Unfortunately, the draft guidelines provide no panacea for companies engaged in international data transfers of personal data from the EEA to third countries. Instead, organizations face 55 pages of guidance that provide few workable solutions for international data transferors—apart from a lengthy protocol for conducting risk assessments.
In this update, we analyze the EDPB’s view on how companies should approach international transfers of personal data in the future and outline its six-step process for assessing the risk associated with the international transfer and putting in place mitigation measures. We consider the non-exhaustive list of potential safeguards to help data exporters ensure that transferred personal data is afforded an “essentially equivalent” standard of protection to that guaranteed under the GDPR.
The guidance is immediately applicable but open for public consultation until November 30, 2020. While the guidance may change in light of responses to the consultation, it would likely be overly optimistic to hope for significant changes to alleviate the pain.
There is some good news contained in the guidance. The EDPB has set out a straightforward six-stage process that it expects data exporters and data importers to follow when assessing and documenting their international data transfers and the risks to data subjects associated with them.
In short – it’s complicated. While the six-stage process is straightforward, the EDPB emphasized that transfers should be individually assessed, and the analysis needs to be documented in line with the accountability principle under the GDPR. Also, data exporters may be asked to produce their documented analyses to supervisory authorities – and possibly commercial partners – to address potential questions.
The EDPB notes that, as a general rule, transfers to U.S. entities subject to section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 U.S.C. § 1881a) and Executive Order 12.333 can only be made in a manner compatible with the GDPR if technical measures are in place to preclude the disclosure of personal data to U.S. security authorities (page 14). According to the EDPB, this essentially requires that any data transferred to U.S. entities subject to these laws is unreadable by those entities in the absence of encryption keys or additional data to which such recipients must be denied access.
The use cases set out by the EDPB are of concern, as these flag two very common sets of data transfers as examples of scenarios where the EDPB is unable to identify suitable technical measures to prevent access by foreign intelligence services, namely:
Many organizations held off on making significant operational changes post-Schrems II in the hope that the guidance published by the EDPB and national data protection authorities would provide some much-needed pragmatism. Unfortunately, the guidance, as drafted, has not provided much relief.
What is clear from the EDPB’s guidance is that transferring personal data outside the EEA is more complex than simply identifying a valid transfer mechanism. Where previously both data exporters and data importers have often relied heavily on the contractual protections afforded by the Standard Contractual Clauses or approved binding corporate rules, this is unlikely to be enough going forward. Organizations must now assess, document and implement a combination of technical, organizational and additional contractual measures to mitigate the risk of processing in a manner incompatible with EU law. While the new draft set of Standard Contractual Clauses for Processors issued by the European Commission has incorporated much of the EDPB guidance, the new Standard Contractual Clauses seem to permit a risk assessment taking into consideration, i.a., the categories of data concerned and access requests by law enforcement in the third country (see Clause 2(b)).
For transfers to the United States, the guidance calls out FISA 702 as being incompatible with the principles of the GDPR and specifies that any transfers to entities subject to 702 FISA can only be made if “additional supplementary technical measures make access to the data transferred impossible or ineffective” (emphasis added). While this statement follows the view of the CJEU in the Schrems II judgment, it unfortunately lacks any discussion of the substantive legal arguments the U.S. Department of Commerce (DOC) and U.S. Department of Justice (DOJ) presented in their September 2020 whitepaper, which argues that the EU Commission did not base its adequacy finding in 2016 on a comprehensive set of facts regarding the application of FISA. Further, the EDPB’s guidance cautions against relying on nonbinding statements suggesting a broad lack of interest in collecting certain data (as suggested in the DOC and DOJ whitepaper).
For the UK, as January 2021 looms on the horizon, any post-Brexit adequacy decision is looking increasingly unlikely. Like the U.S., the UK’s surveillance laws have received criticism from the EU and, as the UK will no longer be within the EEA, EU data exporters will now need to apply the same rigour to international data transfers to the UK as they do to other third countries.
The regulatory burden primarily falls on European, U.K. and Swiss companies exporting personal data to international partners or vendors to demonstrate that these transfers are lawful and that data subjects are receiving “essentially equivalent” protection. The flip side of this is that U.S. and other third country entities receiving personal data outside the EEA will also need to develop ready-made mechanisms to reassure EEA data exporters that they are able to provide a level of protection for personal data compatible with obligations under the GDPR. The – very unpalatable – alternatives would either involve abandoning their EEA, U.K. and Swiss client base or facing the administrative burden of either implementing some form of data localisation in the EEA or addressing each client’s requests for supplementary measures on an individual basis.
What Should Companies Do?
Even though this guidance is not yet binding and may change, it is safe to say that the process for conducting international personal data transfers is becoming increasingly more complex, and both data exporters and data importers need to start preparing for the new regime:
Finally, follow any further developments and watch out for the final guidance from the EDPB.
Background and Context
The GDPR contains several restrictions to ensure that the standard of protection for personal data set out in EU law is not circumvented simply by transferring personal data outside the EEA. Aside from its extraterritorial scope, the GDPR:
In July 2020, the CJEU published its decision in Schrems II, in which it declared the EU-U.S. Privacy Shield to be invalid and flagged that all international transfers of personal data (regardless of the legal mechanism) must be carried out in a manner that affords data subjects a level of protection with respect to their personal data that is “essentially equivalent” to that guaranteed within the EU. See our previous blog on the Schrems II decision for further details.
