As many organizations continue to struggle with the fallout from the July 2020 Schrems II decision of the European Court of Justice (“CJEU”), in November the European Data Protection Board (“EDPB”) published two pieces of interrelated and eagerly anticipated guidance regarding the export of personal data from the European Economic Area (“EEA”) to countries that have not been deemed to provide adequate protection for personal data and the rights and freedoms of data subjects under the GDPR. The guidance is subject to public consultation through December 21, 2020.
In the Schrems II case, the CJEU addressed whether the ability of U.S. national intelligence agencies to conduct surveillance activities conflicted with the requirement that the data transfer mechanisms described in the GDPR provide an adequate level of protection for personal data when it is transferred to the United States. While the CJEU only invalidated the EU-U.S. Privacy Shield mechanism, it suggested that other transfer mechanisms also failed to provide the required “essentially equivalent” level of protection, and that some unspecified additional protections would be necessary before such transfers could possibly be acceptable. The EDPB’s guidance is meant to give organizations a step-by-step framework for assessing the sufficiency of the transfer mechanism for a given transfer, and to describe additional protections that may (but are not guaranteed to) be acceptable to E.U. regulators.
The EDPB Guidance
The first piece of guidance describes four essential guarantees (“Essential Guarantees”) that must be satisfied when personal data is transferred to another country and processed in a way that could conflict with the privacy guarantees described in the GDPR (such as processing for national security purposes). In addition to analyzing the law in the third country, the EDPB recommends that the following four specific Essential Guarantees be assessed together as a whole because they are closely interlinked:
- Processing should be based on clear, precise and accessible rules (e.g., the legal basis for processing must be based on applicable law);
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated (e.g., these objectives need to exist in applicable law to help reduce the risk of interference with fundamental privacy rights);
- An independent oversight mechanism should exist (e.g., an independent and impartial oversight system provided by a judge or another independent body, such as an administrative authority or parliamentary body); and
- Effective remedies need to be available to the individual (e.g., legal remedies to effectively satisfy privacy rights).
While helpful, the Essential Guarantees do not provide organizations with a quick or easy answer to whether the third country’s law will interfere with an E.U. citizen’s fundamental privacy rights. It will take time to assess how the third country’s law applies to an organization’s operations and how that law compares to the GDPR. For example, organizations transferring personal data to the United States will need to determine whether Section 702 FISA and Executive Order 12,333 apply to the organization in the United States, whether these requirements would potentially interfere with an E.U. citizen’s fundamental privacy rights, and whether the four Essential Guarantees discussed above are satisfied. In sum, organizations will need to assess the privacy laws in all countries where they receive E.U. citizens’ personal data to determine the best practical solutions to comply with these complex EDPB recommendations.
The second piece of guidance provides a six-step framework for organizations to determine whether the existing data transfer mechanisms described in the GDPR (including binding corporate rules, standard contractual clauses, and any codes of conduct and certifications approved in the future) can meet the Essential Guarantees described above and ensure compliance with the “essentially equivalent” level of protection for personal data defined by the CJEU in the Schrems II decision. The guidance requires that organizations evaluate the following:
- Conduct and document a data mapping of the proposed transfer. Map all transfers of personal data outside of the EEA. Data exporters must know where the data is going to know if the data is adequately protected, including all additional onward transfers of data that the transferee may conduct outside of the EEA. The transferred data is limited to that data which is “adequate, relevant and limited to what is necessary . . . to the purposes for which it is transferred . . . and processed”. This data mapping exercise must account for all access to the data, including processes such as remote backup, support, and workforce members that may be located outside of the EEA.
- Choose transfer tools. Unless the transfer is to a third country with an adequacy determination, data exporters must choose between Standard Contractual Clauses (“SCCs”), binding corporate rules, codes of conduct, certification methods, or ad hoc contractual clauses.
- Assess the third country’s data protection laws. Do the laws of the third country impinge on the effectiveness of the transfer tools’ protections and safeguards? Effectiveness means that the third country affords the data a level of protection equivalent to that provided by the GDPR. This step may require the parties to analyze whether such laws actually impede the effectiveness of the safeguards by considering the Essential Guarantees, which lay out a process by which a transferor may evaluate “whether surveillance measures . . . by public authorities in a third country . . . can be regarded as a justifiable interference or not.”
- Adopt supplemental measures. The data exporters are responsible for assessing the effectiveness of the transfer tools on an ongoing and case-by-case basis. If the assessment reveals that the transfer tools do not provide a level of protection equivalent to that enjoyed in the EEA, data exporters may adopt supplemental measures in the form of technical, contractual, or organizational measures.
- Required formalities. If it is necessary to adopt supplementary measures in the form of modified SCCs, or supplemental measures that contradict the SCCs, data exporters must have the supervisory authorities review and approve them.
- Ongoing review. Re-evaluation and continuous monitoring of the level of protection must occur at routine intervals to evidence accountability.
In addition to the six-step assessment process described above, the EDPB also suggested that companies adopt, and require the receiving organization to adopt, the following technical, procedural, and administrative controls to provide the required level of protection:
- Use of encryption. The EDPB guidelines all but make encryption a mandatory tool to safeguard personal data from the EEA, provided that there is no legal obligation to provide the encryption key to a government authority.
- Pseudonymization. This method of protection is specifically mentioned in GDPR Article 32 as a measure to adequately protect personal data. However, it may only be useful where the receiving party does not need to know the identity of the data subject to properly process the personal data. Organizations should also consider the possibility that the recipient could re-identify the data subject by looking at the pseudonymized data.
- Transparency and due diligence. Data importers should commit to fully understanding their national surveillance laws and those laws’ potential impact on the proposed transfer of personal data. The guidance also suggests that data importers should commit to providing as much notice about any requests from government authorities as is legally permitted, and to describing any restrictions or procedures they will follow if they receive such a request.
- Audit requirements. The EDPB guidance suggests that data exporters should require data importers to submit to privacy audits to verify whether or not the data importer provided E.U. personal data to government authorities. This is likely to be impractical for most large U.S. cloud service organizations as it's more likely that organizations will only be willing to provide the results of independent third party audits.
- Use of a warrant canary. The EDPB guidance suggests that organizations publish a cryptographically signed message to the data exporter on a regular basis for as long as the organization has not received a request from a governmental authority for access to personal data; the absence of a fresh message is the signal that a request has arrived. However, the use of this “canary” may prove to be impossible when the order prevents the disclosure of the existence of the order, such as the gag restrictions provided for in FISA orders.
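The warrant canary mechanism from the last bullet, as an added example that is not part of the EDPB guidance or any vendor's implementation: the data importer signs a dated statement with Ed25519 at each agreed interval, and the data exporter verifies the signature and rejects a canary that is missing, stale or re-dated. The canary wording, the one-week interval and the out-of-band key exchange are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Agreed canary wording (constructed for this example; the parties would fix it contractually).
const canaryText = "No governmental request for access to EEA personal data has been received."

// Canary is one periodic publication by the data importer.
type Canary struct {
	Published time.Time
	Signature []byte
}

// NewCanaryKeys generates the importer's Ed25519 key pair; the public key goes to the exporter out of band.
func NewCanaryKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// canaryMessage binds the wording to the publication date, so an old signature cannot be re-published as fresh.
func canaryMessage(published time.Time) []byte {
	return []byte(canaryText + "\n" + published.UTC().Format(time.RFC3339))
}

// SignCanary is run by the importer at every agreed interval, for as long as no request has been received.
func SignCanary(priv ed25519.PrivateKey, published time.Time) Canary {
	return Canary{Published: published, Signature: ed25519.Sign(priv, canaryMessage(published))}
}

// VerifyCanary is run by the exporter. A bad signature, a future date or a canary older than maxAge is the signal.
func VerifyCanary(pub ed25519.PublicKey, c Canary, now time.Time, maxAge time.Duration) error {
	if !ed25519.Verify(pub, canaryMessage(c.Published), c.Signature) {
		return fmt.Errorf("canary signature invalid")
	}
	if c.Published.After(now) || now.Sub(c.Published) > maxAge {
		return fmt.Errorf("canary stale or misdated: %s", c.Published.UTC().Format(time.RFC3339))
	}
	return nil
}

func main() {
	pub, priv, _ := NewCanaryKeys()
	c := SignCanary(priv, time.Now())
	fmt.Println("fresh:", VerifyCanary(pub, c, time.Now(), 7*24*time.Hour))
	fmt.Println("30 days later:", VerifyCanary(pub, c, time.Now().Add(30*24*time.Hour), 7*24*time.Hour))
}
```

Silence is the only information this gives the exporter, and, as noted above, a gag order may remove even that.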
The EDPB guidance is detailed and contains additional recommendations and guidance that organizations should consider reading in full. As the dust continues to settle after Schrems II, organizations should continue to review guidance from supervisory authorities and conduct regular audits for compliance with data security obligations. Organizations transferring data from the European Union (either through SCCs, binding corporate rules, or otherwise) will be under increased pressure to ensure compliance with those transfer mechanisms' applicable terms and any implemented supplemental measures. Organizations should also be mindful that the European Commission is revising the SCCs, which may impose additional obligations on both data exporters and data importers.