[IMPORTANT NOTE: This document is updated as of 10 December 2020; should the public consultation on EDPB Recommendations 01/2020 result in amendments to the current framework, the content of this article may be further amended and/or supplemented]
As is known, on 16 July 2020 the Court of Justice of the European Union (hereinafter "CJEU") handed down its judgment in the case referred to as "Schrems II".
In its judgment, on the one hand, the CJEU examined the validity of European Commission Decision 2010/87/EU on standard contractual clauses (hereinafter "SCCs") and upheld it, on the ground that the decision contains effective mechanisms that make it possible, in practice, to ensure compliance with a level of protection essentially equivalent to that guaranteed by Regulation (EU) 2016/679 (hereinafter the "GDPR") within the European Union (hereinafter the "EU").
On the other hand, with the same judgment, the CJEU examined the validity of the "Privacy Shield" decision [1], since the transfers of personal data at issue in the dispute that led to the request for a preliminary ruling took place between the EU and the United States. In this respect, the CJEU held that the requirements of US domestic law and, in particular, certain programs that allow US public authorities to access personal data transferred from the EU to the United States for national security purposes, impose limitations on the protection of personal data that are not circumscribed in a way that satisfies requirements essentially equivalent to those laid down by EU law, and that such legislation does not grant data subjects rights enforceable in legal proceedings against US authorities.
In light of that degree of interference with the fundamental rights of persons whose data are transferred to the said third country (i.e. a country that is not part of the EU), the CJEU declared the Privacy Shield adequacy decision invalid [2].
As readers will recall, the alternatives to the Privacy Shield for transfers of personal data from Italy to the United States were discussed in our previous article on this subject, which examined the various solutions that could be taken into consideration [3].
The aim of this paper is therefore to present concrete solutions for companies based in the EU that have hitherto relied on the SCCs [4] to transfer personal data from Italy to the United States, in light of the recent recommendations issued by the European Data Protection Board (hereinafter the "EDPB").
- Introduction to the recommendations on supplementary measures for personal data transfers
In order to provide useful guidance, on 11 November 2020 the EDPB adopted "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data" and "Recommendations 02/2020 on the European Essential Guarantees for surveillance measures" [5].
Starting with Recommendations 01/2020, these describe the activities that controllers and processors acting as data exporters to third countries must carry out on the basis of the principles set out in the Schrems II judgment: first, map all transfers made outside the European Economic Area (hereinafter the "EEA") and, thereafter, assess whether supplementary measures are needed in order to transfer the data in accordance with EU law and better protect the data subjects.
Indeed, as a result of the Schrems II judgment, controllers and processors are required to verify, on a case-by-case basis, whether the law of the third country ensures a level of protection of the transferred personal data that is essentially equivalent to that guaranteed within the EEA, and to adopt measures supplementary to the transfer safeguards envisaged in Chapter V of the GDPR in order to guarantee that level of protection in practice, whenever the transfer safeguards alone are not sufficient.
The recommendations therefore are meant to assist data controllers and processors acting as data exporters with identifying and implementing appropriate supplementary measures where needed to ensure an equivalent level of protection for the data transferred to third countries.
In this way, the EDPB aims to consistently enforce the GDPR and the Schrems II judgment throughout the EEA.
- The content of Recommendations 01/2020
As anticipated, Recommendations 01/2020 are devised as a sort of "roadmap", a series of steps that data exporters must follow in order to assess whether supplementary measures need to be put in place to transfer personal data outside the EEA in accordance with EU law; they also contain a non-exhaustive list of supplementary measures and of the conditions for their effectiveness.
The steps indicated by the EDPB, which data exporters must take in compliance with the principle of accountability [6], are analyzed below:
- Bearing in mind that the Recommendations are addressed both to controllers and to processors (including processors wishing to identify their sub-processors), the first step is to map all transfers of personal data that the controller makes to third countries [7]. This activity can be particularly complex, especially where several persons act as processors and sub-processors, but it is a fundamental first step in accordance with the principle of accountability. Precisely because of that complexity, the record of processing activities that the controller must keep pursuant to Article 30 of the GDPR can be of help in this phase. Finally, it should be emphasized that in this phase the controller must also assess compliance with the principle of data minimization and check whether any sub-processors are located in countries outside the EU.
- After the mapping described above, the transfer tool on which the transfer relies must be identified among those listed in Chapter V of the GDPR [8]. In this respect, the EDPB clarifies that, where an adequacy decision of the European Commission declares that the third country ensures an adequate level of protection for the personal data to be transferred, it is not necessary to proceed any further with the assessment and the transfer is deemed legitimate, without prejudice to the controller's need to monitor that decision in order to verify that it is not revoked or invalidated [9].
