European Data Protection Board Issues Final Schrems II Recommendations
The European Data Protection Board (“EDPB”) adopted, on 18 June 2021, its final recommendations describing how controllers and processors transferring personal data outside the European Economic Area (“EEA”) may comply with the Schrems II ruling (“Final Schrems II Recommendations”). The Final Schrems II Recommendations, together with the new Standard Contractual Clauses (“SCCs”) adopted by the European Commission on 4 June 2021, now allow organizations to proceed with addressing international data transfers following the landmark Schrems II ruling of the Court of Justice of the European Union in July 2020.
The Final Schrems II Recommendations have maintained the requirement to carry out a 6 Step assessment prior to transferring personal data outside the EEA in reliance on a data transfer tool, such as SCCs. However, there have been some important amendments from the draft recommendations published in November 2020 in order to:
- better align with the new SCCs recently adopted by the European Commission; and
- allow more flexibility in carrying out the assessment of third country laws in Step 3 by being able to take into account practice in the third country as well as the documented practical experience of the data importer.
Our previous blog post on the EDPB’s draft Schrems II recommendations – accessible here – provides further details on the 6 Step process that organizations should follow when transferring personal data from the EEA to a third country such as the U.S. Here we summarise some of the key differences in the 6 Steps between the draft recommendations and the Final Schrems II Recommendations.
STEP 1 – Mapping Exercise
Data exporters under Step 1 need to identify and map the transfers of personal data from the EEA, including onward transfers such as from a processor in the US to a sub-processor in India. There are only limited changes to Step 1, but importantly the EDPB confirms in the Final Schrems II Recommendations that an individual data subject who transfers his or her own personal data outside the EEA (e.g. by completing an online questionnaire whereby the personal data are transferred directly to a controller outside the EEA) is not a data exporter for the purposes of international transfers. This could be important, for example, for direct transfers from consumers in the EU to a service provider in the U.S., as it avoids the need to enter into SCCs with such consumers. The EDPB also makes it clear that remote access from a third country is considered a transfer.
STEP 2 – Verify Transfer Mechanism
Step 2 of the Final Schrems II Recommendations requires organizations to identify their transfer tool prior to transferring data outside the EEA. This verification exercise includes determining whether the transfer is to a country for which the Commission has adopted an adequacy decision, such as Japan or potentially soon the UK; whether the transfer is on the basis of an Article 46 safeguard, such as SCCs or Binding Corporate Rules (“BCRs”); or whether it is on the basis of an Article 49 derogation, such as consent or performance of a contract. In the Final Schrems II Recommendations the EDPB reiterates that Article 49 derogations cannot be used in a way that contradicts their nature as exceptions, and so their use should be restricted to specific situations.
STEP 3 – Assessment of Effectiveness of Transfer Mechanism
Step 3 requires an assessment of whether the Article 46 data transfer tool affords a level of protection in the third country “essentially equivalent” to that guaranteed in the EEA as set out in the Schrems II ruling. Step 3 is where there was the most criticism of the draft Recommendations and where most of the changes have been made in the Final Schrems II Recommendations. The assessment requires the data exporter to assess, where appropriate in collaboration with the data importer, if there is anything in the law and/or practice in force in the third country that impinges on the effectiveness of the Article 46 safeguards.
The Final Schrems II Recommendations emphasize that the level of data protection should not only be assessed once the data is imported into the third country, but also whilst the data are in transit (i.e., in the process of being transferred). In an important change, the Final Schrems II Recommendations also provide that the assessment should consider access by public authorities in the third country, such as whether the authority may access the data with or without the data importer’s knowledge, or may be able to access the data through the importer or through telecommunications providers, in either case in light of legislation, practice and reported precedents.
The Final Schrems II Recommendations do, however, soften the EDPB’s original position on assessments in the November draft, including that:
- the assessment can be limited to the legislation and practices relevant to the protection of the specific data transferred;
- the assessment may also take into account the documented practical experience of the data importer with respect to relevant prior access requests from public authorities in the third country;
- where the powers of public authorities in the third country restrict the fundamental rights but respect “their essence”, the authorities would not automatically be considered to impinge on the protections under the transfer tool, such as SCCs; and
- where the assessment reveals that the relevant legislation in the third country may be problematic and the data or the importer is subject to the “problematic legislation” then the exporter can either suspend the transfer, implement Supplementary Measures, or, importantly, decide to proceed with the transfer without Supplementary Measures if, based on certain criteria enumerated by the EDPB, the exporter has no reason to believe the problematic legislation will be applied in practice to the data or the importer.
