On 11 November 2020, the European Data Protection Board (“EDPB”) issued two draft recommendations relating to the rules on how organizations may lawfully transfer personal data from the EU to countries outside the EU (“third countries”).  These draft recommendations, which are non-final and open for public consultation until 30 November 2020, follow the EU Court of Justice (“CJEU”) decision in Case C-311/18 (“Schrems II”).  (For a more in-depth summary of the CJEU decision, please see our blog post here and our audiocast here. The EDPB also published on 24 July 2020 FAQs on the Schrems II decision here).

The two recommendations adopted by the EDPB are the Draft Recommendations on Supplementary Measures and the Recommendations on European Essential Guarantees (“EEG”), each discussed below.

Draft Recommendations on Supplementary Measures

The EDPB in its Draft Recommendations on Supplementary Measures sets out a six-step process that organizations should follow when they transfer personal data from the EU to a third country.

The six steps are as follows:

  1. Data exporters should know their transfers, by recording and mapping their transfers, including onward transfers—for instance, where processors outside the EEA transfer personal data to a sub-processor in the same or another third country.
  2. Data exporters should identify the transfer tools relied on for their transfers, which may include adequacy decisions, Article 46 GDPR transfer tools (including the SCCs and Binding Corporate Rules), or derogations under Article 49 GDPR.
  3. If relying on an Article 46 GDPR transfer tool (such as SCCs), data exporters should assess whether the mechanism affords a level of protection in the third country that is “essentially equivalent” to that guaranteed in the EU. (The CJEU in Schrems II established the principle that the protections in the third country should be “essentially equivalent” to those in the EU.) The EDPB states that this assessment should be conducted with due diligence and thoroughly documented (paragraph 42).
    • The EDPB emphasises that this assessment should pay close attention to any laws in the third country that lay down requirements to disclose personal data to public authorities or grant public authorities powers to access personal data (e.g., for criminal law enforcement, regulatory supervision, and national security purposes). The EDPB emphasises that such assessments should be based on publicly available legislation as well as other sources of information, including “precedent” and “practice”.
    • The EDPB’s Recommendations on EEG (discussed below) set out the specific elements to be considered when determining whether such requirements or powers granted to public authorities are limited to what is regarded as justifiable interference—and therefore not impinging on the commitments taken in the Article 46 GDPR transfer tool.
  4. If the assessment under step 3 reveals that the Article 46 GDPR transfer tool is not effective, data exporters should, in collaboration with the data importer, adopt supplementary measures to ensure that the data transferred is afforded in the third country a level of protection essentially equivalent to that in the EU.
    • The EDPB considers that supplementary measures may have a contractual, technical or organizational nature, and emphasises the role of technical measures.
    • Annex 2 of the Draft Recommendations sets out detailed guidance on supplementary measures that may be adopted in specific scenarios.
  5. Data exporters should take any procedural steps required to implement effective supplementary measures—for example, by obtaining authorization from a competent EU supervisory authority to adopt any supplementary measures that contradict the SCCs.
  6. Data exporters, in collaboration with data importers, should re-evaluate at appropriate intervals the developments in the third country to which the personal data has been transferred. Data transfers should be promptly suspended or ended where the data importer has breached or is unable to honour the commitments it has taken in the Article 46 GDPR transfer tool or the supplementary measures are no longer effective in that country.

Recommendations on EEG

The Recommendations on EEG identify four European Essential Guarantees, which must be respected to ensure that interferences with the rights to privacy and protection of personal data do not go beyond what is necessary and proportionate in a democratic society, as required by settled CJEU and European Court of Human Rights (“ECtHR”) case law.  These European Essential Guarantees are:

  1. The processing should be based on clear, precise and accessible rules;
  2. The measures adopted must be necessary and proportionate with regard to the legitimate objectives pursued, and the necessity and proportionality of such measures need to be demonstrated;
  3. An independent oversight mechanism must be in place; and
  4. Individuals whose data is processed must have access to effective remedies.

When data exporters assess a third country’s laws to determine whether the level of protection in that country is essentially equivalent to that guaranteed in the EU, they must assess whether any laws allowing public authorities to demand disclosure of, or obtain access to, personal data meet these European Essential Guarantees. These European Essential Guarantees should therefore form the backbone of the transfer impact assessments that organizations carry out following the Schrems II decision, and of the third step outlined in the Draft Recommendations on Supplementary Measures discussed above.

Next Steps

Taken together, the Draft Recommendations on Supplementary Measures and the Recommendations on EEG raise a number of practical challenges. We encourage companies to provide their feedback on the Recommendations on Supplementary Measures as part of the public consultation process, which is open from 11 November 2020 to 30 November 2020.  If you have any questions concerning the material discussed in this blog post, please contact the Covington team.