to adopt recommendations.
Closing comments
These recommendations will likely prove to be of great assistance in determining the best course of action for data transfers, but much is still left to the data exporter individually (assessing third countries’ laws etc.). Fortunately, the academic world has spearheaded certain initiatives (e.g. the “European Essential Guarantees” website) with the aim of helping organisations come to their own conclusions and it is likely such initiatives will grow in visibility and importance.
These EDPB Recommendations 01/2020 (“on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”), which are available online, are published for the purpose of public consultation and are thus open for feedback until 30 November 2020. The final version may therefore include certain adaptations.
No public consultation applies to the EDPB Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, on the other hand, such that the text available online appears to be final.