The EDPB Announces Recommendations for Data Transfers Post-Schrems II

On November 11, 2020, the European Data Protection Board (EDPB) announced that it had adopted recommendations on measures that supplement transfers tools to ensure compliance with the EU level of protection of personal information and recommendations for surveillance measures. These recommendations were adopted in response to the Schrems II ruling in which the EU-US Privacy Shield was invalidated in July 2020 as an acceptable mechanism for transferring personal data outside of the EU. Up to this point, many organizations have been relying on Standard Contractual Clauses (SCCs) and other transfer tools mentioned under Article 46 of the EU General Data Protection Regulation (GDPR) as the means to transfer data outside of the EU. However, the EDPB’s press release states that controllers relying on Standard Contractual Clauses (SCCs) are required to verify, where appropriate and in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the European Economic Area (EEA). Moreover, it states that the Court of Justice of the European Union (CJEU) had allowed exporters to add measures that are supplementary to the SCCs to ensure effective compliance with that level of protection where the safeguards contained in SCCs are not sufficient. The recommendations by the EDPB present a roadmap of steps data exporters must take to find out if they need to put in place supplementary measures to be able to legally transfer data outside of the EU. Refer to the links below to read the Supplementary Transfer Measures Recommendations and the Surveillance Recommendations from the EDPB:

Below is a 6-step process that data exporters may consider following to understand whether they have adequate legal basis for transferring data outside of the EU:

  1. Know your Transfers
    In this first step the EDPB advises that data transfers to third countries are identified by carrying out a records of processing activities (RoPA) exercise. The EDPB recognizes that it can be difficult but organizations must understand where the personal data goes and ensure transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country.
  2. Identify Data Transfer Mechanisms
    The second step consists of verifying the transfer tool the data exporter relies on. Data exporters will not need to take additional steps where the European Commission has already declared the recipient country as adequate. In the absence of adequacy decisions, the recommendation states that exporters may use the transfer tools under Article 46 of the GDPR (e.g. SCCs and Binding Corporate Rules (BCRs)). Additionally, data exporters may use the derogations provided by Article 49 of the GDPR only in some cases of occasional and non-repetitive transfers and if conditions are met.
  3. Assess whether the adopted transfer mechanism is effective
    This third step is to assess the third country’s legal order. Exporters should focus on the third country’s legislation and rules to determine if they provide the appropriate safeguards. Assessments should be carried out with due diligence and documented as the data exporter will ultimately be accountable for the decision taken.
  4. Adopt supplementary measures
    This fourth step is to identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is key as it is only applicable if the legal assessment reveals that the transfer tool used under Article 46 GDPR is not effective. The recommendation in Annex 2 of the Supplementary Transfer Measures Recommendations provides a non-exhaustive list of examples of supplementary measures, including:
    • Technical measures
    • Additional contractual measures
    • Organizational measures
  5. Address the procedural steps related to the specific transfer mechanism
    The fifth step is to take any formal steps that the adoption of supplementary measures (determined in step 4) may require.
  6. Monitor and re-evaluate the assessment at appropriate intervals
    The sixth and final step requires data exporters to re-evaluate at appropriate intervals the level of protection afforded to the data transfer to third countries and to monitor if there have been or there will be any developments that may affect it. While the recommendations do not define the frequency at which these reviews should occur; as a best practice, organizations should assess the level of protection to the data transferred on an annual basis, or when a change occurs that could impact the initial assessment of the level of protection.

Furthermore, the EDPB complemented the practical guidance on international data transfers by issuing the “Surveillance Recommendations” which identify the European Essential Guarantees for surveillance measures. The guarantees must be taken into account when transferring personal data in order to ensure that interferences with the rights to privacy and protection of personal data through surveillance measures do not go beyond what is necessary and proportionate in a democratic society:

  • Processing should be based on clear, precise, and accessible rules
  • Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
  • An independent oversight mechanism should exists
  • Effective remedies need to be available to the individual

Conclusion

The EDPB recommendations come at a time when many organizations are continuing to determine their transfer mechanisms post-Schrems II. The recommendations are aimed to help data exporters with the complexity of assessing third countries and identifying appropriate supplementary measures. The EDPB recommendations provide data exporters a framework when dealing with transfers to third countries and ensuring data transfers are adequate. Although this article has listed the recommendations from the EDPB, organizations should carefully review and interpret the applicability of the recommendations to the organization. While many organizations may have already implemented some of the steps recommended such as data map, it is important for data exporters to revisit their privacy programs to ensure proper alignment with the recommendations. For example, ensuring data maps are up to date, policies and procedures that govern the program are in place, ensuring compliance with BCR commitments, etc. Our team of experts can help you operationalize the recommendations adopted by the EDPB and increase the maturity of your privacy program.

Interested in talking more about privacy services? Get in touch with us.