EDPB guidance on supplementary measures for data transfers

What's the issue?

The CJEU judgment in Schrems II not only struck down the EU-US Privacy Shield, it also cast doubt on the future of data exports to the US and to other third countries which do not provide an adequate level of protection for the data.

The CJEU said it was up to controllers to assess on a case by case basis, whether the data being exported would receive an equivalent level of protection to that in the EU, and to use supplementary measures to protect the data if it did not. Where any additional measures would still fail to ensure adequate protection, the transfer could not take place. No detail was provided about what those supplementary measures might be and under what circumstances they would need to be used.

What's the development?

The European Data Protection Board (EDPB) has issued final guidance on supplementary measures which may help allow transfer tools to ensure personal data transferred to third countries is adequately protected.

The supplementary measures recommendations are intended to help data exporters comply with their duty to identify when supplementary measures are needed to protect data being exported to third countries outside the EEA which do not have an EU adequacy decision. They include a roadmap of steps needed to assess risk and select appropriate supplementary measures, as well as a non-exhaustive list of what those measures might entail.

The EDPB's guidance on this issue is the most authoritative pending any future court rulings, given that the EDPB is made up of Member State regulators. Organisations will also have to consider any guidance published by their own regulators, particularly in the UK given that the UK's ICO no longer sits on the EDPB. The ICO is, however, currently unlikely to diverge significantly from the EDPB and these guidelines will remain relevant to UK businesses exporting personal data to third countries unless it is superseded by ICO guidance.

What does this mean for you?

While the EDPB outlines processes and optional supplementary measures to help make data exports lawful, it also warns that responsibility for assessment rests with data exporters who must proceed with "due diligence and document their process thoroughly", although they can take advice from importers about local law enforcement regimes and practices in relation to the data being transferred.

Even then the EDPB says it may not be possible to implement sufficient measures to allow a transfer to proceed and that there are no quick fixes or 'one size fits all' solutions. Organisations exporting personal data from the UK or EEA to third countries which do not have EU (or UK as the case may be) adequacy agreements will need to give the recommendations careful consideration against their exports on a case by case basis.

It may well be that risk cannot be sufficiently mitigated in which case the transfer must not go ahead and, if it is already happening, must be suspended.

One of the most controversial elements of the EDPB's draft recommendations issued in November 2020, was that there was no allowance for a risk-based approach which took into account the type of data being transferred and the likelihood of it being accessed by the law enforcement in the relevant third country.

In the final version of the guidance, exporters still face the difficult task  of assessing the level of adequacy provided by a third country and analysing whether or not there are steps to reduce risk to the data to a level which matches the European Essential Guarantees. There is, however, scope to to take the particular circumstances of the transfer into account.

Exporters need to ensure the EDPB's six-step plan is in place, and carefully consider Step 3 (assessment of level of protection) and Step 4 (supplementary measures). Documenting the decision-making process is essential and exporters should conduct a Transfer Impact Assessment (TIA).

The TIA process set out in the guidance is also an essential component in the newly published Standard Contractual Clauses (see here for more) so these recommendations from the EDPB will become integral to the data transfer process.

Read more

Six steps to assess and address risk

The EDPB recommends following six steps to assess and mitigate risks associated with third country transfers:

• Know your transfers – map your data transfers, verifying that data transferred is adequate, relevant and limited to what is necessary regarding the purposes for which it is transferred and processed in the third country.
• Verify the transfer tool your transfer relies on – if you are relying on an EU adequacy decision, then the only obligation is to monitor its ongoing validity.
• Assess whether there is any law or practice of the third country that may affect the effectiveness of the appropriate safeguards in the transfer tools being relied on – this should be focused on relevant third country legislation and practices regarding the specific data being transferred, following the EDPB European Essential Guarantees recommendations (see below).
• Identify and adopt supplementary measures needed to bring the level of protection up to one equivalent to that provided in the EU – the EDPB makes recommendations about what this might be in Annex 2 of the recommendations (see below). If these are not enough, the transfer must be avoided or suspended. This process should be carried out with due diligence and documented.
• Take any formal procedural steps needed to adopt any required supplementary measures.
• Re-evaluate the level of protection given to the data and monitor developments which may affect it in line with the accountability process.

Assessing the adequacy of protection afforded to personal data in third countries

One of the most problematic issues for exporters is how to decide whether supplementary measures are required. The EDPB's recommended Step 3 has changed in subtle but significant ways since it was published in draft.

There is now a focus on examining the practices of the relevant third country as well as on the letter of the law, assessing the specifics of the transfer (ie how likely the data is to be accessed or to be the subject of an access request), and taking the experience of the importer in terms of law enforcement access into account although that will not in itself be decisive.

The TIA is now explicitly specific to the legislation and practices relevant to the specific data being transferred.

