Data Protection Update: New EDPB Recommendations on International Data Transfers
Update Data Protection No. 100
The European Data Protection Board (EDPB) is the joint body of the data protection supervisory authorities of the EU Member States. It frequently publishes guidelines and recommendations on the application of the GDPR. These provide valuable guidance for practical application, as the national supervisory authorities also align their activities to them.
On June 18, 2021, the EDPB approved its Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, after having published a first draft of these recommendations in November 2020. The new recommendations are based on the “Schrems II” ruling of the ECJ (see our last Update no. 99 on this and the subsequent developments). In its judgment, the Court of Justice ruled – inter alia – that a controller transferring personal data to non-EU countries may have to take additional measures to secure the transfer of data. This also applies if the controller bases the data transfer on, for example, the Standard Contractual Clauses (SCC) of the EU Commission. With its recommendations, the EDPB attempts to answer the question of when and, if necessary, which measures have to be taken.
The EDPB recommendations in detail
The EDPB recommends six steps to ensure GDPR compliance for international data transfers:
1. "Know your transfers“
Data transmissions can only be designed in a legally compliant manner when the controller knows whether and which data it is transmitting and how. Therefore, a careful check is required on which data is being transmitted to third countries and in which way.
2. Review of the legal basis being used
Chapter V GDPR provides a catalog of legal bases for international data transfers. The simplest case for a controller is the existence of an adequacy decision by the EU Commission for the target country (Article 45 GDPR). In this case, the controller only has to continuously check that the decision is still valid. As already reported, the "Privacy Shield" decision regarding transfers to the US is no longer valid. In addition, there are further legal bases in Chapter V. The most relevant are the Standard Contractual Clauses (Article 46 GDPR) and binding corporate rules (Article 47 GDPR).
3. Identification of problematic laws and practices in force in the target country
This is the heart of the assessment. The controller of the specific data transfer – i.e. the party which exports the data – must assess whether the legislation and/or administrative practice in force in the target country means that the transferred data is no longer protected in accordance with the requirements of the legal basis. Disproportionate regulatory access rights would be an example of this. However, these only impinge on the effectiveness of the appropriate safeguards if the contractual partner in the target country is subject to these access rights. In other words, the mere existence of a disproportionate law does not make the data transfer inadmissible.
If no relevant problematic laws or practices have been found, the transfer can take place without further action.
4. If necessary: identify and adopt supplementary measures
If it was determined in Step 3 that problematic laws or practices exist, the chosen legal basis alone cannot provide appropriate safeguards. This also applies to the recently adopted new Standard Contractual Clauses. However, this does not necessarily mean that the transmission is not permitted. It then depends on whether the existing risk can be eliminated through supplementary measures. The EDPB lists some possible measures in its guidelines, but the specific situation is always decisive. No single measure creates appropriate safeguards in every case.
The measures can be divided into technical, contractual and organizational ones. Examples of technical measures are strong encryption or the transmission of pseudonymized data. At the contractual level, a supplementary measure could be to the effect that the data importer agrees to disclose official access requests. In addition, the practices could agree on first checking requests for disclosure from public authorities for their legality and, if necessary, take action against them. Organizational measures could be internal data transfer guidelines or training in dealing with official inquiries.
If no suitable measures can be taken, the transmission must either be discontinued or terminated immediately, as appropriate safeguards are not provided.
In this context, a more detailed statement by the EDPB is of great importance: If a controller transmits data to a cloud provider in a third country, for example, which requires access to the unencrypted data in order to fulfill its task (e.g. to provide support services), but, at the same time, the authorities in the target country have disproportionate access rights, then – according to the opinion of the EDPB – sufficient supplementary measures to create appropriate safeguards are not available. Accordingly, in such situations where data are transmitted in clear such transfer is according to the EDPB simply not possible.
5. Take any formal procedural steps
Depending on the legal basis in the specific case, further procedural steps may be necessary, such as the notification of the supervisory authority (for example, pursuant to Article 46(3) lit. a GDPR).
6. Re-evaluate at appropriate intervals
The measures taken must be evaluated periodically. This already arises from the fact that the legal situation and legal practice in the target country can change.
Conclusion and recommendation
The transmission of data to non-EU countries involves some effort on the part of the controller. The evaluation of the legal situation in the target country is one more item in the already comprehensive catalog of duties of the controller. If data is to be transmitted to non-EU countries, the assessment steps proposed by the EDPB should be followed. They give guidance where nearly everything was very unclear. The assessment should be documented in order to be able to present evidence to a supervisory authority if needed.
Depending on the individual case, companies should check whether the Standard Contractual Clauses are the appropriate means. In particular, a closer look should be taken at the possible use of the application cases of Article 49 GDPR, even if – in the opinion of the EDPB – these only apply in exceptional cases.
In the case of services, a thorough review should be carried out to determine whether there are alternatives within Europe or at least in countries where the powers of the national security authorities are clearly and proportionately regulated.