European Data Protection Board Issues Schrems II Recommendations
Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (“Schrems II”), the European Data Protection Board, tasked with overseeing compliance with the GDPR (“EDPB”), on 11 November 2020 issued its anticipated recommendations describing how controllers and processors transferring personal data outside the European Economic Area (“EEA”) may comply with the Schrems II ruling. These recommendations are applicable immediately but are open for public consultation until November 30. Information on submitting public comments is accessible here.
In Schrems II, the CJEU invalidated the EU-U.S. Privacy Shield program (“Privacy Shield”) and held that, where Standard Contractual Clauses (“SCCs”) are used, supplementary protections may need to be implemented to ensure an ‘essentially equivalent’ level of data protection. Under the GDPR, personal data transfers outside the EEA to jurisdictions which have not been found to provide an ‘adequate level of protection’ to the data are restricted unless appropriate safeguards are implemented. The Privacy Shield and SCCs were two key appropriate safeguard mechanisms used to legitimize transfers of personal data outside the EEA to ‘non-adequate’ recipient countries, referred to as “Third Countries.”
In Schrems II, the CJEU ruled that data exporters looking to rely on SCCs must perform an assessment of the circumstances of the transfer and the recipient country’s legal order to confirm that the personal data transferred is granted a level of protection that is ‘essentially equivalent’ to the EU’s protection level guaranteed in principle under the GDPR and the EU Charter of Fundamental Rights. If the assessment shows that this level of protection is not afforded, i.e. if the law or practice of the third country impinges on the effectiveness of the SCCs as an appropriate safeguard, supplementary protection measures must be implemented with the aim of achieving a sufficient level of protection. When such additional measures in turn are not able to safeguard an essentially equivalent level of data protection, the transfer must be suspended. In the Schrems II decision, the CJEU assessed the degree of data access by U.S. authorities for surveillance purposes in determining the level of data protection in the recipient country. The CJEU did not concretely specify what this assessment or these measures may entail.
The EDPB on November 11 issued two sets of recommendations. The first set of recommendations covers the assessment and supplementary measures data exporters may need to adopt to ensure compliance with the EU level of personal data protection (“Supplementary Measures Recommendations”). The second set of recommendations lays down the elements to be used to examine whether surveillance measures allowing access to personal data by public authorities in a third country can be regarded as a justifiable interference with the level of data protection guaranteed in principle by the EU (“European Essential Guarantees Recommendations”).
Significantly, the EDPB’s guidance and recommendations do not state or imply that data transfers to the U.S. under SCCs are categorically prohibited, or even that assessments of the relevant U.S. laws and protections are presumptively insufficient without significant supplemental measures. Moreover, the EDPB guidance contemplates that third-country surveillance (including presumably that of the U.S.) could be undertaken for reasons that satisfy the GDPR’s “public interest” derogation to legitimate data transfers outside the EEA. Consideration of such public interest derogation was a key component of the recent U.S. Government White Paper guidance on Schrems II.
The Supplementary Measures Recommendations provide a step-by-step guide to help data exporters assess a third country’s legal order and identify appropriate supplementary measures. The European Essential Guarantees Recommendations fold into this process when assessing the third country’s legal order. Key takeaways of both sets of recommendations are summarized below in accordance with the step-by-step process:
Step 1 – Mapping Exercise: Data exporters are advised to ‘know their transfers’ and should have a clear overview of all their personal data transfers, and in particular the recipient country. Data exporters should be able to rely in large part on their Art. 30 data processing records to build their data transfer inventories. When doing so, the GDPR’s data minimization and purpose limitation principles should also be respected and verified, meaning that data exporters need to ensure they are only transferring adequate, relevant and the minimum amount of personal data necessary for the purpose in question.
Step 2 – Verify Transfer Mechanisms: For each personal data transfer, data exporters must identify (i) whether the recipient country has been granted an adequacy decision, and if not (ii) which appropriate GDPR Article 46 safeguards (e.g., SCCs or Binding Corporate Rules (BCRs)) or Article 49 derogations (e.g., consent or performance of a contract) they will rely on to legitimize the transfer.
Step 3 – Assessment of Third Country Legal Regimes: If the data exporter relies on appropriate safeguards, it must assess to what extent the law or practice of the third country may impinge on the effectiveness of the appropriate safeguards in the context of the transfer. The assessment should focus on the legislation relevant to the transfer and the appropriate safeguards, or, where such legislation is not available, on other relevant factors that may “undermine the level of protection.” The data exporter is advised to seek guidance from the data importer (located in the third country) on the relevant applicable laws, and to contractually require the importer to provide such guidance.
In particular with respect to surveillance, the European Essential Guarantees Recommendations essentially provide that third country legislation that complies with the following guarantees would offer an essentially equivalent level of protection: (i) lay down clear and precise rules governing the scope and application of the measure in question and impose minimum safeguards; (ii) demonstrate that the interference with data protection rights is necessary and proportionate with respect to the legitimate (public interest) objective pursued; (iii) provide for an independent oversight mechanism (e.g. an administrative body or court); and (iv) provide for effective remedies for the individual (redress rights).
Step 4 – Identify and Implement Supplementary Protection Measures: Step 4 is only necessary if the above assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 transfer tool that is being relied upon (e.g., SCCs or BCRs). The EDPB has provided a non-exhaustive list of examples of: (i) technical measures, which include state-of-the-art encryption and pseudonymization; (ii) contractual measures (with the data importer); and (iii) organizational measures (which are especially relevant for intra-group transfers). The EDPB emphasizes that the data exporter (and importer) bear the responsibility for ensuring that the measures are effective, and this may mean, for instance, that several measures will need to be combined or that no measure can ensure an essentially equivalent level of data protection (in which case the transfer must be suspended).
Step 5 – Implement Appropriate Safeguards: This fifth step entails that the data exporter and importer comply with all procedural formalities to put in place the appropriate safeguards, e.g. execute SCCs, consult a competent EU data protection authority, etc.
Step 6 – Re-evaluate at Appropriate Intervals: Data exporters should also monitor the legal and regulatory developments applicable to their personal data transfers, as well as the third country’s legal regime, to ensure an essentially equivalent level of data protection (especially in this fast-evolving regulatory landscape). This also applies to adequacy decisions, as these can be re-evaluated by the EU Commission from time to time.
The EDPB repeats and confirms that EU data protection authorities (DPAs) will continue monitoring and enforcing the GDPR, and will consider the actions data exporters take to ensure their transfers are afforded an essentially equivalent level of protection. The EDPB also notes that DPAs will suspend or prohibit transfers where an essentially equivalent level of protection cannot be ensured. In addition, the EDPB confirms that DPAs will continue to develop guidance for exporters and coordinate actions in the EDPB to try to ensure consistent application of EU data protection laws.