On June 21, 2021, following a public consultation, the European Data Protection Board (“EDPB”) published the final version of its recommendations on supplementary measures in the context of international transfer safeguards, such as Standard Contractual Clauses (“SCCs”) (the “Recommendations”).
The EDPB released its first draft of the Recommendations in November 2020, following the Schrems II judgement. In that case, the Court of Justice of the European Union required organizations relying on appropriate safeguards, such as the SCCs, under Article 46 of the EU General Data Protection Regulation (“GDPR”) to transfer personal data outside the European Economic Area (“EEA”) to verify, on a case-by-case basis, whether the law of the destination country ensures a level of protection for the personal data that is essentially equivalent to that in the EEA. If the level of protection is not essentially equivalent, organizations must assess whether supplementary measures should be implemented.
The final Recommendations retain the six-step process set forth in the first draft of the Recommendations, as described below:
Map Data Transfers
Organizations should map their data transfers, keeping in mind that access from a third country (e.g., storage in the cloud outside the EU) constitutes a transfer, and verify that the data transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred. The mapping exercise should include onward transfers made by processors to whom data is disclosed.
Identify Data Transfer Mechanisms
Organizations should identify the data transfer mechanism relied on under Chapter V of the GDPR, if necessary. Mechanisms such as the SCCs and Binding Corporate Rules should be used for regular, repetitive transfers. While the first draft of the Recommendations stated that the derogations under GDPR Article 49, such as consent or contractual necessity, should only be used for occasional and non-repetitive transfers, and interpreted restrictively, the final draft Recommendations provides a slightly broader scope. The Recommendations state that the derogations must be used: “in a way which does not contradict the very nature of the derogations as being exceptions from the rule…Derogations cannot become “the rule” in practice, but need to be restricted to specific situations.”
Assess Legal System of Recipient Country
It is important to assess whether the transfer mechanism is effective in protecting data in the context of the specific data transfer and the law or practice of the destination country, in particular whether any law would prevent the data importer from complying with its obligations under the relevant transfer mechanism (e.g., to process personal data only in accordance with the instructions of the data exporter).
Organizations should also consider any onward transfers that may be made, and the final Recommendations add that the assessment should address the effectiveness of the mechanism both while the data is in transit and on arrival in the destination country.
Further, the final Recommendations add that an organization’s assessment must consider access to data by public authorities in the destination country, including whether authorities may seek access to the data with or without the importer’s knowledge, and whether access may be sought through telecommunication providers/communication channels in light of authorities’ powers and resources (as well as reported precedent of such access). The assessment should examine the applicability of these laws and practices in the context of the specific data transferred.
In an important softening of the EDPB’s original position, the final Recommendations note that where the powers of authorities under the importing jurisdiction’s laws “restrict the fundamental rights of data subjects while respecting their essence and being necessary and proportionate measures in a democratic society to safeguard important objectives,” they might not impinge on the protections under the transfer tool relied on. Exporting organizations must verify whether the relevant laws of the destination country impinge on the ability of data subjects to exercise their rights under the transfer mechanism in practice. Organizations also should use the EU Charter of Fundamental Rights as a reference when establishing whether authorities’ powers to access data exceed what it necessary and proportionate, and whether data subjects have effective redress.
The final Recommendations also identify instances in which examining the practices of public authorities in force in the destination country will be particularly important, such as where the practices of public authorities clearly indicate that they do not normally comply with legislation that formally meets EU standards on fundamental rights in principle. Where the importing jurisdiction has potentially problematic laws in place but the data exporter does not expect such laws to be applied to the transferred data in practice and therefore continues with the transfer, the exporter will need to document this assessment.
When assessing the risk related to the relevant transfers, organizations must use relevant, objective, reliable, verifiable and publicly available information. Organizations may also take into account the documented practical experience of the data importer with respect to prior requests for access, although the absence of such requests alone should not be considered decisive in establishing the effectiveness of an Article 46 transfer mechanism.
Consider Supplementary Measures
If the legal assessment concludes that the third country’s legislation impinges on the effectiveness of the Article 46 GDPR transfer safeguards relied upon, organizations should implement supplementary measures to ensure a level of protection that is essentially equivalent to that under EU law. Possible measures include technical measures (such as encryption), contractual measures (such as reinforced power for the data exporter to conduct audits of the data importer) and organizational measures (such as adoption of internal policies with clear allocation of responsibilities for data transfers).
Address Formalities
Organizations should take any formal procedural steps that the adoption of supplementary measures may require, such as seeking authorization from the competent supervisory authority if the organization intends to modify the SCCs.
Keep Data Transfer Arrangements Under Review
The final Recommendations also outline the important of re-evaluating data transfer arrangements at appropriate intervals and monitoring any developments that may affect them.
Maintaining the free-flow of data between the EU and U.S. has become more difficult following the Schrems II case. While the final Recommendations still require organizations to analyze applicable laws in the importing jurisdiction and to assess the data flows in some detail, they helpfully permit organizations to apply a subjective approach to the assessment of whether the level of protection is essentially equivalent. This does not remove the need for careful analysis, but does permit exporters to take into account the actual experience of particular data importers in assessing whether they are subject to government access requests.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code