This week, the European Data Protection Board (EDPB) released its long-awaited recommendations for assessing and protecting cross-border data transfers in line with EU privacy law. The 2-part recommendations outline a roadmap for businesses that wish to export data from the EU to any third country (like the US).
This blog post provides guidance to US businesses in navigating the EDPB’s roadmap.
Background on the EDPB’s Recommendations
Earlier this year, we reported on the Court of Justice of the European Union’s (CJEU) unexpected invalidation of the EU-US Privacy Shield Framework.
Companies that relied on the Privacy Shield were forced to find alternative data transfer mechanisms, with many falling back on the CJEU-approved Standard Contractual Clauses (SCCs). The CJEU decision foreshadowed that data exporters would need to implement supplementary measures where the effectiveness of the SCCs was undermined by a third country’s surveillance and government access laws or practices.
Businesses to Comply with the EDPB’s Recommendations
If you collect information from or about European Union (EU) residents for your own business purposes (i.e., not on behalf of your customers), you will want to follow the six-step process outlined in the EDPB recommendations.
If you collect or process information from or about EU residents on behalf of your customers, then you should be aware that this is the process your customers will be undertaking before they contract with U.S.-based businesses. Be prepared to discuss adding additional safeguards to your contracts and your processes in accordance with the supplementary measures outlined in Step 4 below.
An Overview of the EDPB’s Recommendations
The First Set of EDPB Recommendations
The EDPB’s first guidance document is designed to help exporters assess data protection in third countries and to take appropriate action (as required) to ensure that the protection granted to EU residents’ personal data is not undermined or watered down when that data is transferred to third countries. Its title is quite a mouthful, ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’, so we’ll refer to these as the ‘first set of recommendations’ throughout this article.
The EDPB notes that data exporters should read the recommendations with the understanding that ‘an essentially equivalent level of protection to that guaranteed within the EU must accompany the data’ when it leaves the EU. The level of protection referred to is that set out in the EU’s General Data Protection Regulation (the GDPR).
The Second Set of EDPB Recommendations
The Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (the second set of recommendations) clarifies the EU’s position on assessing the ‘proportionality’ of a third country’s surveillance and government access laws. We’ll outline this further under Step 3 of the section below.
Practical Guidance on the EDPB’s Roadmap for Data Transfers
The EDPB outlined six steps to compliance with EU regulations in its first set of recommendations. They are:
Step 1: Know your transfers.
This step requires data exporters to complete a mapping exercise. All data exporters should have a clear overview of where all data they collect and process is transferred, as well as the content and scope of any personal data transfers.
Bear in mind that access from a third country (such as storage in the cloud outside the EU) constitutes a transfer.
First, define the third countries involved in your data transfer.
The ‘map’ should outline the recipient country (or countries). The list should also include all of the third-party processors you use to manage your data transfers.
The EDPB notes that this includes remote access from third-country providers, like tech support, cloud storage solutions, or administrative service providers.
Second, determine the scope and content of the data being transferred.
Personal data collected and transferred within the EU is subject to a data minimization clause outlined in the GDPR. It states that personal data processed by businesses shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (Article 5(1)(c)).
Similarly, data exporters should verify that the data they transfer is limited to only what is necessary for the purposes for which it is being transferred.
Step 2: Verify your transfer tools.
This step requires data exporters to confirm that they have a legitimate data transfer mechanism for the transfer of data from the EU to any other country. The legal mechanisms for legitimate transfers out of the EU are outlined in Chapter V of the GDPR.
In practice, these include: adequacy decisions, standard contractual clauses (SCCs), ad hoc contractual clauses, binding corporate rules, codes of conduct, and certification mechanisms. There are also rules that apply on a case-by-case basis in circumstances that are occasional and non-repetitive. These are known as derogations, and they include consent, public interest, or where the transfer is necessary for legal claims, or the conclusion or performance of a contract.
Article 45: Transfers on the basis of an adequacy decision
As an aside, while transfers on the basis of an adequacy decision are commonly used in some jurisdictions around the world, this transfer mechanism does not currently apply to the US.
An adequacy decision means that where a recipient country has been deemed by the EU to have adequate protections in place, no further assessment needs to be undertaken (assuming that country is the sole destination in the data transfer journey).
At the time of publication, there are just 12 countries on the EU’s ‘adequate’ list. They are: Andorra, Argentina, Canada (commercial organizations only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. There are ongoing discussions between the EU and South Korea.
This list is subject to change at any time and you should monitor it on an ongoing basis. You can find information about the EU’s Adequacy Decisions here.
Step 3: Assess the law or practice in third country recipients.
Simply having a legitimate transfer tool in place is not sufficient. You must also consider whether the level of protection offered under the GDPR may be undermined by the transfer.
Where the recipient country is not on the list of countries with adequate protections, a risk assessment for the data transfer must be performed. The following factors need to be considered (in order of weight):
- Local legislation;
- Current practices within the jurisdiction;
- Other relevant factors.
At this juncture, you’ll need to consider the second set of recommendations from the EDPB wherein the European Essential Guarantees are outlined. They are:
- Processing should be based on clear, precise and accessible rules.
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
- An independent oversight mechanism should exist.
- Effective remedies need to be available to the individual.
Practically speaking: The EDPB expressly states that Section 702 of the US FISA “does not respect the minimum safeguards resulting from the principle of proportionality under EU law and cannot be regarded as limited to what is strictly necessary.” This means that if you are subject to Section 702 of FISA, you will likely need to implement supplementary measures to ensure that the data provided will not suffer any erosion of data rights when it moves to the US.
Step 4: Identify and adopt supplementary measures.
In circumstances where there are potential shortcomings in the third country’s practices, data exporters should implement measures that strengthen the protection of the data being transferred. In the recommendations, the EDPB cautions that it may not be possible to implement sufficient supplementary measures in every case, in which case transfers might not be possible.
In any event, as a data importer, you will need to consider supplementary measures if your case-by-case risk assessment reveals that they are necessary.
A non-exhaustive list of potential supplementary measures is outlined in Annex 2 of the EDPB Recommendations. They include:
- Technical measures, like encryption (with encryption keys kept beyond the reach of relevant public authorities), multi-party processing, and pseudonymization that does not permit re-identification of data.
- Contractual safeguards, including commitments to provide transparency and notice about government access requests, commitments to review and challenge such requests, and enhanced rights for data exporters to audit data importers.
- Organizational measures, such as accountability and transparency measures, staff training, internal policies, and a culture of data minimization.
Step 5: Seek authorization, as required.
The rights of data subjects cannot be limited by any additional clauses added to the SCCs or to any other transfer mechanism.
This means that if you intend to rely on supplementary measures that contradict (directly or indirectly) the SCCs, you need to seek authorization from an approved supervisory body.
Measures that supplement (and strengthen) the SCCs do not require scrutiny from an approved body.
Step 6: Re-evaluate the level of protection at appropriate intervals.
Your obligation to comply with EU privacy law is ongoing. This means data exporters must continuously monitor developments in both the EU and any third country data recipients and respond accordingly to any changes.
Where any breach occurs or where the supplementary measures are no longer effective, the data transfers must be suspended or ended immediately. It is your responsibility to put appropriate measures in place to ensure this occurs.
The EDPB Recommendations in Practice
This guidance places onerous demands on US companies that rely on a flow of data between the US and the EU. It is not yet set in stone, with public comments being taken through November 30. But it is effective as of November 11, so you will need to act in compliance with the guidelines immediately.
For further guidance, don’t hesitate to reach out. We’re here to help.
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.