On November 11, 2020, the European Data Protection Board (EDPB) issued eagerly awaited guidance for complying with the requirements of the General Data Protection Regulation (GDPR) for protecting the privacy rights of individuals in their personal data subject to potential transfer from the European Union (EU) to the United States and other countries. The guidance comes in the wake of the uncertainty following the Court of Justice’s July 16, 2020 decision in Schrems II invalidating the EU-US Privacy Shield and upholding the use of standard contractual clauses as a permissible vehicle to transfer personal data to countries outside of the European Union, provided there are “effective mechanisms” in place to ensure a level of protection for the data that is “essentially equivalent” to that existing within the European Union. The Court recognized that additional safeguards may be needed to provide an adequate level of protection because the standard contractual clauses are between private parties and do not bind governmental authorities.
The EDPB’s comprehensive guidance goes well beyond its previous post-Schrems II commentary by recommending a step-by-step roadmap that organizations subject to the GDPR should use to determine whether the particular data transfer may permissibly occur and the contractual, technical and other safeguards necessary, if any, to permit the transfer. A well-documented legal analysis of the laws in the data importer’s country potentially impacting the safeguards for the specific data to be transferred is critical. The potential use of additional contractual protections beyond that which is already provided in the standard contractual clauses and technical safeguards, such as encryption, pseudonymised data and split data processing, are featured as part of the assessment process. The EDPB has sought, therefore, to provide a detailed framework for considering safeguards that may be needed if a cross-border data transfer is to be permissible.
Reinforcing the significance of its guidance, the EDPB stated in a press release that:
The EDPB is acutely aware of the impact of the Schrems II ruling on thousands of EU businesses and the important responsibility it places on data exporters. The EDPB hopes that these recommendations can help data exporters with identifying and implementing effective supplementary measures where they are needed. Our goal is to enable lawful transfers of personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the [European Economic Area].
The guidance is premised on the fundamental principle that the protections of the GDPR attach to and travel with the data in transit and at rest in the destination country. Thus, the transfer of data outside the EU cannot be a means to avoid the protections afforded under the GDPR. Indeed, the outcome in Schrems II invalidating the Privacy Shield because it did not provide an adequate level of protection, was motivated by the Court’s concern that the United States’ surveillance programs broadly permitted surveillance of communications in transit for the objective of obtaining foreign intelligence without guarantees for non-U.S. persons potentially impacted by those programs, including the lack of actionable legal remedies against U.S. authorities. In the context of standard contractual clauses as a potential alternative transfer vehicle to the Privacy Shield, the Court recognized that these same concerns over broad surveillance programs warranted supplemental protections to protect the data beyond the standard contractual clauses themselves.
In light of the Court’s concerns, the EDPB recommends the following steps:
Step 1: Know the destination of, and the necessity for, data transfers by using a data map. Data exporters must know where and why the data is being transferred so that they can assess whether the transfer is adequate, relevant and necessary to the purposes for which it is being made.
Step 2: Verify that the transfer tool is authorized under the GDPR. In the absence of an adequacy decision pertaining to the third country, the data exporter will need to rely on the transfer tools listed in Article 46 of the GDPR, including standard contractual clauses, Binding Corporate Rules (BCRs) and ad hoc contractual clauses, for transfers that are “regular and repetitive.” The EDPB once again has emphasized that the derogations in Article 49 permit only cross-border transfers that are “occasional” and “non-repetitive.”
Step 3: Assess whether the law or practice of the third country may impinge on the effectiveness of the appropriate safeguards for the transfer tools being relied on in the context of the specific transfer. The exporter should focus on legislation that may affect the level of protection for the particular type of data to be transferred (e.g., financial, personnel, health, research, child-related or other sensitive data such as race or ethnicity). The EDPB cautions that the assessment should “not rely on subjective factors such as the likelihood of public authorities’ access to your data not in line with EU standards.” The type and purpose of the data transfer must be considered in the context of legally permissible governmental access and whether that access “is limited to what is necessary and proportionate in a democratic society and whether data subjects are afforded effective redress.”
Step 4: Identify and adopt supplementary measures that are necessary to bring the level of protection for the transferred data up to the EU standard of essential equivalence. Possible technical safeguards may include use of pseudonymised data where the EU data exporter retains sole control over the algorithm or repository that permits re-identification. The exporter should also consider, for certain use cases, strong encryption with the cryptographic key held solely by the EU exporter. Contractual clauses may provide added protections. These may include, for example, the provision for audits by the data exporter to verify whether data was disclosed to public authorities under circumstances “beyond what is necessary and proportionate in a democratic society,” as well as a contractual requirement for the data importer to provide prompt advance notice of its inability to comply with its contractual commitments and meet an “essentially equivalent level of data protection.” The data exporter may also wish to secure a promise by the data importer to review and challenge, where permissible, the legality of any order to disclose the data. The EDPB emphasizes: “You will be responsible for assessing the effectiveness [of the supplementary measures] in the context of the transfer, and in light of the third country law and the transfer tool you are relying on and you will be held accountable for the decision you take.”
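The pseudonymisation safeguard in Step 4 turns on one design point: the importer must receive tokens it cannot turn back into identities, while the exporter keeps the only means of re-identification inside the EU. The following Python, added here as an illustration and not code from the EDPB or from the article's authors, contrasts a weak approach (an unkeyed hash of the identifier, which anyone who can guess the identifier can confirm) with a keyed approach (HMAC-SHA256 under a secret the exporter never ships, plus an exporter-held re-identification table). The record layout, the `DIRECT_IDENTIFIERS` set and the sample data are constructed for the example; the encryption-with-exporter-held-key safeguard is not shown because the standard library has no authenticated cipher.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption for this illustration: which fields count as direct identifiers.
# A real assessment defines this per data category (Step 3).
DIRECT_IDENTIFIERS = ("name", "email")


@dataclass
class ExporterVault:
    """Everything here stays with the EU exporter and is never transferred:
    the keyed-hashing secret and the token-to-identity table."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    reidentification_table: dict = field(default_factory=dict)

    def pseudonymise(self, identifier: str) -> str:
        # Keyed hash: the same person always maps to the same token (so the
        # importer can still link records), but without the secret a guessed
        # identifier cannot be checked against a token.
        token = hmac.new(self.secret, identifier.encode("utf-8"),
                         hashlib.sha256).hexdigest()[:24]
        self.reidentification_table[token] = identifier
        return token

    def reidentify(self, token: str):
        """Only the exporter can do this; returns None for unknown tokens."""
        return self.reidentification_table.get(token)


def weak_pseudonymise(identifier: str) -> str:
    """The inadequate variant: an unkeyed hash. Anyone holding the export
    can confirm a guessed e-mail address by hashing it themselves."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:24]


def prepare_for_export(records, pseudonymise):
    """Copy each record, replacing direct identifiers with tokens.
    Only the returned list is sent to the importer."""
    exported = []
    for record in records:
        exported.append({
            key: pseudonymise(value) if key in DIRECT_IDENTIFIERS else value
            for key, value in record.items()
        })
    return exported


def guessable_without_secret(exported_records, candidate_identifier) -> bool:
    """What a party holding only the export can try: hash a guessed identifier
    with no secret and look for a matching token."""
    guess = weak_pseudonymise(candidate_identifier)
    return any(guess in record.values() for record in exported_records)


# Constructed sample data.
SAMPLE_RECORDS = [
    {"name": "Anna Example", "email": "anna@example.eu",
     "department": "Research", "hours": 38},
    {"name": "Ben Example", "email": "ben@example.eu",
     "department": "Finance", "hours": 40},
]


def demo():
    vault = ExporterVault()
    strong_export = prepare_for_export(SAMPLE_RECORDS, vault.pseudonymise)
    weak_export = prepare_for_export(SAMPLE_RECORDS, weak_pseudonymise)
    token = strong_export[0]["email"]
    return {
        "strong_export": strong_export,
        "exporter_reidentifies": vault.reidentify(token),
        "guessable_strong": guessable_without_secret(strong_export, "anna@example.eu"),
        "guessable_weak": guessable_without_secret(weak_export, "anna@example.eu"),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The distinction matters for the EDPB's "sole control" condition: with the unkeyed variant, the exporter controls nothing that the importer does not also effectively hold, because the hash function is public and identifiers such as e-mail addresses are guessable. With the keyed variant, re-identification requires either the secret or the table, both of which remain in the EU.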
Step 5: Comply with formal procedural steps under the GDPR, including consulting competent supervisory authorities as required. This consultation may be required depending on the particular transfer vehicle being relied upon.
Step 6: Re-evaluate the level of protection afforded at appropriate intervals to ensure continuous vigilance over the protection of the personal data.

Following the issuance of the EDPB’s guidance, organizations should evaluate their processes for authorizing cross-border transfers, and document their considerations and decisions, using the roadmap. The assessment will need to include a legal analysis in the context of the specific type of data at issue and the applicable privacy, cybersecurity and surveillance laws in the importing country. The ultimate decision as to whether to proceed with a cross-border data transfer may depend on the sufficiency of the mix of contractual and technical safeguards. Any questions regarding the EDPB’s guidance may be directed to Brian Cesaratto or another member of the EBG Privacy, Cybersecurity and Data Asset Management Group.