On 18 June, the European Data Protection Board (EDPB) adopted the final version of its recommendations relating to the supplementary measures required for the transfer of personal data outside of the EEA. Such measures are required to ensure the standard of protection given to personal data when organisations export data to 'third countries' located outside the EEA is equivalent to the EU regime. The recommendations were first published in November 2020 (in response to the Schrems II judgment in July 2020) and, following consultation, have now been finalised.
The EU data protection regime is in place to protect the fundamental rights and freedoms of individuals when it comes to their personal data; a principle that underpins the regulatory framework. The GDPR seeks to facilitate the free flow of personal data within the EEA and, to some degree, countries outside the EEA, provided that adequate protection is afforded to the personal data.
The Schrems II judgment reminded us that the EEA level of protection must travel with the personal data. Transferring personal data to another country cannot act as a backdoor to avoiding the EEA measures and the court stressed the need to provide 'essentially equivalent' protection to personal data transferred to countries outside the EEA.
Data exporters are required to identify a valid Article 46 transfer tool (which includes the use of standard contractual clauses (SCCs) or Binding Corporate Rules (BCRs)). Once a transfer tool has been identified, Schrems II reiterated the need for exporters to undertake a case-by-case assessment of the laws and practices of the third country importing the data, to establish whether they limit the effectiveness of the transfer tool being relied upon. Where the effectiveness is undermined, the transfer should only take place if supplemental measures are implemented in order to meet an essentially equivalent standard of protection (so that the personal data, and rights and freedoms of the individuals, continue to be protected to the same degree as they are in the EEA). These supplemental measures may be contractual, organisational or technical in nature.
The EDPB recommendations have been published to help exporters with the complex challenge of assessing third countries' laws and practices and identifying appropriate supplementary measures where needed. The recommendations set out a series of steps, including examples of supplementary measures to consider:
1. Know your transfers – exporters should undertake a data mapping exercise which identifies their transfers. This exercise should be used to determine whether the data relating to the proposed transfer is adequate, relevant and limited to what is necessary for the purposes for which it is being processed.
2. Verify your transfer tool – these are listed in Chapter V of the GDPR. This is an important step: do not assume that you should use standard contractual clauses; consider all of the options in light of the specific arrangement. If the country importing the data has received an adequacy decision, you will not need to put anything else in place (as the EU Commission has already determined that adequate levels of protection are in place).
3. Assess the laws of the importing country – when assessing the laws and practices of a third country, the finalised guidance underlines the need to identify any 'problematic legislation' which, amongst other things, may create requirements for the importer to disclose personal data to public authorities or may limit an individual's options for a remedy where their rights have been infringed. The assessment may also take into account any 'documented practical experience' from the importer in relation to any prior access requests by public authorities in the third country. The EDPB recommendations stress that in many cases, where laws in the third country undermine the effectiveness of the chosen transfer tool, only technical supplemental measures will be sufficient to provide the required level of protection (see step 4 below). You should clearly document the process you follow and the outcome of your assessment (for example in a data transfer impact assessment).
4. Supplementary measures – if you have identified as part of step 3 that supplementary measures are required, you must consider and implement appropriate measures. Annex 2 of the recommendations provides examples of technical measures which may be appropriate, including encryption, pseudonymisation and split processing. It is important to bear in mind that some supplementary measures may be effective in some countries but not others, so there is no 'one size fits all' approach. If you determine that none of the supplementary measures can ensure an essentially equivalent level of protection for your transfer, you must not undertake the proposed transfer.
5. Formal procedural steps – where you have identified effective supplementary measures, any formal procedural steps required by your chosen transfer tool need to be taken at this stage. For example, if you are relying on standard contractual clauses, the supplementary measures should be documented in the SCCs, with the parties bearing in mind that the measures cannot contradict the interpretation of the SCCs.
6. Re-evaluate – once you have complied with steps 1 to 5, the work doesn't stop there. You must re-evaluate the level of protection at appropriate intervals to ensure that there is continued compliance. If the arrangement or the laws in the importing country change, you must react accordingly to ensure an equivalent level of protection continues to be in place.
In light of the Schrems II judgment and the adoption of these recommendations, this is an area that is likely to gain attention from the regulator and organisations must carefully consider whether they can satisfy the requirements before engaging in transfers of personal data. Supervisory authorities have the power to suspend or prohibit transfers where the standards are not being met, as well as having the right to impose fines for failing to comply with the obligations.
UK organisations (as well as EU organisations) transferring personal data to third countries should apply the recommendations for international transfers. We await further guidance from the ICO on this from a UK perspective, but we expect it will closely reflect the EDPB recommendations.
If you have any questions regarding international data transfers, please contact our Data Protection team.