20 November 2020
EDPB Publishes Recommendations on International Data Transfers Following Schrems II
On 10 November 2020, the European Data Protection Board (the “EDPB”) adopted Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (the “Recommendations”). These hotly anticipated Recommendations are a follow-up to the Schrems II decision of the Court of Justice of the European Union (the “CJEU”) earlier this year (see our previous briefing on the decision here). The Recommendations are in draft format and are open for public consultation until 30 November 2020. The EDPB also published Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (the “EEG Recommendations”).
The EDPB has set out a step-by-step approach that organisations should take to ensure that transfers of personal data to third countries are compliant with the requirements of the GDPR, interpreted in light of Schrems II, and provides detailed guidance on ‘supplementary measures’ that could be taken where considered necessary.
- ‘Step 1: Know Your Transfers’ – Organisations should identify all transfers of personal data to a third country. The EDPB emphasises that data exporters should consider ‘onward transfers’ in this context (i.e. where a data importer in a third country that receives data from an EU-based data exporter further transfers that personal data to a sub-processor in a third country).
- ‘Step 2: Identify the transfer tools you are relying on’ – Organisations must also identify the transfer mechanisms they are relying on, including adequacy decisions under Article 45; transfer tools under Article 46; or derogations for specific situations under Article 49 of the GDPR.
- ‘Step 3: Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer’ – Any assessment should focus on relevant third country legislation. The EDPB cautions against relying on subjective factors such as the likelihood of public authorities accessing the data being transferred in a manner not in line with EU standards, but does confirm that the context of the transfers can be taken into account when determining the legislation to be considered. The EDPB emphasises that the assessment should focus primarily, but not exclusively, on the third country’s laws applicable to public authority access to data.
- ‘Step 4: Adopt Supplementary Measures’ – Where an assessment conducted under step 3 has identified potentially problematic laws or practices in the relevant third country, the next step is to identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence, if possible. This step is only required where an organisation’s assessment under Step 3 revealed that the Article 46 tool relied upon is not effective. The EDPB sets out a non-exhaustive list of possible contractual, technical and organisational supplementary measures at Annex 2, which we will consider in a future briefing. Where a data exporter cannot find or implement such effective supplementary measures, the EDPB states the transfers must be stopped, or must not begin.
- ‘Step 5: Procedural steps if you have identified effective supplementary measures’ – Organisations must take any formal procedural steps needed to adopt any effective supplementary measures required, such as putting in place contractual supplements to the standard contractual clauses, binding corporate rules or ad hoc contractual clauses, or implementing technical or organisational supplementary measures.
- ‘Step 6: Re-evaluate at appropriate intervals’ – The EDPB emphasises that accountability is an ongoing obligation, and data exporters must monitor, on an ongoing basis, and where appropriate in collaboration with data importers, developments in the third country to which personal data has been transferred which could affect the initial assessment of the level of protection afforded.
The EEG Recommendations
The EDPB complemented the Recommendations by also issuing additional guidance containing its EEG Recommendations. These recommendations follow the earlier ‘Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees) (WP237)’1, which was adopted following Schrems I and the invalidation of Safe Harbour. The new recommendations further develop the European Essential Guarantees (the “EEGs”) in light of the judgement of the CJEU in Schrems II.
The recommendations build on principles laid down previously and, according to the EDPB, are to be seen as core elements to be found when assessing the level of interference with fundamental rights to privacy and data protection. The specific EEGs analysed by the EDPB are:
- Processing should be based on clear, precise and accessible rules;
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
- An independent oversight mechanism should exist; and
- Effective remedies need to be available to the individual.
The EDPB notes that the four EEGs should not be assessed independently, as they are closely interlinked, but on an overall basis. This requires reviewing the relevant legislation in relation to surveillance measures, the minimum level of safeguards for the protection of the rights of the data subjects, and the remedies provided under the national law of the third country.
The EDPB further states that ‘These guarantees require a certain degree of interpretation, especially since the third country legislation does not have to be identical to the EU legal framework.’
Although issued in draft form, the Recommendations are likely to be adopted by the EDPB without significant amendments. Organisations will therefore need to consider putting in place a process to implement the EDPB’s suggested six-step process in relation to their transfers of personal data to third countries. This will inevitably involve considering the EDPB’s suggested supplementary measures, which we will be covering in a separate briefing.
Also contributed by Róisín Finn.
- Article 29 Data Protection Working Party, Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees), 16/EN WP237, adopted on 13 April 2016
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.