The EU Recommends Supplemental Measures to Protect Personal Data in Cross-Border Data Transfers
In the past month, the European Data Protection Board (EDPB) has provided insight into its interpretation of the EU Court of Justice (ECJ) decision in Schrems II in July 2020. As a brief recap, in Schrems II, the ECJ held that the EU-US Privacy Shield, the mechanism to lawfully transfer personal data from the EU to the US, was invalid. The ECJ did uphold the continued use of Standard Contractual Clauses (SCCs) as a mechanism to continue to transfer personal data outside of the European Union (EU), but with a caveat:
“In so far as those standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law, they may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection.” ¶ 133.
The ECJ decision left open what would be considered adequate supplementary measures sufficient to permit the continued use of the SCCs in international data transfers. To fill this gap, the EDPB released Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Recommendations”). These Recommendations 01/2020 are open for public comment until December 21, 2020.
These Recommendations provide a framework to address, or at least start to understand, the vague “supplementary measures” envisioned by the ECJ. The ultimate goal is to determine whether the protections provided by a non-EU country are “essentially equivalent” to those provided within the EU. Recommendations, p. 2. The Recommendations include six key factors:
1. Know Your Transfers
The first key question to ask is: does the company transfer data internationally? And, how do you answer that? Start with data mapping. Data mapping can be illuminating for a number of reasons: identifying what data you actually have, why you have it, and what you are doing with it. But, in the cross-border data context it is key: are you exporting data? Importing data? Who are you sending it to and/or receiving it from? A data map will help you to identify the true risks created by cross-border data transfers.
2. Verify Your Transfer Tool
This factor relies heavily on the valid mechanisms to transfer data under Chapter V of the GDPR. For example, if the EU Commission has already approved a receiving country under an adequacy decision, then personal data can be transferred lawfully. GDPR, Art. 45. Alternatively, companies can rely on the Standard Contractual Clauses (SCCs), Binding Corporate Rules, or other mechanisms allowed for under the GDPR.
The SCCs are also subject to revision, with the European Commission releasing revisions for comment on November 10, 2020. The SCCs remain valid, but are now a user-beware proposition with parties subject to the SCCs clearly required to demonstrate that the protections provided adequately meet the EU data protection requirements.
As such, this step requires companies to delve into the current mechanisms used to transfer data (after mapping those data transfers in step 1) and then identify the best mechanism to use to actually legally conduct the transfer.
3. Assess the Law of the Receiving Country
When reviewing the country that is intended to receive the personal data transferred, it is key that a company assess whether or not the privacy and security measures are adequate to address any concerns. The Recommendations emphasize that the review “should be primarily focused on third country legislation that is relevant to your transfer.” Recommendations, p. 3. This is a key scoping reference: there are many laws that may not align with EU data protection requirements, but the key is whether or not those laws would impact your transfer.
For example, in response to Schrems II, the Department of Justice, Department of Commerce and the Office of the Director of National Intelligence jointly prepared a white paper entitled “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II” (the “White Paper”). The White Paper made clear that certain legislation in the US that was at issue in Schrems II, specifically (1) Executive Order 12333 (“EO 12333”) and (2) Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”), would not apply to most companies transferring data to the US. As such, under the Recommendations, these laws would not be taken into account when assessing the receiving country’s laws.
4. Identify and Adopt Supplemental Measures
The Recommendations state that “[t]his step is only necessary if your assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool you are relying on or you intend to rely on in the context of your transfer.” Recommendations, p. 3. Annex 2 of the Recommendations lays out various scenarios with corresponding supplemental measures that may be used to alleviate the privacy and legal risks associated with the continued transfer of the personal data.
Ultimately, each data transfer is analyzed, and the appropriate supplementary measures are assessed, on a case-by-case basis. Recommendations, ¶ 46. This ties into the first factor, data mapping. Without a deeper understanding of where the data is going, and what is happening to the data once transferred, it is challenging to even start to identify the appropriate supplemental measures. It is the combination of the appropriate legal transfer tool plus the supplemental measures that allows the transfer to move forward. Recommendations, ¶ 51.
5. Formal Procedural Steps
Once a path forward is determined, the companies transferring the personal data must execute formal documentation of such transfer, and comply with the requirements of the chosen transfer tool.
6. Accountability
A key component of all data protection requirements under the GDPR is documentation and accountability. The Recommendations make clear that accountability requires active participation by all parties involved in the transfer:
“The right to data protection has an active nature. It requires exporters and importers (whether they are controllers and/or processors) to go beyond an acknowledgement or passive compliance with this right.” Recommendations, ¶ 3.
A “set it and forget it” approach is not permissible: the company must continue to monitor legal and regulatory developments in the recipient country to continue to confirm that the legal tool used to transfer the personal data and the supplementary measures remain valid.
Taking the First Steps
While the Recommendations are still under consideration, they do point to a need for deep analysis of both your data flows and the reason for those data transfers. For many companies, the inclusion of Standard Contractual Clauses in all agreements has become standard. But those agreements, and the legal tool to transfer data under those agreements, need to be addressed on a case-by-case basis, with an understanding of the legal requirements and the corresponding risks. Start today with an assessment of your current infrastructure, and identify the international data transfers. This information will be key in helping to identify the necessary next steps.