On 11 November 2020 the European Data Protection Board (“EDPB”) published its much awaited recommendations on international data transfers (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data) following the recent judgment C-311/18 (Schrems II) of the Court of Justice of the European Union (CJEU). The recommendations (the “Recommendations”) are applicable immediately following their publication, yet remain open for public consultation until 30 November 2020.
The Recommendations provide a step-by-step roadmap to help data exporters assess a third country’s legal order and identify appropriate supplementary measures in order to protect data flows.
In addition, please note that on 12 November 2020 the European Commission issued a new draft decision on standard contractual clauses for the transfer of personal data to third countries, open for feedback until 10 December 2020.
Step-by-step roadmap key takeaways
Step 1 – Mapping and recording all data transfers
Data exporters are advised to have full oversight of their transfers, including what data is being transferred, to where (the recipient country) and to whom. In order to gain full awareness of the transfers, data exporters are guided to rely on the records of processing activities that they may be obliged to maintain as controller or processor under Article 30 GDPR. When doing so, the GDPR’s data minimization and purpose limitation principles should also be respected and verified, meaning that data exporters need to ensure they are only transferring adequate, relevant and the minimum amount of personal data necessary for such purpose.
Step 2 – Identify the data transfer mechanisms
Data exporters shall identify for each personal data transfer (i) whether the recipient country has been granted an adequacy decision, and if not (ii) which appropriate GDPR Article 46 safeguards (for example, SCCs or Binding Corporate Rules (BCRs)) or Article 49 derogations (for example, consent or performance of a contract) they will rely on to legitimize the transfer.
Step 3 – Assessment of the transfer tool effectiveness
Effective means that the transferred personal data is afforded a level of protection in the third country that is essentially equivalent to that guaranteed in the EEA. Thereby, if the data exporter relies on appropriate safeguards, it shall assess to what extent the law or practice of the third country may infringe on the effectiveness of the appropriate safeguards in the context of the transfer.
The assessment should be focused on the legislation or, if that is not available, on other factors relevant to the transfer and the appropriate safeguards that may undermine the level of protection. The data exporter is recommended to seek guidance from the data importer (located in the third country) on the relevant applicable laws, and to contractually require the data importer to provide such guidance.
In this context, the EDPB issued a second document – the Recommendations 02/2020 on the European Essential Guarantees for surveillance measures – outlining the elements to be taken into account when evaluating foreign laws. It essentially provides that third country legislation complying with the following guarantees would offer an essentially equivalent level of protection: (i) it lays down clear and precise rules governing the scope and application of the measure in question and imposes minimum safeguards; (ii) it demonstrates that the interference with data protection rights is necessary and proportionate with respect to the legitimate (public interest) objective pursued; (iii) it provides for an independent oversight mechanism (for example, an administrative body or court); and (iv) it provides for effective remedies for the individual (redress rights).
Step 4 – Identify and implement supplementary protection measures
The fourth step, as the EDPB outlined, is to identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence.
However, the fourth step is only necessary if the above assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 transfer tool that is being relied upon (for example, SCCs or BCRs).
The Recommendations have provided a non-exhaustive list of examples of: (i) technical measures, which include state-of-the-art encryption and pseudonymization; (ii) contractual measures (with the data importer); and (iii) organizational measures (which are especially relevant for intra-group transfers). The EDPB highlights that the data exporter (and importer) bear the responsibility for ensuring that the measures are effective, and this may mean, for instance, that several measures will need to be combined or that no measure can ensure an essentially equivalent level of data protection (in which case the transfer shall be suspended).
Step 5 – Implement appropriate safeguards
The fifth step entails that the data exporter and importer comply with all procedural formalities to put in place the appropriate safeguards, for example, executing SCCs and complying with any requirement to notify the relevant supervisory authority.
Step 6 – Monitor and re-evaluate transfer approach on a regular basis
Data exporters should also monitor the legal and regulatory developments applicable to their personal data transfers, as well as the third country’s legal regime, to ensure an essentially equivalent level of data protection (especially in this fast-evolving regulatory landscape). This also applies to adequacy decisions, as these may be re-evaluated by the European Commission from time to time.
In its effort to provide recommendations and concrete examples for data exporters to address EU data protection standards for worldwide data transfers, the EDPB also highlights that EU data protection authorities (“DPAs”) will continue monitoring and enforcing the GDPR and will consider the actions data exporters take to ensure their transfers are afforded an essentially equivalent level of protection. The EDPB also states that DPAs will suspend or prohibit transfers where an essentially equivalent level of protection cannot be ensured. Not least, the EDPB confirms that, together with the DPAs, it will continue to develop guidance for data exporters and coordinate actions to try to ensure consistent application of EU data protection legislation.