The EDPB takes a strict approach in its recent guidance on international data transfers following Schrems II, posing a difficult challenge for businesses.
On 10 November, the European Data Protection Board (EDPB) released its much anticipated draft guidance on international personal data transfers (the Guidance) in the wake of the CJEU Schrems II decision. The EDPB simultaneously issued updated recommendations on the European Essential Guarantees for surveillance measures, which are referred to in the Guidance. The Guidance sets out the EDPB’s proposed step-by-step process for data controllers or data processors that export personal data, outlining how to assess their data transfers and implement General Data Protection Regulation (GDPR)-compliant mechanisms to protect data flows. One day later, the European Commission released draft updated Standard Contractual Clauses (SCCs) for the transfer of personal data. The draft updated SCCs are explicitly designed to address Schrems II requirements, and cross-refer extensively to the Guidance in the draft implementing decision.
The EDPB’s recommendations are applicable immediately, including in the United Kingdom, though they are also open for public consultation (until 30 November 2020). Commentators expect significant lobbying given the strict approach the recommendations reflect. While the Guidance is not legally binding on organisations, it gives a clear indication of EU regulators’ expectations. The Guidance raises a number of difficult questions and challenges for businesses, particularly those transferring data to the United States, which are examined below.
The EDPB recommends that all data exporters, within the scope of the GDPR, use the following roadmap to assess current and future personal data transfers outside of the European Economic Area (EEA):
- Step 1: Map the flow of personal data transfers, including any onwards transfers. Organisations may build on any existing records of processing activities for this step.
- Step 2: Identify applicable data transfer mechanisms. If an organisation is relying on an adequacy decision (under Article 45 GDPR), the only further step is to monitor the validity of the adequacy decision. If an Article 49 GDPR derogation can be relied on, the organisation does not need to take any further steps. If the organisation is relying on an Article 46 GDPR mechanism (such as SCCs or Binding Corporate Rules (BCRs)), it must move on to Step 3.
- Step 3: For SCCs and BCRs (and other Article 46 mechanisms), assess whether the transferred personal data is afforded a level of protection in the recipient country that is essentially equivalent to standards provided for by EU law. (In its assessment of the 2016 Privacy Shield decision, the CJEU in Schrems II found this was not the case for the United States, which the Guidance relies upon now.) If the legal regime of the recipient country undermines the commitments in the relevant Article 46 transfer mechanism, supplementary measures are required in order to mitigate those effects (see Step 4).
- Step 4: If the Step 3 assessment indicates that supplementary measures are required to ensure adequate protection, identify and implement appropriate supplementary measures. The Guidance includes a non-exhaustive list of potential technical and non-technical measures (the technical measures being problematic for many business models – see below for details). The Guidance states that non-technical measures, such as organisational or contractual measures, generally will not overcome any issues of public authorities’ access to personal data, and, therefore, such non-technical measures should generally be used to complement technical measures.
If the viable supplementary measures are not sufficient to ensure adequate protection for the transferred data, the EDPB states that the personal data must not be transferred, and any existing data transfers should be stopped and the data returned or destroyed.
- Step 5: Certain procedural steps may need to be taken to formalise any supplementary measures. The Guidance confirms that supplementary measures to SCCs do not require prior authorisation from the supervisory authority, provided the supplementary measures do not contradict the SCCs.
- Step 6: Re-evaluate the transfer mechanism and supplementary measures at appropriate intervals. The Guidance reiterates that accountability is a continuing obligation under the GDPR. The Guidance encourages exporting organisations to implement mechanisms to ensure transfers are promptly suspended or terminated if an importer breaches or is unable to honour commitments under the Article 46 mechanism, or if the supplementary measures implemented are no longer effective.
Assessing Legal Regime Essential Equivalence
The Guidance states that all transfers that rely on the SCCs or BCRs (or other Article 46 bases) should be assessed to determine whether the transferred personal data is afforded a level of protection in the recipient country (including onwards transfers) that is essentially equivalent to that prescribed by EU law, in respect of the specific transfer in question. In light of Brexit, this assessment would also be required for relevant data transfers from the EEA to the UK from 1 January 2021, unless and until an adequacy decision is made in favour of the UK. All relevant data transfers are expected to be assessed in the same way.
The proposed assessment of the essential equivalence of the recipient country’s legal regime under the Guidance involves, firstly, identifying the laws and practices applicable to the specific transfer (including legal principles and doctrine, legislation, case law, reported practice, data protection structures, reports from intergovernmental, civil society, or academic institutions). Secondly, the identified legal regime must be assessed to determine whether it impinges on the SCC/BCR protections, including whether individuals can effectively exercise their data subject rights. The Guidance expects particular attention to public authorities’ power to access personal data — and requires exporting organisations to assess whether those powers meet the EU law obligations regarding necessity and proportionality in relation to the protection of fundamental rights in light of the EDPB’s recommendations on European Essential Guarantees and the Charter of Fundamental Rights.
