If you’re a company that has been scratching your head and racking your brain since the Schrems II decision issued on July 16, 2020, invalidating Privacy Shield and calling into question all data transfers between the EU and third countries on surveillance-related grounds, your wish for more guidance has finally come true.
This week, the European Data Protection Board (EDPB) adopted recommendations on the European Essential Guarantees (EEG) for surveillance measures, and recommendations on measures that supplement transfer tools. Additionally, the European Commission published new draft standard contractual clauses (SCCs) and its draft implementing decision. A discussion of each is below.
Accompanying the recent flurry of activity, the EDPB issued a press release acknowledging the importance of the issued guidance to companies that have been struggling to know how to conduct cross-border data transfers following the July 2020 Schrems II ruling. In the press release, the EDPB Chair, Andrea Jelinek, said:
“The EDPB is acutely aware of the impact of the Schrems II ruling on thousands of EU businesses and the important responsibility it places on data exporters. The EDPB hopes that these recommendations can help data exporters with identifying and implementing effective supplementary measures where they are needed. Our goal is to enable lawful transfers of personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the EEA.”
“The implications of the Schrems II judgment extend to all transfers to third countries. Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as this would be ignoring the wide diversity of situations data exporters face. Data exporters will need to evaluate their data processing operations and transfers and take effective measures bearing in mind the legal order of the third countries to which they transfer or intend to transfer data.”
Recommendations Regarding Surveillance Measures: European Essential Guarantees (EEG)
On November 10, 2020, the EDPB adopted recommendations on the European Essential Guarantees for surveillance measures. These recommendations provide data exporters with a framework for determining if the surveillance practices in a third country with respect to public authorities’ access to data can be regarded as justifiable interference with the rights to privacy and the protection of personal data, such that they do not impinge on the commitments of the Article 46 GDPR transfer tool that the data exporter and importer rely on.
The publication starts out with an introduction, setting forth the historical framework for the issuance of the recommendations, including the Schrems I judgment, the Schrems II judgment, and the fact that the invalidation of Privacy Shield had consequences on other transfer tools as well (i.e., any tools referred to in Article 46 GDPR). The introduction explains that the Schrems II judgment was a determination that US surveillance measures interfered with what are considered “fundamental rights” under EU law, i.e., the rights to respect for private and family life, including communications, and to the protection of personal data. These rights are laid down in Articles 7 and 8 of the Charter of Fundamental Rights of the EU. It is then further explained that Articles 7 and 8 of the Charter are not absolute rights, but must be considered in relation to their function in society, and it points to Article 52(1) of the Charter, which specifies the scope of possible limitations to Articles 7 and 8, including: “Subject to the principles of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others.” It further states that legislation involving the interference with the fundamental rights guaranteed by Articles 7 and 8 “must lay down clear and precise rules governing the scope and application of the measure and imposing minimum safeguards, so that the persons whose personal data is affected have sufficient guarantees that data will be effectively protected against the risk of abuse,” in particular where personal data is subjected to automatic processing and “where there is a significant risk of unlawful access to that data.” Finally, the introduction explains that the “four European Essential Guarantees” (set forth in the publication) intend to specify “how to assess the level of interference with the fundamental rights to privacy and data protection in the context of surveillance measures by public authorities in a third country, when transferring personal data, and what legal requirements must consequently apply in order to evaluate whether such interferences would be acceptable under the Charter.”
The four European Essential Guarantees are as follows:
- Processing should be based on clear, precise and accessible rules;
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
- An independent oversight mechanism should exist; and
- Effective remedies need to be available to the individual.
The paper then goes into detail explaining and developing each of these guarantees, and, on the fourth guarantee (effective remedies), emphasizes the language from the Schrems II judgment explaining that “data subjects must have the possibility of bringing legal action before an independent and impartial court in order to have access to their personal data, or to obtain the rectification or erasure of such data,” as well as the court’s point that effective judicial protection against interferences with personal data can be ensured not only by a court, but also by a body which offers guarantees essentially equivalent to those required by Article 47 of the Charter. (Note: Article 47 of the Charter sets forth the right to an effective remedy and a fair trial.)
Finally, in the “Final Remarks,” the paper acknowledges that the four guarantees require “a certain degree of interpretation, especially since the third country legislation does not have to be identical to the EU legal framework.” Notwithstanding, it concludes that the assessment of third country surveillance measures against the EEG (European Essential Guarantees) may lead to one of two conclusions: (1) the third country legislation at issue does not ensure the EEG requirements, or (2) the third country legislation satisfies the EEG. Thus, it appears that determinations should be made on a country-by-country basis.
