Viewpoints from Data Day: the EDPB’s Recommendations on Data Transfers After Schrems II
21 December 2020
Authors: Emma Swahne and Liisa Vaaraniemi
In November 2020, the European Data Protection Board (the “EDPB”) issued guidance on personal data transfers to third countries following the Court of Justice of the European Union’s (the “CJEU”) landmark decision in the Schrems II case (C-311/18). This was also one of the burning topics discussed in the most recent webinar of Hannes Snellman’s Data Day Webinar Series, in which we were joined by the Finnish Data Protection Ombudsman.
The judgement was issued on 16 July 2020, and we have analysed it in detail here, but the main points are the following:
- The EU-US Privacy Shield, a transfer mechanism under which personal data could be lawfully transferred outside the European Economic Area (the “EEA”) to the United States, was invalidated.
- The Standard Contractual Clauses (the “SCCs”) were upheld, subject to certain conditions. The CJEU stressed that the SCCs do not automatically make a transfer lawful: the exporter must separately assess whether supplementary measures are needed to ensure a level of protection essentially equivalent to that guaranteed in EU legislation, mainly the GDPR.
The concept of “supplementary measures” was introduced by the CJEU for the first time in the judgement. While the CJEU did not clarify the meaning of the concept, it stated that the responsibility for assessing the need for supplementary measures lies with the controllers. If the controller is unable to put in place supplementary measures that ensure an adequate level of protection, the controller has to suspend or cease the transfer of personal data to the third country.
Towards Common European Practices
In the discussions during Data Day, it was highlighted that the data protection authorities aim to unify the application of the GDPR and sanction practices within the EU. In this regard, it was reassuring to hear that the Ombudsman is of the opinion that the current Finnish practices fit within the common European framework, which we hope will dispel fears of radical change in the current sanction practices.
In the future, the Ombudsman’s office will further strengthen international cooperation. This is a natural outcome of the cooperation required and enabled by the GDPR, but also of the everyday nature of cross-border processing of personal data. As data transfers outside the EEA very often relate to activities in several Member States, common ground and effective cooperation between the authorities are important for businesses trying to find practical ways of complying with the requirements imposed by the EDPB’s recommendations, so that they can continue international data transfers, especially to the United States.
The EDPB’s Recommendations
In November 2020, the EDPB issued two recommendations dealing with the practical implications of the Schrems II decision: Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, and Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.
The recommendations aim to facilitate the assessment of whether the protection available in a third country is sufficient when personal data is transferred outside the EEA. They set out a six-step process designed to help data exporters assess third countries and identify the supplementary measures needed. Pursuant to the recommendations, when making international data transfers, organisations should:
- Map the transfers. The first step is to know your transfers. In practice, you should map the transfers of personal data to third countries that you are carrying out, keeping in mind that remote access from a third country also constitutes a transfer; storing information in a cloud service outside the EEA, or allowing personnel outside the EEA to access it, therefore counts as a transfer. Do not forget onward transfers, for instance where a processor outside the EEA passes the personal data you entrust to it on to a sub-processor in another third country.
- Identify the data transfer tools. The second step is to identify the transfer tools you rely on. If the European Commission has declared the country, region, or sector to which the personal data is transferred adequate through a valid adequacy decision, no further steps are required beyond monitoring that the decision remains in force. If there is no adequacy decision, the options are generally the transfer tools listed in Article 46 of the GDPR or, for occasional and non-repetitive transfers, the derogations in Article 49.
- Assess the effectiveness of the transfer tool in practice. The third step is to assess whether your transfer tool is effective in practice. Its effectiveness may be undermined by the law and practice of the third country. In practice, you should assess, for each specific transfer, whether the laws of the destination country would prevent the data importer from complying with its obligations under the transfer tool, in particular laws granting public authorities access to the data. The EDPB’s second document, on the European Essential Guarantees for surveillance measures, sets out the elements to be taken into account when assessing such foreign laws.
- Identify and adopt supplementary measures. The fourth step is to adopt the supplementary measures needed to bring the protection of the exported data up to the EU standard. Measures are only necessary if the assessment in the third step reveals that the third-country legislation affects the effectiveness of the transfer tool relied on. If so, supplementary measures must be identified and adopted to ensure a level of protection essentially equivalent to that guaranteed by the GDPR. The measures may be technical, such as encryption with keys held solely by the exporter in the EEA, organisational, or contractual, and in practice a combination will often be needed. Annex 2 of Recommendations 01/2020 lists examples of supplementary measures, stressing that the list is not exhaustive, so companies may adopt any measure they can show to be effective for the specific transfer. The Annex also warns that contractual and organisational measures alone will generally not prevent access by third-country public authorities, and that for some scenarios, such as a cloud provider that needs access to the data in the clear, the EDPB could not identify any effective technical measure.
- Take formal procedural steps. The fifth step is to take any formal procedural steps required to adopt the chosen supplementary measures, for example where they alter the SCCs and therefore require authorisation from the competent supervisory authority.
- Re-evaluate at regular intervals. The sixth step is to monitor and reassess the chosen approach at appropriate intervals, since developments in the third country and changes in the transfer may affect the level of protection achieved.
Takeaways in Practice
Although the SCCs were upheld by the CJEU, data exporters were given new responsibilities, as they were deemed ultimately responsible for making the concrete assessment in light of the circumstances of the transfer, the law of the third country, and the transfer tool relied on. Going forward, data exporters will need to (i) determine the laws applicable to the specific characteristics of each transfer, (ii) identify and assess any deviations from EU standards in the laws of the receiving country, and (iii) address and mitigate any such deviations by adequate, yet unspecified, supplementary measures, without which the transfer cannot lawfully take place.
The EDPB’s guidance is rather academic and burdensome to implement, which raises concerns about the significant additional cost of compliance: a considerable amount of time and effort will need to be spent assessing third-country legislation, a task likely to exceed the capabilities of most data exporters. Furthermore, it hardly seems appropriate that the assessment of the adequacy of third-country legislation is placed in the hands of exporters, as such issues have traditionally been dealt with by public authorities rather than by private parties. If every transfer of data from the EEA to a third country had to be assessed on a case-by-case basis, this could become a deadlock considering the number and frequency of international data transfers required to keep European business working.
However, businesses must act, as the new requirements set out concrete action steps, apply without a grace period, and cannot be disregarded on the ground that the legal situation is unclear. Based on our recent experience, there are ways to overcome the hurdle (at least to a certain extent), but they require a careful assessment of international data transfers against the requirements of the CJEU, as specified by the EDPB, and a commitment to start implementing supplementary measures that ensure the level of protection required by EU law, including re-arranging or localising certain processing activities.
In Hannes Snellman’s webinar, the Ombudsman drew attention to the fact that, where it is uncertain whether the level of protection guaranteed by the GDPR can be ensured, you should contact the competent supervisory authority for approval, the criteria for which should be set in cooperation with the EDPB. Hopefully, we will eventually have more practical rules for data transfers outside the EEA, which would also support the implementation of the long-awaited new SCCs, currently pending adoption by the Commission after a recently closed feedback period.