On 11 November 2020, the European Data Protection Board (EDPB) published two recommendations that provide guidance to companies on how to assess data transfers after the ECJ’s Schrems II decision:
- Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data; this is a draft, open to public comment until 30 November 2020 ("Supplemental Measures Recommendations" or "SMR");
- Recommendations 02/2020 on the European Essential Guarantees ("EEG") for surveillance measures ("EEG Recommendations" or "EEGR").
I. Summary of recommendations
The two documents, of more than 50 pages, and in particular the Supplemental Measures Recommendations, describe at length how companies should assess and document the conditions under which their personal data transfers are compliant with the GDPR post-Schrems II. The SMR describes six steps companies need to take for the assessment:
Step 1: Data mapping
Companies must be aware of personal data transfers (including onward transfers and sub-processors). The EDPB emphasises that remote access in support situations and storage in cloud systems outside the EEA are also considered transfers (recital 13 SMR).
Our opinion: This is something that authorities have already requested that companies do after the ECJ's Schrems II decision. The EDPB reiterates this requirement and emphasises that companies need to complete the data-mapping exercise "prior to resuming transfers after suspension of data transfer operations" (recital 12).
Step 2: Identify the transfer tools
For each transfer (including onward transfers), companies must identify or designate an appropriate transfer tool under Chapter V GDPR.
If the transfer is subject to one of the following transfer tools, no additional steps are required (recitals 19, 24 and 25 SMR):
- an adequacy decision of the EU Commission (Art. 45 GDPR); or
- an Art. 49 GDPR derogation, which, in the opinion of the EDPB, must be interpreted restrictively and may relate to processing activities that are occasional and non-repetitive.
If the transfer is subject to an Art. 46 GDPR transfer tool, in particular standard contractual clauses ("SCC") or binding corporate rules ("BCR"), companies must ensure that, overall, the transferred personal data will effectively have the benefit of an equivalent level of protection. In this case, the additional step 3 and possibly step 4 are required.
Our opinion: This is in line with the Schrems II decision. Although the ECJ did not address BCRs directly, it is clear that the reasoning of the decision also applies to BCRs and other transfer tools in Art. 46 GDPR.
Step 3: In the case of an Art. 46 GDPR transfer – is the protection of personal data essentially equivalent?
Companies must assess for each transfer (including onward transfers and all recipients) whether the transferred personal data is subject to a level of protection in the third country that is "essentially equivalent" to the level of protection in the EEA (recital 29 SMR).
According to the EDPB, this requires a review "if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards" for the specific transfer (recital 30 SMR). The review must take place with assistance from the data importer and publicly available sources.
The following considerations are of key importance (and draw on established criteria from the ECJ's case law and previous EDPB guidance):
- Review laws that require disclosure to, or allow access by, public authorities in third countries. Are laws allowing access limited to what is necessary and proportionate in a democratic society, and are data subjects afforded effective redress?
- Review how the third country complies with the rule of law and respects human rights (Art. 45(2)(a) GDPR).
- Review the possibility of redress for individuals against access by authorities (i.e. under general laws and laws laying down requirements to disclose personal data to public authorities).
- Can data subjects exercise their rights (e.g. access) in the third country according to the stipulations of the transfer tool (recital 34 SMR)?
If publicly available legislation does not provide sufficient information, other objective factors must be taken into account (recitals 42 et seq. SMR). Such objective factors are "elements" (i.e. evidence or indications) that a third-country authority will seek or access the data, including through interception, in "light of reported precedents, legal powers, and technical, financial, and human resources". One example is the US NSA's interception of telecommunications, which became public through information leaked by the whistleblower Edward Snowden.
The SMR also emphasises that subjective factors do not play a role in the assessment (e.g. the likelihood that data will be intercepted or accessed by public authorities, recital 42 SMR).
The EEGR provides additional details on how to assess if access or interception rights by third-country authorities comply with European standards. It makes special reference to ECJ case law (e.g. the court's review of FISA rules in Schrems II and its rules for obligations to retain traffic data in the EU) and explains at length the following criteria to limit data protection and privacy rights in accordance with the Charter:
- Processing should be based on clear, precise and accessible rules;
- Necessity and proportionality in the legitimate objectives pursued need to be demonstrated;
- An independent oversight mechanism should exist;
- Effective remedies need to be available to the individual.
