The General Data Protection Regulation (GDPR) sets a high bar in relation to transfers of personal data from the EEA to non-EU recipient countries. Following the Court of Justice's decision in Schrems II, discussed here, the onus is on data exporters to assess on a case-by-case basis whether, in the absence of an adequacy decision relating to that jurisdiction, there is an essentially equivalent level of protection in the recipient country for the particular transfer. Where there is not, the data exporter must consider whether effective supplementary measures can be implemented – however, where these do not provide the appropriate level of protection, the transfer cannot take place. Indeed, it can be suspended by a competent supervisory authority and may lead to a claim for damages by affected data subjects.
European Data Protection Board Guidance on Supplementary Measures
Since the Schrems II decision, businesses have been on tenterhooks waiting for guidance as to how they should approach transfers to non-EEA countries. This has extra significance given the forthcoming end of the Brexit transition period and in circumstances where the UK still awaits an outcome on adequacy. Aside from Brexit, particular concern is directed to the issue of EEA to US transfers, but this issue applies to transfers to any non-EEA country where there may be concerns about the data protection standards in the recipient country.
On 10 November 2020, the European Data Protection Board (EDPB) issued its proposed recommendations on supplementary measures for consultation (the deadline for responding has been extended from 30 November to 21 December 2020). Data exporters using Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) to 'fill gaps' in protection identified in relation to transfers to recipient non-EEA countries should consider this guidance carefully. Given the case-by-case assessment required of them, the EDPB guidance provides a roadmap for exporters, together with examples of supplementary measures that may be suitable in particular scenarios. The EDPB guidance is undoubtedly helpful in allowing controllers, processors and – indeed – data subjects to understand the European data protection supervisory authorities' likely approach to these matters. On a full analysis, however, its implications might not feel helpful to those wishing to engage in affected transfers.
It will be crucial for any UK company which is involved in the movement of personal data across borders to understand this issue, which will only become of more intense importance from January 2021.
Whilst the data exporter is primarily responsible for ensuring that data transferred is afforded an essentially equivalent level of protection in the recipient non-EEA country, it should also ensure its data importers collaborate in this process, for example by being kept informed of developments that may affect the level of protection in the importer's country.
The EDPB roadmap
The EDPB's roadmap comprises six steps for data exporters, with a reminder to document the process and to make both the documentation and the supplementary measures adopted available to a competent supervisory authority should they ask.
Step 1: Know your transfers
Data exporters should record and map the destinations of all their transfers, including onward transfers (for example, where processors outside the EEA transfer data to a sub-processor also outside the EEA) before any transfer is made. Whilst the EDPB accepts this can be a difficult exercise, it is a necessary first step and can in some cases build upon the records of processing activities already required under Article 30 GDPR. As part of this assessment, a data exporter should analyse whether the data transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred and processed in the recipient country.
Importantly, the EDPB notes that remote access from a third country (such as in a support situation), and/or storage in a cloud situated outside the EEA, is a relevant transfer. Where an international cloud structure is used, the data exporter must assess if the data will be transferred to third countries, and where.
Step 2: Identify the transfer tools relied upon
In the absence of an up-to-date adequacy decision in relation to the recipient country (or area or sector), an appropriate safeguard must be used for regular and repetitive transfers by reference to Article 46 GDPR. For occasional and non-repetitive transfers, it may be possible to rely on one of the exceptional derogations in Article 49, such as data subject consent.
The transfer tool mechanisms in Article 46 GDPR are of a contractual nature. Following the CJEU decision in Schrems II, the situation in the recipient country may require data exporters to supplement the relevant Article 46 transfer tool with 'supplementary measures' to ensure an essentially equivalent level of protection.
Step 3: Assess whether the Article 46 transfer tool is effective in light of all circumstances of the transfer
In some cases, it will not be sufficient to rely upon a transfer tool due to the third country's legislation and practices applicable to the transfer. Accordingly, and where appropriate in collaboration with the data importer, the data exporter must assess whether there is anything in the law or practice of the recipient country that may impinge on the effectiveness of the appropriate safeguard, in the context of the specific transfer.
The assessment should track the publicly available legislation but, where this is lacking, should include other relevant and objective factors (as opposed to subjective ones). As with all aspects of the process, data exporters should conduct the assessment with due diligence and document it thoroughly. The assessment may involve the data importer providing relevant sources and information relating to the recipient country and its laws. This assessment needs to include all relevant parties involved in the transfer, and any onward transfer that may occur.
The EDPB suggests that the following will be relevant to consider:
- Purposes for which the data are transferred and processed (such as marketing, HR, storage, IT support, clinical trials)
- Types of entities involved in the processing (public/private, controller/processor)
- Sector (adtech, telecommunications, financial etc)
- Categories of personal data transferred (does it relate to children, for example?)
- Whether the data will be stored in the third country or there is only remote access
- Format of the data to be transferred (in plain text/pseudonymised or encrypted)
- Possibility that the data may be subject to onward transfers to another third country
When assessing applicable laws, data exporters should consider whether any impinge on the commitments contained in the chosen transfer tool. For example, can commitments enabling data subjects to exercise their rights of access be effectively applied in practice, or are they thwarted by laws in the third country destination? This involves an assessment of relevant rules of a general nature, and specific attention to any laws laying down requirements to disclose personal data to public authorities or granting those authorities powers of access – as to whether they are limited to what is necessary and proportionate in a democratic society, assessed by reference to the EU standards.
Separately, the EDPB has issued recommendations on European Essential Guarantees (EEG) for surveillance measures which provide guidance on the assessment of whether the legal framework in the recipient country governing access to personal data by third countries can be regarded as a justifiable interference or not.
If the outcome of the assessment is that essentially equivalent protection is provided in the recipient country, the transfer can continue, but the assessment should be re-evaluated at the appropriate time. However, if the outcome is that essentially equivalent protection cannot be afforded, the data exporter must put in place effective supplementary measures, or not make the transfer.
The EDPB notes that, in Schrems II, the CJEU held that Section 702 of the U.S. FISA does not respect the minimum safeguards resulting from the principle of proportionality under EU law and cannot be regarded as limited to what is strictly necessary. Accordingly, if the data importer or any further recipient to which the data importer may disclose the data falls under Section 702 FISA, SCCs or other Article 46 GDPR transfer tools may only be relied upon if additional supplementary technical measures make access to the data transferred impossible or ineffective.
Step 4: Adopt supplementary measures
Where supplementary measures are required in order to bring the level of data protection of the data transferred up to the EU standard, these must be identified on a case-by-case basis. Measures contractual, technical and/or organisational in nature may be adopted, alone or in combination. However, the EDPB notes that contractual and organisational measures alone will generally not overcome problematic access to personal data by public authorities, and that there will be situations where only technical measures impeding or rendering such access ineffective will suffice (though contractual or organisational measures may provide further security).
The EDPB identifies non-exhaustive factors that data exporters and importers can consider when identifying the most effective supplementary measure/s:
- Format of the data to be transferred (in plain text/pseudonymised or encrypted)
- Nature of the data
- Length and complexity of data processing workflow, number of actors involved in the processing and the relationship between them
- Possibility that the data may be subject to onward transfers
In Annex 2 to its guidance, the EDPB provides some non-exhaustive examples of technical, contractual and organisational measures, together with some of the conditions that they would require to be effective. The EDPB notes that some measures may be effective in some countries, but not in others.
Technical measures will be particularly needed where the law of the recipient country imposes on the data importer obligations contrary to the safeguards of the Article 46 transfer tools, particularly relating to access by public authorities. The EDPB discusses the use of strong encryption, pseudonymisation, transiting of encrypted data through third countries, transfers to a protected recipient, and split or multi-party processing as being scenarios where effective supplementary measures may be used. However, the EDPB also says that it cannot envisage that a transfer to a cloud service provider (or other processor) which requires access to data in the clear (unencrypted) to execute the assigned task – in circumstances where the power of public authorities in that country to access the transferred data goes beyond what is necessary and proportionate in a democratic society – can incorporate an effective technical measure to prevent that access. It reaches the same conclusion in relation to remote access to data granted to entities in a third country for shared business purposes.
Additional contractual measures
These could be unilateral, bilateral or multilateral contractual commitments, going beyond those contained in the relevant Article 46 transfer tool. They may be combined with technical and organisational measures. However, contractual measures will not of course prevent the application of legislation in a third country requiring importers to comply with orders to disclose data to public authorities.
Examples of contractual measures discussed by the EDPB include:
- Obligations to put specific technical measures in place
- Transparency obligations on the importer relating to:
  - information about access to data by public authorities
  - its system (such as no back doors or similar programming) and business processes in the context of access
  - inability to comply as a result of changes in the third country's legislation or practice
  - a 'Warrant Canary' method requiring the importer to commit to regularly publishing a cryptographically signed message informing the exporter that it has received no order to disclose personal data
- Obligations to take specific actions: the importer could commit to reviewing the legality of any order to disclose data and to challenge the order where appropriate
- Empowering data subjects to exercise their rights: for example, providing that personal data transmitted in plain text in the normal course of business can only be accessed with the consent of the exporter and/or the data subject; notifications to data subjects of requests or orders received from public authorities; commitment to assisting data subjects in exercising their rights.
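The warrant canary commitment in the list above, worked through as an added example that is not part of the EDPB recommendations or of the original article: the importer signs a dated statement with Ed25519, and the exporter's check accepts it only if the signature verifies under the public key pinned when the contract was signed, the date is fresh, and the wording is unchanged. The statement format and the `NoOrderText` wording are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
	"time"
)

// NoOrderText is the assertion the importer must repeat on every publication
// (wording constructed for this example, not taken from the EDPB text).
const NoOrderText = "no order to disclose personal data has been received"

// Canary is one published statement, "YYYY-MM-DD: <text>", with its Ed25519 signature.
type Canary struct {
	Statement string
	Signature []byte
}

// Publish is the importer's side: date the statement and sign it with the pinned key.
func Publish(priv ed25519.PrivateKey, date time.Time, text string) Canary {
	stmt := fmt.Sprintf("%s: %s", date.UTC().Format("2006-01-02"), text)
	return Canary{Statement: stmt, Signature: ed25519.Sign(priv, []byte(stmt))}
}

// VerifyCanary is the exporter's side. The canary is only reassuring if all three hold:
// valid signature, fresh date (a stale or missing canary is itself the warning), unchanged wording.
func VerifyCanary(pub ed25519.PublicKey, c Canary, now time.Time, maxAge time.Duration) error {
	if !ed25519.Verify(pub, []byte(c.Statement), c.Signature) {
		return fmt.Errorf("signature does not verify under the pinned importer key")
	}
	parts := strings.SplitN(c.Statement, ": ", 2)
	if len(parts) != 2 {
		return fmt.Errorf("statement is malformed: %q", c.Statement)
	}
	date, err := time.Parse("2006-01-02", parts[0])
	if err != nil {
		return fmt.Errorf("statement date unparseable: %w", err)
	}
	if age := now.Sub(date); age < 0 || age > maxAge {
		return fmt.Errorf("canary dated %s is stale or future-dated (age %s, limit %s)", parts[0], age, maxAge)
	}
	if parts[1] != NoOrderText {
		return fmt.Errorf("statement no longer asserts that no order was received")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	day := time.Date(2020, 11, 30, 0, 0, 0, 0, time.UTC)
	c := Publish(priv, day, NoOrderText)
	fmt.Println("two days later:", VerifyCanary(pub, c, day.Add(48*time.Hour), 7*24*time.Hour))
}
```

The exporter should schedule this check at the agreed publication interval, so that a canary that silently stops appearing is escalated just like one that fails verification.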
Additional organisational measures could include internal policies for the governance of transfers (especially within groups of companies), transparency and accountability measures, organisational methods and data minimisation measures, adoption of standards and best practices – both for the exporter itself and also to be imposed on data importers.
Where no supplementary measure can ensure an essentially equivalent level of protection, the transfer must not take place or must be suspended/terminated. Where the transfer goes ahead without the importer being able to comply with the commitments in the Article 46 GDPR transfer tool, the data exporter must notify the relevant supervisory authority, which will suspend or prohibit the transfer where it finds that an essentially equivalent level of protection cannot be ensured. If the transfer starts or continues, a fine and/or other corrective measures may be imposed (as well as possible claims by data subjects).
Step 5: Take appropriate procedural steps
Where supplementary measures are identified, certain procedural steps may be needed. For example, where the supplementary measures are in addition to the use of SCCs, there is no need to request authorisation from a supervisory authority, provided that the measures identified do not contradict (directly/indirectly) the SCCs and are sufficient to ensure the level of protection guaranteed by GDPR is not undermined. Where however the SCCs are to be modified, or the supplementary measures contradict the SCCs, authorisation must be sought.
Step 6: Re-evaluate at appropriate intervals
Data exporters, in collaboration with importers, should monitor on an ongoing basis developments in the recipient country which could affect the initial assessment of the level of protection and the decisions taken.
European Commission issues draft updated SCCs
On 12 November 2020, the European Commission published a draft implementing decision relating to new SCCs, which is open for feedback until 10 December 2020. It is notable, and welcome, that the Commission has finally proposed SCCs which are directly applicable to GDPR – until now, contracting parties have had to use the "old" SCCs made under the prior Data Protection Directive, and effectively "pretend" they apply to GDPR situations. It is also notable that these are proposed to be "wall to wall SCCs": instead of separate sets of clauses for different situations (controller – controller, controller – processor), these aim to cover all situations. That includes processor – sub-processor situations, where the absence of such clauses until now has caused issues for many years (and resulted in unwieldy workarounds).
In light of the Schrems II ruling, the new SCCs will require the parties mutually to warrant that they have no reason to believe that the local laws of the data importer's country prevent the data importer from fulfilling its obligations. By baking this obligation into the clauses, this should mean that parties properly consider all the relevant circumstances before entering into data transfer agreements – for too long some parties have just assumed that the SCCs are a mere formality, rather than a legal agreement with duties and consequences.
In terms of timing, once the European Commission adopts the final version of the new SCCs, there will be a transitional period of one year from the date that the implementing decision enters into force. During that period, controllers and processors may continue to rely on the previous versions of the SCCs for the performance of a contract concluded between them before that date, provided that the contract remains unchanged (and, of course, with any necessary supplementary measures that have been identified). Where there are relevant changes to the contract, the data exporter will be required to rely on a new ground for data transfers, by updating the SCCs to the new version.
Response from the UK ICO
On 13 November 2020, the ICO issued an updated statement that it was reviewing the EDPB recommendations, as well as the European Commission's new and updated SCCs. This should be read in the context that it has previously been indicated that the ICO would adopt the current set of SCCs after Brexit. However, the ICO is yet to provide any further guidance other than that organisations should take stock of their international data transfers and update their practices as guidance and advice become available. It is also not yet clear the extent to which the EDPB recommendations and the new SCCs will be adopted or accepted by the UK after the end of this year. This is far from a satisfactory state of affairs and businesses will rightfully be hoping for much more detailed and specific guidance from government and from the ICO.
The Government meanwhile has recently updated its guidance to businesses noting that "with only weeks to go, the EU has yet to make a decision as to whether they accept the UK's data protection regime is still adequate" and has advised that businesses should "act now in order to keep personal data flowing".