- The EDPB recommends a six-step procedure for checking and securing data transfers to third countries in line with Schrems II.
- The focus is on examining the foreign legal system and identifying supplementary technical, contractual and organizational measures.
- The requirements are high but remain unclear; the recommendations offer little concrete guidance as to which measures are sufficient.
As previously announced, the European Data Protection Board (EDPB) published, on November 10, 2020, further recommendations on how data exporters who wish to continue transferring personal data to third countries outside the EEA (third countries) after the Schrems II judgment should proceed (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data).
In the Schrems II ruling, the European Court of Justice (ECJ) held that the EU-US Privacy Shield is invalid and that transfers to a third country remain possible on the basis of the Standard Contractual Clauses (SCC), but that additional protective measures may be required. The published recommendations now specify what these measures are.
With this in mind, the EDPB recommends a six-step approach:
- “Know your transfers”: identify the data transfers concerned;
- “Verify the transfer tool your transfer relies on”: determine the safeguards (e.g. SCC) on which the transfers concerned will be based;
- “Assess the law or practice of the third country”: examine foreign legal provisions and official practices that may undermine the effectiveness of those safeguards (e.g. extensive and disproportionate access to personal data by local authorities);
- “Identify and adopt supplementary measures”: identify the additional measures needed to bring the transfer up to the level of protection required by the GDPR;
- “Take any formal procedural steps”: implement the additional measures, where necessary in consultation with the competent supervisory authority (e.g. checking whether the encryption techniques used meet the requirements for secure transmission);
- “Re-evaluate your data transfer at appropriate intervals”: regularly check whether the measures taken still meet the requirements.
The focus lies on the examination of the foreign legal system (step 3) and on the measures to be implemented as a result (step 4).
In Annex 2, the EDPB then uses various scenarios (use cases) to give examples of supplementary measures which, in addition to the transfer tool under Art. 46 GDPR, can ensure a GDPR-compliant transfer (a concretization of step 4 above); references to US law (step 3) can also be found there.
In particular, the EDPB identifies the following measures, some of which it elaborates on:
- Technical measures, which, however, are not necessarily sufficient, for example when a cloud provider needs access to data in the clear in or from a state with excessive access powers, or when a foreign group company needs data in the clear for ordinary business purposes. Examples of such measures are:
- robust and correctly implemented state-of-the-art encryption, e.g.
- of data prior to its transfer to a foreign hosting provider, where the EDPB appears to require that the key be held solely by the exporter or by an entity located in the EEA or in a country with an adequate level of protection;
- of data in transit (if necessary combined with end-to-end encryption of the data), if the data is merely routed through a third country;
- pseudonymization of the data prior to transfer (e.g. for research purposes), provided that the information needed for re-identification is available exclusively to the exporter (and not, for instance, also to foreign authorities), is kept in an EEA state or a state with an adequate level of protection, and is protected by sufficient measures.
- Contractual measures, such as those aimed at the following, each of which is conditional on local law not preventing the fulfillment of these obligations:
- the obligation to implement specific technical measures;
- the obligation of the importer to notify the exporter in the event of access by authorities (which, however, cannot by itself counter the risk where local law falls short of the “European Essential Guarantees”);
- assurances by the importer, e.g. that it has not installed backdoors, that it has not facilitated access to the personal data, and that its local law does not require it to install backdoors or otherwise provide access to the personal data (e.g. by handing over a key);
- extended audit rights of the exporter;
- the obligation to report access by authorities, or to confirm that no access has occurred up to a certain point in time (“warrant canary”);
- obligations of the importer to take certain actions, e.g. to exhaust legal remedies against disclosure orders, to inform the requesting authority of the obstacles under the GDPR, and to inform the exporter of accesses;
- measures for the protection of the data subjects, e.g. the proviso that access to data in the clear (e.g. for maintenance) is only permitted with the consent of the data subject; the obligation to inform data subjects about access by authorities; and support for data subjects in asserting their rights.
- Organizational measures, e.g. policies, processes and standards of the data exporter to which the data importer must also adhere, such as:
- intra-group policies on cross-border transfers;
- documentation of accesses or requests received by the importer and corresponding information to the exporter (and, on request, also to the data subjects);
- regular publication of transparency reports;
- strengthening of existing data minimization measures;
- processes for involving the data protection officer, the legal department and internal audit, where available;
- application of strict data security and data protection standards (e.g. ISO standards);
- adoption and regular review of internal policies for assessing the adequacy of the measures.
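The pseudonymization use case above hinges on one engineering property: the key and the re-identification table never leave the exporter (or a trustee in the EEA or an adequate country), and the importer gets a dataset from which the direct identifiers are gone. The following Python example, added here and not taken from the EDPB recommendations or any real implementation, shows one way to realise that split, combined with the data minimization measure from the organizational list (a quasi-identifier is coarsened before export). The record layout, field names and the three fictitious persons are constructed for the example; a keyed HMAC is used so the exporter can still link a person's records across batches while an importer who knows the person cannot recompute the pseudonym. The encryption-before-upload case (ciphertext at the hosting provider, key retained by the exporter) follows the same key-custody principle and is not shown here.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample records (fictitious persons), as held by the exporter in the EEA.
EXPORTER_RECORDS = [
    {"name": "Anna Muster", "email": "anna@example.org", "birth_year": 1984, "diagnosis": "D01"},
    {"name": "Ben Beispiel", "email": "ben@example.org", "birth_year": 1990, "diagnosis": "D02"},
    {"name": "Anna Muster", "email": "anna@example.org", "birth_year": 1984, "diagnosis": "D03"},
]

# Assumed classification for this example: these fields identify a person directly
# and are stripped; birth_year is a quasi-identifier and is coarsened.
DIRECT_IDENTIFIERS = ("name", "email")


class ExporterVault:
    """Pseudonymization secret plus re-identification table.

    Both stay with the exporter (or an EEA/adequate-country trustee) and are
    never part of what is sent to the importer.
    """

    def __init__(self, key: Optional[bytes] = None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: dict[str, dict] = {}  # pseudonym -> stripped direct identifiers

    def pseudonym(self, record: dict) -> str:
        # Keyed HMAC over the canonicalised direct identifiers: deterministic for the
        # key holder (records of one person stay linkable), but not recomputable
        # without the key even by someone who already knows the person.
        material = json.dumps({k: record[k] for k in DIRECT_IDENTIFIERS}, sort_keys=True).encode()
        return hmac.new(self.key, material, hashlib.sha256).hexdigest()

    def pseudonymize(self, records: list[dict]) -> list[dict]:
        """Builds the dataset that may be transferred to the importer."""
        out = []
        for r in records:
            p = self.pseudonym(r)
            self.lookup[p] = {k: r[k] for k in DIRECT_IDENTIFIERS}
            exported = {"pseudonym": p}
            for k, v in r.items():
                if k in DIRECT_IDENTIFIERS:
                    continue
                # Data minimization on the quasi-identifier: export the decade only.
                exported[k] = (v // 10) * 10 if k == "birth_year" else v
            out.append(exported)
        return out

    def reidentify(self, exported: dict) -> dict:
        """Possible only for the holder of the key and the lookup table."""
        attrs = {k: v for k, v in exported.items() if k != "pseudonym"}
        return {**self.lookup[exported["pseudonym"]], **attrs}


def leaks_direct_identifiers(dataset: list[dict]) -> bool:
    """Pre-transfer check: no direct identifier may survive in the export."""
    return any(k in r for r in dataset for k in DIRECT_IDENTIFIERS)


def importer_can_reidentify(dataset: list[dict], known_person: dict) -> bool:
    """Simulates an importer or local authority that knows a person's identifiers
    but not the exporter's key: tries an unkeyed hash and an HMAC with an empty key."""
    material = json.dumps({k: known_person[k] for k in DIRECT_IDENTIFIERS}, sort_keys=True).encode()
    guesses = {
        hashlib.sha256(material).hexdigest(),
        hmac.new(b"", material, hashlib.sha256).hexdigest(),
    }
    return any(r["pseudonym"] in guesses for r in dataset)


if __name__ == "__main__":
    vault = ExporterVault()
    export = vault.pseudonymize(EXPORTER_RECORDS)
    print(json.dumps(export, indent=2))
    print("export leaks direct identifiers:", leaks_direct_identifiers(export))
    print("importer can re-identify Anna:", importer_can_reidentify(export, EXPORTER_RECORDS[0]))
    print("exporter re-identifies record 0:", vault.reidentify(export[0]))
```

The key and `lookup` table are what the EDPB means by "information needed for re-identification"; in production they would live in a key vault and a database under the exporter's control, with the key's storage location itself inside the EEA or an adequate country. If cross-batch linkability is not needed, random tokens instead of an HMAC remove even the theoretical risk of a key leak enabling bulk re-identification.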
In other words, the requirements for the supplementary measures are high. Above all, however, it remains open which measures, or which combinations of measures, provide sufficient protection under which circumstances. In this respect, the EDPB's recommendations are of little help to practitioners.