If laws applicable to a transfer do not meet these criteria, no "essentially equivalent protection" exists and additional measures are necessary (step 4).
Our opinion: If laws apply that allow access to or interception of personal data by third-country authorities, the thresholds that must be passed are extremely high. In our view, "essentially equivalent" means "in compliance with the Charter of Fundamental Rights of the EU". Therefore, if a law is potentially in breach of the EEG, companies and their data importers should carefully consider whether it actually applies to the transfer. If this is objectively doubtful and no contrary practices or precedents exist, companies can argue that such laws do not apply to the transfers. If they do apply, the only available safeguard is to encrypt, anonymise or pseudonymise the transferred data to the extent that authorities cannot access or intercept personal data.
Step 4: Adopt supplementary measures if required
If additional measures are necessary, the SMR is clear that only technical safeguards that prevent access to personal data by either the recipients or authorities in third countries are sufficient (recital 48 and recitals 79 to 87 SMR).
In particular, Use Cases 6 and 7 establish the EDPB's view that access to unencrypted data by cloud providers and remote access for business purposes by the data importer will always mean that data is not "essentially equivalently protected", even if some encryption exists, as long as decryption by the data importer is possible (recitals 86 to 91 SMR).
Our opinion: Additional contractual clauses or measures may help with the original assessment or re-evaluations for step 3 (recitals 99, 105, 107 SMR), but if the result of the analysis under step 3 is that protection is not effective, none of those measures will provide adequate supplementary measures because they provide no protection against access by third-country authorities.
Step 5: Procedural steps if supplementary measures were identified
Any additional steps require no prior authorisation from a data-protection authority provided they do not undermine the SCC or BCRs.
Our opinion: It is hard to see how any measure that ensures effective protection according to SMR could interfere with protections under SCC.
Step 6: Re-evaluations in appropriate intervals
Companies must monitor on an ongoing basis any development that could affect the initial assessment.
II. Implications, outlook and first look at SCC draft
With the ECJ's decision in mind, the EDPB's approach is understandable though unfortunate. Any third-country law that may apply and does not meet the high standards against impinging on safeguards means that – with or without SCC or any of the other transfer tools according to Art. 46 GDPR – the transfer is not compliant unless technical safeguards prevent access to the data by authorities.
As always, it remains to be seen to what extent authorities will now pick up the review of data transfers and begin enforcing the Schrems II decision. But one thing seems certain: companies that have not yet started their data mapping and reviews of transfers need to start now.
It is unclear when authorities expect assessments to be finalised. The European Data Protection Supervisor initially requested that EU institutions conclude "Transfer Impact Assessments" by spring 2021, but this document was apparently withdrawn after the SMR was published. It seems reasonable to assume that companies should also have conducted their reviews and assessments, plus any resulting actions, by then.
Data in transit should always be protected with state-of-the-art encryption. Even if this requires an exchange of keys between data importer and data exporter, it may relieve companies from reviewing the laws or practices of other third countries through which the data passes in transit (e.g. no review of GCHQ practices is required if data is transferred via the UK from Germany to the US).
The legal analysis of what laws are applicable when transferring data is important because if security laws do apply, they may not comply with EU standards given the strict requirements of the ECJ in Schrems II and of EDPB in its SMRs.
The draft of the new SCC does not provide a way to "escape" the Schrems II decision. Instead, its Section II Clause 2 requires that data importers and exporters assess whether the laws of the third country are "applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR, are not in contradiction with the Clauses." Interestingly, this clause does not make reference to "effective legal remedies" for data subjects or to independent oversight. It remains to be seen whether this will be included in a later draft of the new SCC and how this aligns with the requirements of the ECJ. Note that this clause is not part of the third-party beneficiary provisions in Section I Clause 2 of the draft SCC.
For more information on these recommendations and how they could affect your business, contact your CMS partner or local CMS experts.