In July this year, the European Court of Justice (“ECJ”) thoroughly shook up the international data transfer regime when handing down its decision in the Schrems II case. In that case, the ECJ invalidated the Privacy Shield as a transfer mechanism. However, perhaps even more significantly, the ECJ upheld the validity of standard contractual clauses (“SCCs”) but only with major conditions attached, with the court effectively ruling that:
- organisations seeking to rely on SCCs must carry out a transfer impact assessment to determine whether the SCCs guarantee an equivalent level of protection for the transferred data as applies under GDPR; and
- if implementation of SCCs alone would not guarantee an equivalent level of protection, then “supplementary measures” need to be put in place to ensure such a level of protection.
Since the ruling, organisations transferring personal data on the basis of SCCs have been left somewhat in the dark about how exactly to conduct transfer impact assessments and what any “supplementary measures” may look like.
However, the European Data Protection Board (“EDPB”) has now issued its much awaited guidance on these issues (“EDPB guidance”) (available here), which we discuss below.
Transfer impact assessments
Transfer impact assessments essentially amount to a review of the laws and practices of the country where the recipient of the data is based, to determine whether these would prevent the SCCs from ensuring an equivalent level of protection for the transferred data to that provided in the EU. The EDPB guidance provides that these should be conducted by the transferring entity in conjunction with the entity receiving the data.
Laws which the EDPB guidance suggests should present major red flags for organisations seeking to transfer personal data to third countries include those which impose requirements on organisations to disclose personal data to public authorities, or which grant public authorities’ powers of access to personal data.
To help organisations assess whether the surveillance laws in place in the country of the recipient of the data are compatible with EU laws, the EDPB has published separate guidance on the European Essential Guarantees for surveillance measures (accessible here). The key criteria to be taken into account are as follows:
- Processing should be based on clear, precise and accessible rules.
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
- An independent oversight mechanism should exist.
- Effective remedies need to be available to the individual.
Separately, the EDPB guidance also stresses that transfer impact assessments should be objective in nature rather than subjective, meaning organisations should not give weight to factors such as the likelihood of the transferred personal data being accessed by surveillance authorities and handled inappropriately. This is interesting as it contrasts with a white paper published by the US government in September in response to the Schrems II ruling. In that paper, the US government attempted to appease concerns in relation to data transfers to the US by stating that US intelligence authorities are not interested in the vast majority of data transferred from Europe to the US despite them often having the power to access that data.
If, following a transfer impact assessment, it is clear that the SCCs alone would not ensure an equivalent level of protection for the transferred personal data, supplementary measures must be implemented to protect against the risks identified. The EDPB guidance provides for three types of supplementary measures which can be taken: technical measures; contractual measures; and organisational measures. The exact supplementary measures to be implemented should be decided on a case-by-case basis depending on the specific issues raised by the transfer impact assessment.
The EDPB guidance contains a handful of examples of supplementary measures in the context of specific scenarios which are set out in Annex 2 of the guidance. These include:
- Technical measure: use of “strong encryption” using state-of-the-art techniques whereby only the organisation transferring the data (or an entity entrusted with this task in the UK / EEA) holds the key to decrypt the data.
- Contractual measure: inclusion of a contractual provision committing the transferring entity and receiving entity to assist individuals in exercising their rights in the third country through redress mechanisms and legal counselling.
- Organisational measure: adopting internal policies with clear allocation of responsibilities for data transfers, reporting channels and standard operating procedures for cases of covert or official requests from public authorities to access transferred data.
For transfers to countries with broad surveillance laws, the EDPB guidance suggests that only implementation of technical measures will be sufficient to ensure an equivalent level of protection for the transferred data, irrespective of any contractual or organisational measures applied.
Whilst the EDPB guidance is helpful to a point, the EDPB is forthright in making it known that implementation of supplementary measures will not always be enough to ensure an equivalent level of protection for transferred personal data. The EDPB gives the following two examples of when supplementary measures will not be effective:
- Transfers to cloud service providers or other processors based in countries with broad surveillance laws which require access to data in an unencrypted form.
- Remote access to data for business purposes by an organisation in a country with broad surveillance laws.
This will no doubt frustrate many companies which regularly carry out these transfers and which will now need to consider alternative approaches in relation to these going forward.
Practical steps for organisations
In light of the EDPB guidance, organisations transferring personal data outside the EU or UK will need to:
- Review all existing international transfers they make. The EDPB guidance applies in respect of new and existing transfers.
- Consider the basis upon which transfers are made. If transferring to a third country which is not subject to an adequacy decision, conduct a transfer impact assessment to verify whether the transferred personal data would benefit from an equivalent level of protection on the basis of SCCs alone.
- If the transferred personal data does not benefit from an equivalent level of protection, consider what technical, contractual or organisational measures could be applied to the transfer to ensure an equivalent level of protection and, if applicable, implement such measures.
- If it appears that no supplementary measures are available, consider whether it is possible to transfer the data on the basis of a derogation under Art. 49.
- If Art. 49 does not apply, consider what alternative approaches are available (for example, pursuing a data localisation strategy or using a service provider based in a third country whose laws would not prevent the effectiveness of the SCCs).
If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak to your usual Fox Williams contact.