In the past month, the European Data Protection Board (EDPB) has provided insight into its interpretation of the Schrems II decision by the EU Court of Justice (ECJ) in July 2020. In Schrems II, the ECJ invalidated the EU-US Privacy Shield, the mechanism allowing for the lawful transfer of personal data from the EU to the US. The ECJ did uphold the continued use of Standard Contractual Clauses (SCCs) as a mechanism to continue to transfer personal data outside of the European Union (EU), but with a caveat;
“In so far as those standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law, they may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection.”
Where the ECJ decision failed to provide sufficient supplementary measures to permit companies’ use of the SCCs in international data transfers, the EDPB released Recommendations 01/2020 (“Recommendations”) intended to provide a framework to address, or at least attempt to understand, the vague “supplementary measures” envisioned by the ECJ. These Recommendations are open for public comment until December 21, 2020.
These Recommendations, the ultimate goal of which is to determine if the protections provided by a non-EU country are “essentially equivalent” to those provided within the EU, include six key factors:
- Know Your Transfers
The first thing a company needs to ask is whether they transfer data internationally. To answer that question, it is helpful to start with data mapping. Data mapping helps identify what data companies have, why they have it, and what they are using it for. In the cross-border data transfer context, it is also important to understand if you are exporting or importing data and what parties you are sending it to and/or receiving it from. A data map can help you to determine the true risks created by cross-border data transfers.
2. Verify Your Transfer Tool
This factor relies heavily on the valid mechanisms to transfer data under Chapter V of the GDPR. For example, if the EU Commission has already approved a receiving country under an adequacy decision, then personal data can be transferred lawfully. Alternatively, companies can rely on the SCCs, Binding Corporate Rules, or other mechanisms allowed for under the GDPR.
The SCCs are also subject to revision, with the European Commission releasing revisions on November 10, 2020 for comment. The SCCs remain valid but are now a user-beware proposition with parties subject to the SCCs clearly required to demonstrate that the protections provided adequately meet the EU data protection requirements.
As such, this step requires companies to delve into the current mechanisms used to transfer data (after mapping those data transfers in step 1) and then identifying the best mechanism to legally conduct the transfer.
3. Assessing the Law of the Receiving Country
When reviewing the intended country receiving the personal data, it is key that a company assess whether the privacy and security measures are adequate to address any concerns. The Recommendations emphasize that the review “should be primarily focused on third country legislation that is relevant to your transfer.” This is an important scoping reference; there are many laws that may not align with EU data protection requirements, but the key is whether those laws would impact your transfer.
For example, in response to Schrems II, the Department of Justice, Department of Commerce and the Office of the Director of National Intelligence jointly prepared a white paper entitled, “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II” (the “White Paper”). The White Paper made clear that certain legislation in the US that Schrems II took issue with, specifically Executive Order 12333 (“EO 12333”), and (2) Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”), would not apply to most companies transferring data to the US. As such, under the Recommendations, these laws would not be considered when assessing the receiving country’s laws.
4. Identify and Adopt Supplemental Measures
The Recommendations state that “[t]his step is only necessary if your assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool you are relying on or you intend to rely on in the context of your transfer.” Annex 2 of the Recommendations lays out scenarios with corresponding supplemental measures that may be used to alleviate the privacy and legal risks associated with the continued transfer of the personal data.
Ultimately, each data transfer is analyzed, and the appropriate supplementary measures are assessed on a case-by-case basis. This ties into the first factor, data mapping. Without a deeper understanding of where the data is going, and what is happening to the data once transferred, it is challenging to even start to identify the appropriate supplemental measures. It is the combination of the appropriate legal transfer tool plus the supplemental measures that allow the transfer to move forward.
5. Formal Procedural Steps
Once a path forward is determined, the companies transferring the personal data must execute formal documentation of such transfer and comply with the requirements of the chosen transfer tool.
A key component of all data protection requirements under the GDPR is documentation and accountability. The Recommendations make clear that accountability requires active participation by all parties involved in the transfer:
“The right to data protection has an active nature. It requires exporters and importers (whether they are controllers and/or processors) to go beyond an acknowledgement or passive compliance with this right.”
A “set it and forget it” approach is not permissible: the company must continue to monitor legal and regulatory developments in the recipient country to continue to confirm that the legal tool used to transfer the personal data and the supplementary measures remain valid.
Recommended Next Steps
While the Recommendations are still under consideration, they do point to a need for deeper analysis of both your data flows and the reason for those data transfers. For many companies, the inclusion of SCCs to all agreements has become routine. But, those agreements, and the legal tool to transfer data under those agreements, need to be addressed on a case-by-case basis, with an understanding of the legal requirements and the corresponding risks.
Beckage’s Global Data Privacy Team works with clients to assess their current infrastructure to further evaluate bases for international data transfers, including the use of DPAs, SCCs and on the development of Binding Corporate Rules. Team Beckage includes Certified Information Privacy Professionals (CIPP/US) and (CIPP/E) and Certified Information Privacy Managers (CIPM) as certified by the International Association of Privacy Professionals as well as attorneys with substantial experience navigating the ever-changing international privacy landscape.
Watch the full video blog.
*Attorney advertising. Prior results do not guarantee future outcomes.
Subscribe to the Beckage Newsletter.