EDPB Publishes draft recommendations on data transfer post Schrems II - path forward for many transfers remains uncertain

On 10 November the European Data Protection Board (‘EDPB’) published, further to its initial guidance, its recommendations on measures to supplement data transfer tools so as to ensure compliance with EEA data protection law (the ‘Guidance’).

The Guidance follows on from the CJEU’s judgment in Schrems II, which invalidated the Privacy Shield and found that organisations relying on the Standard Contractual Clauses (‘SCCs’) may need to implement additional safeguards beyond the SCCs to legitimise transfers to third countries.

Those that were hoping for some leniency from the EDPB will be disappointed. There is no one-size-fits-all solution, and many transfers will not be resolved on the basis of this guidance (largely reflecting the fact that the requirements laid down by the CJEU in Schrems II are hard to meet).

According to the EDPB, Article 46 transfer tools, not just SCCs, must be ‘effective’, and this will not be the case if the importer is prevented from complying with the transfer tool by the laws of the third country. Those exporting data outside the EEA must assess the laws and practice of the third country that may impede the effectiveness of the transfer tool and, if such impediments exist, supplementary measures - which look like hard work - will need to be implemented.

These supplementary measures could be contractual, technical or organisational in nature, or more likely a combination of the three. However, contractual and organisational measures may not, alone, suffice to provide the essentially equivalent standard that EU law requires. Much will therefore rest on technical measures such as encryption and pseudonymisation, but the effectiveness of these tools depends on the data importer not having access to the decryption or re-identification key, since a key held by the importer is itself susceptible to public authority access (as is the case under FISA 702 in the US). This leaves a big gap for the innumerable data transfers where the importer needs the data in plain text. For these, the EDPB offers no new solutions.

Where organisations cannot implement effective supplementary measures, the EDPB confirm that the data should not be transferred and that existing transfers should be suspended.

Given the limitations of contract - which will also apply to the new draft Commission SCCs - it remains unclear, at least where public authority access is concerned in countries like the US, how transfers can continue compliantly where the data is needed in clear text.

The Guidance, which is available here, is open to public consultation until 30 November.

1. Carry out a Transfer Assessment

Organisations must, as a first step, map data transfers so they can understand where their data is transferred and what adequacy mechanisms are in place. In carrying out this exercise, the EDPB reminds organisations that even remote access from a third country (such as IT support) constitutes a transfer for these purposes. As part of this exercise, controllers must also consider onward transfers, for example the extent to which the controller’s processor outside the EEA subsequently transfers the data to a sub-processor in a third country. Clearly, if the transfer is to a destination covered by a Commission adequacy decision, the exporter does not need to implement the supplementary safeguards laid down in the Guidance. On BCRs, the EDPB also flag that more guidance as to whether additional commitments may need to be included in the BCRs will follow as soon as possible.

For non-adequate countries, data exporters must next, with help from importers, assess whether there is anything in the law or practice of the third country that may undermine the effectiveness of the relevant transfer mechanism. In carrying out this assessment, organisations need to take into account the specifics of each transfer, in particular the purposes of the transfer (HR, marketing, IT support or other purposes), the type of entity involved in the transfer (private/public, controller/processor), the personal data transferred (for example, data relating to children may be subject to specific rules), the industry sector of the transfer, whether the data will be stored in or be accessible remotely from the third country, whether there will be onward transfers, and the format of the data (i.e. whether it will be encrypted, pseudonymised or in the clear).

According to the EDPB, the transfer assessment must be based ‘first and foremost’ on publicly available legislation. Organisations must look to the law and practice of the third country to assess whether those laws impinge on the commitments in the transfer mechanism, including, for example, confirming that data subjects can effectively exercise their rights and, in particular, whether there are laws permitting public authority access to the data for law enforcement, regulatory supervision and national security purposes. Public authority access must be assessed by reference to Articles 47 and 52 of the EU Charter of Fundamental Rights, to determine whether those powers are limited to what is necessary and proportionate in a democratic society. This includes providing data subjects with effective redress, having regard to the rule of law, the comprehensiveness of the data protection law in the third country and its adherence to international instruments providing for privacy safeguards. To help with this, the EDPB published, in parallel to the Guidance, an additional recommendation on the ‘European Essential Guarantees for Surveillance Measures’, available here. This outlines the four essential guarantees that need to be in place to make limitations to data protection and privacy rights justifiable: (1) processing should be based on clear, precise and accessible rules; (2) the necessity and proportionality of the legitimate objective being pursued must be demonstrated; (3) an independent oversight mechanism should exist; and (4) effective remedies need to be available to the individual.

If primary legislation is lacking, exporters in their assessments must look to ‘other relevant and objective factors’ and must not rely on subjective factors such as the likelihood of public authorities actually accessing the data. This focus on objective rather than subjective factors will make it more difficult for organisations to form their own risk based view.

The transfer assessment must be documented, with the EDPB warning that organisations may be held accountable for decisions they make on the basis of the assessment. The assessments should also be re-evaluated at appropriate intervals given that accountability is an ongoing obligation under GDPR.

In light of the foregoing, the burden of transfer assessments, even for the most sophisticated organisations, is an extremely heavy one, and it is difficult to see how assessments of this complexity and scale would be achievable for smaller organisations, at least in the absence of assistance from a centralised body such as the European Commission.

2. Adopt supplementary measures

If the transfer assessment finds that the transfer mechanism is not effective alone, then supplementary measures need to be implemented. Contractual and organisational measures only go so far, with the EDPB recognising that - while they can complement technical safeguards - there will be cases ‘where only technical measures might impede or render ineffective access by public authorities in third countries… in particular for surveillance purposes.’

a. What are technical supplementary measures?

The Guidance gives a ‘non-exhaustive’ list of technical measures which may supplement safeguards of transfer tools. These measures are of particular importance where the law of the third country impinges on the contractual guarantees of essential equivalent protection as a result of access to the data by public authorities. Importantly, these technical measures apply even if the public authorities’ access complies with local law in the third country, but where in line with the CJEU’s judgment in Schrems II, such access goes beyond what is necessary and appropriate in a democratic society.

The technical measures employed by the exporter and importer should, where appropriate, take account both of public authority access to data in transit, through accessing the lines of communication used to convey the data, and of public authority access to the data when it is in the custody of the intended recipient.

Examples of scenarios where effective technical measures can be deployed are outlined in the table below.

Use case: A data exporter uses a hosting provider in a third country to store personal data for back-up purposes
Conditions to effectiveness:
  • the data is strongly encrypted before transmission;
  • the encryption technique conforms to the state of the art and is considered robust against cryptanalysis performed by public authorities;
  • the strength of the encryption takes into account the specific time period for which the confidentiality of the personal data must be preserved;
  • the encryption algorithm is flawlessly implemented, with the keys being reliably managed; and
  • the keys are retained solely under the control of the data exporter, or of other entities entrusted with this task which reside in the EEA or in a country covered by an EU Commission adequacy decision.

Use case: Transfer of pseudonymised data
Conditions to effectiveness:
  • the data exporter transfers pseudonymised data, i.e. data that can no longer be attributed to a specific individual, nor be used to single out the individual in a larger group, without the use of additional information;
  • the additional information that would permit identification is held only by the exporter, securely, in the EU or in a country covered by an EU Commission adequacy decision; and
  • the exporter has established, through analysis of the data and taking into account the information it has on what public authorities in the third country possess, that the pseudonymised data cannot be re-identified by cross-reference with such information.

Use case: Encrypted data merely transiting third countries en route to an adequate country
Conditions to effectiveness:
  • state of the art transport encryption is used that provides protection against active and passive attacks with resources known to be available to public authorities in third countries;
  • decryption is only possible outside the third country;
  • the parties agree on a trustworthy public-key certification authority or infrastructure;
  • as a back-up, in addition to the transport encryption, state of the art end-to-end encryption is also maintained at the application layer;
  • the encryption techniques are considered robust against cryptanalysis performed by public authorities, and the existence of backdoors (in hardware or software) has been ruled out;
  • the strength of the encryption takes into account the specific time period for which the confidentiality of the personal data needs to be preserved; and
  • the encryption algorithm is flawlessly implemented, with the keys being reliably managed by the exporter under a jurisdiction offering an essentially equivalent level of protection.

Use case: A data exporter transfers personal data to a data importer in a third country that is specifically protected by that country’s law, for example to jointly provide medical treatment to a patient or legal services to a client
Conditions to effectiveness:
  • the law of the third country exempts the data importer from potentially infringing access to data held by that recipient for the given purposes, e.g. by virtue of a duty of professional secrecy applying to the importer;
  • the exemption applies to all information in the possession of the data importer that may be used to circumvent the protection of privileged information (e.g. passwords, encryption keys, etc.);
  • the importer does not employ a data processor nor forward the data to a non-protected entity, which would allow the public authority to circumvent the protection by accessing the data from third parties further down the chain;
  • the data is end-to-end encrypted before transmission to a state of the art standard;
  • the decryption key is appropriately secured and in the sole custody of the protected importer; and
  • the exporter has reliably established that the encryption key it intends to use corresponds to the decryption key held by the recipient.

Use case: Split or multi-party processing, i.e. the exporter wants data to be processed jointly by two or more independent processors located in different jurisdictions without disclosing identifiable data to any of them
Conditions to effectiveness:
  • prior to transmission, the exporter splits the data into different buckets such that no bucket an individual processor receives suffices to reconstruct the personal data in whole or in part;
  • each bucket of data is transferred to a separate processor located in a different jurisdiction;
  • the processors optionally process the data jointly, using secure multi-party computation, in a way that no information is revealed to them that they did not possess prior to the computation;
  • there is no evidence of collaboration between the public authorities located in the respective jurisdictions of the processors that would allow them to access all the sets and reconstitute and exploit the data in a way that would not respect the fundamental rights and freedoms of data subjects; and
  • the controller has established, by means of a thorough analysis of the data transferred to the processors and taking into account any information that the public authorities of the recipient countries may possess, that the data cannot be attributed to an individual.
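The split or multi-party processing use case above turns on one property: no single bucket may suffice to reconstruct any part of the data, while the processors can still compute something useful jointly. The following is an added example (not code from the EDPB Guidance or from this article) that implements the simplest form of this with additive secret sharing: each value is split into random shares that sum to it modulo a prime, one share goes to each processor, and the processors compute partial sums on their own buckets so that only the aggregate is ever revealed. The salary figures, the processor labels and the choice of a single aggregate (a sum) are constructed assumptions for illustration; real multi-party computation protocols support far richer joint computations, but rest on the same sharing idea.

```python
"""Split or multi-party processing via additive secret sharing (added example;
not code from the EDPB Guidance or the article). The exporter splits each
sensitive value into one share per processor in a different jurisdiction; any
single share is a uniformly random number carrying no information about the
value. The processors then sum their own shares, and combining the partial sums
yields only the total. Arithmetic is modulo a prime. Salaries and processor
labels are constructed sample data.
"""
import secrets

PRIME = (1 << 61) - 1  # a Mersenne prime; all share arithmetic is mod PRIME


def split(value, n_shares):
    """Split value into n_shares additive shares. Any n_shares-1 of them are
    independent uniformly random values; all n_shares are needed to rebuild."""
    if not 0 <= value < PRIME:
        raise ValueError("value out of range for the share field")
    if n_shares < 2:
        raise ValueError("need at least two processors")
    shares = [secrets.randbelow(PRIME) for _ in range(n_shares - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def reconstruct(shares):
    """Rebuild the value; only correct when every share is present."""
    return sum(shares) % PRIME


def split_records(values, processors):
    """Exporter side: build one bucket per processor. Bucket i holds processor
    i's share of every record, positioned by record index, never by identity."""
    buckets = {p: [] for p in processors}
    for value in values:
        for p, share in zip(processors, split(value, len(processors))):
            buckets[p].append(share)
    return buckets


def local_partial_sum(bucket):
    """Processor side: computed on that processor's own bucket only."""
    return sum(bucket) % PRIME


def combine_partial_sums(partials):
    """Combining the partial sums yields the total and nothing else; no
    individual value is reconstructed by anyone."""
    return sum(partials) % PRIME


# constructed sample: monthly salaries (EUR) of five employees
SALARIES = [4200, 3900, 5100, 6100, 2800]
# constructed labels for three processors in three different jurisdictions
PROCESSORS = ["processor-A (jurisdiction 1)",
              "processor-B (jurisdiction 2)",
              "processor-C (jurisdiction 3)"]


def joint_total(values=SALARIES, processors=PROCESSORS):
    """End-to-end run: split, per-processor partial sums, combined total."""
    buckets = split_records(values, processors)
    partials = [local_partial_sum(buckets[p]) for p in processors]
    return combine_partial_sums(partials)


if __name__ == "__main__":
    print("joint total computed without any processor seeing a salary:",
          joint_total())
```

The condition in the last bullet of the table (that the buckets cannot be attributed to an individual) is what the random shares provide for the values themselves; it does not cover any identifiers or metadata sent alongside the buckets, which is why the buckets above are indexed by record position only.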

 

The EDPB also give examples of scenarios where no effective measures could be found to legitimise the transfers.

The examples - both of which are ubiquitous - include an EEA exporter transferring personal data to a cloud service provider where the data is needed in clear text by the processor for it to carry out its assigned task, and where the power granted to public authorities of the recipient country to access the transferred data goes beyond what is necessary and proportionate in a democratic society.

The second example given by the EDPB is that of a data exporter making personal data available to entities in third countries for shared business purposes, for example an EU subsidiary sharing employee data with its parent in a third country. If the importer uses the data in clear form for its own purposes in a jurisdiction such as the US, where the power granted to public authorities of the recipient country to access the transferred data goes beyond what is necessary and proportionate in a democratic society, then the EDPB conclude that it is incapable of envisioning an effective technical measure to prevent that access from infringing on data subject rights. However, the EDPB acknowledge that this may change as technologies advance.

Similarly, if the data importer is in possession of the cryptographic key, then transport encryption and data-at-rest encryption - even taken together - do not, according to the EDPB, constitute a supplementary measure that ensures an essentially equivalent level of protection in countries where public authority access to personal data may extend to cryptographic keys (as is the case under FISA 702 in the US).

b. What are contractual supplementary measures?

Contractual measures will generally consist of unilateral, bilateral or multilateral contractual commitments. Such measures are subject to significant limitation, in that they will not bind public authorities in the third country nor rule out the application of third country legislation which does not align with the EDPB’s European Essential Guarantees Standard. However, supplementary contractual measures can nonetheless complement and reinforce the safeguards in Article 46 transfer mechanisms.

The EDPB also clarify that where organisations add supplementary contractual safeguards to the SCCs, there is no need to request approval from a supervisory authority, provided the supplementary measures do not contradict, directly or indirectly, the SCCs and are sufficient to ensure that the level of protection guaranteed by the GDPR is not undermined.

Annex 2 of the Guidance gives a number of examples of contractual clauses that exporters could add to their contracts with importers, some of which are outlined in the table below.

Clause: Contractual obligations to implement technical measures
Details: The contract could provide that the transfer will only take place if specific technical measures are put in place.

Clause: Transparency obligations - information on public authority access
Details: The exporter could add annexes to the contract that would require the data importer, based on its best efforts, to provide information on access to the data by public authorities in the third country, including for surveillance purposes. This could include requiring the importer to outline:
  • the laws and regulations in the third country that would permit access by public authorities;
  • in the absence of laws governing public authority access, information and statistics based on the importer’s experience or on reports from various sources (such as open source material, national case law, oversight bodies, etc.) on access by public authorities;
  • what measures are in place to prevent access to the transferred data;
  • details of access to the personal data by public authorities which the importer has received over a specified period of time; and
  • to what extent the importer may actually be prohibited from providing the information in the bullets above (as in this case the clause may be wholly or partly redundant).
Conditions to effectiveness: Such a clause would only be effective where the importer is able, under the laws of the third country, to provide this information to the exporter. The EDPB also note that this type of clause is only a means to flush out the risks attached to the data transfer. Such a clause, of itself, can neither justify the importer’s disclosure of personal data nor give rise to the expectation that there will be no further public authority access.

 

Clause: Transparency obligations - no back doors
Details: The exporter could add a clause requiring the data importer to certify that (a) it has not purposefully created back doors that could be used to access the personal data or systems; (b) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems; and (c) national law or government policy does not require the importer to create or maintain back doors or to facilitate access to personal data or systems.
Conditions to effectiveness: For this clause to be effective, there would have to be no legislation or government policy in the third country preventing the importer from disclosing the information required by this clause. In addition, according to the EDPB, the contract would need to include penalties and/or the ability for the data exporter to terminate on short notice where the importer fails to reveal such back doors.

Clause: Transparency obligations - flagging changes in law
Details: While the law of the third country may initially have been deemed to provide an equivalent level of protection, things change, and the exporter could strengthen the obligations on the importer to inform the exporter of its inability to comply with the contractual commitments and, as a result, with the required standard of an ‘essentially equivalent level of data protection’.
Conditions to effectiveness: This clause is only effective where:
  • the notification is made before access is granted to the data;
  • the data importer monitors legal and policy developments so that it is in a position to flag relevant changes; and
  • the clauses provide a mechanism for the exporter to promptly secure or retrieve the data from the importer.

Clause: Transparency obligations - increased audit rights
Details: The exporter could strengthen its audit and inspection rights over the data processing facilities of the importer (either on site or remotely) so as to verify whether data was disclosed to public authorities and under what conditions.
Conditions to effectiveness: For this clause to be effective, the scope of the audit should legally and technically cover any processing by the data importer’s processors or sub-processors. There would also need to be appropriate tamper-proof access logs and audit trails which distinguish between access due to regular business operations and access due to public authority orders or requests for access.

Clause: Transparency obligations - warrant canary
Details: The contract could reinforce the transparency obligations of the data importer by providing for a ‘warrant canary’, i.e. the importer is required to regularly publish (e.g. at least every 24 hours) a cryptographically signed message informing the exporter that, as of a certain date and time, it has received no order to disclose personal data. Absence of the notice will signify to the exporter that the importer may have received an order.
Conditions to effectiveness: This clause is only effective where:
  • the law of the third country permits the importer to make such notification;
  • the data exporter automatically monitors the notifications on an ongoing basis; and
  • the importer ensures that its private key for signing the warrant canary is kept safe, so that it cannot be forced to provide false notifications.

Clause: Obligations to take specific actions - such as agreeing to review the legality of any order to disclose data
Details: The importer could commit to reviewing the legality of any order from public authorities to disclose data, including challenging the order where appropriate. This would also include an obligation on the importer to provide only the minimum amount of information possible when responding to the access order.
Conditions to effectiveness: This clause would only be effective where, among other matters:
  • the laws in the third country permit effective legal challenge of orders to disclose data;
  • the challenge to the order would suspend the effect of the law, i.e. prevent the public authority from accessing the data pending the outcome of the challenge; and
  • the importer is able to document and demonstrate to the exporter the action it has taken.

Clause: Obligations to take specific actions - agreeing to flag local law inconsistencies with the Article 46 transfer tool
Details: The importer could commit to inform a requesting public authority of the incompatibility of any data access order with the safeguards contained in the transfer tool (such as the SCCs) and with its existing conflicting contractual obligations to the exporter. The importer would also simultaneously notify the exporter and/or the competent supervisory authority in the EEA.
Conditions to effectiveness: This clause would only be effective where:
  • raising the conflicting obligations of the data importer has some legal effect in the legal order of the third country, for example permitting a judicial or administrative review of the order;
  • the legal system of the importer does not prevent the importer from notifying the exporter, or at least the competent supervisory authority in the EEA, of the order; and
  • the importer is able to document and demonstrate to the exporter the actions it has taken.

Clause: Obligations to empower data subject rights - restrictions on data access without consent
Details: The contract could provide that data transferred in plain text may only be accessed with the express or implied consent of the exporter and/or the data subject (although in practice a model based on asking for the data subject’s consent is unlikely to be amenable to most controllers).
Conditions to effectiveness: This clause would only be effective where:
  • the public authority request is made on a voluntary basis and not based on access that occurs without the importer’s knowledge or against its will;
  • the data subject is capable of giving valid, freely given GDPR consent - this may not always be the case, the EDPB giving the example of an employer-employee relationship; and
  • no national law prohibits the importer from disclosing the order for access, since such a law could render the clause redundant.

 

Clause: Obligations to empower data subject rights - notifying data subjects of public authority access
Details: The contract could oblige the importer and/or exporter to notify the data subject promptly of a public authority request in the third country, or of the importer’s inability to comply with the contractual commitments, so as to enable the data subject to seek information as an effective redress.
Conditions to effectiveness: The clause would only be effective where national regulations and policies do not prevent the importer from making the notification to the data subject.

Clause: Obligations to empower data subject rights - commit importer and exporter to assist the data subject in exercising their rights
Details: The contract could commit the exporter and importer to assist the data subject in exercising his/her rights in the third country jurisdiction through ad hoc redress mechanisms and legal counselling.
Conditions to effectiveness: This clause would only be effective where the law in the third country does not impose conditions that would undermine the effectiveness of the ad hoc redress mechanisms. Further, the provision of legal assistance to the data subject in exercising their rights does not itself remedy the third country’s failure to provide a level of protection essentially equivalent to that guaranteed in the EU. Therefore, the EDPB acknowledge that this contractual measure would need to be complementary to other supplementary measures.
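The ‘warrant canary’ clause in the table above places two technical requirements on the parties: the importer must publish a cryptographically signed ‘no order received’ statement at least every 24 hours, and the exporter must monitor it automatically. The following is an added example (not code from the EDPB Guidance or from this article) of both halves. One stand-in assumption keeps it runnable on the Python standard library alone: the statement is authenticated with an HMAC under a key the importer keeps secret, whereas the clause calls for a public-key signature, which lets the exporter verify without holding a key that could itself forge a canary. The keys, timestamps, wording and the 5-minute clock-skew tolerance are constructed for the example.

```python
"""Warrant canary issuance and automated monitoring (added example; not code
from the EDPB Guidance or the article). The importer publishes, at least every
24 hours, an authenticated statement that it has received no disclosure order;
the exporter classifies the latest statement as ok, missing, invalid or stale.
Stand-in: HMAC with an importer-held key replaces the public-key signature the
clause calls for, so that the example runs on the standard library. All keys,
timestamps and messages are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

CANARY_TEXT = "No order to disclose personal data has been received."
MAX_AGE = timedelta(hours=24)        # publication interval from the clause
CLOCK_SKEW = timedelta(minutes=5)    # constructed tolerance for clock drift


def issue_canary(signing_key, issued_at):
    """Importer side: produce the authenticated statement for one publication."""
    body = json.dumps({"statement": CANARY_TEXT,
                       "issued_at": issued_at.isoformat()}, sort_keys=True)
    tag = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})


def check_canary(verify_key, canary, now):
    """Exporter side: classify the latest fetched canary.
    Returns 'ok', or 'missing' / 'invalid' / 'stale', any of which should
    trigger the exporter's contractual response (enquiry, suspension, retrieval)."""
    if canary is None:
        return "missing"
    try:
        envelope = json.loads(canary)
        body, tag = envelope["body"], envelope["tag"]
        fields = json.loads(body)
        issued_at = datetime.fromisoformat(fields["issued_at"])
    except (KeyError, TypeError, ValueError):
        return "invalid"
    expected = hmac.new(verify_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "invalid"              # forged or altered message
    if fields.get("statement") != CANARY_TEXT:
        return "invalid"              # authentic, but not the agreed wording
    if issued_at > now + CLOCK_SKEW:
        return "invalid"              # post-dated canary
    if now - issued_at > MAX_AGE:
        return "stale"                # the canary has lapsed
    return "ok"


def demo():
    """Walk through the states an exporter's monitor must distinguish."""
    key = b"constructed-importer-key-do-not-reuse"
    t0 = datetime(2020, 11, 12, 9, 0, tzinfo=timezone.utc)
    fresh = issue_canary(key, t0)
    altered = fresh.replace("No order", "An order")   # body changed, tag not
    return {
        "fresh": check_canary(key, fresh, t0 + timedelta(hours=3)),
        "lapsed": check_canary(key, fresh, t0 + timedelta(hours=30)),
        "altered": check_canary(key, altered, t0 + timedelta(hours=1)),
        "absent": check_canary(key, None, t0 + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for state, verdict in demo().items():
        print(f"{state:>8}: {verdict}")
```

The monitor deliberately treats a lapsed, altered or missing canary the same way as a reworded one: the clause's value lies in the exporter acting on the absence of a valid notice, so every non-‘ok’ state is an event to act on, not a warning to tune out.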
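The ‘increased audit rights’ clause in the table above is only effective with tamper-proof access logs that separate routine business access from access made under a public authority order. The following is an added example (not code from the EDPB Guidance or from this article) of the minimal log structure that gives an auditor both properties: every entry is hash-chained to the one before it, so an altered, removed or reordered entry breaks every later link, and every entry carries one of two agreed access reasons so that the audit split falls out of a simple count. The field names, reason vocabulary and sample entries are constructed assumptions.

```python
"""Tamper-evident access log distinguishing business access from access on a
public authority order (added example; not code from the EDPB Guidance or the
article). Each entry stores the SHA-256 hash of the previous entry; verify()
recomputes the chain and reports the first broken link, and summarise() gives
the auditor the split the clause asks for. Field names and the sample entries
are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64
REASONS = ("business_operation", "public_authority_order")


def entry_hash(prev_hash, record):
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_entry(log, record):
    """Append one access record; rejects reasons outside the agreed vocabulary
    so that every entry is classifiable at audit time."""
    if record.get("reason") not in REASONS:
        raise ValueError(f"reason must be one of {REASONS}")
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev,
                "hash": entry_hash(prev, record)})
    return log


def verify(log):
    """Recompute the chain. Returns (True, None), or (False, index) for the
    first entry whose link or hash does not match."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, None


def summarise(log):
    """Counts per access reason, plus the order references an auditor will
    match against the importer's documented requests."""
    counts = {r: 0 for r in REASONS}
    orders = []
    for entry in log:
        rec = entry["record"]
        counts[rec["reason"]] += 1
        if rec["reason"] == "public_authority_order":
            orders.append(rec.get("order_ref"))
    return {"counts": counts, "orders": orders}


# constructed sample entries (timestamps, actors and references are illustrative)
SAMPLE_ACCESSES = [
    {"ts": "2020-11-12T08:01:00Z", "actor": "payroll-svc", "dataset": "hr-eea",
     "reason": "business_operation"},
    {"ts": "2020-11-12T10:15:00Z", "actor": "legal-team", "dataset": "hr-eea",
     "reason": "public_authority_order", "order_ref": "ORDER-REF-PLACEHOLDER"},
    {"ts": "2020-11-13T08:02:00Z", "actor": "payroll-svc", "dataset": "hr-eea",
     "reason": "business_operation"},
]


def build_sample_log():
    log = []
    for rec in SAMPLE_ACCESSES:
        append_entry(log, dict(rec))   # copy, so the sample data stays pristine
    return log


def relabel_demo():
    """Relabel the order-driven access as routine and show verify() catches it."""
    log = build_sample_log()
    log[1]["record"]["reason"] = "business_operation"
    return verify(log)


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log), summarise(log))
    print("after relabelling entry 1:", relabel_demo())
```

A hash chain proves integrity only relative to its current head, so to meet the clause's ‘tamper-proof’ condition the head hash should be handed to the exporter (or another independent party) at regular intervals; verification against a previously received head then also detects wholesale rewriting of the chain, which verify() alone cannot.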

c. What are organisational supplementary measures?

Additional safeguards may also include organisational measures. Organisational measures consist of internal policies, organisational methods and standards that organisations can implement and also impose on importers in third countries. The implementation of these policies helps ensure consistency and risk awareness within organisations. However, the Guidance notes that the introduction of organisational measures alone will not necessarily ensure that transfers meet the essential equivalence standard that EU law requires, but, again, they can complement the other contractual and/or technical measures in place.

Examples of appropriate organisational measures are outlined in the table below.

 

Measure: Internal policies for governing transfers, especially within groups of enterprises
Details: Organisations should adopt adequate internal policies with clear allocation of responsibilities for data transfers, reporting channels and standard operating procedures for cases of covert or official requests from public authorities to access personal data. The Guidance suggests that in corporate groups these policies could include the appointment of a specific team, based in the EEA, made up of experts with IT and data protection expertise, to deal with requests that involve personal data transferred from the EEA. These policies should be supported by specific and up to date training procedures for staff with responsibility for dealing with public authority data access requests.
Conditions to effectiveness: Such policies will only work where the request from public authorities is compatible with EU law. When the request is incompatible, these policies would not suffice to ensure an equivalent level of protection.

Measure: Transparency and accountability measures - document access requests
Details: Organizations should document and record the requests for access received from public authorities and the response provided, together with the legal reasoning and the parties involved. In the case of the importer, these records should be made available to the data exporter, who should in turn provide them to the data subjects concerned.
Conditions to effectiveness: The law in the third country may prevent disclosure of the requests or parts thereof, thus undercutting the protection of the measure. The importer should be required to inform the exporter of its inability to provide such documents and records.

 

Measure: Transparency and accountability measures - regular publication of transparency reports
Details: There should be regular publication of transparency reports or summaries regarding governmental requests for access to data and the type of response submitted, to the extent publication of this information is permitted by local law. The information provided should be relevant, clear and as detailed as possible.
Conditions to effectiveness: The law in the third country may prevent disclosure of detailed information of this nature, in which case the data importer should use best efforts to publish aggregated statistics.

Measure: Organizational measures and data minimization
Details: Organizations should adopt strict access and confidentiality policies and best practices, monitored through regular audits and enforced through disciplinary measures. In line with the general principle of data minimization, only the minimum amount of personal data necessary should be transferred outside the EEA, so as to limit the risk of unauthorized access. For example, if the provision of a service only requires the transfer of a limited dataset, there is no need to transfer the entire database.
Conditions to effectiveness: According to the EDPB, strong disciplinary measures should be in place within the organization in order to monitor and enforce compliance with these policies. Prior to any transfer, the data exporter should assess the data to be transferred in order to identify those datasets that are not necessary for the transfer and which will therefore not be transferred. Data minimization measures should be accompanied by technical measures so as to ensure the data is not subject to unauthorized access.

Measure: Organizational measures - timely provision of data to the data protection officer
Details: Organizations should develop best practices to appropriately involve the data protection officer (where one is appointed) or the relevant internal and audit teams in international data transfers. The DPO, legal and audit teams should be provided with the relevant information before the transfer and must be consulted on the necessity of the transfer and the additional safeguards. Relevant information would, according to the EDPB, include, for example, the assessment of the necessity of the transfer, an overview of the laws of the third country, and the safeguards the importer has committed to implement.

Measure: Adoption of standards and best practices - regular review of internal policies
Details: Organizations should adopt and regularly review internal policies to ensure they remain current and fit for purpose, so as to ensure an equivalent level of protection to that guaranteed within the EU. Organizations should adopt strict data security and data privacy policies, based on EU certifications (such as ISO standards), in line with the state of the art, and having regard to the risk categories of the data being processed and the likelihood of attempts by public authorities to access it.

Measure: Restrictions on onward transfer
Details: Somewhat overlapping with the contractual measures above, organizations should obtain commitments from the data importer not to engage in any onward transfer of personal data within the same or other third countries, or to suspend ongoing transfers, when an equivalent level of protection of personal data to that within the EEA cannot be provided in the third country.

 

 


3. To transfer or not to transfer 

If the supplementary measures above, in combination with the transfer tool, provide a level of protection ‘essentially equivalent’ to that guaranteed in the EEA, then the data may be transferred.

In contrast, where organisations are not able to establish essential equivalence, the EDPB find that the transfer should not be made and that existing transfers should be stopped - if not, the competent supervisory authority may do that for them. The EDPB further advise that if an organisation decides to transfer notwithstanding the lack of essential equivalence, the exporter should notify the competent supervisory authority, in accordance with the specific provisions in the relevant transfer tool.

For many transfers the guidance will give no comfort. The big question now is whether regulators will enforce these words, and when. In this respect we will likely see different enforcement practice across Europe, including in terms of possible fines. Companies should therefore keep developments on this front under review, including at Member State level.

 
