International Data Transfers - EDPB Final Recommendations
On Friday 18th June the European Data Protection Board (EDPB) adopted final recommendations on supplementary measures to ensure compliance with the EU level of data protection for personal data in relation to international transfers.
These recommendations follow the recent Schrems 2 case in which the CJEU ruled that, whilst Standard Contractual Clauses (SCCs) are still valid, additional measures need to be put in place to ensure that GDPR levels of data protection effectively travel with the data when it is exported to countries that have no adequacy decision. The intention is that these measures will provide ‘essential equivalence’ with the level of protection required under the GDPR.
Some will be pleased to see that the recommendations are a little less black and white than many had expected. Organisations are permitted to make a subjective assessment of the likelihood of data being accessed by public authorities in the importing country – a clear relaxation from the initial draft recommendations. However, these assessments, while subjective, need to be based on a thorough and documented understanding of the potential risks, so there are still plenty of hoops to jump through in order to reach such a conclusion.
There are many references to the GDPR’s Accountability Principle in the recommendations, and the EDPB outline a ‘roadmap’ of the steps required in order to establish whether supplementary measures are required, together with examples of possible measures to implement. Throughout the exercise organisations must document their findings in order to demonstrate accountability.
Essentially, organisations first need to understand their transfers, for example by using their Article 30 records of processing activities/data map; decide on their transfer tool under Article 46 (e.g. SCCs, BCRs, derogations); and look at any initial safeguards, for example data minimisation. Once the transfer tool is decided upon, organisations must then look at whether that transfer tool is, or can be made, effective in providing ‘essential equivalence’ with EU data protection levels. This entails a risk-based approach with heavy emphasis on government surveillance, but also looking at measures such as pseudonymisation, encryption etc. In terms of government surveillance, exporters are permitted to assess the likelihood of public bodies seeking access to the data in relation to their particular case, taking into account the sector, the categories of data (with higher levels of protection being required for more sensitive Article 9 and 10 data), and relevant legislation and practice. So the purposes of the processing, and any previous requests for access, whether made specifically to the importer or within a similar sector and circumstances, all need to be documented and considered.
Consideration must also be given to onward transfers, either within the same country or to other third countries. Data exporters are expected to collaborate with the importer in order to come to a conclusion and agreement on the risks and the measures to be taken.
The recommendations go on to provide examples of supplementary measures – technical, contractual and organisational as well as several use cases. Measures must be reviewed periodically, and the above exercise must be carried out on a case-by-case basis (though it does not need to be repeated for each transfer of the same type to the same importer). If organisations are unable to put in place measures that in their opinion provide ‘essential equivalence’ with EU data protection levels, then data transfers should be suspended or stopped.
The full recommendations are available here.
Feel free to get in touch if you need more information or require help with your international transfers.
Nick Richards CIPP/E CIPM
23rd June 2021