Jocelyn S Paulley
Partner
Co-leader of Retail & Leisure Sector (UK)
Co-leader of Data Protection and Cyber Security sector (UK)
Article
10
Following on from the landmark decision of the Court of Justice of the European Union ('CJEU') in Schrems II earlier this year, the European Data Protection Board ('EDPB') recently issued its guidance ("Guidance") on the measures that organisations should take to legitimise transfers of data to third countries (i.e. countries outside the UK and the European Economic Area that do not have an adequacy decision from the European Commission).
In Schrems II, the CJEU invalidated the EU-US Privacy Shield and held that organisations relying on the standard contractual clauses ("SCCs"), or other transfer tools under Article 46 GDPR such as binding corporate rules, for transfers of data to third countries must review the laws and practices of the data importer's country to assess whether such laws could undermine the protection to data subjects afforded by the SCCs. If the protection is not assessed to be adequate then data exporters must put in place additional safeguards in the SCCs. Whilst the assessment required was relatively clear (and the CJEU had done a worked example with the laws of United States), there was no indication of what the additional safeguards should be to address the CJEU's concerns.
The EDPB issued the Guidance with the objective of providing much needed clarity as to what those safeguards should be. Those who were expecting the EDPB to provide immediately actionable solutions are likely to be disappointed. Whilst the Guidance does provide a clear explanation of how data exporters should assess a third country's laws, the conclusions ultimately drawn by the EDPB leave data exporters with much to think about and may require significant change to current practices.
The Guidance is open to public consultation until 21 December 2020.
The Guidance breaks down the assessment of a third country's laws and identifying appropriate supplementary measures into six steps, as explained below.
No. | Action item | Explanation |
---|---|---|
1. | Know your transfers |
|
2. | Identify the transfer tools you are relying on |
|
3. | Article 46 assessment |
|
4. | Adopt supplementary measures |
|
5. | Procedural steps |
|
6. | Ongoing re-evaluation |
|
To assist organisations carrying out the assessment in step three (Article 46 Assessment) in the above table, the EDPB has separately published its guidance on the European Essential Guarantees for surveillance measures.
In this guidance, the EDPB sets out the core elements organisations should examine when assessing the level of interference with the fundamental rights to privacy and data protection. These elements are:
The European Commission has also published its draft new Standard Contractual Clauses for the transfer of personal data to third countries, which were open for consultation until 10 December 2020. Once approved, these will replace the previous SCCs used by organisations, and could become standard practice for transfers from the EEA to the UK if the European Commission rules that the UK is not an adequate country following Brexit (and if adopted by the Information Commissioner in the UK following Brexit) - see our latest guidance.
Whilst the Guidance explains the steps that organisations need to take in a clear and comprehensive manner, it reinforces the notion that Schrems II has presented a challenging legal framework for data exporters in relation to international transfer of data to a third country where that country does not have an adequacy decision. Carrying out the necessary third country law assessments and negotiating with data importers to put in place the relevant supplementary measures are likely to require much planning and thought, potentially with heightened cost implications.
An area which may be significantly affected by this framework is the transfer of data to group affiliates based in a third country for routine business needs (e.g. HR) and using service providers located in a third country (e.g. SaaS providers). The Guidance states that where the data importers need to use the data in unencrypted form and the level of protection in the third country is assessed to not be 'essentially equivalent' to that guaranteed in the EU, then the EDPB considers that no measures would be effective to prevent government access from infringing on the data subjects' rights.
With the end of the Brexit transition period looming, it is not yet clear as to how the Guidance will apply in the UK. The ICO stated that they are currently reviewing the Guidance and the recommendations on the European Essential Guarantees. The regulator's message to organisations for now is to take stock of the international transfers that are made and update such activities as guidance and advice become available. In terms of steps that organisations can take now, our recommendation is to make a start to the six steps outlined above, given the scale of the task this could pose.
If you would like to discuss how this development may impact you, please feel free to reach out to any members of our team.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.