knowledge 8 December 2020 |

Schrems II - Spotlight on Supplementary Measures for International Data Transfers

The Recommendations provide a non-exhaustive list of ‘supplementary measures’ that are necessary to ‘fill the gaps’ and bring the level of protection of the data transferred up to the EU standard of essential equivalence, if possible. These include technical, contractual and organisational measures which are likely to have varying degrees of relevance to organisations from a practical perspective.

1. Technical Measures

1. Specific protective, robust and state of the art encryption, flawlessly implemented by properly maintained software may provide an effective supplementary measure. Encryption will only suffice as an effective supplementary measure, however, where the cryptographic keys are retained solely under the control of the data exporter, or other entities entrusted with this task within the EEA or a third country which has been the subject of an adequacy decision by the European Commission.

2. The pseudonymization of data may provide an effective supplementary measure, subject to certain conditions:

   • The data exporter must pseudonymize the data prior to the transfer in such a manner that the personal data can no longer be attributed to a specific data subject;

   • Any additional data is held exclusively by the data exporter and kept separately within the EEA or in a third country which has been the subject of an adequacy decision by the European Commission; and

   • The data exporter retains sole control of the algorithm or repository that enables re-identification using the additional information.

3. A data exporter may implement a system under which personal data is processed jointly by two or more independent processors located in different jurisdictions (i.e. ‘split or multiparty processing’) without disclosing the content of the data to them. Prior to the transfer the data exporter should split the data in such a way that no part received suffices to reconstruct the personal data.

Whilst it is useful that the EDPB has acknowledged that encryption and pseudonymisation are potential solutions, the implementation of these solutions is unlikely to be trivial and may not be viable in many situations.

2. Contractual Measures

Contractual measures may include provisions:

1. Requiring the use specific technical measures;

2. Obliging the data importer to inform data exporter on the extent to which public authorities may access personal data;

3. Ensuring the data importer certifies that it has not purposefully created back doors or similar programming that could be used to access personal data and that it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems by third parties;

4. Enabling the data exporter to conduct audits or inspections to verify if data was disclosed to public authorities;

5. Compelling the data importer to inform the data exporter of any change to local law which would impact the maintenance of an ‘essentially equivalent level of data protection’;

6. Providing for a “Warrant Canary” method, whereby the data importer commits to regularly inform the data exporter that it has received no order to disclose personal data;

7. Obliging the data importer to assess, under local law, the legality of any order to disclose data;

8. Stipulating that personal data may only be accessed the express or implied consent of the exporter and/or the data subject; and

9. Requiring the data exporter and data importer to assist data subjects in exercising their rights in the third country.

The potential contractual solutions proposed by the EDPB provide some potential flexibility to controllers who wish to make transfers of personal data.  However, the process of negotiating these types of protections with third parties is likely to be time consuming and requires the co-operation of the third parties.

3. Organisational Measures

Additional organisational measures may consist of internal policies, organisational methods and standards that data exporters may put in place in its own business as well as imposing on data importers.

1. Internal policies governing data transfers (especially with groups of enterprises) with clear allocation of responsibilities for data transfers, reporting channels and standard operating procedures for access requests from public authorities;

2. Documentation and record keeping of requests for access from public authorities and the response provide, alongside the legal reasoning and the actors involved;

3. Regular publication of transparency reports or summaries regarding requests for access by public authorities;

4. Strict and granular data access and confidentiality policies and best practices, based on a need-to-know principle, monitored with regular audits and enforced through disciplinary measures;

5. Procedures to ensure the Data Protection Officer, legal and internal auditing services are involved on matters related to international personal data transfers;

6. Adoption of strict data security and data privacy policies, based on EU certification or codes of conducts or on international standards and best practices; and

7. Other measures such as a regular review of internal policies to assess the suitability of the implemented supplementary measures, as well as commitments from the data importer to not engage in onward data transfers where an equivalent level of protection cannot be guaranteed in the third county.

As noted by the EDPB, these organisational measures are most likely to be relevant to intra-group transfers.  They are also likely to be most palatable to organisations, but with that comes the risk that they may not be sufficiently robust on their own to facilitate transfers.

Although in principle the recommendations on supplementary measures are likely to be welcomed by organisations, it is unlikely that those entrusted with making decisions in relation to transfers to third countries will find any easy answers in the suggested measures.

Also contributed by Róisín Finn.