On June 21, 2021, the European Data Protection Board (“EDPB”) published its finalized recommendations on measures that supplement transfer tools to ensure compliance with the General Data Protection Regulation (“GDPR”), where organizations transfer personal data from the European Economic Area (“EEA”) to a country outside the EEA (“third country”) (see here).  While the final version retains much of the language of the draft version released in November 2020 (see here), it includes several notable updates.

When finalizing the recommendations, the EDPB took into account the feedback submitted by stakeholders during the public consultation period.  The recommendations also reflect the EDPB’s intense discussions with the European Commission over the last six months to ensure alignment between these recommendations and the finalized version of the new standard contractual clauses (“SCCs”) published by the European Commission on June 4, 2021 (see here).

In its finalized recommendations, the EDPB expands on the six-step process first set out in its draft version, which organizations should follow when they transfer personal data from the EEA to a third country.  Below, we outline that six-step process in greater detail.

Step 1: Know your transfers

Data exporters should know their transfers by recording and mapping them, including onward transfers—for instance, where processors outside the EEA transfer personal data to a sub-processor in the same or another third country.

Step 2: Identify the transfer tools you are relying on

Data exporters should identify the transfer tools relied on for their transfers, which may include adequacy decisions by the European Commission, Article 46 GDPR transfer tools (including the SCCs and Binding Corporate Rules), or derogations under Article 49 GDPR.

In its finalized recommendations, the EDPB reaffirms that derogations “cannot become ‘the rule’ in practice, but need to be restricted to specific situations”, such that they are used “in a way which does not contradict the very nature of the derogations as being exceptions from the rule that personal data may not be transferred to a third country unless the country provides for an adequate level of data protection or, alternatively, appropriate safeguards are put in place”.

Step 3: Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer

If relying on an Article 46 GDPR transfer tool (such as SCCs), data exporters should assess whether the mechanism affords a level of protection in the third country that is “essentially equivalent” to that guaranteed in the EEA (as established by the CJEU in the Schrems II decision).  This includes assessing, where appropriate and in collaboration with the data importer, whether there is anything in the law and/or practices in force in the third country that:

  • may limit the effectiveness of the transfer tool relied on; or
  • does not respect the essence of the fundamental rights and freedoms recognized by the EU Charter of Fundamental Rights, or exceeds what is necessary and proportionate in a democratic society to safeguard one of the important objectives recognized in EU or a Member State’s law, such as those listed in Article 23(1) GDPR.

The EDPB refers to such laws as “problematic legislation”.  It highlights that data exporters should, taking into account the specific circumstances of the transfer, pay close attention to:

  • laws in the third country that lay down requirements to disclose personal data to public authorities or grant public authorities powers to access personal data (e.g., for criminal law enforcement, regulatory supervision or national security purposes);
  • practices in force in the third country that result in equivalent access; and
  • the effectiveness of available mechanisms for individuals to obtain judicial redress against unlawful government access to personal data.

Notably, in contrast to the draft version, the final recommendations state that the assessment may also take into account the documented practical experience of the data importer with respect to relevant prior access requests from public authorities in the third country.  This is an important concession on the EDPB’s part, which is in line with the new SCCs.

The EDPB adopts wording similar to that used by the Commission in its new SCCs for data transfers to third countries, noting that the relevant and documented experience of the data importer should be corroborated, and not contradicted, by the existence or absence of requests for access received by other organizations within the same sector and/or by case law and reports from independent oversight bodies.  However, the recommendations also state that such real-world experience can only be used as an additional source of information for the assessment if the third country’s legal framework does not prohibit the data importer from providing information on access requests, or on the absence of such requests.

The EDPB clarifies in this final version of the recommendations that the scope of the assessment should be limited to the third country’s laws and practices that: (1) are relevant to the protection of the specific data transferred and (2) could impact the effective application of the safeguards contained in the Article 46 transfer tool.  Accordingly, the EDPB states that a data exporter may decide to proceed with a transfer without being required to implement supplementary measures, if it considers that there is no reason to believe that relevant and problematic legislation and practices will be applied, in practice, to the transferred data and/or the data importer.  To demonstrate what this means in practice, the recommendations include an example involving a data importer subject to Section 702 FISA.

