Analysis: “The reset of international data transfers following the publication of EDPB guidance” by Diana Calciu and Hélène Blaison
Last week, the European Data Protection Board (‘EDPB’) released guidelines on a highly topical and sensitive matter: the transfer of personal data outside the EU.
This Analysis takes a closer look at how EU law frames and regulates the processing of personal data of individuals in the EU, and explains the latest developments on the matter.
How does the EU regulate Europeans’ personal data?
The General Data Protection Regulation (‘GDPR’) is the current legal framework governing, among other things, the transfer of personal data of individuals in the EU to third countries. It was adopted by the European Parliament on 14 April 2016 and has applied since 25 May 2018. It was designed to harmonise data protection law across the Member States and to give individuals greater protection and rights. The Regulation is widely viewed as the toughest privacy and security law in the world, because it imposes numerous obligations on organisations which process the personal data of people in the EU, regardless of whether the processing takes place in the Union or not.
One crucial component of the GDPR is Chapter V, which governs transfers of personal data to third countries or international organisations. Under this chapter, three different mechanisms are set out for companies that wish to transfer the personal data of their clients, suppliers or staff outside the EEA.
The first is an Adequacy Decision (Article 45), by which the European Commission decides that a third country ensures a level of protection essentially equivalent to that guaranteed within the EU. Once an Adequacy Decision has been adopted, companies can transfer personal data to that country without any specific authorisation.
If there is no Adequacy Decision, a company can still transfer the data of its clients by providing ‘appropriate safeguards’ (Article 46), which consist mainly of Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), but can also include approved codes of conduct or certification mechanisms. Only some of these safeguards involve a supervisory authority beforehand: BCRs must be approved by the competent data protection authority, and ad hoc contractual clauses require its authorisation, whereas the Commission’s SCCs can be used without any specific authorisation.
Finally, Article 49 of the GDPR provides a third mechanism, entitled ‘Derogations for specific situations’, which applies only under very limited conditions and mainly for occasional, non-repetitive transfers: for example, transfers necessary for important reasons of public interest, for the establishment, exercise or defence of legal claims, or to protect the vital interests of the data subject, as well as transfers based on the data subject’s explicit consent.
Chapter V is the most sensitive and therefore most contentious part of the GDPR. Since it regulates the processing of personal data beyond the territory of the EU, Chapter V must strike a balance between the needs of people in the EU who seek protection for their data and those of companies for which data processing and transfer is a fundamental aspect of their business. For these reasons, the EU rules on international transfers (first under Directive 95/46/EC, now under the GDPR) gave rise to lawsuits that reached the Court of Justice of the European Union (‘CJEU’), which issued two major judgments: Schrems I (C-362/14) and Schrems II (C-311/18).
What were the Schrems judgments about?
Maximilian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. On 25 June 2013, he lodged a complaint with the Irish Data Protection Commissioner, on the grounds that US law did not offer sufficient protection against surveillance by the US public authorities of the data transferred there.
The complaint led to a first CJEU judgment, by which the Court held that the EU-US Adequacy Decision (‘the Safe Harbour Decision’), on the basis of which Mr Schrems’ and other EU residents’ personal data were transferred, was invalid. The judgment, known as Schrems I, was rendered on 6 October 2015. The legal dispute did not stop there, for two reasons:
- Facebook continued to transfer personal data to the US, this time based on Standard Contractual Clauses (SCCs). As a reminder, SCCs are model clauses adopted by the European Commission, which decides that they offer sufficient safeguards for data to be transferred internationally; they were already available under Directive 95/46/EC and are now the main ‘appropriate safeguard’ under Article 46 GDPR. The Commission has so far issued three sets of SCC templates. The latest set, adopted in 2010 (Decision 2010/87/EU, for transfers from controllers to processors), is the legal framework under which Facebook carried out the transfer of personal data to the US.
- Following the annulment of the Safe Harbour Decision, the Commission adopted a second Adequacy Decision for the US in July 2016 (‘the EU-US Privacy Shield Decision’), thereby re-enabling companies to transfer personal data to self-certified US organisations under the first mechanism.
After having scrutinised these two data transfer tools adopted by the Commission, the CJEU handed down its judgment (‘Schrems II’) on 16 July 2020. The Court declared the Privacy Shield Decision invalid in its entirety but upheld the validity of the 2010 SCC Decision.
The Court considered that the Privacy Shield Decision did not ensure a level of protection essentially equivalent to that required by the GDPR, read in the light of the Charter of Fundamental Rights, for two main reasons. Firstly, the US surveillance programmes examined by the Court (in particular those based on Section 702 FISA and Executive Order 12333) are not circumscribed by limitations and guarantees that confine the interference with data subjects’ rights to what is strictly necessary and proportionate. Secondly, US law does not grant data subjects whose data is transferred rights that are actionable against the US authorities before the courts, and the Privacy Shield Ombudsperson mechanism does not make up for this, so that non-US persons have no effective judicial remedy.
As for the SCC Decision of 2010, the Court upheld it because the clauses impose on the data exporter and the data importer an obligation to verify, prior to any transfer, whether the law of the third country allows the level of protection required by EU law to be respected, and an obligation to suspend or end the transfer if that level of protection cannot be, or is no longer, ensured. The Court also stressed that supervisory authorities must suspend or prohibit transfers to a third country where they take the view that the clauses cannot be complied with there.
What has Schrems II changed for the transfer of personal data outside the EU?
The Court’s judgment is fundamental for EU companies because they can no longer legally transfer data to the US based on the Privacy Shield mechanism. Companies that wish to continue transferring data to the US must now rely on the other two mechanisms provided for in the GDPR – the specific derogations set out by Article 49 and the appropriate safeguards of Article 46 including the standard contractual clauses (‘SCCs’).
A transfer under Article 49 is conceivable, but the restrictive character of the provision must be taken into account: the derogations are meant for occasional transfers and cannot form the basis of a systematic flow of data. A transfer under Article 46 is also still possible but must now incorporate the Schrems II ruling. This means that, when using SCCs, the data exporter and the data importer have to assess, prior to any transfer, whether the law and practice of the third country allow an essentially equivalent level of protection to be ensured in practice. Depending on the outcome of that assessment, the transfer may then require the adoption of ‘supplementary measures’ by the exporter to bring the level of protection up to the standard guaranteed within the EU.
Schrems II was handed down in July, and for several months companies were left uncertain as to what the Court meant by ‘supplementary measures’. It was not until 10 November 2020 that the EDPB adopted specific recommendations (Recommendations 01/2020 on measures that supplement transfer tools, published on 11 November and released for public consultation) on what these measures could consist of and how businesses should put them into practice.
The new practical recommendations of the EDPB
The guidelines provide data exporters with a six-step roadmap and some examples of supplementary measures. As first steps, the EDPB advises data exporters to map all transfers of personal data outside the EEA (including onward transfers by their processors) and to verify which transfer tool, among those listed in Chapter V of the GDPR, each transfer relies on. If the European Commission has already declared the destination country adequate, no further step is required as long as that decision remains in force. In the absence of an adequacy decision, however, a crucial third step is required.
This step consists of assessing whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tool relied on, in the context of the specific transfer. This step is fundamental: if the assessment reveals that the third country does not ensure an essentially equivalent level of protection, the transfer tool alone is no longer sufficient and the transfer must be suspended, or not started, unless effective supplementary measures can be put in place. Where the concern is access to the data by public authorities, the EDPB’s separate recommendations on the European Essential Guarantees for surveillance measures set out the benchmarks against which the applicable law must be examined to determine whether it interferes with the data importer’s ability to ensure essential equivalence.
If that is the case, a fourth step is needed: identifying and adopting supplementary measures. These measures can be contractual, technical or organisational. The technical measures are the most important, as the EDPB considers that there will be situations where only technical measures can prevent, or render ineffective, access by the third country’s public authorities to the personal data. The EDPB’s underlying aim is to identify technical measures which prevent the authorities from identifying the data subjects and inferring information about them. Two further steps complete the roadmap: taking any procedural steps that the chosen measures require (for instance, where SCCs are modified), and re-evaluating the level of protection at appropriate intervals.
Technical measures are especially relevant for US data transfers, as the EDPB states that, where the data importer falls under Section 702 FISA, SCCs can be relied upon only if supplementary technical measures make access to the transferred data by the US authorities impossible or ineffective. The EDPB describes three main types of technical measure: encryption (with the keys held solely under the control of the exporter or another entity in the EEA or in an adequate country), pseudonymisation (with the additional information needed for re-identification held exclusively in the EEA) and split or multi-party processing. For each type, the recommendations lay down conditions that the data exporter must meet. It is also worth noting that the EDPB sets out use cases where no technical measure would be effective, such as transfers to cloud service providers or other processors which require access to the data in the clear, or remote access by an importer for business purposes.
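Of the three technical measures, pseudonymisation is the one that can be shown in a few lines of standard-library Python. The block below is an added illustration written for this page; it is not code from the article or from the EDPB, and the records, field names and candidate list are constructed. It contrasts an unkeyed hash of an e-mail address, which an importer or authority holding a list of plausible addresses can reverse simply by recomputing it, with an HMAC under a secret key that never leaves the exporter in the EEA: the exporter keeps a re-identification table and can reverse the mapping, while the importer cannot.

```python
"""Keyed pseudonymisation of an identifier before export, with the key and the
re-identification table kept in the EEA.

Added illustration for this page (not the article's or the EDPB's own code).
Record contents, field names and the candidate list are constructed examples.
Standard library only: hashlib, hmac, secrets.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

Record = Dict[str, object]

# Constructed sample records held by the EEA data exporter (not real people).
EEA_RECORDS: List[Record] = [
    {"email": "anna@example.eu", "purchase": 42.50},
    {"email": "bram@example.eu", "purchase": 17.00},
    {"email": "anna@example.eu", "purchase": 9.99},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Anyone can recompute it, so for low-entropy identifiers such as e-mail
    addresses it is reversible by trying candidates (see dictionary_attack).
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key held by the exporter.

    Without the key the pseudonym cannot be recomputed, so a candidate list
    gives an importer or third-country authority nothing to match against.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_export(records: List[Record], key: bytes) -> Tuple[List[Record], Dict[str, str]]:
    """Split records into the dataset that leaves the EEA and the
    re-identification table that stays with the exporter.

    Exported rows carry only the pseudonym and the non-identifying
    attributes; the direct identifier never leaves the exporter.
    """
    exported: List[Record] = []
    lookup: Dict[str, str] = {}
    for record in records:
        email = str(record["email"])
        pseudonym = keyed_pseudonym(email, key)
        exported.append({"pseudonym": pseudonym, "purchase": record["purchase"]})
        lookup[pseudonym] = email
    return exported, lookup


def reidentify(pseudonym: str, lookup: Dict[str, str]) -> Optional[str]:
    """Re-identification, possible only for whoever holds the lookup table
    (or the key, from which the table can be rebuilt)."""
    return lookup.get(pseudonym)


def dictionary_attack(pseudonym: str, candidates: List[str],
                      compute: Callable[[str], str]) -> Optional[str]:
    """Model an importer or authority that holds a list of plausible
    identifiers and matches each against a pseudonym using whatever
    pseudonymisation function it is able to run."""
    for candidate in candidates:
        if hmac.compare_digest(compute(candidate), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored only in the EEA
    exported, lookup = prepare_export(EEA_RECORDS, key)
    # Constructed list of addresses an adversary might plausibly try.
    candidates = ["bram@example.eu", "anna@example.eu", "carl@example.eu"]
    print("exported row:", exported[0])
    print("exporter re-identifies:", reidentify(str(exported[0]["pseudonym"]), lookup))
    print("attack on unkeyed hash:",
          dictionary_attack(naive_pseudonym("anna@example.eu"), candidates, naive_pseudonym))
    print("attack on keyed pseudonym without the key:",
          dictionary_attack(str(exported[0]["pseudonym"]), candidates, naive_pseudonym))
```

Pseudonymisation counts as an effective supplementary measure only under the conditions the EDPB attaches to it: the key and the re-identification table stay exclusively with the exporter or another entity in the EEA, and the remaining attributes must not allow the importer or the authorities to single out individuals. In the sample, the same pseudonym recurs for repeated purchases by one person, so the exported rows are linkable by design; whether that linkability, combined with amounts, dates or other fields, still allows identification has to be assessed against the actual dataset.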
Contractual and organisational measures are of lesser importance, given that by their nature they cannot bind the third country’s authorities. The EDPB therefore views them as complementary to the technical measures. Contractual measures can consist of transparency obligations (for example, a duty to inform the exporter of access requests and to publish transparency reports) or obligations which help data subjects to exercise their rights, while organisational measures can include internal policies within groups of enterprises, governance of access to the data and documentation of access requests.
The adoption of the guidelines is a positive step towards a clearer legal framework under which personal data of Europeans can be processed and transferred. Yet the guidelines also imply a considerable amount of work on the part of organisations, which must review all their existing data transfer contracts involving third countries and verify for each one that a sufficient level of protection is ensured, including, if necessary, taking the ‘supplementary measures’. Thus, the implementation of these guidelines could be considerably time-intensive and costly for businesses, especially for those which do not have a dedicated legal department. Due diligence and accountability will be key to ensure compliance, and pre-empt complaints and risks of sanctions by national data protection authorities.
The EDPB recommendations apply to all transfers made under Article 46 GDPR, but they were primarily intended to address EU-US transfers following the annulment of the Privacy Shield Decision. More than 5,000 US companies relied on it to receive data from the EU. For companies involved in US transfers, the best way out would be the adoption of a new Adequacy Decision. The European Commission and the US Department of Commerce have reportedly started discussions to that end, but no timeline has been set.
From the Commission’s perspective, however, it seems clear that a new Adequacy Decision cannot provide an immediate response to the current situation. The institution would not risk rushing into drafting and negotiating an arrangement with the US for the third time, having seen both the Safe Harbour and the Privacy Shield decisions annulled by the Court. The alternative transfer mechanisms of Articles 46 and 49 therefore remain the EDPB’s primary focus, while the discussions on a new Adequacy Decision are driven by a longer-term view. Even if such a decision is adopted by the Commission in the coming years, it will not be immune from a third challenge before the Court, given the CJEU’s strong scepticism about the level of protection afforded by US law.
Diana Calciu is a Senior Regulatory Lawyer advising on tech regulation in an international business law firm. Hélène Blaison is studying for a Master’s Degree in Economic law at Sciences Po Paris, and currently doing her traineeship in the same business law firm.