On 11 November 2020, the European Data Protection Board (EDPB) published their eagerly awaited Guidance on the CJEU’s Schrems II decision. The Guidance, which is open for consultation until the end of November, is intended to assist controllers and processors in complying with the CJEU’s ruling that ‘data exporters’ seeking to rely on the EU’s Standard Contractual Clauses must: (1) conduct a risk assessment of the transfer; and (2) if necessary, implement “supplementary measures” to protect the data in the recipient country.
The Guidance sets out a six-step process for relying on the Standard Contractual Clauses (“SCCs”) and, in Annex 2, provides examples of “supplementary measures” which could be implemented.
The guiding principle in the Guidance is that any personal data transferred outside the EEA must be provided with an “essentially equivalent” level of protection, and that it is the responsibility of the controller or processor transferring the data to ensure this essential equivalence is achieved.
If essential equivalence cannot be achieved (either through the SCCs alone, or the SCCs plus supplementary measures), then the EDPB is clear that the controller or processor cannot transfer the data: any existing transfers must stop, previously transferred data must be returned or deleted, and no new transfers can take place.
There is much in the Guidance which many organisations, both in the EEA and outside of it, will find frustrating. Disappointingly, the EDPB appears to leave no scope for a ‘risk-based’ approach which would take into account the specific nature of the data being transferred (e.g. low-risk or publicly available data). The six-step process is also extremely burdensome, seeming to disregard the commercial reality that almost all businesses will use some form of cloud-hosted software or services requiring a data transfer.
On 12 November, the EU Commission published its new proposed SCCs (although they won’t be finally approved for several weeks). Presumably, the same risk assessment will be required for transfers based on the new SCCs, albeit this point is not expressly addressed in the Guidance.
The six steps:
Note that, in order to meet the GDPR’s accountability requirements, each of these steps would need to be documented, and the documentation provided to the supervisory authorities on request.
Step 1: Know your transfers
Understand what data you are transferring outside the EEA, including by way of remote access. This is perhaps fairly self-evident, but it can be challenging when it comes to onward transfers by processors (to sub-processors, or even sub-sub-processors).
Step 2: Identify your transfer tool(s)
Identify what lawful mechanism you are relying on under GDPR to transfer the data. With Privacy Shield no more, for the overwhelming majority this will be the SCCs. Only a very small number of organisations have BCRs (in respect of which the EDPB indicates more guidance will be forthcoming), and the EDPB again emphasises the derogations in Article 49 of the GDPR must be interpreted restrictively.
Step 3: Assess whether the transfer mechanism is effective in practice
Now we come to the crucial question: in practice, is the transferred personal data afforded a level of protection in the third country that is essentially equivalent to that guaranteed in the EEA? This requires exporters to consider whether anything in the local law potentially thwarts the protection supposedly offered by the SCCs.
The EDPB recommends considering multiple aspects of the third country’s legal system, but in particular the rules granting public authorities rights of access to data. Most countries allow for some form of access for law enforcement and national security, and so the assessment should focus on whether those laws are limited to what is necessary and proportionate in a democratic society. To help with this (somewhat nebulous) assessment, the EDPB has also published a set of four ‘European Essential Guarantees’ (with accompanying guidance) which must be respected for this test to be met.
Notwithstanding these ‘Essential Guarantees’, it is this detailed legal assessment which is likely to pose the greatest challenge for businesses. It is impossible to see how it could be done without instructing local counsel in the third country. The EDPB suggests that, where appropriate, the data importer should provide you with the relevant resources and information about the laws in their country. But whilst no doubt many providers will be eager to reassure their customers, they may be equally nervous about giving legal advice.
Disappointingly, the EDPB appears to rule out the possibility of considering the specific circumstances of your transfer (e.g. the nature of the data) in order to make a risk-based judgment. The Guidance is clear that the assessment must be based only on ‘objective’ factors, and that exporters should not rely on “subjective ones such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards”. This feels like a missed opportunity, and it runs counter to the general risk-based approach advocated throughout the GDPR.
