On 18 June 2021, the European Data Protection Board (EDPB) published its long-awaited final Recommendations on measures that supplement data transfer tools (the Recommendations), following the Schrems II decision of the CJEU.
Under the GDPR, organisations may transfer personal data outside the EEA to countries without adequacy status from the European Commission on the basis of transfer tools – i.e. approved standard contractual clauses (SCCs), ad hoc contracts approved by a national supervisory authority, binding corporate rules (BCRs), codes of conduct or certification mechanisms. Following the interpretation of the GDPR by the CJEU in the Schrems II decision, organisations relying on transfer tools must also ensure that the level of protection for the personal data in the destination country is essentially equivalent to that guaranteed in the EEA. This requires an assessment of the level of data protection law and practice in the destination country in the context of the specific transfer, and may require putting in place supplementary measures in addition to the transfer tool.
The final Recommendations address the steps organisations need to take before a transfer can take place; explain how to conduct the required assessment; and identify the supplementary measures necessary to achieve the required level of protection. The final version provides a more practical view of compliance with the transfer obligations and introduces a risk-based approach to this compliance. However, the risk-based assessment requires thorough analysis of any subjective elements (i.e. experience of the importer with data access requests), proper documentation of the decision-making process and substantiation of the findings by multiple sources.
The main changes in the final Recommendations, as compared to the November 2020 draft, are summarised below:
- when mapping all international transfers of personal data, organisations must specifically consider potential transfers to sub-processors and remote access to data from a third country;
- the EDPB confirms that transfers may be made on the basis of derogations, but no longer states that such transfers are not allowed to be “regular and repetitive”, as in the draft Recommendations, pointing out instead that transfers based on derogations cannot become “the rule” in practice and need to be restricted to specific situations;
- when assessing the law and practice in the destination country to determine if it prevents the transfer tool from achieving the required level of protection, the Recommendations list new elements that should be addressed in the assessment, including:
  - the sensitivity of data (whether special categories of data or data about criminal offences are involved and any envisaged onward transfers of these sensitive data);
- when data exporters and importers assess the powers of public authorities to access the transferred data on the basis of the European Essential Guarantees, they are expected to limit the scope of the assessment to the legislation and practices relevant to the protection of the specific data being transferred (unlike the general and broad adequacy assessments of the European Commission);
- guidance on possible assessment scenarios and outcomes is included (e.g. when a third country’s legislation formally meets the EU standards but the day-to-day practices in that third country do not; or when the third country lacks legislation on access to privately held data by public authorities);
- the Recommendations now expressly recognise that exporters may proceed with a transfer even to an importer in a third country with “problematic legislation” if exporters have no reason to believe that relevant and problematic legislation will be applied in practice to their transferred data and/or the importer (and therefore will not prevent the importer from fulfilling obligations under the selected transfer tool). This assessment should be demonstrated and documented in a detailed report. The recipient’s experience is one relevant factor, but must be corroborated;
- the list of potential sources for assessment is extended to include e.g. reports from private providers of business intelligence on financial, regulatory and reputational risks for companies, reports based on practical experience with prior instances of requests for disclosure from public authorities (or the absence of such requests) from entities active in the same sector as the importer, business associations, governmental diplomatic, trade and investment agencies of the exporter or independent bodies such as the Global Privacy Assembly, and transparency reports, internal statements or records of the importer expressly stating that no access requests were received for a sufficiently long period;
- in relation to supplementary measures to bring the protection for the personal data up to the required level, the Recommendations clarify certain aspects of technical measures related to encryption. The EDPB refers organisations to ENISA’s technical guidance to support assessment of the strength of encryption, interpret what “state of the art” means in IT and identify best practices for information security measures. The EDPB warns that protection from cryptographic algorithms may decline over time, and the exporter must consider that public authorities may attempt to access encrypted data (e.g. data in transit) and store it until their resources are sufficient for decryption. The supplementary measure can only be considered effective if such decryption and subsequent further processing at that time would no longer constitute an infringement of the rights of data subjects;
- where the recipient needs access to data in the clear, the EDPB maintains its previous position that no effective technical measures that would protect data from access by public authorities can be identified at this moment;
- the requirement to notify the relevant DPA if the exporter wants to proceed with a transfer for which no supplementary measures have been identified is deleted from the final Recommendations; however, the EDPB presumes that organisations will not proceed with such a transfer; and
- the EDPB confirms that the Schrems II judgement is relevant for intra-group transfers relying on BCRs. The same requirements for country assessments apply to transfers based on BCRs and, where necessary, supplementary measures might need to be put in place. The EDPB will issue the updated referrals WP256 and WP257 to clarify which commitments company groups will need to implement in their existing and future BCRs in order to comply with Schrems II.
The final Recommendations are available here.