In July this year (July 2020), the European Court of Justice (“ECJ”) thoroughly shook up the international data transfer regime when handing down its decision in the Schrems II case. In that case, the ECJ invalidated the EU-US Privacy Shield as a transfer mechanism. However, perhaps even more significantly, the ECJ upheld the validity of standard contractual clauses (“SCCs”) but only with major conditions attached, with the court effectively ruling that:
Since the ruling, organisations transferring personal data on the basis of SCCs have been left somewhat in the dark about how exactly to conduct transfer impact assessments and what any “supplementary measures” may look like.
However, the European Data Protection Board (“EDPB”) has now issued its much awaited guidance on these issues (“EDPB guidance”), which we discuss below.
Transfer impact assessments
Transfer impact assessments essentially amount to a review of the laws and practices of the country where the recipient of the data is based, to determine whether these would prevent the SCCs from ensuring a level of protection for the transferred data that is essentially equivalent to that provided in the EU. The EDPB guidance provides that these assessments should be conducted by the transferring entity in conjunction with the entity receiving the data.
Laws which the EDPB guidance suggests should present major red flags for organisations seeking to transfer personal data to third countries include those which require organisations to disclose personal data to public authorities, or which grant public authorities powers of access to personal data.
To help organisations assess whether the surveillance laws in place in the country of the recipient of the data are compatible with EU law, the EDPB has published separate guidance on the European Essential Guarantees for surveillance measures. The key criteria to be taken into account are as follows:
Separately, the EDPB guidance also stresses that transfer impact assessments should be objective rather than subjective, meaning organisations should not give weight to factors such as the perceived likelihood of the transferred personal data actually being accessed by surveillance authorities and handled inappropriately. This is interesting as it contrasts with a white paper published by the US government in September in response to the Schrems II ruling. In that paper, the US government attempted to allay concerns about data transfers to the US by stating that US intelligence authorities are not interested in the vast majority of data transferred from Europe to the US, despite often having the legal power to access that data.
If, following a transfer impact assessment, it is clear that the SCCs alone would not ensure an equivalent level of protection for the transferred personal data, supplementary measures must be implemented to protect against the risks identified. The EDPB guidance provides for three types of supplementary measures which can be taken: technical measures; contractual measures; and organisational measures. The exact supplementary measures to be implemented should be decided on a case-by-case basis depending on the specific issues raised by the transfer impact assessment.
The EDPB guidance contains a handful of examples of supplementary measures in the context of specific scenarios which are set out in Annex 2 of the guidance. These include:
For transfers to countries with broad surveillance laws, the EDPB guidance suggests that only technical measures can be sufficient to ensure an equivalent level of protection for the transferred data; contractual or organisational measures, whether applied alone or in combination, will not be enough on their own.
Whilst the EDPB guidance is helpful to a point, the EDPB is forthright in making clear that implementing supplementary measures will not always be enough to ensure an equivalent level of protection for transferred personal data. The EDPB gives the following two examples of when supplementary measures will not be effective:
This will no doubt frustrate many companies which regularly carry out these transfers and which will now need to consider alternative approaches in relation to these going forward.
Practical steps for organisations
In light of the EDPB guidance, organisations transferring personal data outside the EU or UK will need to:
If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak to your usual Fox Williams contact.