- In the absence of an adequacy decision, the third step identified by the EDPB requires the controller to assess whether the transfer tool is effective [10] with respect to the transfer to be made. In other words, it must be assessed whether the third country has laws or practices that undermine the effectiveness of the appropriate safeguards referred to in Article 46 of the GDPR on which the transfer relies. In this regard, the EDPB invites controllers to consider in particular the case where the legislation of the third country allows public authorities to access personal data for surveillance purposes. Where such legislation is ambiguous or not publicly available, the analysis must take into account objective and relevant factors, include the necessary checks and be documented in accordance with the principle of accountability.
At this point, if the controller (or the processor) concludes that there is no such interference and that the transfer tool on which the transfer relies is effective, no supplementary measures are needed and the transfer of personal data to the third country may continue or begin. Otherwise, the supplementary measures needed to ensure an appropriate level of protection must be identified.
- Where the assessment referred to in the preceding step identifies obstacles to the effectiveness of the appropriate safeguards, the controller is obliged to take supplementary (additional) measures for the transfer that guarantee the data subjects a level of protection equivalent to that afforded to them in the EU. For this step, Annex 2 to the Recommendations must be taken into account, which provides a non-exhaustive list of such measures. Supplementary measures may be technical (such as encryption, split processing, pseudonymization, etc.), contractual (such as transparency obligations, data subjects' rights, etc.) and organizational (such as internal policies, transparency, etc.). In any case, the choice of supplementary measures may depend on several factors, such as the format of the data, the nature of the data, the complexity of the processing workflow, the number of actors involved in the processing, onward transfers, etc.
If, despite the adoption of supplementary measures, the transfer does not provide appropriate safeguards for the data subjects, the controller must refrain from transferring the data or, if the transfer is already in progress, suspend it.
- If, on the other hand, the supplementary measures adopted prove sufficient to ensure the data subjects a level of protection equivalent to that afforded to them in the EU, any formal procedural steps required to adopt those measures must be taken, depending on the transfer tool on which the transfer relies [11].
- Lastly, the measures taken must be monitored, updated and periodically re-evaluated to verify that they remain effective over time [12].
Finally, the EDPB clarifies that data exporters must document the assessment process described above, since they are accountable for the decisions they make, in line with the principle of accountability.
- The content of Recommendations 02/2020
"Recommendations 02/2020 on the European Essential Guarantees for surveillance measures", for their part, are complementary to those described so far.
The recommendations on the European Essential Guarantees [13] provide data exporters with useful elements to determine whether the legal framework governing public authorities' access to personal data in third countries for surveillance purposes can be regarded as a justifiable interference with the rights to privacy and to the protection of personal data, and therefore does not breach the commitments made by the exporter and the importer through the transfer tool relied on among those referred to in Article 46 of the GDPR.
- Practical solutions for the transfer of personal data into the United States
In light of the above and to sum up the matter, what should we do if we use the SCCs with a data importer in the United States?
The CJEU has established that the laws of the United States do not ensure an essentially equivalent level of protection.
Therefore, as also clarified by the EDPB [14], whether personal data may be transferred on the basis of the SCCs depends on the outcome of the assessment that the data exporter must carry out, taking into account the circumstances surrounding the transfer and any supplementary measures put in place. The SCCs together with the supplementary measures, in light of a case-by-case analysis of the circumstances surrounding the transfer, must ensure that US law does not interfere with the appropriate level of protection that the SCCs and the supplementary measures themselves guarantee.
If the conclusion is reached that, taking into account the circumstances surrounding the transfer and any supplementary measures, appropriate safeguards cannot be provided, the transfer of personal data must be suspended or terminated. If the exporter nevertheless intends to continue transferring the data, the competent supervisory authority must be informed.
It is also necessary to understand and assess, on a case-by-case basis, what happens where the transfer is based on one of the other transfer tools provided for by Article 46 of the GDPR or on one of the derogations referred to in Article 49 of the GDPR.
In any case, where the transfer is based on the SCCs, it should be considered that Article 6 of the draft decision of the European Commission submitted for public consultation, containing the draft SCCs updated in light of the CJEU's judgment [15], stipulates that, for a period of one year from the entry into force of the decision and of the new SCCs, the data exporter and importer may continue to rely on the previous clauses laid down in Decision 2001/497/EC and Decision 2010/87/EU in order to perform any contract concluded before the entry into force of the decision.
During that period, the contract between the parties may nevertheless be supplemented with the additional measures required to ensure that the transfer takes place with appropriate safeguards and security.
In conclusion, the EDPB clearly leaves it to the data exporter and the data importer to assess whether the level of protection required by EU law is ensured in the third country, in order to determine whether the safeguards provided by the chosen transfer tool can be complied with in practice; only where that level is not ensured will it be necessary to assess whether supplementary measures can be provided to ensure a level of protection essentially equivalent to that guaranteed in the EEA.
In other words, supplementary measures can fill the gap where the transfer tool identified among those of Article 46 of the GDPR is not, on its own, sufficient to ensure a level of protection of personal data essentially equivalent to that guaranteed in the EEA, provided that the legislation of the third country does not allow interference with those supplementary measures such as to compromise their effectiveness [16].
[1] Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield.
