EDPB ISSUES SCHREMS II GUIDANCE ON ENSURING COMPLIANCE FOR DATA TRANSFERS

The Schrems II judgment from the Court of Justice of the European Union (read our blog post here) raised the bar for transfers of personal data to third countries by making clear that where Standard Contractual Clauses (“SCCs”) are being used, a level of due diligence needs to take place before any transfer can be made. This is to ensure that personal data originating in the EEA always carries with it protections which are essentially equivalent to those in the EEA. To help data exporters in that assessment, the EDPB has now issued guidance on how to carry out the due diligence exercise in practice (available here).

Whilst the “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” are subject to consultation until the end of November, it seems doubtful that significant/material changes will be made post-consultation to the final version of the guidance without substantial lobbying.

Unfortunately for both data exporters and data importers, although the requirements are now relatively clear, the framework is complicated and will require focus and considerable effort to ensure that all transfers are taking place in a compliant manner. There also remains a significant question mark over certain data transfers and whether or not they will continue to be possible in the future in a GDPR compliant manner.

Summary

We have set out below our key takeaways and initial thoughts in short form. We have then provided a more detailed view of the suggested steps for those who are more interested in the detail but perhaps not all 50+ pages of it!

• The long and winding road to compliance: As mentioned above, the proposed exercise to be undertaken by organisations on a transfer by transfer basis is extensive and likely to be resource heavy and time consuming. Coming off the back of extensive re-papering exercises for Safe Harbor, GDPR, and Privacy Shield, as well as Brexit preparations, this is unlikely to be welcome news for privacy professionals seeking budgetary sign-off for another data protection compliance and re-papering project.
• Mapping and then more mapping: The data mapping exercise alone suggested by the EDPB requires organisations to understand data flows not only to their processors, but also onwards transfers all the way down the chain to subprocessors, their subprocessors, and beyond. It is unlikely that many controller organisations will have this information readily to hand at the level of granularity required. Some may argue this shows a lack of compliance with the record of processing activity (“ROPA”) requirements of the GDPR, but for large global organisations with complex data flows, this will likely just reinforce the impracticality of the ROPA requirements themselves as well as the proposed guidance.
• Mini adequacy assessments: A key element of the EDPB recommendations is the assessment required to ensure that the laws of the importing country contain the so-called European Essential Guarantees (“EEGs”). Essentially this appears to boil down to a mini ‘adequacy assessment’ to be carried out at an organisational level and, for some key countries such as the US, it appears that the working assumption must be that personal data is not subject to an equivalent level of protection. Indeed, a cynical view could well be that very few countries would satisfy the EEGs.
• Supplementary measures only a supplement? Although the recommendations set out various options for technical, contractual and organisational supplementary measures which could be used to protect personal data, the essence of the EDPB guidance appears to be that, in situations where the importer country does not meet the EEGs, the only available acceptable ‘supplementary’ measure would be to encrypt the data to such an extent that it cannot be read even by the data importer – not a practical solution in most circumstances. However, without this, the guidance appears to make it clear that contractual and/or organisational measures alone will not supplement the transfer to a sufficiently protected level.
• Two important use cases: Finally, it is worth mentioning two specific use cases flagged by the guidance where the EDPB confirms that it is incapable of envisioning any appropriate supplementary measures to protect the data when being imported to a country which does not satisfy the EEGs – presumably meaning that any such data transfer cannot and should not take place: (i) transfers to cloud services providers which require access to data in the clear; and (ii) group access (even on a remote basis) to personal data for shared business purposes. Given that these two use cases are likely to be key for many organisations, it is unclear at the moment how it is possible to be able to navigate a compliant route through the EDPB’s guidance.

The (devil is in the) detail

The EDPB guidance is broken down into six steps for organisations to take.