In carrying out the assessment, the data importer is required to provide the exporter with relevant sources and information on the third country’s laws and practices as applicable to the transfer. Annex 3, which lists these possible sources, has been significantly updated and now includes a non-exhaustive list of sources in hierarchical order of preference. These now also include (1) reports based on practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, from entities active in the same sector as the importer; (2) warrant canaries (i.e., communications to customers that indirectly alert them that their information may have been targeted by the government when direct communication is prohibited), either by entities in the importer’s sector or by the importer itself (under specific conditions); (3) reports produced or commissioned by chambers of commerce, business, professional and trade associations; (4) reports from private providers of business intelligence on financial, regulatory and reputational risks for companies; (5) transparency reports (e.g., issued by relevant companies, including service providers), provided they state that no access requests were received; and (6) the importer’s internal statements or records expressly indicating that no access requests were received “for a sufficiently long period”, preferably issued by internal positions with autonomy such as internal auditors or the Data Protection Officer. All sources must be relevant, objective, reliable, verifiable and publicly available or otherwise accessible, and it is crucial that all of this is clearly documented.
Of note, the EDPB chose to reference U.S. law several times in Step 3 (and elsewhere in the Final Schrems II Recommendations) by addressing 50 USC § 1881a, which is Section 702 of the U.S. Foreign Intelligence Surveillance Act (“FISA 702”). In doing so, the EDPB recognized that an assessment of the impact of a potential application of FISA 702 to a particular transfer can draw on objective, reliable, relevant, verifiable and preferably publicly available information.
STEP 4 – Identify and Implement Supplementary Protection Measures
Where the assessment carried out in Step 3 reveals that the third country laws and practice do impinge on the effectiveness of the Article 46 safeguard, then Supplementary Measures should be adopted in Step 4 to ensure the transferred data is afforded a level of protection “essentially equivalent” to that in the EEA.
The Final Schrems II Recommendations provide a non-exhaustive list of examples of technical, organizational and contractual Supplementary Measures. The technical measures include seven case studies with examples of technical measures that, in the EDPB’s view, would or would not be effective.
Case Studies 6 and 7, which set out technical measures that were not considered effective (alone) by the EDPB, received extensive criticism in comments on the draft recommendations. Nevertheless, Case Studies 6 and 7 remain in the Final Schrems II Recommendations. Case Study 6 involves transfers of data to cloud services or other processors that require access to data in the clear (i.e. unencrypted) in order to provide their services. Case Study 7 involves transfers (including through remote access) for shared business purposes where, again, the data needs to be accessed by the importer in the clear, e.g. intra-group transfers of HR data. While these Case Studies remain in the Final Schrems II Recommendations, the EDPB has clarified that such transfers are only affected where the problematic legislation in question applies to the transfer “in practice”, referencing the more practical approach taken in Step 3 of the assessment. The EDPB has also acknowledged that there may be measures sufficient to ensure an essentially equivalent level of protection that it did not identify, including those that are not yet technologically developed.
STEPS 5 and 6 – Implementation and Re-evaluation
Steps 5 and 6 describe the procedural steps for implementing the applicable Article 46 safeguard and recommend that exporters re-evaluate their approach at appropriate intervals in line with relevant developments. These Steps have not been significantly amended in the Final Schrems II Recommendations. However, it will be important for organizations to carefully consider implementation of the new SCCs as part of Step 5 going forward.
The Final Schrems II Recommendations are welcome, as they permit organizations to proceed with their international data transfer assessments. Further, the changes between the draft version and the Final Schrems II Recommendations are generally positive, as they provide more flexibility in carrying out the third country assessments by allowing exporters and importers to take into account practice as well as law in the third country. However, undertaking the 6 Steps, as well as implementing the new SCCs, will still be a significant undertaking for many organizations and will need to be carefully considered.