EDPB adopts recommendations on supplementary measures for data transfers following the Schrems II judgment
On November 11, 2020, the European Data Protection Board (“EDPB”) published its long-awaited recommendations following the Schrems II judgment on measures that supplement international transfer tools such as standard contractual clauses (“SCCs”) (the “Recommendations”). In addition, the EDPB published recommendations on the European Essential Guarantees for surveillance measures (the “EEG Recommendations”), which complement the Recommendations. The Recommendations are subject to a public consultation ending November 30, 2020.
As a result of the Schrems II judgment, data controllers that rely on a transfer mechanism under Article 46 of the EU General Data Protection Regulation (“GDPR”) to transfer personal data outside the European Economic Area (“EEA”) (“data exporters”) must check on a case-by-case basis and, if necessary, in cooperation with the data importers, whether the law of the importer’s country guarantees a level of protection for personal data that is essentially equivalent to that of the EEA. If not, data exporters need to consider whether they can take supplementary measures to ensure the required level of protection.
The Recommendations are intended to help data exporters with the challenge of identifying and implementing such supplementary measures. Accordingly, the Recommendations contain a 6-step process that describes the steps data exporters must take to determine whether they need to identify and implement effective supplementary measures. The Recommendations also provide examples of supplementary measures and set out some of the conditions they must meet in order to be effective. In the Recommendations, the EDPB acknowledges that it may not be possible in every case to implement sufficient supplementary measures. In this case, transfers may not be possible.
The Recommendations provide that, for international data transfers, organizations should:
Map data transfers
Map the data transfers they make, taking into account that access from a third country (e.g., storage in the cloud outside the EU) is a transfer, and ensure that the data transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred. The mapping exercise should include onward transfers from processors with whom data is shared.
Identify data transfer mechanisms
Verify the transfer mechanism relied on under Chapter V of the GDPR. No transfer mechanisms or further steps are required if a valid adequacy decision by the European Commission is in force with respect to the recipient country. The Recommendations emphasize that the transfer tools listed in Article 46 of the GDPR, e.g., SCCs and Binding Corporate Rules, should be used for regular and repetitive transfers, and that the derogations provided for in Article 49 of the GDPR should only be used for occasional, non-repetitive transfers and “must be interpreted restrictively”.
Assessment of the legal system of the recipient country
Check whether the law or practice of the data importer’s country can affect the effectiveness of the appropriate safeguards of the transfer tool relied on in the context of the specific transfer, in particular legal provisions that prevent the data importer from fulfilling its obligations under the relevant transfer tool. The Recommendations stipulate that this should be checked particularly carefully if laws or regulations governing access by authorities to data are “not clearly or not publicly available”. Onward transfers should also be taken into account.
The Recommendations highlight that the recognition of the rule of law in the data importer’s country can be important in assessing the effectiveness of redress mechanisms available to individuals with regard to unlawful government access to personal data. Having a comprehensive data protection law or independent data protection authority in place can help ensure the proportionality of government access. Organizations should consult the EEG recommendations in assessing whether or not unjustified government access to data is likely.
The Recommendations also state that Section 702 of the US FISA “does not comply with the minimum guarantees that result from the principle of proportionality under EU law and cannot be regarded as limited to what is strictly necessary”, i.e., where data importers or recipients of onward transfers are subject to Section 702 of FISA, additional technical measures are required in addition to a transfer tool under Article 46 of the GDPR.
Adopt supplementary measures
If the legal assessment shows that the law of the recipient third country impairs the effectiveness of the safeguards of the Article 46 GDPR transfer tool, data exporters must identify and adopt supplementary measures, as they must ensure a standard of protection for the data that is essentially equivalent to that under EU law. Which supplementary measures can be taken will depend on a number of factors, including the nature of the data being transferred and the possibility that it may be transferred onward. Examples of supplementary measures in the Recommendations are:
- Technical measures: such as forms of encryption, in which encryption keys are kept outside the reach of the competent authorities, and pseudonymization, which does not allow data to be re-identified.
- Additional contractual measures: Obligations to implement the technical measures discussed above, transparency obligations with regard to the level of access by government authorities in the recipient jurisdiction and the measures taken to prevent access to personal data, as well as enhanced powers for the data exporter to carry out audits of the data importer. Data exporters should also consider contractually obliging data importers to review the legality of access requests they receive and, if necessary, to contest them.
- Organizational measures: Adoption of internal guidelines with a clear division of responsibilities for data transfers and operating procedures in the event of an access request, transparency and accountability measures including documentation of access requests and ensuring data minimization.
The recommendations also contain examples where supplementary measures cannot guarantee an adequate level of protection, for example if the authority of the recipient country’s authorities to access the transmitted data goes beyond what is necessary and proportionate in a democratic society. In these circumstances, organizations must avoid, suspend or end the relevant transfer, and data already transferred should be returned or destroyed by the data importer.
Take any formal procedural steps that may be necessary for the adoption of supplementary measures, such as obtaining the approval of the competent supervisory authority if it is intended to change the SCCs.
Review the data transfer agreements
Re-examine the level of protection at appropriate intervals and monitor any developments that could affect it. The recommendations emphasize that the principle of accountability requires “continuous vigilance” about the level of protection of personal data.
In addition, the EDPB adopted the EEG Recommendations in order to provide data exporters with criteria that can be used to determine whether the legal framework of a recipient country governing public authorities’ access to personal data for surveillance purposes can be regarded as a justifiable interference with EU individuals’ rights to privacy and to the protection of their personal data.
The EEG Recommendations provide that “the applicable legal requirements to make the limitations to the data protection and privacy rights recognized by the Charter [of Fundamental Rights of the EU] justifiable can be summarized in four European Essential Guarantees:
- Processing should be based on clear, precise and accessible rules;
- The necessity and proportionality with regard to the legitimate objectives pursued must be demonstrated;
- There should be an independent oversight mechanism; and
- Effective remedies must be available to the individual.”
The EDPB provides that these “core elements” should not be assessed independently but holistically, by reviewing the relevant legal provisions on surveillance measures, the minimum level of safeguards for protecting the rights of the individual, and the legal remedies provided for under the national law of the recipient jurisdiction.
The Recommendations are open for public consultation until November 30, 2020. Feedback can be given here. The Recommendations apply immediately after their publication.