If, after this assessment, you decide that, notwithstanding the local law, the SCCs ensure an essentially equivalent level of protection, you can stop there. If, however, you decide that the local law does impinge on the protections granted by the SCCs, you must proceed to Step 4.
One point to note about the US: in Schrems II, the CJEU itself conducted the precise assessment required by Step 3 in respect of the US, at least where the recipient is classified as an “electronic communications service” (“ECS”) provider under US law. If the recipient is an ECS provider in the US, Step 3 is probably a foregone conclusion: you are going to need supplementary measures.
Step 4: Adopt supplementary measures
If your assessment of the local law at Step 3 led to the conclusion SCCs alone would not be sufficient, then you must adopt supplementary measures to protect the data. The EDPB separates potential supplementary measures into three categories: technical, contractual, or organisational.
Annex 2 of the Guidance lists examples of the supplementary measures which fall into each of the three categories, but the EDPB’s primary focus is clearly on the technical measures, with the EDPB stating that “contractual and organisational measures alone will generally not overcome access to personal data by public authorities of the third country”.
The technical measures are those aimed at preventing access by public authorities altogether, or at least preventing access to data which is identified or identifiable, such as state-of-the-art encryption (where the key is stored by the exporter in the EEA); pseudonymisation (where the exporter is comfortable that the data would not be identifiable even if combined or cross-referenced with other data available to the public authority); or splitting data between multiple separate processors in separate jurisdictions.
However, the Guidance then gives two examples where it has been unable to identify an effective technical measure to protect the data. These are:
- Sending data to a cloud provider or other processor who requires access to the data in the clear. The difficulty faced by a great many providers is that access to the data is inherent to the service they offer, and so encryption of the kind described above (with the key held only by the exporter) is simply not an option.
- Transfer of data for a shared business purpose, for example between companies in the same group. Again, the issue here is that the recipient will need the data in a usable format, and so none of the measures above would be viable.
In these circumstances, the exporter can only look to contractual and organisational measures, knowing that the EDPB has doubts as to how effective they can be on their own.
The contractual measures primarily focus on transparency by the importer to the exporter, e.g. certifying that no backdoors have been created, offering enhanced audit rights, and notifying the exporter if it is required to disclose data. The organisational measures include internal policies (rather like BCRs), documented processes for responding to disclosure requests, and data minimisation.
The challenge with the contractual and organisational suggestions is that they are accompanied in the Guidance by very restrictive “Conditions for effectiveness” which, in practice, seem unlikely to be met in any country which did not satisfy the essential equivalence test in Step 3. For example, a great many disclosure orders will prohibit the recipient from disclosing the existence of the order, cutting across any transparency commitments in a contract.
Given, however, the absence of technical measures for the two scenarios listed above, many exporters will be left with little option but to implement all the contractual and organisational measures they can, and hope for the best.
Step 5: Procedural steps if you identified any supplementary measures
This step is only applicable if your supplementary measures contradict the SCCs (which hopefully they won’t), and so seems a bit of a red herring. It is, however, the section of the Guidance where the EDPB suggests they may add more requirements to the BCRs in due course…
Step 6: Re-evaluate at appropriate intervals
Monitor developments in the recipient country which could impact your initial assessment. The obligations on the data importer under the SCCs should help here, as it is required to inform the data exporter of a change of law which impacts its ability to comply with the SCCs.
A quick note on the impact of Brexit
Brexit has the potential to impact this Guidance in two critical ways:
- Transfers from the EEA to the UK, pending a UK ‘adequacy decision’, will require the six-step process outlined above. EEA exporters will need to assess the UK legal framework (including, presumably, the controversial Investigatory Powers Act 2016) to determine whether the SCCs can be effective, and whether any supplementary measures are needed.
- For transfers from the UK to a third country, this may be an opportunity for the ICO to diverge from the EDPB and take a more pragmatic approach to Schrems II. As the ICO no longer has a seat on the EDPB, it had no say in the Guidance, and so it remains to be seen whether UK exporters will need to make the same strict assessment as their EEA counterparts.