An overview of Schrems II
Following on from the landmark decision of the Court of Justice of the European Union ("CJEU") in Schrems II (Case C-311/18, 16 July 2020), the European Data Protection Board ("EDPB") has issued its Recommendations 01/2020 on measures that supplement transfer tools (the "Guidance"). The Guidance addresses the measures organisations should take to legitimise transfers of personal data to third countries, i.e. countries outside the UK and the European Economic Area that do not benefit from an adequacy decision from the European Commission.
In Schrems II, the CJEU invalidated the EU-US Privacy Shield and held that organisations relying on the standard contractual clauses ("SCCs"), or on other transfer tools under Article 46 GDPR such as binding corporate rules, must review the laws and practices of the data importer's country to assess whether those laws could undermine the protection that the SCCs afford to data subjects. If that protection is assessed to be inadequate, data exporters must put in place supplementary measures in addition to the SCCs. Whilst the assessment required was relatively clear (the CJEU had itself worked through the example of the laws of the United States), the judgment gave no indication of what the supplementary measures should be in order to address the CJEU's concerns.
The EDPB issued the Guidance with the objective of providing much needed clarity as to what those safeguards should be. Those who were expecting the EDPB to provide immediately actionable solutions are likely to be disappointed. Whilst the Guidance does provide a clear explanation of how data exporters should assess a third country's laws, the conclusions ultimately drawn by the EDPB leave data exporters with much to think about and may require significant change to current practices.
The Guidance is open to public consultation until 21 December 2020.
Assessment - six-step procedure
The Guidance breaks the assessment of a third country's laws, and the identification of appropriate supplementary measures, into the six steps explained below.
Know your transfers
- Data exporters should identify all transfers of personal data to third countries and maintain a written record.
- The record should build on the existing records of processing activities under Article 30 GDPR.
- The record must include "onward transfers" (i.e. further transfers by a processor in a third country to its sub-processor in a third country).
Identify the transfer tools you are relying on
- Data exporters should identify the relevant transfer mechanism relied on for the international transfer as provided in the GDPR (e.g. SCCs).
Article 46 assessment
- If a transfer mechanism in Article 46 GDPR is relied on, then data exporters should assess whether the mechanism affords a level of protection in the third country that is 'essentially equivalent' to that guaranteed in the EU.
- The EDPB emphasises that this assessment is more than a routine exercise. Data exporters should engage with the data importers so that the importers provide information on the laws and practices that apply to them.
- Data exporters should also review for themselves publicly available legislation as well as information such as CJEU decisions, and resolutions and reports from organisations such as the Council of Europe and the UN.
- To assist organisations carrying out these assessments, the EDPB has separately published Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (discussed further below).
- If the outcome of the assessment is that effective protection cannot be guaranteed, either the data transfer should not proceed or supplementary measures should be adopted (explained in step four just below).
Adopt supplementary measures
- Data exporters should, in collaboration with the data importers, adopt supplementary measures to ensure that the data transferred to the third country is afforded the same level of protection as that within the EU.
- Identifying the appropriate balance requires reviewing all the factual circumstances of the international transfer, including the risk to data subjects.
- The supplementary measures may be technical (e.g. encryption), organisational (e.g. adoption of policies and best practices) or contractual in nature (e.g. an obligation on the importer to report government requests for access to the data).
- The Guidance provides examples of scenarios where effective supplementary measures could be adopted.
- Where data exporters are not able to implement effective supplementary measures, the transfer of data must not take place. Proceeding with such a transfer could result in the relevant supervisory authority imposing corrective measures (e.g. a fine).
Take any formal procedural steps
- Data exporters must take any formal procedural steps that the adoption of the supplementary measures may require. For example, where the supplementary measures would modify the SCCs themselves (rather than supplement them), the exporter needs authorisation from the competent supervisory authority before relying on them.
Re-evaluate at appropriate intervals
- Data exporters must monitor transfers of data on an ongoing basis, especially in relation to regulatory developments in the third country, and re-evaluate the level of protection at appropriate intervals. This type of continuous monitoring is enshrined in the GDPR principle of accountability.
European Essential Guarantees
To assist organisations carrying out the assessment in step three (Article 46 assessment) above, the EDPB has separately published Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.
In this guidance, the EDPB sets out the core elements organisations should examine when assessing the level of interference with the fundamental rights to privacy and data protection. These elements are:
- The processing should be based on clear, precise and accessible rules;
- The measures adopted must be necessary and proportionate with regard to the legitimate objectives pursued, and the necessity and proportionality of such measures need to be demonstrated;
- An independent oversight mechanism must be in place; and
- Effective remedies must be available to the data subjects.
The European Commission has also published its draft new Standard Contractual Clauses for the transfer of personal data to third countries, which were open for consultation until 10 December 2020. Once approved, these will replace the previous SCCs used by organisations. They could also become the standard tool for transfers from the EEA to the UK if the European Commission does not grant the UK an adequacy decision following Brexit (and, if the Information Commissioner adopts them, for transfers out of the UK) - see our latest guidance.
What could this mean for you?
Whilst the Guidance explains the steps that organisations need to take in a clear and comprehensive manner, it reinforces the notion that Schrems II has presented a challenging legal framework for data exporters in relation to international transfers of data to third countries that do not have an adequacy decision. Carrying out the necessary third-country law assessments and negotiating with data importers to put in place the relevant supplementary measures are likely to require much planning and thought, potentially with heightened cost implications.
An area which may be significantly affected by this framework is the transfer of data to group affiliates based in a third country for routine business needs (e.g. HR) and the use of service providers located in a third country (e.g. SaaS providers). The Guidance states that where the data importer needs to access the data in unencrypted (clear) form, and the level of protection in the third country is assessed not to be 'essentially equivalent' to that guaranteed in the EU, the EDPB cannot envisage any technical measure that would effectively prevent government access from infringing the data subjects' rights.
With the end of the Brexit transition period looming, it is not yet clear how the Guidance will apply in the UK. The ICO has stated that it is currently reviewing the Guidance and the recommendations on the European Essential Guarantees. The regulator's message to organisations for now is to take stock of the international transfers they make and to update those activities as guidance and advice become available. In terms of steps that organisations can take now, our recommendation is to make a start on the six steps outlined above, given the scale of the task this could pose.
If you would like to discuss how this development may impact you, please feel free to reach out to any members of our team.