What was unclear from the CJEU’s decision, however, was how such equivalent protection could be guaranteed in a way that was compatible with international data recipients’ obligations under local law. Of particular focus was access to personal data by national surveillance authorities, especially in the U.S. where personal data processed by operators of “electronic communication services” are potentially subject to access by, or orders to disclose from, U.S. security authorities under Section 702 FISA and Executive Order 12.333.
The guidance published by the EDPB has therefore been long awaited by data exporters and data importers alike, in anticipation that EU regulatory authorities might be able to shed some light on how to address the issues raised in Schrems II in practice.
So, What’s “Essentially Equivalent”?
The question is not so much whether the law of the recipient’s country is “essentially equivalent” to the standard in the GDPR, but whether that law prevents the relevant transfer tool selected (whether Standard Contractual Clauses, binding corporate rules or another recognised mechanism) from being effective in ensuring that the level of protection guaranteed by the GDPR is not undermined by the transfer.
In carrying out the assessment, exporters are required to familiarise themselves with “all of the relevant aspects of the legal system of that third country,” using publicly available tools and help from data importers.
In particular, the EDPB has set out the key elements to be considered when analysing the level of access to, and the right to require disclosure of, personal data granted under the law of the third country. The European Essential Guarantees provide an overview of jurisprudence from the CJEU and the European Court of Human Rights on the question of what constitutes justifiable government interference with individuals’ privacy rights under the Charter of Fundamental Rights of the EU, neatly summarised into four essential elements:
Where applicable legislation is not publicly available or clear legislation is lacking, exporters must look beyond the legislation at “other relevant and objective factors” – namely reported precedents, legal powers, legislation and practice, and technical, financial and human resources at the disposal of the third country. The EDPB explicitly cautions against a reliance on what it refers to as “subjective” factors “such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards,” in what may be a (very) thinly veiled dig at the DOJ and DOC whitepaper.
It is important to flag, however, that the assessment is not an adequacy determination on the scale undertaken by the European Commission. Although the guidelines do propose that the same Article 45(2) adequacy considerations will be relevant, the analysis applies only to the given circumstances of the transfer, and the law of the recipient country is only one of the factors to be considered. Other elements will need to include:
In addition, while conducting such analyses for each transfer and each recipient country will be onerous in the short term, in the longer term one would expect that the information required about third countries’ legal regimes will become more readily available for assessment by EEA, U.K. and Swiss data exporters. This information, together with developing practice and comments from regulators, should either ease the time and effort required to conduct the initial research and provide more grounding and certainty for any conclusions drawn or, as with the United States, give clear guidance that such transfers are incompatible with EU law unless the data is rendered unreadable to the U.S. recipient.
What Happens Where the Level of Data Protection in the Third Country Does Not Effectively Ensure an Essentially Equivalent Level of Protection?
Data exporters will need to identify and adopt supplementary measures as necessary to bring the level of protection of the data transferred up to the EU standard. Where no supplementary measures can remedy the deficiencies identified, the EDPB says that transfers must be stopped or not commenced. If the data exporter intends to continue transferring the data notwithstanding the fact that the relevant deficiencies cannot be remedied, the EDPB takes the view that the data exporter should notify the competent supervisory authority.
Thankfully, the EDPB provides a non-exhaustive list of recommendations and examples of supplementary measures in Annex 2 of the guidance. These are broadly broken down into contractual, technical and organizational measures that can be combined in a way that they support and build on each other.
Of the use cases proposed by the EDPB, two are particularly noteworthy, as they refer to scenarios where the EDPB indicates it has not (yet) found any effective technical safeguards. These scenarios include data processing in the clear by cloud service providers (i.e., unencrypted processing) or remote access and use of data in the clear from a third country for business purposes, such as processing of personal data through human resource tools.
The EDPB emphasises the importance of technical safeguards, as making the data unintelligible other than to the data exporter is the most effective way of mitigating the risk of access to the transferred data by public authorities in third countries. The EDPB provides seven potential use cases:
If the encrypted data merely transits a third country, encryption in transit suffices.
In addition, in order to maintain the efficacy of encryption as a measure to mitigate the risk of disclosure to national authorities, the cryptographic keys would need to be stored out of reach of the data recipient – i.e., held solely by the data exporter or other entities entrusted with this task that reside in the EEA or an “adequate country.”
It will be interesting to see how this approach will align with the EU’s proposals to provide “lawful access” to end-to-end encrypted services in the United States.
As with the implementation of any encryption technique, the EDPB requires a high standard of pseudonymisation. It states that, in many situations, factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person, their physical location or their interaction with an internet-based service at specific points in time may allow the identification of that person even if his/her name, address or other plain identifiers are omitted.
By definition, supplementary contractual measures would need to go beyond those already set out in either Standard Contractual Clauses or Binding Corporate Rules.
That said, as the EDPB notes, the effect of such measures is questionable in that they only bind the data importer and not external parties (i.e., national authorities). Commitments to challenge government orders will generally provide “very limited additional protection” and will often only remedy deficiencies in the standard of protection when implemented as part of a broader package of supplementary measures.
The measures suggested by the EDPB are similar to the contractual measures proposed by the Data Protection Supervisory Authority for the State of Baden-Wuerttemberg (Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg) in August. See our previous blog for further details.
As with additional contractual measures, the EDPB states that organizational safeguards would need to be combined with contractual and technical safeguards in order to be effective. Organizational measures alone will rarely provide an essentially equivalent standard of protection. They might include:
If you have questions about this update, please reach out to the authors for more information.