Recommendations on Measures that Supplement Transfer Tools
The same day, November 10, 2020, the European Data Protection Board (EDPB) also adopted “recommended measures” for complying with the GDPR requirements for EU-third party data transfers, including example “supplementary measures” to supplement a third country’s laws if an exporter determines that those laws are or may be insufficient or not comparable to those required by the EU. The publication provides detailed guidance, i.e., a “roadmap,” on how companies can determine whether a particular EU-third party data transfer may occur and what steps are necessary. These recommendations are open for public comment until November 30, 2020.
The Executive Summary of the recommended measures, setting forth the background and purpose of the recommendations, explains: “Standard contractual clauses and other transfer tools mentioned under Article 46 GDPR do not operate in a vacuum. The Court [in Schrems II] states that controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. In those cases, the Court still leaves open the possibility for exporters to implement supplementary measures to fill these gaps in the protection and bring it up to the level required by the EU law. The Court does not specify which measures these could be. However, the Court underlines that exporters will need to identify them on a case-by-case basis. This is in line with the principle of accountability of Article 5.2 GDPR, which requires controllers to be responsible for, and be able to demonstrate compliance with the GDPR principles relating to processing of personal data.” (emphasis added).
The recommended measures consist of a series of six steps for exporters to follow, and include potential sources of information and examples of some supplementary measures that could be put in place. Below is an overview of the six steps.
- Exporters should know their transfers. It is strongly advised that exporters map all of their transfers of data to third countries, even though it is a difficult exercise, because it will allow (a) determination of whether there are sufficient levels of protection; and (b) determination of whether the data transferred is adequate, relevant, and limited to what is necessary.
- Exporters should verify the transfer tool being used (e.g., an adequacy decision or some other transfer tool listed under Article 46 GDPR). There is a reminder that the derogations provided in Article 49 GDPR may only be used for occasional and non-repetitive transfers, if conditions are met.
- Exporters should assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools being relied on, in the context of the specific transfer. While this step provides that primary focus should be on the third country legislation that is applicable, and the EEG recommendations (see above) should be used to assess it, this step also provides that “In the absence of legislation governing the circumstances in which public authorities may access personal data, if you still wish to proceed with the transfer, you should look into other relevant and objective factors, and not rely on the subjective factors such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards.” It further provides that such an assessment should be conducted with due diligence and documented thoroughly, “as you will be held accountable to the decision you may take on that basis.”
- Exporters should identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence, if one’s assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool you are relying on or intend to rely on. Some examples of effective supplementary measures are set forth in Annex 2, but it is noted that some of these measures may be effective in some countries but not others, depending on the country’s laws. It is further provided that: “You may ultimately find that no supplementary measure can ensure an essentially equivalent level of protection for your specific transfer. In those cases where no supplementary measure is suitable, you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data. You should also conduct this assessment of supplementary measures with due diligence and document it.” (emphasis added).
- Exporters should take any formal procedural steps in the adoption of any supplementary measure, and some such formalities are set out in the recommendations. For example, if you intend to modify the SCCs, or where the supplementary measures added contradict the SCCs, you are no longer deemed to be relying on the SCCs and must seek authorization from the competent supervisory authority in accordance with Article 46(3)(a) GDPR.
- Exporters should re-evaluate at appropriate intervals the level of protection accorded to the data transferred to third countries and monitor whether there have been or will be any developments that affect those transfers or that data, as the principle of accountability requires continuous vigilance over the level of protection of personal data.
New Draft SCCs and Implementing Decision on SCCs
Yesterday, November 12, 2020, the European Commission published a draft set of new SCCs, as well as a draft implementing decision. The drafts are open for public comment until December 10, 2020. They are expected to be adopted in late 2020 or early 2021.
Importantly for addressing Schrems II, clause 2(a) of the draft SCCs requires the parties to warrant that they “have no reason to believe that the laws in the third country …, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that the laws that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR, are not in contradiction with the Clauses.”
Clause 2 further requires:
- the parties to declare that they have taken proper due diligence measures to assess, inter alia, the specific circumstances of the transfer, the laws of the third country of destination, and any safeguards in addition to those under those clauses;
- the data importer to warrant that it has made best efforts to provide the data exporter with relevant information and agrees it will continue to cooperate with the data exporter in ensuring compliance;
- the parties to document their assessment process and make it available to the competent supervisory authority upon request;
- the data importer to notify the data exporter if it has any reason to believe that it is or has become subject to laws not in line with the requirements of Clause 2; and
- the data exporter, upon learning or having reason to believe that the data importer cannot fulfill its obligations, to identify appropriate measures to be adopted by the data exporter and/or data importer to address the situation, if appropriate in consultation with the competent supervisory authority.