Schrems II – European Data Protection Board Guidance

Although only a consultation so far, the EDPB has issued important guidance on dealing with international data transfers post Schrems II.

12 November 2020

Publication

The European Data Protection Board ("EDPB") has issued a consultation on guidance following on from the Schrems II decision of the Court of Justice of the European Union ("CJEU"). The consultation closes on 30 November 2020. Even though it is a consultation, the EDPB document indicates the direction of travel, and companies can start to lay the groundwork for what is likely to follow. There is certainly a new tone to the guidance: the EDPB makes clear that action will be required in short order.

In summary the EDPB recommends that companies transferring personal data to countries outside the European Economic Area ("EEA") carry out the following steps:

  • Data transfer mapping.
  • Establish the legal basis on which the data transfer may be permitted (eg adequacy finding / standard contractual clauses etc).
  • Assess and document the law and practices in the importing country and assess whether they will diminish the protection afforded to the data.
  • Adopt and document supplementary measures - if the assessment reveals that the data will not be adequately protected, supplementary measures should be adopted to apply further protection to the data.
  • If supplementary measures are not available, or cannot address the shortfall in protection for the data, the data transfers should be suspended or stopped.
  • Consider whether the GDPR requires any further procedural steps to be taken (eg consultation with the relevant Data Protection Authority in relation to supplementary measures which do or may contradict the SCCs, in relation to supplementary contractual clauses, or in relation to reliance on a derogation).
  • Periodically re-conduct the assessment described above for ongoing data transfers.

In order to satisfy the principle of accountability, the EDPB states that the process and assessments described in its guidance should be documented such that evidence of the exercise can be presented to the relevant Data Protection Authorities on request.

Data transfer mapping

The EDPB recognises that it will be a complex exercise for many organisations to map all of the data transfers taking place to other companies in the group, to third party processors and to their sub-processors. The EDPB recommends that companies start the process from their Article 30 record of processing activities, which should already be in place, and from the privacy notices previously prepared to inform data subjects about the data processing taking place (including data transfers).

However, for many companies, neither the Article 30 record nor privacy notices used will record data transfers with sufficient granularity to enable the company to conduct a comprehensive and individual analysis of all data transfers. This means that companies will need to discover and assess transfers to individual data importers (which may involve, among other things, consideration of the nature of the data transferred and the sector-specific laws and regulations which apply to the recipient).

Moreover, the EDPB says that the data controller must also map onward transfers of data to other countries (eg where a processor appoints a sub-processor in another country). It must also cover off any remote access to data from other countries, because remote access from another country is itself treated as a transfer of the data to that country. Among other things, the mapping should record whether the importer is storing the data in the third country or merely accessing it from there, as that may affect whether the importer could receive an order from a public authority requiring access to be granted to the personal data.

The EDPB also reminds companies that they must ensure data minimisation in relation to the personal data which they transfer internationally by limiting the data transferred to that which is relevant, adequate and not excessive. This is a logical step which companies should have implemented anyway, but is divorced from the reality of many international groups which essentially operate without borders.

This is clearly a major exercise for most companies in relation to existing transfers and will require a significant due diligence exercise to be conducted on both internal and external transfers of data.

Establish the legal basis for the transfer

In the second step in the recommended process companies must look at the legal basis for making a compliant transfer. This is the traditional analysis that companies will be familiar with: establishing whether there is an EU Commission finding of adequacy, applying adequate safeguards for the data (eg through use of the standard contractual clauses), or relying on a derogation for one-off transfers.

Assess the law and practices in the importing country

The transfer mechanism selected through the preceding step must ensure adequate protection for the data in the circumstances and that will not be the case if the data importer is prevented from complying with the requirements of the transfer mechanism as a result of the application of local law.

The EDPB therefore states that companies must assess whether there is anything in the law or practice of the recipient country that may impinge on the effectiveness of the transfer mechanism being relied on, in the context of the specific transfer.  They must also assess whether there is anything in the local law which prevents data subjects from exercising their rights.

The EDPB directs companies to pay particular attention to laws which require disclosure of personal data to public authorities or grant them rights of access to the data. Whilst the existence of such laws does not automatically create a problem, they must not go beyond what is necessary in a democratic society. To assist with that assessment, the EDPB has published a summary of the "European Essential Guarantees" for surveillance measures ("EEGs"), which can be viewed here.

In essence the EDPB states in that summary that justifiable surveillance should be based on the following principles:

  • Processing should be based on clear, precise and accessible rules.
  • Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
  • An independent oversight mechanism should exist.
  • Effective remedies need to be available to the individual.

The EEGs operate as a reference standard when assessing the legitimacy of privacy intrusion stemming from third country surveillance measures.  The EEGs:

  • stem from EU law and the case-law of the CJEU and the European Convention on Human Rights; and
  • do not aim, on their own, to define all the elements which need to be considered when assessing whether a third country's surveillance laws go beyond what would be acceptable in the EU (but they are a foundation for that analysis). In addition, it will be necessary to consider matters such as the remedies provided for individuals under the national law of the third country and the safeguards that exist for individuals' rights.

Whilst the EDPB summary of the "Essential Guarantees" gives European companies some more foundation for assessing the law and practices in the recipient country, companies are still left with the extremely difficult task of making a comparative and objective analysis of the laws, jurisprudence and governmental / regulatory practice of foreign countries, a task that most companies will feel ill-equipped to conduct.

Adopt supplementary measures

Supplementary measures will need to be adopted where the assessment reveals that the transfer mechanism is not effective to adequately protect the data. Such supplementary measures can be contractual, technical or organisational in nature, but the EDPB notes that contractual and / or organisational measures alone will not generally overcome powers of access to data held by authorities in the third country: a contract binds the importer, not the authority.

The EDPB sets out a set of potential supplementary measures (and use cases/scenarios which companies may find helpful) in an Annex to its guidance and these include:

  • Technical measures

    • Strong encryption that would resist decryption by public authorities, provided that the encryption keys are properly managed and kept under the sole control of the data exporter (or another entity within the EEA or an adequate country). In practice this only works where the importer never needs the plaintext: if the importer holds the key, or the data must be decrypted in the third country for processing, an access order against the importer defeats the measure.
    • Pseudonymised data formatted in such a way that the data can no longer be attributed to an individual other than through combination with additional information held by the data exporter (and kept outside the reach of the importer and its authorities).
    • Transfer of data to a protected recipient exempted from authority access to data (eg a medical professional subject to professional secrecy obligations), where the data is encrypted in transit and at rest.
    • Splitting of data between two or more processors in different countries, where neither the processors nor the authorities in those countries can reidentify the individuals from the fragment they hold.
  • Contractual measures

    • Requiring the adoption of relevant technical measures (see above)
    • Requiring the importer to inform the exporter of laws enabling public authority access to data and experience of authority access requests as well as any changes to these things.
    • Certification by the importer that it has not created back doors or otherwise facilitated access by third parties to its systems / data.
    • Including the right to audit to verify whether data has been disclosed to public authorities and in what circumstances.
    • Requiring the importer to notify the exporter if it cannot comply with its contractual commitments with regard to the data.
    • A "warrant canary" notification - a regular publication (at least every 24 hours) confirming that no order to disclose personal data to public authorities has been received, so that the absence of the publication signals that an order may have been received even where the importer is legally barred from saying so.
    • Requiring the importer to challenge orders for access to data issued by public authorities and to only provide the minimum amount of data required by the order.
    • Requiring the importer to inform a public authority ordering access to data of the conflict with the GDPR transfer mechanism.
    • Requiring the importer / exporter to promptly inform data subjects of any public authority data access request or the importer's inability to comply with contractual commitments as a result of a public authority access order.
    • Requiring the exporter and importer to assist data subjects in exercising their rights in the importing country through "ad hoc redress mechanisms" (although it's not clear what is meant by this) and "legal counselling".
  • Organisational measures

    • Policies / standard operating procedures applicable to surveillance / access to data requests issued by public authorities.
    • Documentation of access requests received from public authorities and the response provided. This documentation should be disclosed to the exporter who should, in turn, disclose it to data subjects "where required" (but it is not clear when the EDPB thinks that it would be required).
    • Publication of transparency reports setting out public authority access requests.
    • Data minimisation.
    • Data access controls.
    • Confidentiality policies.
    • Data security and data privacy policies based on codes of conduct / standards.

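The two technical measures above that an engineering team can actually build, keyed pseudonymisation with the re-identification data held only by the exporter and splitting a sensitive field across two processors in different countries, are illustrated below. This is an added example written for this page, not code from the EDPB Annex or from the authors; the records, the `Exporter` class and the function names are all constructed for the illustration. The split uses two XOR shares (each share alone is uniformly random) as a stand-in for the splitting measure; a production deployment of the encryption measure would instead use an authenticated cipher from a vetted library with keys held in an exporter-controlled key management service, which is not shown here.

```python
import hashlib
import hmac
import secrets

# Constructed sample records held by the EEA exporter (not real data).
RECORDS = [
    {"email": "alice@example.com", "diagnosis": "hypertension"},
    {"email": "bob@example.com", "diagnosis": "asthma"},
]


class Exporter:
    """Hypothetical EEA data exporter.

    It alone holds the pseudonymisation key and the token -> identifier table.
    Neither is ever sent to an importer, so an authority ordering an importer
    to hand over what it holds obtains neither identities nor the key.
    """

    def __init__(self):
        self.pseudo_key = secrets.token_bytes(32)  # never leaves the exporter
        self.lookup = {}  # pseudonym token -> original identifier

    def pseudonymise(self, identifier: str) -> str:
        # Keyed HMAC rather than a plain hash: without the key an importer
        # cannot run a dictionary attack over likely e-mail addresses.
        # Same identifier -> same token, so records stay linkable for the importer.
        token = hmac.new(self.pseudo_key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self.lookup[token] = identifier
        return token

    def reidentify(self, token: str):
        return self.lookup.get(token)


def split(value: bytes):
    """Split value into two XOR shares; each share alone is uniform random bytes."""
    share_a = secrets.token_bytes(len(value))
    share_b = bytes(x ^ y for x, y in zip(value, share_a))
    return share_a, share_b


def combine(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine two shares produced by split()."""
    return bytes(x ^ y for x, y in zip(share_a, share_b))


def prepare_transfer(exporter: Exporter, records):
    """Build the payload for processor A and for processor B (different countries).

    Each payload carries only a pseudonym token and one random-looking share.
    """
    to_processor_a, to_processor_b = [], []
    for rec in records:
        token = exporter.pseudonymise(rec["email"])
        share_a, share_b = split(rec["diagnosis"].encode())
        to_processor_a.append({"id": token, "share": share_a.hex()})
        to_processor_b.append({"id": token, "share": share_b.hex()})
    return to_processor_a, to_processor_b


def recover(exporter: Exporter, payload_a, payload_b):
    """Only a party holding BOTH payloads AND the exporter's table recovers the records.

    Two cooperating processors (or two cooperating authorities) could recombine
    the diagnosis, but without the lookup table they still cannot say whose it is.
    """
    out = []
    for rec_a, rec_b in zip(payload_a, payload_b):
        if rec_a["id"] != rec_b["id"]:
            raise ValueError("share records out of order")
        plaintext = combine(bytes.fromhex(rec_a["share"]), bytes.fromhex(rec_b["share"]))
        out.append({"email": exporter.reidentify(rec_a["id"]), "diagnosis": plaintext.decode()})
    return out


if __name__ == "__main__":
    exporter = Exporter()
    payload_a, payload_b = prepare_transfer(exporter, RECORDS)
    print("sent to processor A:", payload_a)
    print("sent to processor B:", payload_b)
    print("recovered by exporter:", recover(exporter, payload_a, payload_b))
```

The point of the example is where the secrets sit: the HMAC key and the lookup table stay in the EEA, so each importer holds only a token and random bytes. That is also its limit: if the exporter ever ships the key or the table to an importer "for convenience", or if the two processors are in the same jurisdiction, the measure collapses to ordinary pseudonymisation, which the EDPB does not regard as sufficient on its own.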
The adoption of supplementary measures will have to be considered on a case by case basis, both to assess what is required to fix any shortfall in the protection afforded to the data and to assess whether the supplementary measures are themselves lawful in the relevant countries. For example, the use of certain encryption technology, or informing the data exporter about orders to disclose or grant access to data, may be unlawful in the importing country; a measure the importer cannot lawfully perform provides no protection.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.