[2] The full text of the judgment can be found at the following link: http://curia.europa.eu/juris/documents.jsf?num=C-311/18.
[3] All controllers or processors could, in the short term:
- reassess the need to transfer personal data overseas and consider replacing suppliers based in the United States with suppliers established in the EU, or storing the data at an establishment within the EU;
- base transfers of personal data on the SCCs, after having established a procedure for assessing the level of data protection in the country or territory to which the data are transferred, and impose technical and organizational measures appropriate to that level of protection;
- rely on the explicit consent of the data subjects, based on the indications of the European Data Protection Board;
whilst, in the medium-long term:
- for multinational groups, define binding corporate rules and submit them for approval to the competent authorities pursuant to and for the purposes of Article 47 of the GDPR; or
- wait for the issue of codes of conduct or certification mechanisms and then adhere to them.
[4] In most cases, companies headquartered in the United States that were not certified under the Privacy Shield have based flows of personal data from the EU on the SCCs. The SCCs consist of a set of "standard" clauses that exporters and importers of personal data sign in order to guarantee, through contractual obligations consistent with the GDPR, an appropriate level of protection for personal data leaving the European Economic Area. So far, the European Commission has approved three sets of standard contractual clauses: two for transfers from controllers based in the EU to controllers based outside the EU or the EEA, and one for transfers from controllers based in the EU to processors based outside the EU or the EEA. No SCCs have yet been issued for transfers from a processor based in the EU to a controller based outside the EU, nor for transfers from processors (or sub-processors) based in the EU to processors (or sub-processors) based outside the EU. In this respect, on 12 November 2020 the European Commission published a draft decision, submitted for public consultation until midnight on 10 December 2020 (Brussels time), containing the draft SCCs updated in light of the CJEU's judgment, which repeals Decision 2001/497/EC and Decision 2010/87/EU. In particular, the annexes to the draft currently under discussion govern four types of transfer: (i) controller to controller; (ii) controller to processor; (iii) processor to processor; (iv) processor to controller.
[5] Recommendations 01/2020 are subject to public consultation until 21 December 2020 but are applicable immediately from their publication.
[6] Indeed, according to the principle of accountability envisaged in the GDPR, it is the controller's responsibility to be able, at all times, to demonstrate compliance with the rules on the processing of personal data.
[7] On this subject, the EDPB specifies that remote access from a third country (e.g. in support situations) and/or storage in a cloud located outside the EEA also constitute a transfer outside the EEA.
[8] Pursuant to the GDPR, in the absence of an adequacy decision, transfers of personal data to third countries can be carried out only if the controller or processor transferring the data has provided appropriate safeguards and the data subjects have enforceable rights and effective legal remedies. The appropriate safeguards referred to in Article 46 of the GDPR may be provided by: (i) SCCs; (ii) binding corporate rules ("BCRs"); (iii) codes of conduct; (iv) certification mechanisms; (v) ad hoc contractual clauses. In addition to the cases described above, a transfer can also be based on the derogations referred to in Article 49 (including, among others, the explicit consent of the data subject).
[9] At the same time, it should be pointed out that adequacy decisions do not prevent data subjects from lodging a complaint, nor do they prevent supervisory authorities from bringing a case before a national court where there is doubt about the validity of a decision, so that the national court can then refer a question to the CJEU for a preliminary ruling with a view to examining its validity.
[10] The term "effective" means that the personal data must be guaranteed a level of protection essentially equivalent to that guaranteed in the EU.
[11] In particular, if the transfer is based on the SCCs, as long as the supplementary measures identified do not infringe the rights of the data subjects or contradict the provisions of the SCCs, it is not necessary to request the supervisory authority's authorization in order to adopt them. Otherwise, if the controller wishes to amend the SCCs or if the additional measures identified conflict with the SCCs, the competent supervisory authority's authorization must be requested pursuant to Article 46(3)(a) of the GDPR.
[12] In particular, the controller must adopt mechanisms to suspend the transfer immediately when the importer is no longer able to comply with the transfer tool relied on and/or the additional measures are no longer sufficient to guarantee an appropriate level of protection for the data subjects.
[13] In particular, Recommendations 02/2020 identify the following "essential guarantees": (i) processing of personal data based on clear, precise and accessible rules; (ii) demonstration of the necessity and proportionality of the measures with regard to the legitimate objectives pursued; (iii) existence of an independent oversight mechanism; (iv) existence of effective remedies for individuals.
[14] See the "Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner/Facebook Ireland Ltd and Maximillian Schrems".
[15] See note 4.
[16] On this subject, it should be considered that clause 3 of the draft decision of the European Commission submitted for public consultation, containing the draft SCCs updated in light of the CJEU's judgment, includes a series of obligations incumbent on the importer in the event of requests by public authorities for access to personal data. Among these is the obligation to notify the exporter of the authority's request and to provide the exporter with as much information as possible on the requests received (number of requests, type of data requested, requesting authority, whether the requests were challenged and the outcome of such challenges, etc.).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.