International data transfer
European Data Protection Board publishes recommendations on measures to supplement transfer tools for international data transfer
Background: the CJEU’s “Schrems II” decision
In a remarkable decision dated 16 July 2020 in the “Schrems II” case, the Court of Justice of the European Union (CJEU) invalidated the European Commission’s Implementing Decision on the “EU-US Privacy Shield” without a transitional period, thus dealing a harsh blow to transatlantic data transfer.
The CJEU’s decision also focused on the EU standard data protection clauses (or “standard contractual clauses”) that have often been used as transfer tools for international data transfers. While clarifying that there was nothing to criticise about the standard data protection clauses as such, the CJEU stated that the competent supervisory authority is required to suspend or prohibit a transfer of personal data to a third country pursuant to standard data protection clauses, if, in its view, in the light of all the circumstances of that transfer, the standard data protection clauses are not or cannot be complied with in that third country. The CJEU also stated that, depending on the prevailing position in a particular third country, the adoption of supplementary measures may be required of the data exporter and data importer in addition to the standard contractual clauses in order to ensure an adequate level of data protection.
Especially in the light of the CJEU’s critical remarks on the legal situation in the US, the question has arisen since the decision of the highest European court whether supervisory authorities should prevent data transfers to the US where those transfers rely solely on the standard contractual clauses, without supplementary measures, and it is at the same time clear that the specific data importers concerned are subject to US law that makes it impossible for them to comply with the standard contractual clauses.
Recommendations by the European Data Protection Board
As early as 24 July 2020, the European Data Protection Board (EDPB) published short FAQs on the judgment of the CJEU in the “Schrems II” case. On 11 November 2020, the EDPB presented its Recommendations on measures that supplement transfer tools for international data transfers and Recommendations on the European Essential Guarantees for surveillance measures for feedback.
In its recently published recommendations on measures that supplement transfer tools for international data transfers, the EDPB emphasises in particular its opinion that transfers to recipients that are subject to Section 702 of the US Foreign Intelligence Surveillance Act (“FISA”), which was sharply criticised by the CJEU in its “Schrems II” decision, are only permissible on the basis of standard contractual clauses or other transfer tools if additional supplementary technical measures make access to the data transferred impossible. In other words, additional contractual and/or organisational measures are not sufficient as supplementary measures in the EDPB’s opinion.
The EDPB’s recommendations include a number of examples of supplementary measures, including in particular technical measures. The recommendations also describe specific scenarios (use-cases) for which the EDPB believes it is either possible or impossible to find effective technical measures.
In short, for typical cloud-based services in which personal data are processed, the EDPB is of the opinion that the primary decisive factor should be adequately strong encryption for which only the data exporter, and not the data importer, holds the key. In its recommendations, the EDPB also sketches out the essential steps that data exporters should take in the light of their accountability under data protection law:
- Analyse data transfers to third countries (know your transfers)
- Verify the transfer tool your transfer relies upon
- Assess the effectiveness of the appropriate safeguards of the transfer tools
- Identify and adopt adequate supplementary measures where appropriate
- Implement supplementary measures
- Re-evaluate at appropriate intervals
The EDPB has asked for feedback on its recommendations by means of a public consultation procedure, which runs until 21 December 2020. It is conceivable that the EDPB may make changes to its recommendations based on the feedback. Nevertheless, we recommend beginning now to take the requirements the EDPB has issued into account when complying with the statutory requirements on international data transfers.
European Commission publishes drafts of new standard data protection clauses for international data transfer and standard contractual clauses for contracts between controllers and processors
Shortly thereafter, i.e. on 12 November 2020, in a surprise move, the European Commission published not only new draft standard contractual clauses for transferring personal data to non-EU countries, but also draft standard contractual clauses between controllers and processors located in the EU:
- The Commission intends the new “standard contractual clauses” for contracts between controllers and processors to become the basis for the first EU-wide uniform master contract for contracts between controllers and processors in the EU (see Article 28 (7) GDPR).
- The new “standard data protection clauses” are intended to replace the currently valid standard contractual clauses for controllers from 2001 and standard contractual clauses for processors from 2010 for transferring personal data to third countries (see Article 46 (2) (c) GDPR).
The Commission welcomes feedback on the drafts until 10 December 2020. The EDPB will also have the opportunity to state its position. The drafts provide for adoption of the implementing decisions before 2020 ends.
The new “standard data protection clauses” proposed by the Commission provide for a number of changes to the currently applicable standard contractual clauses. In particular, the new “standard data protection clauses” are to be applied in a modular approach, covering not only transfers to processors but also transfers between controllers. The new clauses are also intended to be used by processors when forwarding data to sub-processors. It remains to be seen whether, in actual practice, the new draft clauses can accomplish the intended objective of a universally applicable master contract for the various scenarios.
In any case, in connection with the CJEU decision in the “Schrems II” case, the Commission clarifies in its new draft standard data protection clauses that, even when the new clauses are used, supplementary measures could be necessary, depending on the legal situation in the relevant third country.
Thus, under the “standard data protection clauses” proposed by the European Commission, data-exporting companies will probably have no choice, for all transfers to third countries (i.e. not only to the US), including those based on the standard data protection clauses, but to examine in detail which laws apply to the data importer in the third country to which they wish to transfer data, and to any other recipients, and whether those laws impinge on the effectiveness of the appropriate safeguards created when the standard contractual clauses were signed. In this process, it is absolutely necessary to analyse each specific data transfer and determine which laws of the third country are applicable.
Helpful links:
- CJEU – Press release dated 16 July 2020 – The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield (europa.eu)
- CJEU judgment dated 16 July 2020 – Case C-311/18 Data Protection Commissioner against Facebook Ireland Ltd (“Schrems II”)
- EDPB - FAQ on the judgment of the CJEU in the “Schrems II” case
- EDPB - Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
- EDPB - Recommendations 02/2020 on the European Essential Guarantees for surveillance measures
- European Commission – draft implementing act on standard contractual clauses for transferring personal data to non-EU countries
- European Commission – draft implementing act on standard contractual clauses between controllers & processors located in the EU