The EDPB’s guidance on supplementary measures for data transfers – answers at last?

July 9, 2021 | Blog

The transfer of personal data seems to be ‘hot and happening’ this year. Not only did the European Commission publish the long-awaited updated Standard Contractual Clauses and launch the process towards an adequacy decision for the Republic of Korea; the UK adequacy decisions were also adopted recently.

This blog, however, will delve into the European Data Protection Board’s (“EDPB”) most recent, and now adopted, recommendation: Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (version 2.0, adopted 18 June 2021). In November 2020, we already provided some information on the draft version of this recommendation. This blog sheds some light on the final version and its implications.

Recap

In July 2020, in the Schrems II judgment (C-311/18), the Court of Justice of the European Union (“CJEU”) not only invalidated the Privacy Shield mechanism but also examined the then-current Standard Contractual Clauses (“SCCs”). Although the CJEU considered the SCCs valid, it held that the data exporter must verify, prior to the transfer, whether the level of data protection guaranteed by the GDPR can in fact be respected in the third country in which the receiving party is located. If not, supplementary measures must be taken where necessary.

This ruling left data exporters and importers with two main questions:

  1. How is one to know whether a third country is able to provide a sufficient level of protection?
  2. What measures are capable of eliminating possible doubts and dangers?

The EDPB attempted to provide answers to these – valid – questions.

Assessment of practices in a third country (i)

Data exporters should focus not only on the legislation applicable in the receiving country, but also on the practices in that country; this point was added in the adopted version of the recommendation. Taking the practices into account is especially relevant if:

  • legislation in the third country formally meeting EU standards is manifestly not complied with in practice
  • there are practices incompatible with the commitments of the transfer tool where relevant legislation in the third country is lacking
  • the transferred data and/or importer fall or might fall within the scope of problematic legislation (i.e. impinging on the transfer tool's contractual guarantee of an essentially equivalent level of protection and not meeting EU standards on fundamental rights, necessity and proportionality)

As follows from the recommendation, if either of the first two situations materialises and no adequate supplementary measures can be taken, the transfer must be suspended. The EDPB takes a less strict position on the third situation: “you may decide to (i) suspend the transfer, (ii) implement supplementary measures to proceed with it or alternatively, (iii) you may decide to proceed with the transfer without implementing supplementary measures if you consider and are able to demonstrate and document that you have no reason to believe that relevant and problematic legislation will be interpreted and/or applied in practice so as to cover your transferred data and importer.”

In any case, the assessment should be documented properly and should cover the entire “chain of transfers”, including onward transfers and the engagement of (sub-)processors. In addition to general information such as the purposes of processing and the relevant categories of personal data, the following information could, for example, be included in the assessment:

  • Elements on whether public authorities of the third country may seek to access the data with or without the data importer's knowledge, in light of legislation, practice and reported precedents;
  • Elements on whether public authorities of the third country may be able to access the data through the data importer or through the telecommunication providers or communication channels in light of legislation, legal powers, technical, financial, and human resources at their disposal and of reported precedents.

Supplementary measures (ii)

Supplementary measures must be assessed on a case-by-case basis. However, according to the EDPB, the assessment does not have to be repeated each time a similar transfer is conducted under similar circumstances. Factors to be taken into account when assessing the suitability of a measure are:

  • Format of the data to be transferred (e.g. encrypted, pseudonymised or plain text)
  • Nature of the data
  • Length and complexity of the chain of transfer
  • Parameters of the practical application of the third country’s laws

Requirements on the sources of information

The EDPB also addressed the quality of the sources of information used for the assessment. These sources must be:

  • Relevant to the specific transfer and/or importer instead of being overly general;
  • Objective and supported by empirical evidence and knowledge, not assumptions;
  • Reliable;
  • Verifiable, as competent authorities must be able to check the information if needed;
  • Publicly available or otherwise accessible.

Documented practical experience of the importer with relevant prior instances of requests for access received from public authorities in the third country may also be taken into account. However, the absence of prior instances of requests received by the importer can never be considered, by itself, as a decisive factor on the effectiveness of the transfer tool.

Conclusion

Although the EDPB has provided some more guidance on how to carry out transfer assessments, it still leaves us with concerns as to the genuine possibility of lawful transfers, which was also the conclusion of our previous blog on this topic. It is understandable that the supervisory authorities cannot provide a clear-cut solution; however, leaving the assessment of both the applicable law and the suitable supplementary measures to the data exporter (and importer) may be too much to ask.

