
In a busy few weeks for international data transfers following the publication of final standard contractual clauses for both the international transfer of personal data to third countries ("SCCs") (see our blog post here) and Article 28 clauses (see our blog post here), as well as the European Commission adopting two adequacy decisions for the UK (under both the GDPR and the Law Enforcement Directive), the EDPB issued its finalised guidance on supplementary tools resulting from the Schrems II judgment of the Court of Justice of the European Union (available here) (the "Final EDPB Guidance").

The Final EDPB Guidance follows the draft guidance issued by the EDPB in November 2020 to assist data exporters relying on SCCs to export personal data in undertaking sufficient due diligence to ensure that personal data originating in the EEA always carries with it protections essentially equivalent to those in the EEA (the "Draft EDPB Guidance") (for more information see our blog post here (the "Draft EDPB Guidance Blog")).

While some aspects of the Final EDPB Guidance have been softened (such as an emphasis on considering the practices in a jurisdiction as well as the law), ultimately there has not been a significant change from the Draft EDPB Guidance which, as discussed in the Draft EDPB Guidance Blog, will require substantial and somewhat complex activities to be undertaken by data exporters.

Summary

The Final EDPB Guidance adopts materially the same approach as the Draft EDPB Guidance which involves a six step process to ensuring the compliant undertaking of data transfers. While slightly softened in places, this process remains a challenging, time-consuming, and resource-heavy expectation for exporters which will involve data mapping, detailed assessments, and potentially the implementation of supplementary measures.

The Final EDPB Guidance does help exporters to some degree, in particular by taking a less restrictive and more reasonable approach to assessments of third countries, allowing for the consideration of practices and experience in the country, and providing that this can form part of the determination of what the appropriate next steps are.

The Final EDPB Guidance and the Draft EDPB Guidance

As was perhaps to be expected, and despite substantial lobbying, materially the Final EDPB Guidance adopts the approach of the Draft EDPB Guidance. The Draft EDPB Guidance Blog provides more information and discussion on the key takeaways, but in summary these are:

  • A transfer-by-transfer review will need to be undertaken to understand the particular context of each arrangement, which will likely be resource-heavy and time-consuming.
  • Mapping data flows to processors and all onward transfers remains a key tenet of the requirements (step one of the guidance). While many organisations will have been undertaking this in greater detail over the last few months, for large global organisations with complex data flows this remains a substantial task, both initially and in maintaining the map accurately as new data flows are put in place and others evolve (step six).
  • Undertaking the equivalent of a mini adequacy assessment will be a fundamental part of the transfer-by-transfer analysis (step three) which, while softened to now include a consideration of practice as well as the legal position (see 'Third Country Assessments' below), still places a difficult and onerous expectation on an exporter.
  • The Final EDPB Guidance continues to include a range of technical, contractual and organisational supplementary measures to be used to protect personal data (step four); however, it continues to appear that where such supplementary measures are required, strong encryption (to a level that may be impracticable) remains the only recommended approach.

What's Changed?

Although the approach has remained very similar (in particular steps one, two and four to six), there have been some changes brought about by the Final EDPB Guidance:

Derogations

Step two of the EDPB's advised approach is for organisations to verify their transfer mechanism by identifying a basis under Chapter V GDPR on which to undertake the transfer. Unsurprisingly, this section of the Final EDPB Guidance has not substantively changed; however, it is notable that the EDPB has reworked its discussion of the derogations available under Article 49 (i.e. those for non-repetitive data transfers). The Draft EDPB Guidance was light-touch on this, whereas the Final EDPB Guidance emphasises that the use of a derogation cannot become "the rule" in practice and must be restricted to specific circumstances. This focus is perhaps intended to make clear that Article 49 is not a backdoor to legitimising transfers which may appear more difficult in light of an assessment made pursuant to step three.

Third Country Assessments

The aspect of the Final EDPB Guidance which has seen the most change from the Draft EDPB Guidance is step three, the assessment of the effectiveness of the Article 46 transfer tool being relied on. Materially similar expectations do remain, including undertaking an analysis to understand the extent to which public authorities can access or intercept personal data and whether the European Essential Guarantees are met, while operationally it is expected that a data importer would assist an exporter with such analysis.

There has though been a shift in some areas:

Publicly available legislation:

The Final EDPB Guidance highlights that the assessment of a third country should be "based first and foremost on legislation publicly available". The reference to 'publicly available' is now emphasised to a much greater degree throughout the guidance, which is helpful in providing a threshold for awareness, and particularly useful for countries where not all relevant legislation may be publicly accessible.

Practices in the third country:

There is also an increased emphasis on consideration of the practices in force in the third country as well as the publicly available legal position. The Final EDPB Guidance provides for a more nuanced analysis of the practices in the third country, in particular in two scenarios:

  1. Where the legislation may formally meet the standards of the EU, an exporter must still consider whether the practices of public authorities in the third country do in fact comply with the governing legislation. It would therefore not be enough for an exporter to determine that a third country which has GDPR-equivalent legislation in place is satisfactory; rather, it must evaluate whether such legislation is adhered to by that country's public authorities. This seems a difficult and onerous obligation for exporters to comply with and, as well as being the counterpoint to enabling a more subjective approach, may perhaps have been introduced with an eye on the UK, whose post-Brexit GDPR-based data protection regime could come under closer scrutiny.
  2. Where there does not appear to be relevant legislation in place, a similar consideration of practices should occur to determine whether such a transfer remains appropriate or whether supplementary measures should be put in place. This subjective analysis (discussed further below) provides more flexibility to data exporters than under the Draft EDPB Guidance and is to be welcomed.

