On June 21, 2021, the European Data Protection Board (“EDPB”) published its finalized recommendations on measures that supplement transfer tools to ensure compliance with the General Data Protection Regulation (“GDPR”), where organizations transfer personal data from the European Economic Area (“EEA“) to a country outside the EEA (“third country”) (see here). While the final version retains much of the language of the draft version released in November 2020 (see here), it includes several notable updates.
When finalizing the SCCs, the EDPB took into account the feedback submitted by stakeholders during the public consultation period. The recommendations also reflect the EDPB’s intense discussions with the European Commission in the last six months to ensure alignment between these recommendations and the finalized version of the new standard contractual clauses (“SCCs”) published by the European Commission on June 4, 2021 (see here).
In its finalized recommendations, the EDPB expands on the six-step process first set out in its draft version, which organizations should follow when they transfer personal data from the EEA to a third country. Below, we outline that six-step process in greater detail.
Step 1: Know your transfers
Data exporters should know their transfers by recording and mapping them, including onward transfers—for instance, where processors outside the EEA transfer personal data to a sub-processor in the same or another third country.
Step 2: Identify the transfer tools you are relying on
Data exporters should identify the transfer tools relied on for their transfers, which may include adequacy decisions by the European Commission, Article 46 GDPR transfer tools (including the SCCs and Binding Corporate Rules), or derogations under Article 49 GDPR.
In its finalized recommendations, the EDPB reaffirms that derogations “cannot become ‘the rule’ in practice, but need to be restricted to specific situations”, such that they are used “in a way which does not contradict the very nature of the derogations as being exceptions from the rule that personal data may not be transferred to a third country unless the country provides for an adequate level of data protection or, alternatively, appropriate safeguards are put in place”.
Step 3: Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer
If relying on an Article 46 GDPR transfer tool (such as SCCs), data exporters should assess whether the mechanism affords a level of protection in the third country that is “essentially equivalent” to that guaranteed in the EEA (as established by the CJEU in the Schrems II decision). This includes assessing, where appropriate and in collaboration with the data importer, whether there is anything in the law and/or practices in force in the third country that:
- may limit the effectiveness of the transfer tool relied on; or
- does not respect the essence of the fundamental rights and freedoms recognized by the EU Charter of Fundamental Rights, or exceeds what is necessary and proportionate in a democratic society to safeguard one of the important objectives recognized in EU or a Member State’s law, such as those listed in Article 23(1) GDPR.
The EDPB refers to such laws as “problematic legislation”. It highlights that data exporters should, taking into account the specific circumstances of the transfer, pay close attention to:
- laws in the third country that lay down requirements to disclose personal data to public authorities or grant public authorities powers to access personal data (e.g., for criminal law enforcement, regulatory supervision or national security purposes);
- practices in force in the third country that result in equivalent access; and
- the effectiveness of available mechanisms for individuals to obtain judicial redress against unlawful government access to personal data.
Notably, in contrast to the draft version, the final recommendations state that the assessment may also take into account the documented practical experience of the data importer with respect to relevant prior access requests from public authorities in the third country. This is an important concession on the EDPB’s part, which is in line with the new SCCs.
The EDPB adopts similar wording to the Commission in its new SCCs for data transfers to third countries, noting the relevant and documented experience of the data importer should be corroborated and not contradicted by the existence or absence of requests for access by other organizations within the same sector and/or case law and reports by independent oversight bodies. However, the recommendations also state that such real-world experience can only be used as an additional source of information for the assessment, if the third country legal framework does not prohibit the data importer from providing information on access requests, or on the absence of such requests.
The EDPB clarifies in this final version of the recommendations that the scope of the assessment should be limited to the third country’s laws and practices that: (1) are relevant to the protection of the specific data transferred and (2) could impact the effective application of the safeguards contained in the Article 46 transfer tool. Accordingly, the EDPB states that a data exporter may decide to proceed with a transfer without being required to implement supplementary measures, if it considers that there is no reason to believe that relevant and problematic legislation and practices will be applied, in practice, to the transferred data and/or the data importer. To demonstrate what this means in practice, the recommendations include an example involving a data importer subject to Section 702 FISA.
According to this example, the data exporter and data importer should assess if Section 702 FISA applies in practice to the transfer, taking into account—among other factors—whether:
- FISA prohibits the data importer from disclosing that it received (or not) a request from a public authority to access personal data or restricts providing general information about this;
- the data importer received requests from public authorities in the past to access data similar to that being transferred; and
- publicly available information on U.S. case law and reports from oversight bodies, civil society organizations, and academic institutions indicating that data importers in the same sector as the data importer have received requests for access to data similar to the transferred data in the past.
If the data exporter and data importer conclude that FISA applies in practice, then the transfer tool (e.g., SCCs) can only be relied on with supplementary measures that ensure a level of protection essentially equivalent to that guaranteed in the EEA. If the data exporter and data importer cannot identify such measures, then the transfer should not take place.
The final version of the recommendations also more clearly articulate expectations for the data importer’s involvement in the assessment. The final version states that the data importer should provide the data exporter with the relevant sources of information relating to the third country’s laws and practices (and in this regard, the words “where possible” found in the draft version have been omitted). However, the recommendations do not clarify whether the data exporter and data importer should each prepare an assessment or whether it is sufficient for them to collaborate on an assessment.
The EDPB emphasizes that the sources of the information to be taken into account in the assessment should be relevant (i.e., to the specific transfer and/or data importer), objective (i.e., information that is supported by empirical evidence), reliable, verifiable (i.e., enabling data supervisory authorities to check the reliability of the information, if needed), and publicly available.
Step 4: Adopt supplementary measures
If the assessment under step 3 reveals that the Article 46 GDPR transfer tool is not effective in and of itself, data exporters should—in collaboration with the data importer—adopt supplementary measures to ensure that the transferred data is afforded in the third country a level of protection “essentially equivalent” to that in the EEA. These supplemental measures may be of a contractual, technical or organizational nature. The EDPB emphasizes, in particular, the important role that technical measures can play in the finalized recommendations, and Annex 2 of the recommendations sets out detailed examples of supplementary measures that may be adopted in specific transfer scenarios.
Step 5: Procedural steps if you have identified effective supplementary measures
Data exporters should take any necessary procedural steps required to implement effective supplementary measures.
Step 6: Re-evaluate at appropriate intervals
Data exporters, in collaboration with data importers, should re-evaluate at appropriate intervals the developments in the third country to which the personal data has been transferred. Data transfers should be promptly suspended or terminated if the data importer has breached or is unable to honor the commitments it has assumed under the Article 46 GDPR transfer tool, or if the supplementary measures are no longer effective in the third country.
The finalized EDPB recommendations provide welcomed clarity for companies conducting their transfer assessments, specifically in relation to incorporating into the assessments any practical experience of data importers in receiving access requests from public authorities. We encourage companies to consider the impact of the finalized recommendations and the new SCCs on their data transfers, and whether any updates to their transfer assessments or transfer tools are necessary. If you have any questions concerning the material discussed in this blog post or require assistance with such transfer assessments, please contact the Covington Data Privacy & Cybersecurity team.