The CJEU judgment in Schrems II not only struck down the EU-US Privacy Shield, it also cast doubt on the future of data exports to the US and to other third countries which do not provide an adequate level of protection for the data.
The CJEU said it was up to controllers to assess on a case by case basis, whether the data being exported would receive an equivalent level of protection to that in the EU, and to use supplementary measures to protect the data if it did not. Where any additional measures would still fail to ensure adequate protection, the transfer could not take place. No detail was provided about what those supplementary measures might be and under what circumstances they would need to be used.
The European Data Protection Board (EDPB) has issued final guidance on supplementary measures which may help ensure that the transfer tools used (such as Standard Contractual Clauses) actually deliver adequate protection for personal data transferred to third countries.
The supplementary measures recommendations are intended to help data exporters comply with their duty to identify when supplementary measures are needed to protect data being exported to third countries outside the EEA which do not have an EU adequacy decision. They include a roadmap of steps needed to assess risk and select appropriate supplementary measures, as well as a non-exhaustive list of what those measures might entail.
The EDPB's guidance on this issue is the most authoritative pending any future court rulings, given that the EDPB is made up of Member State regulators. Organisations will also have to consider any guidance published by their own regulators, particularly in the UK given that the UK's ICO no longer sits on the EDPB. The ICO is, however, currently unlikely to diverge significantly from the EDPB, so these recommendations will remain relevant to UK businesses exporting personal data to third countries unless they are superseded by ICO guidance.
While the EDPB outlines processes and optional supplementary measures to help make data exports lawful, it also warns that responsibility for assessment rests with data exporters who must proceed with "due diligence and document their process thoroughly", although they can take advice from importers about local law enforcement regimes and practices in relation to the data being transferred.
Even then the EDPB says it may not be possible to implement sufficient measures to allow a transfer to proceed and that there are no quick fixes or 'one size fits all' solutions. Organisations exporting personal data from the UK or EEA to third countries which do not have EU (or UK as the case may be) adequacy agreements will need to give the recommendations careful consideration against their exports on a case by case basis.
It may well be that risk cannot be sufficiently mitigated in which case the transfer must not go ahead and, if it is already happening, must be suspended.
One of the most controversial elements of the EDPB's draft recommendations issued in November 2020 was that there was no allowance for a risk-based approach which took into account the type of data being transferred and the likelihood of it being accessed by law enforcement in the relevant third country.
In the final version of the guidance, exporters still face the difficult task of assessing the level of protection provided by a third country and analysing whether there are steps which reduce the risk to the data to a level which matches the European Essential Guarantees. There is, however, now scope to take the particular circumstances of the transfer into account.
Exporters need to ensure the EDPB's six-step plan is in place, and carefully consider Step 3 (assessment of level of protection) and Step 4 (supplementary measures). Documenting the decision-making process is essential and exporters should conduct a Transfer Impact Assessment (TIA).
The TIA process set out in the guidance is also an essential component of the newly published Standard Contractual Clauses, so these recommendations from the EDPB will become integral to the data transfer process.
The EDPB recommends following six steps to assess and mitigate risks associated with third country transfers:
One of the most problematic issues for exporters is how to decide whether supplementary measures are required. The EDPB's recommended Step 3 has changed in subtle but significant ways since it was published in draft.
There is now a focus on examining the practices of the relevant third country as well as the letter of the law, on assessing the specifics of the transfer (i.e. how likely the data is to be accessed or to be the subject of an access request), and on taking into account the importer's own experience of law enforcement access, although that experience will not in itself be decisive.
The TIA is now explicitly specific to the legislation and practices relevant to the specific data being transferred.
Step 3 involves assessing whether there is anything in the law and/or practices in the third country which may reduce the effectiveness of the transfer tool being used. This examination will be particularly relevant where:
In the first two situations, the controller will have to suspend the transfer or implement adequate supplementary measures to proceed.
In the third situation, given the uncertainty about whether the problematic legislation applies, the controller may decide to suspend the transfer, implement supplementary measures, or proceed with the transfer without supplementary measures. The last option is only available if the controller considers, and is able to demonstrate and document, that there is no reason to believe the problematic legislation will be interpreted and/or applied in practice to cover the transferred data and the importer.
The TIA should initially be based on publicly available legislation. It must contain elements concerning access to data by public authorities of the third country of the importer such as:
While publicly available legislation is the starting point, the controller must also look at practices in force in the third country. This includes where:
The annexes have not changed significantly beyond clarifying some of the examples and giving a more detailed list of possible sources of information to assess a third country (Annex 3).
To help exporters, in addition to the supplementary measures guidance, the EDPB also adopted recommendations on the European Essential Guarantees for surveillance measures. The EDPB summarises the elements needed to preserve EU privacy rights in four "European Essential Guarantees":
The guidance goes on to analyse what this means in the context of European jurisprudence and the EDPB also provides a (now extended) list of resources in Annex 3 of the supplementary measures recommendations although this falls short of a more useful analysis of country by country protections.
The exception concerns the USA. The guidance states that if the data importer or any further recipient of the data falls under Section 702 FISA, then transfer tools can only be relied upon for the transfer if additional supplementary technical measures make access to the transferred data impossible or ineffective. In other words, for such importers the exporter cannot rely on an assessment that the legislation is unlikely to be applied in practice; the data itself must be protected from access.
If you decide that supplementary measures are needed to protect exported data, what are they and when will they be considered effective enough to allow the transfers to proceed? Annex 2 of the supplementary measures recommendations contains a non-exhaustive list of examples of measures which might lead to an effective guarantee that exported data will receive an equivalent level of protection to the one it enjoys in the EEA under EU law. These will not be universally effective and may need to be used in combination.
Both organisational and contractual measures must be used in conjunction with technical measures. In particular, contractual elements help complement and reinforce safeguards in transfer tools but the EDPB underlines that, as they are not binding on government authorities, they cannot by themselves remedy adequacy issues.
The following factors should be taken into account when identifying supplementary measures to adopt:
The EDPB recommendations provide specific use cases for types of technical measures and the EDPB stresses that the recommended measure may not be effective if used in a different context to the one provided by way of example in the recommendations.
There are also two examples of situations in which no appropriate technical safeguards will be available where the third country does not provide an equivalent level of protection. These are unencrypted processing (processing in the clear) by cloud service providers, and remote access to and use of unencrypted data by a third country importer for business purposes, including human resources processing. This will be the case even where both transport encryption and data-at-rest encryption are used, because the importer must be able to decrypt and process the data in the clear, so the keys (or the cleartext) are within reach of the third country authorities.
Now the task of applying these guidelines to individual export operations can begin in earnest, even for organisations which have already put elements of them into action.