After the Court of Justice of the European Union (CJEU) struck down the EU-U.S. Privacy Shield in the Schrems II judgement, the European Data Protection Board (EDPB) realised that new paths to enable international data transfers must be forged. Thus, in a recent EDPB recommendation, the European Essential Guarantees (EEG) were updated and further developed, with far-reaching implications for international data transfers and for the UK post-Brexit.
Why an update of the European Essential Guarantees?
The EDPB first identified the EEG after the Schrems I judgement to reflect the clarifications made by the CJEU and to ensure that specific guarantees are in place to respect privacy rights and protect personal data during data transfers in case of interference through surveillance measures.
In the Schrems II judgement, the CJEU decided to invalidate the Privacy Shield as U.S. law is considered incompatible with EU data protection law, mainly due to the U.S.’ surveillance practices. The EU requires third countries to provide a level of protection “essentially equivalent” to that guaranteed under the GDPR.
Why is the EDPB recommendation relevant?
The EDPB recommendations have an impact on how international data transfers should be examined, by providing elements to consider when deciding whether surveillance measures are acceptable or not. Such parameters are not only relevant for data transfers between the EU and the U.S. but also for the UK’s upcoming departure from the EU, given the lack of an EU Commission adequacy decision for the UK after 1 January 2021.
As highlighted in the EDPB recommendation:
“The implications of the Schrems II judgment extend to all transfers to third countries. Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as this would be ignoring the wide diversity of situations data exporters face. Data exporters will need to evaluate their data processing operations and transfers and take effective measures bearing in mind the legal order of the third countries to which they transfer or intend to transfer data.”
Accordingly, the EDPB recommendation is not only relevant in guiding the steps organisations should take when transferring personal data outside the EU/EEA; it is also highly relevant in the context of the upcoming Brexit.
What does the recommendation say?
The EDPB recommendation provides guidance on how to implement the decision of the CJEU in Schrems II from a more practical perspective. Accordingly, it explains how to assess third country transfers, as well as subsequent transfers, possible legal grounds for international transfers and practical steps for data exporters to consider:
Oversight of data transfers
First and foremost, any company or organisation exporting data must know all about these transfers. As a data exporter, you must have full oversight of your transfers, which means understanding what data is being transferred, to whom, where and on what legal basis. The latter is especially important to identify, in order to know your next steps and obligations.
Data transfers can be based on (1) an adequacy decision by the European Commission, (2) Standard Contractual Clauses (SCCs), which the CJEU specifically validates as a possible legal basis in the Schrems II decision, (3) Binding Corporate Rules (BCR), another transfer tool provided by Art. 46 GDPR, or (4) a derogation as provided by Art. 49 GDPR.
Equivalent level of protection
In case your data transfers are based on Art. 46 GDPR, you must assess whether the transfer tool is effective in providing an essentially equivalent level of protection to EU law (as highlighted by the CJEU). Accordingly, you need to assess the surveillance laws of the third country in question to understand the extent to which they undermine EU rights and protections, and the effectiveness of any rights granted to data subjects or mechanisms for judicial redress. In that context, data exporters will likely need legal advice to help review the laws in the third country and to validate the responses provided by the data importer. However, please be aware that this step is very challenging even for legal experts, due to national peculiarities unknown to foreign or international lawyers.
Here the EEG become useful in the endeavour to determine whether the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with EU citizens’ rights. Accordingly, the EDPB highlights the following four guarantees, based on the fundamental rights to privacy and data protection, to help assess whether the level of interference with those fundamental rights is justifiable and what legal requirements must apply.
- The processing should be based on clear, precise and accessible rules.
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
- An independent oversight mechanism should exist.
- Effective remedies need to be available to the individual.
As data exporters need to demonstrate that they evaluated the level of protection of the relevant third country, advice by data protection and legal experts may become indispensable.
In the following step, it must be evaluated whether any supplementary measures on a technical, organisational or contractual level could be considered to counteract the interferences with the right to privacy and to the protection of personal data. The EDPB recommendation provides an Annex with examples of where and when technical, contractual and organisational measures are effective. However, these must be applied on a case-by-case basis, depending on the nature of the transfer, how the laws of the destination territory operate, and the feasibility of technical and operational measures.
If an organisation or company cannot implement supplementary measures that fulfil the requirement to provide a level of protection equivalent to the level of protection provided under the GDPR, such data transfers must be suspended or terminated, and any copies of data in the third country must be destroyed or returned.
For more specific examples of supplementary measures, please refer to the EDPB recommendation paper.
It may be necessary to take procedural steps, especially where cooperation of the data importer in the third country is required. Such formal requirements could include notifying the relevant supervisory authority. Any procedural requirements must be concluded in the necessary agreements. Please remember that changes to the EU SCCs cannot be made in isolation. Rather, changes must be approved by the supervisory authorities. The EU SCCs are currently being revised by the Commission. Please follow our newsletter for any relevant developments.
Monitor and re-evaluate your approach on a regular basis
Lastly, the agreed measures must be monitored and re-evaluated on a regular basis throughout the entire term. This involves not only checking compliance with the agreed measures but also keeping an eye on the legal and actual circumstances in the third country. You must react as soon as any circumstances change that could affect the level of personal data and privacy protection in the respective country.
What does the EDPB recommendation mean for international data transfers?
The EDPB recommendation has direct implications for EU-U.S. data transfers, as it specifically states that U.S. surveillance laws do not provide an essentially equivalent level of protection to EU law. Accordingly, data transfers are possible if based on SCCs or other Art. 46 GDPR tools, provided that additional supplementary measures are in place. Such supplementary measures have to make it ‘technically’ impossible to access the data. Merely ‘contractual’ or ‘organisational’ measures are not sufficient.
After the end of the Brexit transition period on 31 December 2020, the UK will become a third country in the context of EU data protection law. If the European Commission does not find sufficient reason to grant an adequacy decision, EU based organisations transferring personal data to the UK will need to consider the same parameters that apply to the U.S. and other international data transfers, as mentioned above. This includes assessing UK surveillance laws. For UK based organisations and companies importing personal data from the EU/EEA, you will need to take steps to identify what UK surveillance laws apply to your processing activities and what supplementary measures you may need to adopt to make data access ‘technically’ impossible.
For organisations and companies based in the EU, it may be better and less troublesome to choose service providers based in the EU. In that context, the CJEU decision in Schrems II does have far-reaching consequences for anyone who may want to transfer data to a third country whose level of protection is not ascertained. Even if a data exporter follows the above-mentioned steps to evaluate possible transfers to a third country, it is not certain that an adequate level of protection will be reached. All endeavours may be without success; thus, choosing an EU service provider could be an easier and more stable solution overall.