Thanks to Luca Russo for collaborating on this article.
Following the CJEU Schrems II decision, which invalidated the Privacy Shield, the EDPB issued two recommendations to provide guidance to data exporters on how to transfer data outside the EU in compliance with the GDPR.
Following the landmark judgement of the European Court of Justice (“CJEU”) in case C-311/18 Schrems II (the “Schrems II Judgement”), on November 10, 2020, the European Data Protection Board (“EDPB”) adopted two sets of recommendations:
- Recommendations 01/2020 “on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (“Recommendations 1/2020”) and
- “Recommendations 02/2020 on “the European Essential Guarantees for surveillance measures” (“Recommendations 2/2020”).
With the Schrems II Judgement the CJEU invalidated the Commission Implementing Decision (EU) 2016/1250 of July 12, 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield (the “Privacy Shield”) on the grounds that (i) the derogations from the protection of personal data provided under U.S. law in the case of overriding national security interests did not guarantee adequate safeguards for European citizens’ personal data, and (ii) the existence of the U.S. Ombudsperson to which the Privacy Shield refers was not an appropriate judicial remedy for data subjects whose data are transferred to the United States.
The CJEU also (re)affirmed the validity of standard contractual clauses for data transfers as provided under Commission Decision 2010/87/EU, as amended by Commission Implementing Decision (EU) 2016/2297 (the “SCC Decision”), subject to additional evaluation to be carried out by the data exporter of the laws and practices of the data recipient’s country, especially if law enforcement authorities may have access to such data. Furthermore, the CJEU determined that the data exporter shall provide safeguards in addition to those offered by such clauses – without, however, specifying what said additional safeguards are.
Given the massive effect of the Schrems II Judgement on thousands of European businesses and the responsibility placed upon data exporters, the EDPB adopted the Recommendations to assist data controllers and processors acting as data exporters in the task of identifying and implementing sufficient safeguards and supplementary measures “to ensure an essentially equivalent level of protection to the data they transfer to third countries.” The Recommendations 01/2020 are still under public consultation until December 21, 2020.
Recommendations 01/2020 come with a “roadmap” with several steps that need to be followed in order to assess whether a data exporter has to enact supplementary measures when exporting data outside of the European Economic Area (“EEA”) to comply with EU law and regulations. Data exporters should follow these steps and the whole procedure with due diligence, as they will be held accountable for any decisions they make, in accordance with the principle of accountability.
- Step 1: Know your transfer
Under the first step, the data exporter should map and keep track of all personal data transfers outside of the EEA. For this purpose, the exporter may build on the record of processing activities. The EDPB clarifies that onward transfers should also be mapped. Moreover, in compliance with the “data minimization” principle set forth in the GDPR, the exporter must verify that the data to be transferred is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country.
- Step 2: Identify the transfer tools you are relying on
Among the list of tools that the GDPR envisages, data exporters need to be aware of which tools they are relying upon – i.e., the EU Commission’s adequacy decisions, the other tools listed in Article 46 GDPR (e.g., Standard Contractual Clauses, binding corporate rules, codes of conduct, etc. – “Transfer Tools”). Derogations pursuant to Art. 49 can still take place, although they are exceptional.
The following steps applies only if the transfer cannot legally be based on an adequacy decision or an Article 49 GDPR derogation.
- Step 3: Assess whether the Article 46 GDPR transfer tool you are relying upon is effective in light of all the circumstances of the transfer
While the Transfer Tools are generally effective, data exporters need to evaluate if there are certain circumstances (laws, regulations, etc.) that might impinge upon the effectiveness of such tools. The EDPB provides detailed guidance on how to carry out such an assessment.
Laws allowing disclosure of personal data to public authorities merit particular attention. The Recommendations 2/2020 can be helpful in assessing whether laws governing access to personal data by public authorities in a third country can be regarded as not impinging on the commitments accepted in the Transfer Tool (see next paragraph on this).
- Step 4: Adopt supplementary measures
Under this step, data exporters shall cooperate with importers to enact supplementary measures in case the third country legislation is deemed to impinge on the effectiveness of the Transfer Tools. In essence, the data exporter shall carry out a case-by-case assessment aimed at identifying any supplementary measures that make the Transfer Tools effective for that specific transfer to that specific country. If the supplementary measures are not sufficient to guarantee an equivalent level of protection, the transfer cannot begin or must be suspended.
- Step 5: Procedural steps if you have identified effective supplementary measures
If the data exporter finds any supplementary measures should be adopted under step 4, then it shall follow certain procedural steps in order to implement them. Such measures may vary depending on the Transfer Tools of choice: for instance, in the case of Standard Contractual Clauses, data exporters and importers need to ensure that additional clauses cannot be construed in any way to restrict the rights and obligations in the Standard Contractual Clauses or in any other way to lower the level of data protection.
- Step 6: Reevaluate at appropriate intervals
The final step requires data exporters to periodically monitor developments in the third country that could affect the original assessment and the decision made on the basis of that assessment. Certain mechanisms must be enacted in order to ensure that a transfer is suspended immediately (i) if the importer has breached or is unable to honor the commitments it has undertaken in the Transfer Tool, or (ii) if the supplementary measures are no longer effective in the third country.
Through the Recommendation 2/2020, the EDPB updates the European Essential Guarantees (the “EEG”) adopted by the Article 29 Working Party following the CJEU Schrems I judgement (case C-362/14) in light of recent case-law of the CJEU and the European Court of Human Rights. The purpose of the EEG is to provide guidance to local Data Protection Authorities on how to assess whether surveillance measures allowing public authorities in a third country – be they national security agencies or law enforcement authorities – access to personal data can be regarded as justifiable interference or not.
- Guarantee A – Processing should be based on clear, precise, and accessible rules
Justifiable interference needs to be in compliance with the law. Moreover, data exporters need to assess whether the applicable law of the third country is enforceable by the subject before a court. If data subjects are not given enforceable rights against public authorities, “the level of protection granted cannot be considered as essentially equivalent to that arising from the [Charter of Fundamental Rights of the EU], contrary to the requirement in Article 45(2)(a) of the GDPR.”
- Guarantee B – Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
The principle of proportionality creates a burden of assessing the seriousness of the interference and the importance of the public interest objective concretely pursued: for instance, national security safeguards can be grounds for more serious interference with fundamental rights, while the generic purpose of combating crimes is not considered sufficient. However, evidence and solid grounds are needed to allow such interference, considering that, as per settled CJEU case-law, derogations from the protection of personal data are allowed only if they are strictly necessary.
- Guarantee C – Independent oversight mechanism
An effective, independent, and impartial oversight mechanism must be provided either by a judge or by another independent body in order to rule on any interference with the right to privacy and data protection.
- Guarantee D – Effective remedies need to be available to the individual
Pursuant to Article 47 of the Charter of Fundamental Rights of the EU, effective remedies need to be provided to data subjects. This principle was reiterated by the CJEU in the Decision, where it stated that “data subjects must have the possibility of bringing legal action before an independent and impartial court in order to have access to their personal data, or to obtain the rectification or erasure of such data.”
The EDPB Recommendations highlight once again the importance of the accountability principle within the GDPR system: assessment of the lawfulness of a data transfer is up to the data exporter, who accepts the responsibility for any final decision.
Now, the real challenge for data exporters is to enforce the Recommendations. Will these actually be sufficient to solve any issues regarding the transfer of data outside the EU? The risk is that strict measures and burdensome requirements will be imposed upon private entities lacking the ability of public authorities and institutions to find a solution concerning alleged differences of the level of protection in the foreign countries compared to that of the EU.