As to the steps to take, we refer to the overview below, which follows the EDPB’s six-step roadmap. Each step is listed with its explanation and action points.

Step 1: know your transfers

Explanation: the first step is to ensure that you are fully aware of your transfers. Knowing your transfers is an essential first step to fulfilling your obligations under the principle of accountability.

Action points:

●      Data mapping and record keeping;

●      Do not forget to take into account onward transfers, for instance due to processors engaging sub-processors;

●      You must verify that the transfers are actually adequate, relevant and limited to what is strictly necessary.

Step 2: identify the transfer tools you are relying on

Explanation: following the Schrems II judgment, the following tools remain available as a basis for data transfers (adequacy decisions under Article 45 GDPR; the other tools are the appropriate safeguards of Article 46 GDPR):

●      Adequacy decisions;

●      Standard Contractual Clauses;

●      Binding Corporate Rules;

●      Codes of Conduct;

●      Certification mechanisms;

●      Ad hoc contractual clauses.

In addition, occasional and non-repetitive transfers could in restricted cases be based on the derogations provided for by Article 49 GDPR.

Action points:

●      If your transfer can neither be legally based on an adequacy decision, nor on an Article 49 derogation, you need to continue with step 3;

●      If your transfer can legally be based on an adequacy decision, keep in mind that you must still monitor whether adequacy decisions relevant to your transfers are revoked or invalidated.

Step 3: assess whether the transfer tool is actually effective given the relevant circumstances

Explanation: effective means that the transferred personal data is afforded a level of protection in the third country that is essentially equivalent to that guaranteed in the EEA. This is not the case if the data importer is prevented from complying with its obligations under the chosen Article 46 GDPR transfer tool due to the third country’s legislation and practices applicable to the transfer.

Action points:

●      Take into consideration all the actors participating in the transfer;

●      Look into the characteristics of each of your transfers and into the domestic legal order of the country to which data is transferred;

●      Pay specific attention to any relevant laws and practices, in particular laws laying down requirements to disclose personal data to public authorities or granting such public authorities powers of access to personal data;

●      The EDPB’s European Essential Guarantees (EEG) recommendations provide the elements that have to be assessed to determine whether the legal framework governing access to personal data by public authorities in a third country, whether national security agencies or law enforcement authorities, can be regarded as a justifiable interference or not.

Step 4: adopt supplementary measures

Explanation: if your assessment under step 3 has revealed that your Article 46 GDPR transfer tool is not effective, then you will need to consider whether supplementary measures exist which, when added to the safeguards contained in the transfer tool, could ensure that the data transferred is afforded in the third country a level of protection essentially equivalent to that guaranteed within the EU.

In principle, supplementary measures may be of a contractual, technical or organisational nature. Contractual and organisational measures alone will generally not overcome access to personal data by public authorities of the third country.

Action points:

●      Identify on a case-by-case basis which supplementary measures could be effective for a set of transfers to a specific third country when using a specific Article 46 GDPR transfer tool;

●      If you decide to continue with the transfer notwithstanding the fact that the importer is unable to comply with the commitments taken in the transfer tool, you should notify the competent supervisory authority in accordance with the specific provisions inserted in the relevant Article 46 GDPR transfer tool.

Step 5: procedural steps

Explanation: the procedural steps you may have to take once you have identified effective supplementary measures to be put in place may differ depending on the Article 46 GDPR transfer tool you are using or envisage using. For example, where the supplementary measures are added to the SCCs, no authorisation from the supervisory authority is needed as long as the additional clauses do not contradict the SCCs, directly or indirectly; where ad hoc contractual clauses are used, the clauses including the supplementary measures must be authorised by the competent supervisory authority (Article 46(3)(a) GDPR).

Action points:

●      Take the procedural steps required for your transfer tool.

Step 6: re-evaluate at appropriate intervals

Explanation: you must monitor, on an ongoing basis and where appropriate in collaboration with data importers, developments in the third country to which you have transferred personal data that could affect your initial assessment of the level of protection and the decisions you may have taken accordingly on your transfers. Accountability is a continuing obligation (Article 5(2) GDPR).

Action points:

●      You should put sufficiently sound mechanisms in place to ensure that you promptly suspend or end transfers where:

- the importer has breached or is unable to honour the commitments it has taken in the Article 46 GDPR transfer tool; or

- the supplementary measures are no longer effective in that third country.
