The EDPB 'Six-step Plan'
- Know your transfers – map your data transfers, verifying that data transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred and processed in the third country.
- Verify the transfer tool your transfer relies on – if you are relying on an EU adequacy decision, then the only obligation is to monitor its ongoing validity.
- Assess whether there is any law or practice of the third country that may affect the effectiveness of the appropriate safeguards in the transfer tools being relied on - this should be focused on relevant third country legislation, following the EDPB European Essential Guarantees recommendations (see below). Subjective factors such as the likelihood of the third country public authorities accessing the data being transferred in a manner not in line with EU standards should not be taken into account. The process should be done with due diligence and documented
- Identify and adopt supplementary measures needed to bring the level of protection up to one equivalent to that provided in the EU - the EDPB makes recommendations as to what this might be in annex 2 of the recommendations (see below). If these are not sufficient, the transfer must be avoided or suspended. This process should be carried out with due diligence and documented.
- Take any formal procedural steps needed to adopt any required supplementary measures.
- Re-evaluate the level of protection given to the data and monitor developments which may affect it in line with the accountability process.
It also gives some examples of supplementary measures to adopt (under step 4) and advises that controllers consider:
- the format of the data to be transferred (i.e. in plain text/pseudonymised or encrypted)
- the nature of the data
- the length and complexity of data processing workflow, number of actors involved in the processing, and the relationship between them
- the possibility that the data may be subject to onward transfers within or to other third countries
However, it also makes it clear that whether or not the data is likely to be of interest to a foreign government is not a relevant factor, despite the US government raising it in response to the Schrems II decision.
Example Supplementary Measures
Brexit affects the EDPB's guidance in two ways:
- Unless and until there EU makes an ‘adequacy decision’ in relation to the UK, transfers of personal data from the EEA to the UK should follow the 'six-step' process. EEA exporters will need to assess the UK legal framework (which includes the controversial Investigatory Powers Act 2016) to decide whether the SCCs can be effective, and whether any supplementary measures are needed.
- For transfers from the UK to third countries, the ICO may issue guidance that differs from the EDPB's and take a more pragmatic approach to Schrems II. Without a seat on the EDPB, the ICO had no input in forming the Guidance, and it is possible that in the end UK exporters will not be burdened by the strict assessments required in the EEA.