Step 3 involves assessing whether there is anything in the law and/or practices in the third country which may reduce the effectiveness of the transfer tool being used. This examination will be particularly relevant where:

• Legislation in the third country which appears to meet EU standards is manifestly not applied/complied with in practice.
• There are practices incompatible with the commitments in the transfer tool where relevant legislation in third countries is lacking.
• The transferred data and/or the importer fall or might fall within the scope of problematic legislation (ie legislation which would impinge on the transfer tool's ability to guarantee an essentially equivalent level of protection to that in the EU).

In the first two situations, the controller will have to suspend the transfer or implement adequate supplementary measures to proceed.

In the third situation, in light of uncertainties around the potential application of problematic legislation, the controller may decide to suspend the transfer, implement supplementary measures, or proceed with the transfer without implementing supplementary measures if the controller considers and is able to demonstrate and document that there is no reason to believe the relevant and problematic legislation will be interpreted and/or applied in practice to cover the transferred data and importer.

The TIA should initially be based on publicly available legislation. It must contain elements concerning access to data by public authorities of the third country of the importer such as:

• Elements on whether the public authorities may seek to access the data with or without the importer's knowledge in light of legislation, practice and reported precedents.
• Elements on whether public authorities of the third country of the importer may be able to access the data through the importer or through the telecommunications providers or communications channels in light of legislation, legal powers, technical, financial and human resources at their disposal and of reported precedents.

While publicly available legislation is the starting point, the controller must also look at practices in force in the third country. This includes where:

• Relevant legislation in the third country appears to offer an essentially equivalent regime but does not actually do so.
• Where there doesn't appear to be any relevant legislation but there are indications that practices in force in the country might be incompatible with the EU regime and would lessen the effect of the Article 46 transfer tool.
• Legislation may be problematic and there are uncertainties over whether the data and/or importer might fall within scope (the third situation above).
• Where the data subject rights are not enforceable in practice.

The annexes have not changed significantly beyond clarifying some of the examples and giving a more detailed list of possible sources of information to assess a third country (Annex 3).

Essential Guarantees for surveillance measures

To help exporters, in addition to the supplementary measures guidance, the EDPB also adopted recommendations on the European Essential Guarantees for surveillance measures. The EDPB summarises the elements needed to preserve EU privacy rights in four "European Essential Guarantees":

• Processing should be based on clear, precise and accessible rules.
• Necessity and proportionality regarding the legitimate objectives pursued need to be demonstrated.
• An independent oversight mechanism should exist.
• Effective remedies need to be available to the individual.

The guidance goes on to analyse what this means in the context of European jurisprudence and the EDPB also provides a (now extended) list of resources in Annex 3 of the supplementary measures recommendations although this falls short of a more useful analysis of country by country protections.

The exception concerns the USA. The guidance states that if the data importer or any further recipient of the data falls under s702 FISA, then transfer tools can only be relied upon for the transfer if additional supplementary technical measures make access to the data transferred impossible or ineffective.

What supplementary measures any help adequately protect transferred data?

If you decide that supplementary measures are needed to protect exported data, what are they and when will they be considered effective enough to allow the transfers to proceed? Annex 2 of the supplementary measures recommendations contains a non-exhaustive list of examples of measures which might lead to an effective guarantee that exported data will receive an equivalent level of protection to the one it enjoys in the EEA under EU law. These will not be universally effective and may need to be used in combination.

Both organisational and contractual measures must be used in conjunction with technical measures. In particular, contractual elements help complement and reinforce safeguards in transfer tools but the EDPB underlines that, as they are not binding on government authorities, they cannot by themselves remedy adequacy issues.

Examples of supplementary measures

Which measures should be used when?

The following factors should be taken into account when identifying supplementary measures to adopt:

• Format of the data to be transferred (ie in plain text/pseudonymised or encrypted).
• Nature of the data.
• Length and complexity of data processing workflow, number of actors involved in the processing, and the relationship between them.
• The possibility that the data may be subject to onward transfers within or to other third countries.

The EDPB recommendations provide specific use cases for types of technical measures and the EDPB stresses that the recommended measure may not be effective if used in a different context to the one provided by way of example in the recommendations.

When will supplementary technical measures fail to sufficiently increase protection?

There are also two examples of situations in which there will be no appropriate technical safeguards available should the third country not provide an equivalent level of protection. These are unencrypted processing (processing in the clear) by cloud service providers, and remote access and use of unencrypted data by a third country importer for business purposes including human resources processing. This will be the case even where both transport encryption and data-at-rest encryption are used.

Now the task of applying these guidelines to individual export operations can begin in earnest, even for organisations which have already put elements of them into action.

Find out more

To discuss the issues raised in this article in more detail, please reach out to a member of our Data Protection & Cyber team.