Step 1 – Know Your Transfers

The first step in the process requires data exporters to undertake a comprehensive analysis of all transfers of personal data to third countries taking place (including remote access and cloud storage). The EDPB expects data exporters to be able to develop this information through a combination of their records of processing activities, and any information that they provide in privacy notices regarding data transfers, but further due diligence may well be required. The EDPB also makes clear that this exercise must identify onwards transfers by processors to sub-processors in another third country (or the same third country as the processors).

Once all relevant data transfers have been identified, data exporters must ensure that each transfer complies with the data minimisation principle, and that they are “adequate, relevant and limited to what is necessary in relation to the purposes which it is transferred to and processed in the third country”.

This identification and evaluation exercise must take place before any data transfer is made, and before any data transfer is restarted after a suspension.

Step 2 – Verify your transfer mechanism

Once data exporters have a handle on where their personal data is going, they must then identify the Chapter V GDPR transfer mechanism that they are relying on for each transfer.

If a data exporter is relying on an adequacy decision in respect of a transfer to a third country, assuming the adequacy decision is still valid, then no further action will be required. However, data exporters must monitor adequacy decisions to ensure they remain valid.

For non-repetitive data transfers, it may be possible to rely on one of the derogations in Article 49 GDPR (hereafter “Article 49”). Such transfers should be of an exceptional nature, and meet the requirements in Article 49, but no further steps are required in relation to these guidelines when relying on such a transfer mechanism.

For any other data transfers relying on one of the Article 46 GDPR (hereafter “Article 46”) mechanisms, data exporters need to continue through this process. Whilst the Article 46 mechanisms do contain some inbuilt safeguards to ensure personal data maintains an equivalent level of protection to that which it has in the EEA, these will need to be supplemented in some cases.

Step 3 – Assess the Effectiveness of your Article 46 transfer mechanism

The EDPB guidance makes clear that an Article 46 transfer mechanism will not always be enough to ensure personal data maintains the same level of protection as it carries within the EEA. Data exporters must therefore work with data importers to identify any laws or practices in the relevant third country which could prevent the data importer from complying with their obligations under the Article 46 transfer mechanism. It is clear that the EDPB expects cooperation from data importers in this regard, and they will have an active role in providing “relevant sources and information relating to the third country in which it is established and the laws applicable to the transfer”.

The guidance notes that there will be a number of relevant factors when considering how local laws might affect a transfer, including the purposes for the transfers, the entities involved, the relevant types of personal data, and the format of the personal data. Data exporters need to consider data subjects’ ability to continue to assert their rights, the effectiveness of the safeguards in Article 46, and any requirements to disclose personal data.

In practice, much of the assessment of equivalence will turn on the extent to which public authorities can access or intercept personal data. The ability to require disclosure or access to personal data does not necessarily undermine an Article 46 transfer mechanism provided that the requirements are limited to what is necessary and proportionate in a democratic society, with European standards being the level against which this is assessed. To this end, the EDPB has published a second guidance document, the “Recommendations 02/2020 on the European Essential Guarantees for surveillance measures” (available here). It sets out the European Essential Guarantees (“EEGs”) which are the minimum requirements that must be respected to ensure that interferences with privacy and personal data “do not go beyond what is necessary and proportionate in a democratic society”. There are four constituent guarantees, although the EDPB emphasised that these should be assessed on an overall basis given that they are closely interlinked:

• processing should be based on clear, precise and accessible rules;
• necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
• an independent oversight mechanism should exist; and
• effective remedies need to be available to the individual.

If the EEGs cannot be met, then the personal data is not subject to an equivalent level of protection to the EEA.

Where legislation in the relevant third country is lacking, data exporters must evaluate the transfer mechanism against other relevant and objective factors, rather than subjective ones such as the likelihood of public authorities’ access to the personal data. These objective factors may include considering precedents, legislation and practice that might indicate that a public authority will seek access to the personal data (with or without the data importer’s knowledge) or elements which demonstrate that a public authority may be able to access personal data through the data importer or direct interception. Annex 3 sets out further possible sources of information to make this assessment, including case law, adequacy decisions and intergovernmental resolutions and reports.