The EDPB further states that organisations should conduct their risk assessments with due diligence and document them thoroughly. The Guidance explicitly confirms that organisations will be held accountable for their data transfer decisions based on these assessments.
The legal regime assessment described in the Guidance is likely to be enormously onerous in practice, even for those organisations with well-resourced legal and compliance support. An assessment of equivalence is a complex legal analysis and in our view it is not practical to expect small businesses to be able to undertake it. Commercial and market factors will also come into play in the context of transfers to vendors, and may require the potential re-negotiation of long-standing vendor arrangements. The draft Guidance position effectively leaves the vast majority of organisations with a choice between a highly burdensome compliance exercise, or keeping the data in/returning the data to the EEA (which may not be feasible in many circumstances).
If an organisation’s Step 3 assessment concludes that the recipient country’s legal regime does not meet the essentially equivalent standard, the exporting organisation must implement supplementary measures to ensure adequate protection for the personal data being transferred. The EDPB explicitly states that any measures must address the specific deficiencies identified in the recipient country’s legal regime. This may be challenging (potentially near impossible in some cases) in practice.
In terms of the recommended supplementary measures, the Guidance emphasises technical measures over contractual and organisational measures, with the EDPB stating that “…there will be situations where only technical measures might impede or render ineffective access by public authorities in third countries to personal data, in particular for surveillance purposes”. The recommended technical measures focus on encryption as a tool to prevent public authorities from accessing data.
While the Guidance promotes the use of encryption as a potential technical solution, the EDPB makes its view clear that, in order to be effective, the encryption arrangements must be such that the data recipient never has access to, or the ability to access, the unencrypted data or the encryption keys. The Guidance relies upon the CJEU’s decision in Schrems II to conclude that, based on the US surveillance regime (particularly Section 702 of the Foreign Intelligence Surveillance Act), the United States does not meet the essentially equivalent standard. This conclusion appears intended to preclude any effective supplementary measures for the majority of US-based cloud services arrangements or global, intra-group data sharing with a US nexus where there is a need for data access in the US to operate the relevant business or its services (at least in the context of today’s most commonly available encryption technology).
Is There Still Room for a “Subjective” Assessment of Risk?
In relation to the Step 3 assessment, the EDPB states that assessments should be objective and that organisations should not rely on what the EDPB describes as “subjective” factors, such as the likelihood of public authorities accessing the transferred data. The EDPB does not make this same objective/subjective distinction in relation to the Step 4 assessment of the efficacy of supplementary measures. Moreover, the draft updated SCCs make clear that the assessment of the specific circumstances of the transfer must take due account of, amongst other factors, “any relevant practical experience with prior instances, or the absence of requests for disclosure from public authorities received by the data importer for the type of data transferred”.
This inconsistency may be clarified in any updated version of the Guidance. In the meantime, organisations may choose to rely on subjective factors in their Step 4 personal data transfer risk assessments. Arguably, a genuine case-by-case assessment of the practical risk to the personal data, and the adequacy of the data transfer safeguards, must take into account important factors such as the actual likelihood of access by relevant authorities.
Alternative Data Transfer Mechanisms
Absent an adequacy decision under Article 45, SCCs or BCRs, Article 49 GDPR contains a number of bases on which personal data may nonetheless be transferred, including explicit consent and performance of a contract. These Article 49 bases are not subject to the essential equivalence and supplementary measures requirements, and may therefore be seen as an increasingly attractive alternative to SCCs. However, Article 49 is not unlimited, and reliance on these legal bases may not be viable in practice in many circumstances.
While one of the specific transfer bases in Article 49 (namely, transfer based on compelling legitimate interests) is expressed in strictly limited terms (e.g., if the transfer is non-repetitive, concerns a limited number of individuals, etc.), the Guidance appears to suggest that all of the data transfer bases under that Article should be subject to these strict limitations. The basis for this restrictive interpretation is unclear and is unsupported by Article 49. The Guidance seems to imply that transfers that an organisation has previously justified using an Article 49 basis may now need to be re-evaluated based on the stricter approach suggested by the Guidance (which, in itself, may not properly respect the fundamental rights and freedoms protected under EU law). Commentators hope that the EDPB will clarify the position in the final Guidance.
Given the significant ramifications of the draft Guidance for global data transfers, we remain hopeful that the likely significant lobbying during the consultation period will result in changes reflected in the final guidance. For example, we would hope that the final guidance will at least make it clear that assessments should take into account the types of data involved and the extent of any risk of allegedly excessive access to data, and outline more realistic technical measures for companies to try to adopt. In the meantime, organisations should start to map their personal data transfers, as a first step in scoping the potential compliance exercise. Organisations currently relying on, or seeking to implement, SCCs, may look to the updated SCCs (once approved) for the concrete requirements for assessing the adequacy of the protection of the transferred personal data, in the context of the specific data transfer.