According to this example, the data exporter and data importer should assess if Section 702 FISA applies in practice to the transfer, taking into account—among other factors—whether:

  • FISA prohibits the data importer from disclosing that it has (or has not) received a request from a public authority to access personal data, or restricts it from providing general information about such requests;
  • the data importer has received requests from public authorities in the past to access data similar to that being transferred; and
  • publicly available information on U.S. case law and reports from oversight bodies, civil society organizations, and academic institutions indicates that data importers in the same sector as the data importer have received requests for access to data similar to the transferred data in the past.

If the data exporter and data importer conclude that FISA applies in practice, then the transfer tool (e.g., SCCs) can only be relied on with supplementary measures that ensure a level of protection essentially equivalent to that guaranteed in the EEA.  If the data exporter and data importer cannot identify such measures, then the transfer should not take place.

The final version of the recommendations also more clearly articulates expectations for the data importer’s involvement in the assessment.  The final version states that the data importer should provide the data exporter with the relevant sources of information relating to the third country’s laws and practices (and in this regard, the words “where possible” found in the draft version have been omitted).  However, the recommendations do not clarify whether the data exporter and data importer should each prepare an assessment or whether it is sufficient for them to collaborate on a single assessment.

The EDPB emphasizes that the sources of the information to be taken into account in the assessment should be relevant (i.e., to the specific transfer and/or data importer), objective (i.e., information that is supported by empirical evidence), reliable, verifiable (i.e., enabling data supervisory authorities to check the reliability of the information, if needed), and publicly available.

Step 4: Adopt supplementary measures

If the assessment under step 3 reveals that the Article 46 GDPR transfer tool is not effective in and of itself, data exporters should—in collaboration with the data importer—adopt supplementary measures to ensure that the transferred data is afforded in the third country a level of protection “essentially equivalent” to that in the EEA.  These supplementary measures may be of a contractual, technical or organizational nature.  In the finalized recommendations, the EDPB emphasizes in particular the important role that technical measures can play, and Annex 2 of the recommendations sets out detailed examples of supplementary measures that may be adopted in specific transfer scenarios.

Step 5: Procedural steps if you have identified effective supplementary measures

Data exporters should take any necessary procedural steps required to implement effective supplementary measures.

Step 6: Re-evaluate at appropriate intervals

Data exporters, in collaboration with data importers, should re-evaluate at appropriate intervals the developments in the third country to which the personal data has been transferred.  Data transfers should be promptly suspended or terminated if the data importer has breached or is unable to honor the commitments it has assumed under the Article 46 GDPR transfer tool, or if the supplementary measures are no longer effective in the third country.

Conclusion

The finalized EDPB recommendations provide welcome clarity for companies conducting their transfer assessments, specifically in relation to incorporating into those assessments any practical experience of data importers in receiving access requests from public authorities.  We encourage companies to consider the impact of the finalized recommendations and the new SCCs on their data transfers, and whether any updates to their transfer assessments or transfer tools are necessary.  If you have any questions concerning the material discussed in this blog post or require assistance with such transfer assessments, please contact the Covington Data Privacy & Cybersecurity team.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate as a “corporate data protection officer” from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional Europe (CIPPE/EU) with the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Jasmine Agyekum

Jasmine Agyekum advises clients on a broad range of technology, AI, data protection, privacy and cybersecurity issues. She focuses her practice on providing practical and strategic advice on compliance with the EU and UK General Data Protection Regulations (GDPR), EU e-Privacy laws and the UK Data Protection Act. Jasmine also advises on a variety of policy proposals and developments in Europe, including on the EU’s proposed Data Governance Act and AI Regulation.

Jasmine’s experience includes:

  • Advising a leading technology company on GDPR compliance in connection with the launch of an ad-supported video-on-demand and live streaming service.
  • Advising global technology companies on the territorial application of the GDPR and EU Member State data localization laws.
  • Representing clients in numerous industries, including life sciences, consumer products, digital health and technology, and gaming, in connection with privacy due diligence in cross-border corporate mergers & acquisitions.
  • Advising clients on responding to data breaches and security incidents, including rapid incident response planning and notifications to data protection authorities and data subjects.

Jasmine’s pro bono work includes providing data protection advice to a mental health charity in connection with their launch of a directory of mental health and wellbeing support to children and working with a social mobility non-profit organization focused on widening access to opportunities in the law to individuals from various socio-economic backgrounds.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.