It is important that data exporters document their assessment at this step thoroughly, as the EDPB has made clear that data exporters will be held accountable for the decision they make about the effectiveness of the transfer mechanism. If the data exporter concludes that the transfer mechanism is not effective, because it does not ensure an equivalent level of protection to the EEA, then it must either put in place effective supplementary measures (as outlined in step 4), or not transfer the personal data in question.

Step 4 – put in place supplementary measures

Where the Article 46 transfer mechanism alone does not provide effective protections, data exporters will need to consider whether there are supplementary measures which they can put in place in conjunction with the data importer to cure these deficiencies.

Supplementary measures must be identified on a case by case basis, meaning transfers to the same third country but to different data importers for different purposes may have different supplementary measures.

These measures will be technical, contractual or organisational in nature. However, where the aim of the supplementary measures is to manage access by public authorities, contractual and organisational measures alone are unlikely to be sufficient, and technical protections will be necessary to limit access by public authorities to the personal data.

The EDPB has set out non-exhaustive examples of possible measures in Annex 2 of the guidance.

• Technical measures

The range of technical measures that might be implemented will be familiar to data exporters.

Unsurprisingly, encryption is a key focus in the potential technical measures that might assist to ensure the security of data transfers. This includes robust encryption prior to transmission, and ensuring that the encryption itself is strong enough to survive brute force attacks (including during transmission). Limiting access to encryption keys may also be a useful tool for protecting personal data.

Pseudonymisation will be of assistance where the data importer does not require a disaggregated data set. However, the EDPB has cautioned that this may not be sufficient in cases where personal data relates to the use of information services, given that public authorities may already hold other relevant data.

Technical measures are not a complete solution. They will not assist in respect of third countries where public authorities have access to personal data beyond what is necessary and proportionate, and the data importer needs access to personal data to be in the clear.

• Contractual measures

Contractual measures will generally need to be supplemented by technical or organisational measures, because they cannot bind third party authorities. Additional provisions can complement those which are already in place under the applicable Article 46 transfer mechanism, and may include provisions:

• requiring the use of specific technical measures;
• requiring the data importer to provide the data exporter with information about the extent to which public authorities can access personal data;
• warranting that the data importer has not created or is not required to leave backdoors in its systems, or has not otherwise facilitated access for third parties;
• allowing audit or inspection to confirm whether personal data has been disclosed to public authorities;
• requiring the data importer to inform the data exporter if the law changes in a way which impacts the maintenance of an essentially equivalent level of data protection;
• if permitted by local law, requiring the data importer to provide regular notifications that there have been no orders to disclose personal data (the so called “Warrant Canary” method);
• requiring the data importer to assess the legality of any disclosure order and limiting its ability to disclose the personal data (such as an obligation to challenge orders where appropriate);
• requiring the data importer to inform public authorities of conflicts with Article 46 transfer mechanisms;
• limiting access to personal data without consent from the data subjects;
• obliging the data importer to notify data subjects of access requests or orders from public authorities; or
• obliging both the data importer and data exporter to assist data subjects in exercising their rights.

• Organisational measures

Organisational measures may be internal measures that the data exporter puts in place in its own business, or those which are imposed on data importers. Organisational measures can contribute to awareness within businesses about the risks to personal data from access by public authorities, and ensure that those handling personal data can respond confidently to them (including when to refuse requests).

The EDPB suggests the following:

• internal policies governing data transfers, with clear reporting, allocation of responsibilities and procedures for dealing with access requests;
• record keeping requirements for data access requests from public authorities;
• transparency reporting and summaries regarding public authority requests (where permitted by local law);
• strict data access and confidentiality policies, including data minimisation requirements;
• procedures to ensure the data protection officer, legal or audit functions are involved where appropriate;
• strict data security and data privacy policies;
• regular review of internal policies and supplementary measures; and
• commitments from the data importer not to engage in any onward transfer where an equivalent level of protection to the EEA cannot be guaranteed.

