Post Schrems II World: EDPB Adopts Recommendations on Supplementary Measures for International Data Transfers
On June 18, the European Data Protection Board (EDPB) formally adopted Version 2 of its Recommendations on measures that supplement transfer tools, first adopted on November 10, 2020, following the landmark Schrems II decision from the Court of Justice of the European Union.
The first Recommendations were adopted in November and issued for public consultation. Upon receiving numerous helpful comments and suggestions, the EDPB issued Version 2 of the Recommendations, revising the initial Recommendations to incorporate feedback received during the commenting phase. The EDPB focused most of its revisions on guidance related to destination countries:
- Assess a destination country’s practices toward data in addition to its legal standards
- Assess a destination country’s laws toward data and actions it can take without consulting with the data importer
- The data exporter’s reliance on the data importer’s actual experience
- Reliance on the Recommendations to meet compliance requirements for the European Commission’s (EC) revised Standard Contractual Clauses (SCCs) announced June 4, 2021 (which we recently discussed)
Where some of the European Commission’s regulations and guidance remain difficult to apply in practice, the EDPB’s Recommendations are designed to be easily relied on and used as a framework for exporters to ensure that transferred data is guaranteed a level of protection essentially equivalent to that under the General Data Protection Regulation (GDPR).
The EDPB’s framework remained similar to that of Version 1, but the details, annexes, and case scenarios provide more relevant and thorough material than in the initial version. The framework is designed for exporters to use as they assess whether and which, if any, supplementary measures are needed for their transfers to ensure adequate protection of data.
Accountability in Data Transfers
- Principle of accountability: an ongoing requirement for controllers and processors to seek compliance with data protection rules and rights under the GDPR. This requirement includes transfers of data to other countries.
- Applying the principle of accountability to data transfers in practice: document everything (the assessment, the decision to use supplementary measures, which measures are chosen and which are used) in the event the competent supervisory authority requests such evidence.
Framework’s Six Steps
1. Know your transfers.
   - Record and map transfers, including onward transfers. Remember data minimization.
2. Identify the transfer tools you are relying on.
   - Check the EC website to determine whether an adequacy decision is in place for the destination country. If there is, you do not need to take any further steps described in the Recommendations.
   - If there is no adequacy decision, look at the Article 46 GDPR transfer tools or appropriate safeguards:
     - Binding corporate rules (BCRs)
     - Codes of conduct
     - Certification mechanisms
     - Ad hoc contractual clauses
   - You may need to combine a transfer tool with supplementary measures to ensure an essentially equivalent level of protection.
   - Article 49 derogations can be considered only after the above measures fail. Their requirements are strict and may not be met; turn to them only if the above are inadequate.
3. Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer.
4. Adopt supplementary measures.
   - Annex 2 of the Recommendations provides a non-exhaustive list of supplementary measures.
   - If the supplementary measure combined with the transfer tool provides an essentially equivalent level of protection, proceed with the transfer.
   - If supplementary measures are not effective or sufficient to guarantee an essentially equivalent level of protection, any transfers already initiated must be stopped and the transfer cannot proceed.
5. Take procedural steps if you have identified effective supplementary measures.
   - If effective supplementary measures are identified above, follow the procedural steps for the Article 46 GDPR transfer tool you are using or plan to use:
     - Standard Contractual Clauses (SCCs):
       - No additional authorization is needed so long as the supplementary measures do not contradict the SCCs and the GDPR’s level of protection is guaranteed.
       - Modifications of the SCCs do require the approval of a competent supervisory authority.
     - It is the data importer’s and exporter’s responsibility to determine that the adequate level of protection is met when data is transferred to a third country.
     - If it is not met, consider which supplementary measures to adopt and whether the destination country’s laws or practices will result in ineffective protection.
     - Ad hoc contractual clauses:
       - The Schrems II decision applies, meaning the parties cannot guarantee on behalf of destination countries’ public authorities that those authorities will be bound by the parties’ contractual terms.
6. Re-evaluate at appropriate intervals.
   - The principle of accountability is an ongoing requirement; compliance does not happen just once, and each transfer must be compliant.
Our Privacy, Cybersecurity, and Data Management team will continue to monitor developments in this arena.