16 Nov 2020
We reported on 16 July 2020, (US Privacy Shield Broken) that the CJEU had struck down the EU-US Privacy Shield, leading to uncertainty about future exports of personal data to the US and other countries unless it could be shown that they provided a level of data protection equivalent to that of the EU. The judgement left it to data controllers to assess the third party country's adequacy on a case-by-case basis and was not specific on supplementary measures to protect the data if the level of protection was not adequate.
Now the European Data Protection Board (EDPB), made up of EU member state regulators (excluding the UK) has issued guidance that is open for consultation until the end of November.
The guidance is intended to assist controllers and processors in complying with the CJEU’s ruling that ‘data exporters’ seeking to rely on the EU’s Standard Contractual Clauses* must: (1) conduct a risk assessment of the transfer; and (2) if necessary, implement “supplementary measures” to protect the data in the recipient country. However, although future CJEU rulings could make a difference and UK organisations will also need to take into account advice from their own regulator, the ICO.
Thus, where a country does not have a current 'adequacy agreement' (and the USA for example does not), organisations must assess their data exports to that country on a case-by-case basis and take any necessary steps to reduce the risks or not go ahead with exporting personal data.
* Revised SCCs are open for public consultation until 10 December 2020. Adoption requires an opinion of the European Data Protection Board and the European Data Protection Supervisor, followed by a positive vote of EU Member States. Consequently, the final SCCs are not expected to be adopted before early 2021.
Read on for a summary of the Board's suggested 'Six-step Plan' and some examples of Supplementary Measures.
The EDPB 'Six-step Plan'
- Know your transfers – map your data transfers, verifying that data transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred and processed in the third country.
- Verify the transfer tool your transfer relies on – if you are relying on an EU adequacy decision, then the only obligation is to monitor its ongoing validity.
- Assess whether there is any law or practice of the third country that may affect the effectiveness of the appropriate safeguards in the transfer tools being relied on - this should be focused on relevant third country legislation, following the EDPB European Essential Guarantees recommendations (see below). Subjective factors such as the likelihood of the third country public authorities accessing the data being transferred in a manner not in line with EU standards should not be taken into account. The process should be done with due diligence and documented
- Identify and adopt supplementary measures needed to bring the level of protection up to one equivalent to that provided in the EU - the EDPB makes recommendations as to what this might be in annex 2 of the recommendations (see below). If these are not sufficient, the transfer must be avoided or suspended. This process should be carried out with due diligence and documented.
- Take any formal procedural steps needed to adopt any required supplementary measures.
- Re-evaluate the level of protection given to the data and monitor developments which may affect it in line with the accountability process.
It also gives some examples of supplementary measures to adopt (under step 4) and advises that controllers consider:
- the format of the data to be transferred (i.e. in plain text/pseudonymised or encrypted)
- the nature of the data
- the length and complexity of data processing workflow, number of actors involved in the processing, and the relationship between them
- the possibility that the data may be subject to onward transfers within or to other third countries
However, it also makes it clear that whether or not the data is likely to be of interest to a foreign government is not a relevant factor, despite the US government raising it in response to the Schrems II decision.
Example Supplementary Measures
Brexit affects the EDPB's guidance in two ways:
- Unless and until there EU makes an ‘adequacy decision’ in relation to the UK, transfers of personal data from the EEA to the UK should follow the 'six-step' process. EEA exporters will need to assess the UK legal framework (which includes the controversial Investigatory Powers Act 2016) to decide whether the SCCs can be effective, and whether any supplementary measures are needed.
- For transfers from the UK to third countries, the ICO may issue guidance that differs from the EDPB's and take a more pragmatic approach to Schrems II. Without a seat on the EDPB, the ICO had no input in forming the Guidance, and it is possible that in the end UK exporters will not be burdened by the strict assessments required in the EEA.