On the 16th of July 2020, the Court of Justice of the EU (“CJEU”) issued its much anticipated Schrems II judgement, whereby it invalidated the EU-US Privacy Shield (one of the main frameworks that was used to legitimize personal data flows between the EU and the USA), casting doubts on the legality of data transfers to the USA, also having a general spill-over effect on the legality of all transfers of personal data to non-EEA countries.
Essentially, the CJEU emphasized the long-established data protection principle that the protection of personal data granted in the EEA must travel with the data wherever it is transferred to, in other words that transferring personal data to third countries cannot undermine the protection afforded within the EEA. The CJEU clarified that the level of protection in third countries does not need to be identical to that guaranteed within the EEA but essentially equivalent. The CJEU also upheld the validity of standard contractual clauses (“SCCs”) as a transfer tool that may serve to ensure contractually an essentially equivalent level of protection for data transferred to third countries in principle, although doubt on the responsibilities and supplemental measures that may need to be utilized materialized as a result of this judgement.
Should you wish to read further about the Schrems II judgement, click here.
European Data Protection Board (“EDPB”) Recommendations
On the 10th of November 2020, the EDPB adopted a set of recommendations (“Recommendations”) in an attempt to help data exporters understand their responsibilities in the realm of third country data transfers.
The Recommendations guide personal data exporters by providing a series of 6 steps to be followed. The responsibilities of data exporters largely stem from the principle of accountability established under the GDPR that essentially indicates that exporters must seek to comply with the right to data protection in an active and continuous manner by implementing legal, technical and organisational measures that ensure its effectiveness. Moreover, they must be accountable to such efforts by being able to demonstrate the same.
The main points of the above-mentioned ‘6 steps’ in the Recommendations are set out below:
Step 1: Know your Transfers
Mapping out and having knowledge of all transfers of personal data to third countries is a necessary pre-requisite for exporters to fulfil their duties under the principle of accountability. Moreover, exporters must ensure that they abide by the principle of ‘data minimisation’ in that any data transferred must be adequate, relevant and limited to what is necessary for the purposes for which it is being transferred.
Step 2: Identify the Transfer Tools being relied on
In this regard, the EDPB makes a key distinction based on whether an adequacy decision has or has not been issued by the European Commission. In a nutshell, an adequacy decision recognizes that a third country awards an adequate level of protection for personal data. If an adequacy decision has been issued and is in force, data exporters do not need to take any further action apart from monitoring that the decision remains valid.
On the other hand, in the absence of an adequacy decision, exporters would need to rely on one or more transfer tools containing appropriate safeguards as provided under the GDPR. These include SCCs and binding corporate rules (“BCRs”). It is the duty of the data exporter to confirm that such tools will be sufficient to provide the personal data transferred with an essentially equivalent level of protection. Under GDPR, certain derogations may apply in limited cases of occasional and non-repetitive transfers. Such derogations are exceptional in nature and must be interpreted in a restrictive matter.
Step 3: Assess whether the Transfer Tool being relied upon is effective in light of all circumstances of the Transfer
Exporters are expected to assess the laws and practices of third countries to evaluate whether such may undermine the transfer tools being relied upon actually ensure the necessary levels of protection.
Notably, the EDPB advises referring to their European Essential Guarantees (“EEG”) recommendations when assessing government surveillance laws of third countries (the major ground resulting in the invalidation of the EU-US Privacy Shield in Schrems II).
The EEG recommendations provide guidance to assess whether such interference is justifiable or otherwise. Exporters must exercise added diligence when the legislation governing public authorities’ access to data is ambiguous or not publicly available.
If, even in the absence of such legislation, exporters still wish to transfer data to such countries, then they must base their decision to do so on other relevant and objective factors. The recommendations stress that such assessments should be conducted with due diligence and duly documented.
Step 4: Identify and Adopt Supplementary Measures
This step applies if the assessment made under step 3 proved that data transfer tools may not be effective. Annex 2 of the Recommendations provides a list of examples of such supplementary measures, the effectiveness of which would vary according to the conditions of the case. Critically, technical measures which effectively pseudonymize personal data are specifically mentioned.
Exporters are responsible for assessing the effectiveness of the supplementary measure/s chosen in light of the circumstances of the transfer at hand and such assessment needs to be documented. Where no supplementary measures are found to be adequate to ensure an essentially equivalent level of protection for a particular transfer, then the exporter is bound to suspend or terminate the transfer.
Step 5: Procedural Steps to be taken if Effective Supplementary Measures have been Identified
Data exporters should take formal procedural steps that the chosen supplementary measure may require, as indicated in detail in the Recommendations.
Step 6: Re-Evaluation at Appropriate Intervals
The responsibilities of the exporter do not end once the personal data is transferred. The principle of accountability requires continuous monitoring and observance of the level of protection afforded to such transfers and of any developments that may affect it and thus an established re-evaluation process at appropriate intervals is required and it is suggested that such is documented.
Should you wish to access the Recommendations, you may click here.
This article was written by Senior Associate Dr Terence Cassar and Junior Associate Dr Gigi Gatt.
Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.