Four months after Schrems II, the European Data Protection Board has published recommendations setting out six steps data controllers should take to transfer personal data outside the EEA in compliance with the judgment.
In the Schrems II judgment of 16 July 2020, the European Court of Justice ruled that the transfer of personal data outside the European Economic Area (EEA) on the basis of ‘standard contractual clauses’ (SCCs) is only compliant with the GDPR if the recipient country offers a level of data protection essentially equivalent to that guaranteed in the EU. Since then, recommendations have been issued on the supplementary measures companies can take where the legal framework of the third country does not provide sufficient protection, and a draft version of new SCCs has also been published.
The Schrems II judgment invalidated the EU–US Privacy Shield and made the transfer of personal data on the basis of SCCs conditional on the legal level of data protection in the third country being equivalent to the level of protection guaranteed within the EU. See here for a full report.
European Data Protection Board recommendations
Shortly after the judgment, the European Data Protection Board announced that it would issue guidelines on the supplementary measures that should be followed if it appears that the legal framework of the third country does not offer protection equivalent to the GDPR. These long-awaited recommendations were published on 11 November 2020 and include six steps to be taken by data controllers in order to bring their transfers outside the EEA into line with the Schrems II judgment, set out below.
Know your transfers
First of all, the transfers need to be mapped: the countries outside the EEA to which personal data are transferred must be identified, together with the recipients and the data concerned. This includes verifying that the data transferred are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed in the third country.
Verify the transfer tool your transfer relies on
The second step is to determine which transfer tool the transfer relies on. This can be an adequacy decision (e.g., for Canada, Switzerland or Japan), appropriate safeguards provided for in Article 46 of the GDPR (SCCs, ‘Binding Corporate Rules’, codes of conduct and certification) or one of the specific derogations for occasional transfers provided for in Article 49 of the GDPR (e.g., transfers that are necessary for the conclusion or performance of a contract, or transfers based on the explicit consent of the data subject).
Assess the effectiveness of the transfer tools
If the transfer is based on appropriate safeguards provided for in Article 46 of the GDPR, it must be assessed whether these safeguards are effective in practice under the laws of the third country concerned, particularly with regard to the possibility of government access to the data. To facilitate the analysis of the third country's legislation, the European Data Protection Board has identified four ‘European Essential Guarantees’ against which that legislation should be tested:
- The processing should be based on clear, precise and accessible rules.
- The processing should be necessary and proportionate with regard to the legitimate objectives pursued.
- An independent oversight mechanism should exist in the third country.
- Effective remedies need to be available to the individual whose data are being processed.
Adopt supplementary measures
If the third step reveals that the laws of the receiving country outside the EEA do not meet the ‘European Essential Guarantees’, one or more supplementary measures should be adopted. The European Data Protection Board gives examples of such measures, divided into three categories:
- Technical measures: encryption, pseudonymisation etc.
- Contractual measures: these can include a commitment from the data importer to take certain technical measures itself (e.g., encryption); transparency obligations (e.g., an obligation for the data importer to list, in an annex to the contract, the laws of the recipient country on government access to data); a right for the data exporter to conduct audits to verify whether data have been disclosed to the government; a commitment by the importer to contest government access requests in court; an obligation for the importer to notify the exporter and the data subject whose data have been disclosed following a government request; etc.
- Organisational measures: intra-group policies on transfers of personal data between companies within the same group, internal policies on the procedure to be followed in the event of a government request (including a team in the EEA to be appointed to deal with government requests), privacy policies based on ISO norms, etc.
Verify the formalities
Depending on the transfer tool used, certain formalities may still have to be completed. If the transfer is based on SCCs and, as a supplementary measure, clauses have been added that directly or indirectly contradict the SCCs, the authorisation of the data protection authority will first have to be sought.
Re-evaluate at appropriate intervals
Finally, transfers to third countries should be re-evaluated from time to time to ensure that the level of protection remains guaranteed.
Draft new standard contractual clauses
In addition, on 12 November 2020, the European Commission published draft new standard contractual clauses (SCCs), on which a feedback period is currently running until 10 December 2020. The new SCCs have, among other things, been revised in line with the Schrems II judgment and, for the first time, cover not only transfers by a data controller but also transfers of data from ‘processor’ to ‘processor’.
The final version of the new SCCs can be expected at the beginning of 2021, after which there will be a transition period of one year. During this transition period, the old SCCs will remain valid in existing contracts as long as the parties do not amend those contracts. For new data processing agreements and for amendments to existing contracts, however, the new SCCs will have to be used immediately (unless the amendment only introduces supplementary measures to provide an equivalent level of data protection).
Implement the six steps of the European Data Protection Board to bring your transfers of personal data outside the EEA fully into line with the Schrems II judgment, which may require you to take supplementary measures. In this way, you will avoid the data protection authority imposing a suspension or prohibition of data transfers on your company.
Please also note that you will soon have to use the new version of the SCCs when you conclude a data processing agreement or when you plan to transfer personal data to third countries.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.