On 10 November the European Data Protection Board (‘EDPB’) published, further to its initial guidance, its recommendations on measures to supplement data transfer rules so as to ensure compliance with EEA data protection law (the ‘Guidance’).
The Guidance follows on from the CJEU’s judgment in Schrems II, which invalidated the Privacy Shield and found that organisations relying on the Standard Contractual Clauses (‘SCCs’) may need to implement additional safeguards beyond the SCCs to legitimise transfers to third countries.
Those that were hoping for some leniency from the EDPB will be disappointed. There is no one-size-fits-all solution, and many transfers will not be resolved on the basis of this guidance (largely reflecting the fact that the requirements laid down by the CJEU in Schrems II are hard to meet).
According to the EDPB, Article 46 transfer tools, not just SCCs, must be ‘effective’, and this will not be the case if the importer is prevented from complying with the transfer tool by the laws of the third country. Those exporting data outside the EEA must assess the laws and practice of the third country that may impede the effectiveness of the transfer tool, and if such impediments exist, supplementary measures - which look like hard work - will need to be implemented.
These supplementary measures could be contractual, technical or organisational in nature or more likely a combination of the three. However, contractual and organisational measures may not, alone, suffice to provide the essential equivalent standard that EU law requires. Much will therefore rest on technical measures such as encryption and pseudonymisation, but the effectiveness of these tools will depend on the data importer not having access to the re-identification key where the key is also susceptible to public authority access (as is the case under FISA 702 in the US). This leaves a big gap for the innumerable data transfers where the importer needs the data in plain text. For this, the EDPB offers no new solutions.
Where organisations cannot implement effective supplementary measures, the EDPB confirm the data should not be transferred and existing transfers should be suspended.
Given the limitations of contract - which will also apply to the new draft Commission SCCs - it remains unclear, at least where public authority access is concerned in countries like the US, how transfers can continue compliantly where the data is needed in clear text.
The Guidance, which is available here, is open to public consultation until 30 November.
1. Carry out a Transfer Assessment
Organisations must, as a first step, map data transfers so they can understand where their data is transferred and what adequacy mechanisms are in place. In carrying out this exercise, the EDPB reminds organisations that even remote access from a third country (such as IT support) constitutes a transfer for these purposes. As part of this exercise, controllers must also consider onward transfers, for example the extent to which the controller’s processor outside the EEA subsequently transfers the data to a sub-processor in a third country. Clearly, if the transfer is to a destination covered by a Commission adequacy decision, the exporter does not need to implement the supplementary safeguards laid down in the Guidance. On BCRs, the EDPB also flag that more guidance as to whether additional commitments may need to be included in the BCRs will follow as soon as possible.
For non-adequate countries, data exporters must next, with help from importers, assess if there is anything in the law or practice of the third country that may undermine the effectiveness of the relevant transfer mechanism. In carrying out this assessment, organisations need to take into account the specifics of each transfer, in particular the purposes of the transfer (HR, marketing, IT Support or other purposes), the type of entity involved in the transfer (private/public, controller/processor), the personal data transferred (for example, data relating to children may be subject to specific rules), the industry sector of the transfer, whether the data will be stored or be accessible remotely from the third country, whether there will be onward transfers, and the format of the data (i.e. whether it will be encrypted, pseudonymized or clear).
According to the EDPB, the transfer assessment must be based ‘first and foremost’ on publicly available legislation. Organisations must look to the law and practice of the third countries to assess if those laws impinge on the commitments in the transfer mechanism, including, for example, confirming that data subjects can effectively exercise their rights and, in particular, whether there are laws permitting public authority access to the data for law enforcement, regulatory supervision and national security purposes. Public authority access must be assessed by reference to Articles 47 and 52 of the EU Charter of Fundamental Rights, to determine if those powers are limited to what is necessary and proportionate in a democratic society. This includes providing data subjects with effective redress, having regard to the rule of law, the comprehensiveness of the data protection law in the third country and its adherence to international instruments providing for privacy safeguards. To help with this, the EDPB published in parallel to the Guidance an additional recommendation on the ‘European Essential Guarantees for Surveillance Measures’, available here. This outlines the four essential guarantees, in this context, that need to be in place to make limitations to data protection and privacy rights justifiable: (1) processing should be based on clear, precise and accessible rules; (2) the necessity and proportionality of the legitimate objective being pursued must be demonstrated; (3) an independent oversight mechanism should exist; and (4) effective remedies need to be available to the individual.
If primary legislation is lacking, exporters in their assessments must look to ‘other relevant and objective factors’ and must not rely on subjective factors such as the likelihood of public authorities actually accessing the data. This focus on objective rather than subjective factors will make it more difficult for organisations to form their own risk-based view.
The transfer assessment must be documented, with the EDPB warning that organisations may be held accountable for decisions they make on the basis of the assessment. The assessments should also be re-evaluated at appropriate intervals given that accountability is an ongoing obligation under GDPR.
In light of the foregoing, the burden of transfer assessments, even for the most sophisticated organisations, is an extremely heavy one, and it is difficult to see how assessments of this complexity and scale would be achievable for smaller organisations, at least in the absence of assistance from a centralised body such as the European Commission.
If the transfer assessment finds that the transfer mechanism is not effective alone, then supplementary measures need to be implemented. Contractual and organisational measures only go so far with the EDPB recognising that - while they can complement technical safeguards - there will be cases ‘where only technical measures might impede or render ineffective access by public authorities in third countries… in particular for surveillance purposes.’
The Guidance gives a ‘non-exhaustive’ list of technical measures which may supplement safeguards of transfer tools. These measures are of particular importance where the law of the third country impinges on the contractual guarantees of essential equivalent protection as a result of access to the data by public authorities. Importantly, these technical measures apply even if the public authorities’ access complies with local law in the third country, but where in line with the CJEU’s judgment in Schrems II, such access goes beyond what is necessary and appropriate in a democratic society.
The technical measures employed by the exporter and importer should, where appropriate, take account of both public authority access to data in transit, through accessing the lines of communication used to convey the data, and public authority access to the data when it is in the custody of the intended recipient.
Examples of scenarios where effective technical measures can be deployed are outlined in the table below.
| Use case | Conditions to effectiveness |
|---|---|
| A data exporter uses a hosting provider in a third country to store personal data for back-up purposes | |
| Transfer of pseudonymised data | |
| The encrypted data merely transiting third countries en route to an adequate country | |
| A data exporter transfers personal data to a data importer in a third country specifically protected by that country’s law - for example, to jointly provide medical treatment to a patient or legal services to a client | |
| Split or multi-party processing, i.e. the exporter wants data to be processed jointly by two or more independent processors located in different jurisdictions without disclosing identifiable data to either of them | |
The EDPB also give examples of scenarios where no effective measures could be found to legitimise the transfers.
The examples - both of which are ubiquitous - include an EEA exporter transferring personal data to a cloud service provider where the data is needed in clear text by the processor for it to carry out its assigned task and where the power granted to public authorities of the recipient country to access the transferred data goes beyond what is necessary and proportionate in a democratic society.
The second example given by the EDPB is that of a data exporter making personal data available to entities in third countries for shared business purposes, for example an EU subsidiary sharing employee data with its parent in a third country. If the importer uses the data in clear form for its own purposes in a jurisdiction such as the US, where the power granted to public authorities of the recipient country to access the transferred data goes beyond what is necessary and proportionate in a democratic society, then the EDPB conclude that it is incapable of envisioning an effective technical measure to prevent that access from infringing on data subject rights. However, the EDPB acknowledge that this may change as technologies advance.
Similarly, if the data importer is in possession of the cryptographic key, then transport encryption and data-at-rest encryption - even taken together - do not, according to the EDPB, constitute a supplementary measure that ensures an essentially equivalent level of protection in countries where public authority access to personal data may extend to cryptographic keys (as is the case under FISA 702 in the US).
Contractual measures will generally consist of unilateral, bilateral or multilateral contractual commitments. Such measures are subject to significant limitation, in that they will not bind public authorities in the third country nor rule out the application of third country legislation which does not align with the EDPB’s European Essential Guarantees Standard. However, supplementary contractual measures can nonetheless complement and reinforce the safeguards in Article 46 transfer mechanisms.
The EDPB also clarify that where organisations add supplementary contractual safeguards to the SCCs, there is no need to request approval from a supervisory authority, provided the supplementary measures do not contradict, directly or indirectly, the SCCs and are sufficient to ensure that the level of protection guaranteed by the GDPR is not undermined.
Annex 2 of the Guidance gives a number of examples of contractual clauses that exporters could add to their contracts with importers, some of which are outlined in the table below.
| Contractual clause | Details | Conditions to the effectiveness of the clause |
|---|---|---|
| Contractual obligations to implement technical measures | The contract could provide that the transfer will only take place if specific technical measures are put in place. | |
| Transparency obligations - information on public authority access | The exporter could add annexes to the contract that would require the data importer, based on its best efforts, to provide information on access to the data by public authorities in the third country, including for surveillance purposes. | Such a clause would only be effective where the importer is able, under the laws of the third country, to provide this information to the exporter. The EDPB also note that this type of clause is only a means to flush out the risks attached to the data transfer. Such a clause, of itself, can neither justify the importer’s disclosure of personal data nor give rise to the expectation that there will be no further public authority access. |
| Transparency obligations - no back doors | The exporter could add a clause requiring that the data importer certifies that (a) it has not purposefully created back doors that could be used to access the personal data or systems; (b) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems; and (c) national law or government policy does not require the importer to create or maintain back doors or to facilitate access to personal data or systems. | For this clause to be effective, there would have to be no legislation or government policy in the third country preventing the importer from disclosing the information required by this clause. In addition, according to the EDPB, the contract would need to include penalties and/or the ability for the data exporter to terminate on short notice in cases where the importer fails to reveal such back doors. |
| Transparency obligations - flagging changes in law | While the law of the third country may have initially been deemed to provide an equivalent level of protection, things change, and the exporter could strengthen the obligations on the importer to inform the exporter of its inability to comply with the contractual commitments and, as a result, with the required standard of ‘essentially equivalent level of data protection’. | This clause is only effective where: |
| Transparency obligations - increased audit rights | The exporter could strengthen its audit and inspection rights over the data processing facilities of the importer (either on site or remotely) so as to verify if data was disclosed to public authorities and under what conditions. | For this clause to be effective, the scope of the audit should legally and technically cover any processing by the data importer’s processors or sub-processors. There would also need to be appropriate tamper-proof access logs and audit trails which distinguish between access due to regular business operations and access due to public authority orders or requests for access. |
| Transparency obligations - warrant canary | The contract could reinforce the transparency obligations of the data importer by providing for a ‘warrant canary’, i.e. the importer is required to regularly publish (e.g. at least every 24 hours) a cryptographically signed message informing the exporter that, as of a certain date and time, it has received no order to disclose personal data. Absence of the notice will signify to the exporter that the importer may have received an order. | This clause is only effective where: |
| Obligations to take specific actions - such as agreeing to review the legality of any order to disclose data | The importer could commit to reviewing the legality of any order from public authorities to disclose data, including challenging the order where appropriate. This would also include an obligation on the importer to provide only the minimum amount of information possible when responding to the access order. | This clause would only be effective where, among other matters, |
| Obligations to take specific actions - agreeing to flag local law inconsistencies with the Article 46 transfer tool | The importer could commit to informing a requesting public authority of the incompatibility of any data access order from the public authority with the safeguards contained in the transfer tool (such as the SCCs) and the existing conflicting contractual obligations to the exporter. The importer would also simultaneously notify the exporter and/or the competent supervisory authority in the EEA. | This clause would only be effective where: |
| Obligations to empower data subject rights - restrictions on data access without consent | The contract could provide that data transferred in plain text may only be accessed with the express or implied consent of the exporter/data subject. | This clause would only be effective where: |
| Obligations to empower data subject rights - notifying data subjects of public authority access | The contract could oblige the importer and/or exporter to notify the data subject promptly of a public authority request in the third country, or of the importer’s inability to comply with the contractual commitments, so as to enable the data subject to seek effective redress. | The clause would only be effective where national regulations and policies do not prevent the importer from making the notification to the data subject. |
| Obligations to empower data subject rights - commit importer and exporter to assist the data subject in exercising their rights | The contract could commit the exporter and importer to assist the data subject in exercising his/her rights in the third country jurisdiction through ad hoc redress mechanisms and legal counselling. | This clause would only be effective where the law in the third country does not impose conditions that would undermine the effectiveness of the ad hoc redress mechanisms. |
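The warrant canary row above describes a mechanism rather than a clause that can be checked by reading: the importer publishes a signed "no orders received" statement on a fixed schedule, and the exporter treats a missing, stale or unverifiable statement as a signal. The following Go program is an added illustration of that exporter-side check and is not code from the EDPB guidance; the statement format, the `Canary` field names and the 24-hour maximum age are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Canary is the statement the importer publishes: "as of IssuedAt, no order received".
// The field names are an assumption of this example, not a format from the guidance.
type Canary struct {
	Importer string    `json:"importer"`
	IssuedAt time.Time `json:"issued_at"`
	NoOrders bool      `json:"no_orders_received"`
}

// SignedCanary bundles the JSON statement with its Ed25519 signature over those bytes.
type SignedCanary struct {
	Statement []byte
	Signature []byte
}

// SignCanary is what the importer runs on its schedule (e.g. at least every 24 hours).
func SignCanary(priv ed25519.PrivateKey, c Canary) (SignedCanary, error) {
	msg, err := json.Marshal(c)
	if err != nil {
		return SignedCanary{}, err
	}
	return SignedCanary{Statement: msg, Signature: ed25519.Sign(priv, msg)}, nil
}

var (
	ErrBadSignature = errors.New("canary signature invalid or statement altered")
	ErrStale        = errors.New("canary missing or older than the agreed interval")
	ErrOrderFlag    = errors.New("canary no longer asserts absence of orders")
)

// VerifyCanary is the exporter-side check: the statement must carry a genuine signature
// from the importer's published key, be no older than maxAge, and still assert "no orders".
// A nil sc models the "absence of the notice" case the clause describes.
func VerifyCanary(pub ed25519.PublicKey, sc *SignedCanary, now time.Time, maxAge time.Duration) error {
	if sc == nil {
		return ErrStale
	}
	if !ed25519.Verify(pub, sc.Statement, sc.Signature) {
		return ErrBadSignature
	}
	var c Canary
	if err := json.Unmarshal(sc.Statement, &c); err != nil {
		return ErrBadSignature
	}
	// Reject stale canaries and ones dated implausibly far in the future (replay of a pre-signed notice).
	if now.Sub(c.IssuedAt) > maxAge || c.IssuedAt.After(now.Add(5*time.Minute)) {
		return ErrStale
	}
	if !c.NoOrders {
		return ErrOrderFlag
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	now := time.Now()
	sc, _ := SignCanary(priv, Canary{Importer: "example-importer", IssuedAt: now, NoOrders: true})
	fmt.Println("one hour later:", VerifyCanary(pub, &sc, now.Add(time.Hour), 24*time.Hour))
	fmt.Println("two days later:", VerifyCanary(pub, &sc, now.Add(48*time.Hour), 24*time.Hour))
}
```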
Additional safeguards may also include organisational measures. Organisational measures consist of internal policies, organisational methods, and standards that organisations can implement and also impose on importers in third countries. The implementation of these policies helps ensure consistency and risk awareness within organisations. However, the Guidance notes that the introduction of organisational measures alone, will not necessarily ensure that transfers meet the essential equivalence standards that EU law requires, but again, they can complement the other contractual and/or technical measures in place.
Examples of appropriate organisational measures are outlined in the table below.
| Measure | Details | Conditions to the effectiveness of the measure |
|---|---|---|
| Internal policies for governing transfers, especially within groups of enterprises | Organisations should adopt adequate internal policies with clear allocation of responsibilities for data transfers, reporting channels and standard operating procedures for cases of covert or official requests from public authorities to access personal data. | Such policies will only work where the request from public authorities is compatible with EU law. When the request is incompatible, these policies would not suffice to ensure an equivalent level of protection. |
| Transparency and accountability measures - document access requests | Organisations should document and record the requests for access received from public authorities and the response provided, together with the legal reasoning and the parties involved. | The law in the third country may prevent disclosure of the requests or parts thereof, thus undercutting the protection of the measure. |
| Transparency and accountability measures - regular publication of transparency reports | There should be regular publication of transparency reports or summaries regarding governmental requests for access to data and the type of response submitted, to the extent publication of this information is permitted by local law. | The information provided should be relevant, clear and as detailed as possible. |
| Organisational measures and data minimisation | Organisations should adopt strict access and confidentiality policies and best practices, monitored through regular audits and enforced through disciplinary measures. | According to the EDPB, strong disciplinary measures should be in place within the organisation in order to monitor and enforce compliance with these policies. |
| Organisational measures - timely provision of data to the data protection officer | Organisations should develop best practices to appropriately involve the data protection officer (where one is appointed) or the relevant internal legal and audit teams in international data transfers. | The DPO, legal and audit teams should be provided with the relevant information before the transfer and must be consulted on the necessity of the transfer and the additional safeguards. |
| Adoption of standards and best practices - regular review of internal policies | Organisations should adopt and regularly review internal policies to ensure they remain current and fit for purpose, so as to ensure an equivalent level of protection to that guaranteed within the EU. | |
| Restrictions on onward transfer | Somewhat overlapping with the contractual measures above, organisations should obtain commitments from the data importer not to engage in any onward transfer of personal data within the same or third countries, or to suspend ongoing transfers, when an equivalent level of protection of personal data to that within the EEA cannot be provided in the third country. | |
If the supplementary measures above, in combination with the transfer tool, provide a level of protection ‘essentially equivalent’ to that guaranteed in the EEA - then the data may be transferred.
In contrast, where organisations are not able to establish essential equivalence, the EDPB find that the transfer should not be made and existing transfers should be stopped - if not, the competent supervisory authority may do that for them. The EDPB further advise that if an organisation decides to transfer notwithstanding the lack of essential equivalence, the exporter should notify the competent supervisory authority, in accordance with the specific provisions in the relevant transfer tool.
For many transfers the guidance will give no comfort. The big question now, is whether regulators will enforce these words and when. In this respect we’ll likely see different enforcement practice across Europe, including in terms of possible fines. Companies should therefore keep developments on this front under review, including at Member State level.