In 2016, the European Commission recognised the Privacy Shield as a mechanism providing an adequate level of protection upon the transfer of personal data from the European Union to companies in the USA self-certified as participating organisations. In its recent judgment C-311/18 (Schrems II), the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield. The CJEU articulated that the protection granted to personal data in the European Economic Area (“EEA”) must travel with the data wherever the data goes and emphasised that transferring personal data to third countries must not result in a lessening of the protection the personal data is afforded in the EEA.
On 10 November 2020, the European Data Protection Board (“EDPB”) published a draft of the long-awaited recommendations document on the measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (the “Recommendations”). The Recommendations set out six steps to be followed when transferring personal data outside of the EAA. Because the Recommendations are open for public consultation until 21 December 2020, it is recommended that data exporters continue to monitor the developments. Significant amendments are, however, unlikely and organisations should prepare to implement the EDPB’s six step process described below.
Six Steps to Success
The EDPB set out the following six step plan to be followed by data exporters to ensure the protection of personal data:
- Data transfer recording and mapping;
- Transfer mechanism identification;
- Assessment of the law and practice of the third country;
- Identification and adoption of supplementary measures;
- Formal procedural steps; and
- Regular evaluation.
Data transfer mapping
Data exporters must diligently map out their data transfers, including onward transfers of personal data by the data importer (e.g. transfers by the data importer to a processor in the same third country or another third country).
Transfer mechanism identification
Data exporters must identify which transfer mechanism among those listed in Chapter V of the GDPR they rely on for the purposes of each transfer (e.g. adequacy decisions, standard contractual clauses, codes of conduct, certification mechanisms, ad hoc contractual clauses, derogations).
Assessment of the law and practice of the third country
The Recommendations expressly state that the simple selection of a Chapter V transfer mechanism does not automatically result in fulfilment of the data exporter’s obligations with respect to the protection of the exported data. The data exporter must assess whether the law or practice of the third country could impede the effectiveness of the appropriate safeguards of the transfer mechanism. The EDPB goes as far as to suggest that the data exporter must study the domestic legal order of the country to which the data is transferred in order to ascertain whether the transfer mechanism will be sufficient to ensure an appropriate level of protection of the personal data.
In case the assessment reveals that the transfer mechanism chosen does not effectively ensure an essentially equivalent level of protection, the data export must either put in place effective supplementary measures or refrain from effecting/ discontinue the transfer.
Identification and adoption of supplementary measures
If the assessment of the law and practice of the third country reveals that the transfer mechanism fails to guarantee an equivalent level of protection, the data exporter must identify whether supplementary measures exist which, in conjunction with the transfer mechanism, would secure an essentially equivalent level of protection for the personal data. These supplementary measures may be of a contractual (e.g. transparency obligations, obligations to take specific actions), technical (e.g. encryption, pseudonymisation) or organisational nature (e.g. adoption of internal policies and best practices).
If the assessment reveals that the transfer mechanism fails to guarantee an equivalent level of protection, and the data exporter cannot identify supplementary measures which, in conjunction with the transfer mechanism, would secure an essentially equivalent level of protection for the personal data, the transfer must be suspended or terminated and all data already transferred must be returned or destroyed.
Formal procedural steps
The formal procedural steps a data exporter may need to take (if any) depend on the transfer mechanism chosen. For instance, if the intention is to put in place supplementary measures in addition to the standard contractual clauses, there is no requirement to request an authorisation from a supervisory authority. However, if the data exporter intends to modify the standard contractual clauses, the authorisation of the supervisory authority must be sought.
The data exporter must regularly evaluate the effectiveness of the supplementary measures put in place as well as the commitment of the data importer to the protection of personal data.