On 11 November 2020, the European Data Protection Board (“EDPB”) issued two draft recommendations relating to the rules on how organizations may lawfully transfer personal data from the EU to countries outside the EU (“third countries”).  These draft recommendations, which are non-final and open for public consultation until 30 November 2020, follow the EU Court of Justice (“CJEU”) decision in Case C-311/18 (“Schrems II”).  (For a more in-depth summary of the CJEU decision, please see our blog post here and our audiocast here. The EDPB also published on 24 July 2020 FAQs on the Schrems II decision here).

The two recommendations adopted by the EDPB are:

  1. the Draft Recommendations on Supplementary Measures; and
  2. the Recommendations on the European Essential Guarantees (“EEG”).

Each is summarised in turn below.

Draft Recommendations on Supplementary Measures

The EDPB in its Draft Recommendations on Supplementary Measures sets out a six-step process that organizations should follow when they transfer personal data from the EU to a third country.

The six steps are as follows:

  1. Data exporters should know their transfers, by recording and mapping their transfers, including onward transfers—for instance, where processors outside the EEA transfer personal data to a sub-processor in the same or another third country.
  2. Data exporters should identify the transfer tools relied on for their transfers, which may include adequacy decisions, Article 46 GDPR transfer tools (including the SCCs and Binding Corporate Rules), or derogations under Article 49 GDPR.
  3. If relying on an Article 46 GDPR transfer tool (such as SCCs), data exporters should assess whether the mechanism affords a level of protection in the third country that is “essentially equivalent” to that guaranteed in the EU. (The CJEU in Schrems II established this principle that the protections in the third country should be “essentially equivalent” to that in the EU.)  The EDPB states that this assessment should be conducted with due diligence and thoroughly documented (paragraph 42).
    • The EDPB emphasises that this assessment should pay close attention to any laws in the third country that lay down requirements to disclose personal data to public authorities or grant public authorities powers to access personal data (e.g., for criminal law enforcement, regulatory supervision, and national security purposes). The EDPB emphasises that such assessments should be based on publicly available legislation as well as other sources of information, including “precedent” and “practice”.
    • The EDPB’s Recommendations on EEG (discussed below) set out the specific elements to be considered when determining whether such requirements or powers granted to public authorities are limited to what is regarded as justifiable interference—and therefore not impinging on the commitments taken in the Article 46 GDPR transfer tool.
  4. If the assessment under step 3 reveals that the Article 46 GDPR transfer tool is not effective, data exporters should, in collaboration with the data importer, adopt supplementary measures to ensure that the data transferred is afforded in the third country a level of protection essentially equivalent to that in the EU.
    • The EDPB considers that supplementary measures may have a contractual, technical or organizational nature, and emphasises the role of technical measures.
    • Annex 2 of the Draft Recommendations sets out detailed guidance on supplementary measures that may be adopted in specific scenarios.
  5. Data exporters should take any procedural steps required to implement effective supplementary measures—for example, by obtaining authorization from a competent EU supervisory authority to adopt any supplementary measures that contradict the SCCs.
  6. Data exporters, in collaboration with data importers, should re-evaluate at appropriate intervals the developments in the third country to which the personal data has been transferred. Data transfers should be promptly suspended or ended where the data importer has breached or is unable to honour the commitments it has taken in the Article 46 GDPR transfer tool or the supplementary measures are no longer effective in that country.

Recommendations on EEG

The Recommendations on EEG identify four European Essential Guarantees, which must be respected to ensure that interferences with the rights to privacy and protection of personal data do not go beyond what is necessary and proportionate in a democratic society, as required by settled CJEU and European Court of Human Rights (“ECtHR”) case law.  These European Essential Guarantees are:

  1. The processing should be based on clear, precise and accessible rules;
  2. The measures adopted must be necessary and proportionate with regard to the legitimate objectives pursued, and the necessity and proportionality of such measures need to be demonstrated;
  3. An independent oversight mechanism must be in place; and
  4. Individuals whose data is processed must have access to effective remedies.

When data exporters assess a third country’s laws to determine whether the level of protection in that country is essentially equivalent to that guaranteed in the EU, they must assess whether any laws allowing public authorities to demand disclosure of, or obtain access to, personal data meet these European Essential Guarantees.  The European Essential Guarantees should therefore form the backbone of the transfer impact assessments that organizations carry out following the Schrems II decision, and of the third step outlined in the Draft Recommendations on Supplementary Measures discussed above.

Next Steps

Taken together, the Draft Recommendations on Supplementary Measures and the Recommendations on EEG raise a number of practical challenges. We encourage companies to provide their feedback on the Recommendations on Supplementary Measures as part of the public consultation process, which is open from 11 November 2020 to 30 November 2020.  If you have any questions concerning the material discussed in this blog post, please contact the Covington team.

Dan Cooper
Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Lisa Peets
Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she has worked closely with leading multinationals in a number of sectors, including many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU law issues, including data protection and related regimes, copyright, e-commerce and consumer protection, and the rapidly expanding universe of EU rules applicable to existing and emerging technologies. Lisa also routinely advises clients in and outside of the technology sector on trade related matters, including EU trade controls rules.

According to the latest edition of Chambers UK (2022), “Lisa is able to make an incredibly quick legal assessment whereby she perfectly distils the essential matters from the less relevant elements.” “Lisa has subject matter expertise but is also able to think like a generalist and prioritise. She brings a strategic lens to matters.”

Marty Hansen
Martin Hansen has represented some of the world’s leading information technology, telecommunications, and pharmaceutical companies on a broad range of cutting edge international trade, intellectual property, and competition issues. Martin has extensive experience in advising clients on matters arising under the World Trade Organization agreements, treaties administered by the World Intellectual Property Organization, bilateral and regional free trade agreements, and other trade agreements.

Drawing on ten years of experience in Covington’s London and DC offices, his practice focuses on helping innovative companies solve challenges on intellectual property and trade matters before U.S. courts, the U.S. government, and foreign governments and tribunals. Martin also represents software companies and a leading IT trade association on electronic commerce, Internet security, and online liability issues.

Sam Jungyun Choi
Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous vehicles. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Sam advises leading technology, software and life sciences companies on a wide range of matters relating to data protection and cybersecurity issues. Her work in this area has involved advising global companies on compliance with European data protection legislation, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act, the ePrivacy Directive, and related EU and global legislation. She also advises on a variety of policy developments in Europe, including providing strategic advice on EU and national initiatives relating to artificial intelligence, data sharing, digital health, and online platforms.