These lists are not exhaustive but provide a helpful starting point for tools that data exporters might use to put additional safeguards around their transfers.

Once appropriate supplementary measures are in place, provided an essentially equivalent level of protection has been reached for the relevant personal data, the transfer may proceed. Transfers should not start, or should be suspended until, this threshold has been reached.

The EDPB guidance does anticipate a situation where a data transfer might proceed despite the data importer being unable to meet its commitments under the Article 46 transfer mechanism, but those instances must be reported to the supervisory authority, who will suspend or prohibit the transfer where equivalent protection cannot be ensured. It remains to be seen how this would result in anything other than the transfer being prevented, and could result in a fine, so we do not anticipate many data exporters utilising this backstop.

Step 5 – Procedural steps relating to supplementary measures

Depending on the supplementary measures put in place, data exporters may need to take additional procedural steps.

• Standard Contractual Clauses

If data exporters need to add clauses to the SCCs to manage the supplementary measures that they have put in place, there is no need for permission from a supervisory authority to make such amendments, provided there is no direct or indirect conflict between the new provisions and the SCCs, and they do not limit or lower the protection afforded by the SCCs. Data exporters will need to be able to demonstrate this unambiguity if tested.

• BCRs

The EDPB is still reviewing the impact of the Schrems II judgment on BCRs. Given that they are contractual in nature, BCRs cannot prevent access to personal data by public authorities. Data exporters will still need to assess whether their current BCRs can maintain equivalent protection to the EEA, and if not, consider whether supplementary measures could be put in place to mitigate this.

• Ad hoc contractual clauses

As with BCRs, ad hoc clauses remain under review, and data exporters should consider whether supplementary measures are required in the interim.

Step 6 – Reassess Regularly

The EDPB guidance requires data exporters to monitor their data transfers to third countries on an ongoing basis. If there are any developments in third countries which could impact the assessment carried out under this process, the data exporter would need to carry out a re-evaluation. Transfers to third countries should be suspended or ended where the data importer has breached or cannot honour the commitments it has taken under the relevant Article 46 transfer tool, or where the supplementary measures the data exporter has put in place are no longer effective.

Conclusions

It is clear that the EDPB has put a lot of thought into outlining a comprehensive process which tries to provide a secure route to maintaining transfers of personal data to third countries.

However, for its comprehensiveness, the guidance is not practical and will be extremely challenging for organisations looking to be compliant without grinding international trade and data transfers to a halt.

The due diligence requirements for local laws are particularly onerous and are unlikely to be achievable by private companies alone. We expect this guidance will result in increased involvement from in-house legal teams, external counsel, or external consultants in assessing data transfers. That this obligation falls to businesses themselves, rather than central authorities, risks divergence. Some businesses may diligently follow the guidance, and invest in the process, and find themselves unable to continue certain data transfers, whereas some businesses may take a more risk-based approach and continue to transfer personal data on the basis of a combination of due diligence, risk assessments and technical, contractual and organisational supplementary measures. Given the sheer volume of transfers taking place, it will also be interesting to see how supervisory authorities actually manage compliance with the guidelines.

It also remains to be seen how much involvement there will be from data importers. In a similar way that many non-EEA controllers and processors uplifted their processes to meet a GDPR-standard as a cost of continuing to do business, we may see that data importers are forced to take an advisory role to maintain the confidence of data exporters and ensure that data transfers continue. In particular, it will be interesting to see how the global IT cloud providers respond given the challenges highlighted by the EDPB’s use cases (as described above).

It is clear that there is now a large task facing all organisations, as well as supervisory authorities, to get to grips with the guidelines and ensure that data transfer mechanisms are supplemented where appropriate and compliant. We will watch this space to see if any trends develop, or further guidance is issued by local supervisory authorities to help conduct this exercise in practice.