On 11 November 2020, the European Data Protection Board (the "EDPB") published for public consultation new Recommendations 01/2020 on the measures to be taken to supplement the personal data transfer tools organisations currently rely upon to ensure compliance with EU data protection laws when transferring personal data from Europe (the "Recommendations").
The Recommendations describe the steps that businesses must now take to determine whether they need to put in place supplementary measures to transfer personal data outside the European Economic Area (the "EEA") in accordance with the General Data Protection Regulation 2016/679 (the "GDPR"). The Recommendations are particularly relevant for businesses that rely on the standard contractual clauses, binding corporate rules or other "appropriate safeguards" in Article 46(2) of the GDPR to transfer personal data outside the EEA to jurisdictions that the European Commission has not determined offer adequate data protection.
These Recommendations make it harder for organisations to transfer and process European personal data outside of Europe, because they require an assessment of the local law in the jurisdiction to which the European personal data is transferred and, where that law falls short, the implementation of supplementary (in practice, mostly technical) measures for such transfers. The Recommendations may ultimately lead to organisations having to keep more European personal data in Europe.
The Recommendations are immediately effective but are open for public consultation until 30 November 2020. They are applicable to the United Kingdom and may have to be considered for transfers of personal data from the EEA to the UK following the end of the Brexit transition period if the European Commission does not make an adequacy decision for the UK.
Summary
The Recommendations may mean that personal data cannot be transferred to controllers or processors in jurisdictions outside of the EEA that require access to the personal data in the clear, or access to the encryption keys with which the encrypted personal data can be decrypted (i.e. those controllers or processors that must decrypt the personal data in the third country in order to analyse or otherwise process it, in circumstances where it is not possible to pseudonymise or split the data so that it can no longer be attributed to a specific data subject or used to single out a data subject within a group).
Organisations (data exporters) that transfer personal data from Europe to recipients (data importers) located outside of Europe may only do so under the GDPR if the recipient is located in a country which the European Commission has determined offers adequate data protection, if appropriate safeguards are in place or where a derogation applies under the GDPR.
Businesses relying on standard contractual clauses, binding corporate rules or other Article 46(2) GDPR "appropriate safeguards" are required to conduct an assessment of the local law in the jurisdiction to which they are transferring the personal data. If businesses conclude, taking into account, in particular, the case law of the Court of Justice of the European Union and the European Court of Human Rights and the applicable guidance from the EDPB, that the power granted to public authorities to access the transferred data in that jurisdiction "goes beyond what is necessary and proportionate in a democratic society", then the transfer can only occur if the implementation of "supplementary measures" will prevent the public authorities in that jurisdiction from having access to the European personal data.
If the implementation of these supplementary measures is not technically possible or practicable, then the personal data transfer is unlikely to comply with the GDPR, unless one of the limited derogations in Article 49(1) GDPR can be relied upon. In other words, the EDPB suggests that some types of personal data transfers to certain jurisdictions cannot be compliant with the GDPR even if they are subject to the standard contractual clauses or the binding corporate rules.
The Recommendations state that additional contractual measures in the contract between the data exporter and the data importer cannot necessarily be relied upon to ensure that the transfer meets the essential equivalence standard that the GDPR requires, because they do not bind the authorities of the third country. However, the EDPB gives some examples of contractual measures in Annex 2 of the Recommendations that businesses might wish to implement in the contract with the data importer to assist compliance with their data protection obligations.
A central challenge for businesses will be to identify those jurisdictions that receive European personal data with a legal regime that provides public authorities with general and indiscriminate access to the transferred data for surveillance purposes (contrary to the principle of necessity and proportionality), and/or without an impartial oversight mechanism provided by a judge or another independent body. Without further guidance from the EDPB, this can result in a costly data compliance exercise for businesses and a patchwork of inconsistent conclusions from controllers and processors with regards to the local law analysis required under the Recommendations.
As a result of the Recommendations, we may see an increasing number of businesses relying on Article 49(1)(a) GDPR, i.e. explicit and informed consent specific to the personal data transfer, for transferring personal data to jurisdictions which are not deemed to offer an adequate level of data protection by the European Commission. Obtaining a valid consent for international personal data transfer is difficult and will not be appropriate in all circumstances (for example, in an employer-employee relationship). Businesses wishing to rely on this option might wish to consult the EDPB's Guidelines 2/2018 on derogations of Article 49 GDPR, which remain valid and unchanged according to the EDPB.
The EDPB announced it would publish the Recommendations following the judgment of the Court of Justice of the European Union of 16 July 2020 which invalidated the EU-US Privacy Shield and required parties using the standard contractual clauses as a tool to transfer personal data to third countries to assess if the personal data would be afforded an adequate level of data protection (for a further analysis of the judgment see our client alert and further commentary).
In the judgment, the Court noted that due to their contractual nature, standard contractual clauses cannot bind public authorities of third countries, since they are not party to the contract. Consequently, data exporters may need to supplement the guarantees contained in those standard contractual clauses with "supplementary measures" to ensure compliance with the level of protection required under EU law in a particular third country.
The Recommendations outline six steps that businesses should take to assess if "supplementary measures" are required for a particular transfer, and to identify appropriate supplementary measures so that the personal data is afforded an adequate level of data protection in the country where the data is being transferred to. Although they do not have legislative status, the Recommendations have been endorsed by the data protection supervisory authorities in the EEA (whose representatives make up the EDPB) and, in the absence of further case law from the courts, they are likely to be used by the supervisory authorities to interpret GDPR obligations relating to international personal data transfers.
The six steps
1. Know your transfers
- Businesses should map all international personal data transfers (including any onward transfers of personal data by their processors to sub-processors).
- Businesses should also verify that the personal data they transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred and processed in the third country (the data minimisation principle).
2. Identify the tool the transfer relies on
- Businesses must identify the appropriate transfer tool in Chapter 5 of the GDPR that they rely on for the international personal data transfer, such as:
- an adequacy decision by the European Commission [1];
- an appropriate safeguard in Article 46(2) of the GDPR (e.g. standard contractual clauses or binding corporate rules); or
- one of the limited derogations for specific situations in Article 49(1) of the GDPR.
- Businesses that rely on Article 46(2) GDPR appropriate safeguards for transfers of personal data outside the EEA need to continue with steps 3 to 6 below. Importantly, these further steps are not applicable to transfers which are subject to an adequacy decision or which rely on the derogations for specific situations in Article 49(1) GDPR.
3. Assess if the "appropriate safeguard" the business is relying on is effective in light of all circumstances of the transfer
- The Recommendations are clear that selecting an Article 46(2) GDPR "appropriate safeguard" such as the standard contractual clauses may not be enough. Businesses must assess if there is anything in the domestic legal order of the jurisdiction to which data is transferred that may impinge on the effectiveness of the appropriate safeguards for the specific transfer.
- The EDPB recommends referring to its European Essential Guarantees recommendations to determine whether the legal framework governing access to personal data by public authorities in a third country, being national security agencies or law enforcement authorities, can be regarded as a justifiable interference (and therefore as not impinging on the commitments taken in the appropriate safeguard) or not.
- The EDPB suggests that the appropriate test is if the power granted to public authorities of the recipient country to access the transferred data "goes beyond what is necessary and proportionate in a democratic society".
4. Identify and adopt supplementary measures
- If the "appropriate safeguard" adopted for the transfer is not effective on its own, businesses must consider if any supplementary measures exist, which, when added to the appropriate safeguards, could ensure that the transferred data is afforded a level of protection required under the GDPR.
- The supplementary measures may have a contractual, technical or organisational nature, but the EDPB notes that there will be situations in which only technical measures might impede or render ineffective access by public authorities in third countries to personal data, in particular for surveillance purposes. The Recommendations include a non-exhaustive list of supplementary measures which might be adopted for different transfers in Annex 2.
- Where businesses are not able to find or implement effective supplementary measures that ensure that the transferred personal data enjoys an essentially equivalent level of protection, they should not start transferring personal data to the third country concerned on the basis of the Article 46(2) GDPR appropriate safeguard. If the business is already conducting transfers and none of the derogations in Article 49(1) GDPR applies, the business is required under the Recommendations to suspend or end the transfer of personal data to the third country.
5. Take formal procedural steps
- If the business has identified effective supplementary measures to be put in place, these measures should be adopted and documented, for example, by supplementing the standard contractual clauses with the additional requirements (provided that the additional requirements do not contradict the standard contractual clauses).
6. Re-evaluate the analysis at appropriate intervals
- The EDPB states that businesses must monitor, on an ongoing basis, developments in the jurisdiction to which they have transferred personal data that could affect their initial assessment of the level of protection. For example, if a new data protection or national security law has been passed in the jurisdiction, it might be necessary to repeat the assessment described in step 3 above.
The EDPB gives five examples of personal data transfers which, together with supplementary measures, might offer an adequate level of data protection:
- Encrypted data storage in a third country for backup and other purposes which does not require access to data in the clear and the encryption keys are retained solely under the control of the EEA data exporter.
- Transfer of pseudonymised data where only the EEA data exporter has the key to allow a third party to attribute the personal data to an identified or identifiable natural person (and not even the public authorities in the third country can attribute the personal data to an identified or identifiable natural person).
- Encrypted data merely transiting third countries.
- Encrypted transfers to a protected recipient who is exempted from the infringing access by public authorities (e.g. a lawyer or a health professional).
- Split or multi-party processing, where the data is split and transferred to two or more processors for further processing in such a way that none of the processors can reconstitute it or attribute it to an individual, and only the data exporter is able to combine the parts and attribute them to an individual.
If technical measures are to act as an effective supplementary measure, strict encryption requirements apply. For example, the Recommendations state that the personal data must be encrypted before transmission using a strong, state-of-the-art encryption algorithm; that the strength of the encryption must take into account the period during which the confidentiality of the encrypted data must be preserved; that the encryption algorithm must be flawlessly implemented; and that the cryptographic keys must be reliably managed and retained solely under the control of the data exporter in the EEA (or in a jurisdiction which is subject to an adequacy decision by the European Commission). In practice this means the key-management question is decisive: transport encryption (TLS) and provider-managed encryption at rest do not satisfy the test if the importer, or its cloud provider, can decrypt.
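The second and fifth examples above (exporter-held pseudonymisation key; split processing) can be illustrated in code. The following is an added example written for this page, not code from the EDPB or from any named product. It assumes the exporter generates and keeps the secret key and the re-identification table, and it uses a keyed HMAC for pseudonyms and a one-time-pad style XOR split for multi-party processing, so that the importer holds only unlinkable tokens or a single random-looking share. Only the Python standard library is used.

```python
"""Exporter-side pseudonymisation and two-party data splitting (added example).

Assumptions, not taken from the Recommendations: the exporter's key and the
re-identification table stay in the EEA; the importer receives only the
pseudonymised record or one share of the split data.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Fields that directly identify a person and must not reach the importer in the clear.
DIRECT_IDENTIFIERS = ("name", "email")


def make_exporter_key() -> bytes:
    """256-bit secret held solely by the EEA exporter (hypothetical key store)."""
    return secrets.token_bytes(32)


def pseudonymise(record: Dict[str, object], key: bytes) -> Tuple[Dict[str, object], Dict[str, object]]:
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    Returns (record for the importer, re-identification table for the exporter).
    The same key and value always yield the same token, so the importer can still
    link records about one person within the dataset, but without the key it
    cannot recompute tokens from guessed names (a plain hash would allow that).
    """
    exported = dict(record)
    table: Dict[str, object] = {}
    for field in DIRECT_IDENTIFIERS:
        if field in exported:
            value = str(exported[field])
            token = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
            table[token] = exported[field]
            exported[field] = token
    return exported, table


def reidentify(exported: Dict[str, object], table: Dict[str, object]) -> Dict[str, object]:
    """Exporter-only operation: restore identifiers using the retained table."""
    restored = dict(exported)
    for field in DIRECT_IDENTIFIERS:
        if field in restored and restored[field] in table:
            restored[field] = table[restored[field]]
    return restored


def split_secret(data: bytes, parties: int) -> List[bytes]:
    """XOR secret sharing: every share is uniformly random on its own.

    parties-1 shares are random pads; the last share is data XOR all pads.
    Any proper subset of shares carries no information about the data.
    """
    if parties < 2:
        raise ValueError("splitting needs at least two parties")
    shares = [secrets.token_bytes(len(data)) for _ in range(parties - 1)]
    last = bytearray(data)
    for share in shares:
        for i, b in enumerate(share):
            last[i] ^= b
    shares.append(bytes(last))
    return shares


def combine_shares(shares: List[bytes]) -> bytes:
    """Exporter-only operation: XOR all shares back together."""
    out = bytearray(len(shares[0]))
    for share in shares:
        for i, b in enumerate(share):
            out[i] ^= b
    return bytes(out)


def tokens_depend_on_key(record: Dict[str, object], key_a: bytes, key_b: bytes) -> bool:
    """Check that a party without the exporter's key cannot reproduce the tokens."""
    a, _ = pseudonymise(record, key_a)
    b, _ = pseudonymise(record, key_b)
    return all(a[f] != b[f] for f in DIRECT_IDENTIFIERS if f in record)


if __name__ == "__main__":
    # Constructed sample record, not real personal data.
    rec = {"name": "Alice Example", "email": "alice@example.com", "salary_band": 3}
    k = make_exporter_key()
    exported, table = pseudonymise(rec, k)
    print("importer sees:", exported)
    print("exporter restores:", reidentify(exported, table) == rec)
    shares = split_secret(b"health record 42", 3)
    print("recombined:", combine_shares(shares))
```

The point of the two checks at the bottom is the one the Recommendations turn on: the importer's copy is only as protected as the exporter's control of the key. If the HMAC key or the re-identification table were shipped alongside the data, or if the same processor received every share, the measure would collapse into the "data in the clear" situation described in the next section.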
Transfers for which supplementary measures are unlikely to be effective
The Recommendations give two examples of when no effective supplementary measures could be found if the power granted to public authorities of the recipient country to access the transferred data goes beyond what is necessary and proportionate in a democratic society:
- Transfer to cloud services providers or other processors which require access to data in the clear in order to execute the task assigned.
- Transfer to a data importer, including a group company, by making the data available in a commonly used information system which allows the importer direct access to the personal data in the clear of its own choice and for its own purposes (e.g. for HR or marketing purposes).
The EDPB states that where access to unencrypted personal data is technically necessary for the provision of the service by the processor, transport encryption and data-at-rest encryption, even taken together, may not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys.
Brexit and implications for the UK
At the end of the Brexit transition period (currently scheduled for 31 December 2020), the GDPR will become part of UK law as the "UK GDPR". This means that businesses subject to the UK GDPR will continue to have to comply with the requirements on international personal data transfers in Chapter 5 and the six steps set out in the Recommendations. However, it is possible that the UK Government will decide to amend the UK GDPR in the future and/or change the conditions for international personal data transfers to make the international flow of personal data less onerous for businesses.
Another important consideration at the end of the Brexit transition period is if transfers of personal data from the EEA to the UK will be subject to an adequacy decision by the European Commission. If the European Commission does not recognise the UK as offering an adequate level of data protection before 31 December 2020, businesses will most likely seek to rely on standard contractual clauses to transfer personal data from the EEA to the UK. This means that businesses will also be required to carry out an assessment of the local law in the UK for transfers of personal data from the EEA to the UK and will need to decide if any supplementary measures should and can be implemented for such transfers in line with the Recommendations.
[1] As of November 2020, the European Commission recognises 12 jurisdictions as offering an adequate level of data protection: Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. Adequacy talks are ongoing with South Korea.