Problematic legislation:

The Final EDPB Guidance has also introduced the concept of 'problematic legislation', of which exporters should be cognisant. This is defined by way of a footnote as legislation which may impinge on the transfer tool's contractual guarantee of an essentially equivalent level of protection and does not respect the EU's fundamental rights and freedoms. This is a broad concept which, if identified as being relevant to a transfer, would require an exporter to suspend the transfer or implement measures which ensure essential equivalence (likely strong encryption).

However, the Final EDPB Guidance does provide that even where there is problematic legislation (or indeed no relevant legislation providing equivalent protection), a consideration of the practices in the third country may determine that inappropriate behaviours do not in fact occur, or that the problematic legislation is not applied, and so a transfer may be undertaken without supplementary measures. Such a determination must be based on a detailed and documented assessment which takes into account the experience of actors operating in the same or a similar sector.

Notably too, in a footnote to this requirement to produce a detailed assessment, the Final EDPB Guidance includes a new statement that such "reports should be endorsed by the legal representative of the exporter". Such an explicit expectation for legal involvement highlights that this is not an obligation to be taken lightly.

The Final EDPB Guidance does therefore provide more opportunity for organisations to take a proportionate and reasoned approach where the legislation of the third country is problematic, but the steps to be taken to satisfy the documented and demonstrated analysis obligations will be substantial.

Importer's practical experience:

Feeding into the third country analysis, the Final EDPB Guidance further provides that an exporter may take into account, as an additional source of information, the experiences which a data importer has had in the third country of situations where a public authority has raised information requests.

However, this is caveated by the requirement that the importer is able (pursuant to legislation in the third country) to disclose such experience in the first place, and by the statement that the absence of any request may not be the decisive factor in determining whether supplementary measures are required.

Sources of information:

There is now an explicit expectation that data importers will provide data exporters with relevant sources of information regarding the laws and practices in the third country (as well as any experience). While importers should be well acquainted with such law and practice, there is perhaps a question as to the extent to which an importer would want to be responsible for the sources of the exporter's knowledge, and also whether contractual obligations or warranties will begin to appear to enforce this support expectation.

The Final EDPB Guidance also builds out the list of sources of information which an exporter may look to use, including reports from various reliable bodies such as regulatory networks or independent oversight bodies, and internal statements regarding access requests. While it was not a closed list in the first place, the expanded range of examples helpfully adds to the limited list provided in the Draft EDPB Guidance.

US example:

The Final EDPB Guidance now includes a more detailed example in relation to the operation of s.702 FISA (an issue of key importance in the Schrems II decision, which held that it did not respect the minimum safeguards expected by the EU).

This example provides, in the context of the Final EDPB Guidance, a reasoned approach to carrying out the required analysis in practice and determining whether and how to continue with a transfer. Whereas before, encryption appeared to be the only acceptable approach under FISA, now the analysis of the practices and law, and whether it in fact applies, provides greater flexibility to exporters. That said, the real work will be in generating the information to inform the analysis which, as discussed above and in the Draft EDPB Guidance Blog, will be a substantial undertaking for a single jurisdiction, let alone many.

Data subject rights:

The Final EDPB Guidance has also provided for an interesting additional supplementary measure, which is to provide a contractual right for data subjects to pursue a data importer where the importer has disclosed personal data in contravention of the commitments in the transfer tool.

While potentially helpful as a deterrent to importers, it is perhaps difficult to see that this will provide much assistance to data subjects in practice.

UK Position

ECJ judgments handed down prior to the end of 2020 (i.e. the end of the Brexit implementation period) continue to have precedence in the UK, forming part of retained EU law. This includes the Schrems II judgment itself. There is nonetheless a limited ability for the Supreme Court and the Court of Appeal in the UK to deviate from such case law, including potentially Schrems II, where it appears right to do so.

The ICO has stated that it is preparing a UK version of the SCCs and, while there is little detail about how these may appear in practice, it will be interesting to see the extent to which the Final EDPB Guidance is instructive to the ICO in how it goes about preparing them, and what supplementary measures might be expected to be put in place for UK-based exporters.

Given that the DCMS' National Data Strategy makes it clear that data is a resource to be harnessed, and that the government is seeking to optimise the opportunities that arise from data use to power innovation, it may be that the UK adopts a more relaxed, business-minded approach to these supplementary measures. However, in practice the UK cannot, and is unlikely to, simply disregard Europe, not least given that any deviation could potentially put the UK adequacy decision at risk. The ICO's response will therefore be interesting to monitor.

Final Thoughts

Given the detail and thought which went into the Draft EDPB Guidance, it was perhaps unsurprising that deviation from that position has been limited in the Final EDPB Guidance.

While the Final EDPB Guidance has softened positions and added more information and nuance (particularly with regard to the assessments of third country requirements) which will assist exporters by providing more flexibility, the guidance remains somewhat impractical and challenging for organisations looking to be compliant. Indeed the conclusions detailed within the Draft EDPB Guidance Blog have not changed as a result of the publication of the Final EDPB Guidance.

There is now a large task facing all organisations, one which the publication of the Final EDPB Guidance has made more pressing by removing the option of adopting a 'wait and see' approach in case the position materially changed. Data mapping, third country assessments and the implementation of supplementary measures are now requirements that organisations must, if they have not already, treat as a high priority for implementation to ensure that they can continue to undertake data transfers to third countries and maintain compliant operational continuity.

Miriam Everett, Partner, Global Head of Data Protection and Privacy, London

Claire Wiseman, Professional Support Lawyer, London

Alasdair McMaster, Senior Associate, London
