Final EDPB Recommendations published on supplementary measures for international personal data transfers from Europe

Today, 21 June 2021, the European Data Protection Board (the "EDPB") has published its final Recommendations 01/2020 on supplementary measures to ensure compliance with data protection laws when transferring personal data from Europe (the "Recommendations").

The adoption of these Recommendations is the latest in a series of developments which demonstrate that it is becoming increasingly difficult for organisations to transfer personal data internationally from Europe. 

The challenges posed with implementing the Recommendations may ultimately lead to organisations deciding to instead locate more European personal data in the European Economic Area (the "EEA") or a jurisdiction which is recognised as offering an adequate level of data protection by the European Commission¹.

Background

The Recommendations build on the draft recommendations published on 11 November 2020 for public consultation (the "Draft Recommendations") – see our previous client alert on the Draft Recommendations.

The Recommendations describe the steps that businesses should now take to determine if they need to put in place supplementary measures to transfer personal data outside the EEA in accordance with the General Data Protection Regulation 2016/679 (the "GDPR").

The Recommendations are particularly relevant for businesses who rely on the standard contractual clauses (the "SCCs"), binding corporate rules or other "appropriate safeguards" in Article 46(2) of the GDPR to transfer personal data outside the EEA to locations that the European Commission has not determined offer adequate data protection.

What do the Recommendations require businesses to do?

The Recommendations explain the steps that businesses are expected to take from a compliance perspective to navigate the tougher requirements on international transfers of personal data from Europe when relying on the SCCs, binding corporate rules or other "appropriate safeguards" to do so. Such organisations are required to:

1. conduct a local law assessment in the jurisdiction where the European personal data is transferred to (also referred to as a "transfer impact assessment"); and
2. where necessary, implement supplementary technical measures for such transfers.

The local law assessments are expected to highlight whether data protection legislation is being applied, if there are practices in that jurisdiction making the safeguards (such as the new EU SCCs) insufficient, and if there is so called "problematic legislation" which prevents European Union ("EU") standards being met. Legislation granting disproportionate powers to public authorities to access the transferred data is considered as "problematic legislation" and is dealt with explicitly by the Recommendations.

Where an issue is identified, personal data transfers can only occur if the implementation of "supplementary measures" will address it, or where it can be documented that the "problematic legislation" would not apply to the transfer.

The EDPB gives some examples of contractual measures in Annex 2 of the Recommendations that businesses might wish to implement in the contract with the data importer to assist compliance with their data protection obligations.

If these supplementary measures are not possible, then the personal data transfer is unlikely to comply with the GDPR, unless one of the limited derogations in Article 49(1) GDPR can be relied upon – although the EDPB have stressed that these are restricted to specific situations.

What are the major changes for businesses from the Draft Recommendations?

• When carrying out the local law assessment, practices in the third country must be considered alongside the relevant legislation in force in the third country. If there are practices in force which are incompatible with EU law and the commitments of the Article 46 GDPR transfer tool, adequate supplementary measures will need to be implemented if businesses wish to proceed with the transfers.
• Where the local law assessment reveals that the relevant legislation in the third country may be problematic, businesses may decide to proceed with the transfer without being required to implement supplementary measures if they consider that they have no reason to believe that the relevant and problematic legislation will be applied in practice to the transfer and / or the data importer based on the practical experience of the data importer. However, businesses will be required to demonstrate and document in detail, taking into account the experience of other actors, that the law is not interpreted and / or applied in practice to the transferred data and/or data importer so as to prevent the data importer from fulfilling its obligations under the Article 46 transfer tool (such as the SCCs). Similar wording also appears in the new EU SCCs which require that any such documentation must be certified at a senior management level.
• The Recommendations include further detail about possible sources of information that businesses should consider when carrying out the local law assessment.
• The Recommendations clarify that supplementary measures might be required for some personal data transfers to third countries (e.g. those including special category or criminal offences data), while transfers of other personal data to that jurisdiction might not require implementation of the supplementary measures (taking into account the local laws and practices).
• The final Recommendations now also include additional guidance on how to assess the strength of encryption algorithms (see footnotes 80 and 81 of the Recommendations) and how cryptographic algorithms may be utilised to pseudonymise personal data (see footnote 83 of the Recommendations). Pseudonymisation might be relevant to businesses that require decryption of this data to process it in one of these jurisdictions, for example a transfer to a cloud services provider, particularly where the personal data cannot be effectively encrypted.

What should businesses be doing right now?

Where businesses transfer personal data outside Europe to a jurisdiction which is not considered to offer an adequate level of data protection by the European Commission, businesses should follow the below six step process:

1. Know your transfers (by mapping all international personal data transfers);
2. Identify the appropriate safeguard or tool each transfer relies upon;
3. Carry out the local law assessment to assess whether the safeguard is effective;
4. Identify and adopt any supplementary measures required;
5. Take procedural steps such as documenting the measures implemented or renegotiating relationships with third parties; and
6. Re-evaluate your analysis regularly.

Businesses will need to take immediate steps to undertake this process, starting with a review of all international data transfers currently undertaken from Europe, which must also include any onward transfers of personal data by their processors to sub-processors.