20.11.2020

Following the “Schrems II” decision of the European Court of Justice: on the permissibility of international data transfers

Recommendations 01/2020 and 02/2020 of the European Data Protection Board

Background

In its “Schrems II” landmark ruling (cf. https://www.luther-lawfirm.com/en/newsroom/blog/detail/ecj-overturns-eu-us-privacy-shield-regulatory-authorities-and-companies-comment-on-the-ruling-overview​​​​​​​ )), the European Court of Justice (ECJ) confirmed the general validity of the standard contractual clauses. It also stressed, however, that concluding standard contractual clauses, which, by their nature, cannot bind third country public authorities, will not suffice if the law in force in the third country jeopardises the effectiveness of the protection of personal data afforded by the agreed standard contractual clauses. According to the ECJ, supplementary measures need to be taken in such a case. However, the Court did not specify these measures.

On 10 November 2020, the European Data Protection Board (EDPB) published two sets of recommendations (“Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” and “Recommendations 02/2020 on the European Essential Guarantees for surveillance measures”) which are intended to help companies (data exporters) assess the lawfulness of their data transfers to third countries. These recommendations contain information about how to deal with surveillance measures in third countries and suggestions for the identification of the supplementary measures that should be put into place in addition to concluding standard contractual clauses. To this end, the EDPB suggests carrying out an assessment in 6 steps.

Roadmap of the European Data Protection Board

Step 1: Identifying one’s own data transfers to third countries

Data exporters need to be aware of all their transfers of personal data to third countries.

This should be a matter of course; however, practice shows that many companies do not have a complete overview of their own data processing activities. Things are easier for companies that comply with the obligation to keep records of processing activities, as these processing records contain information about whether transfers are made to third countries (cf. Article 30(1)(e) GDPR). A company’s own privacy notices may also contain information about data transfers to third countries (Article 13(1)(f), Article 14(1)(f) GDPR). Please note that also data transfers carried out by European processors to their subcontractors need to be taken into account as data transfers to third countries; such transfers might, for example, take place in connection with the use of cloud services if the data centre as such is located within the EU and the US parent has access (for example, for support purposes).

Step 2: Identifying/verifying the transfer tools relied upon

If none of the derogations listed in Article 49 GDPR (for example, any consent given) can be relied upon, data exporters need to verify which of the transfer tools referred to in Article 46 GDPR (for example, adequacy decisions, Binding Corporate Rules (BCRs) or standard contractual clauses) are being used as a basis for their identified transfers of personal data to third countries and check whether these transfer tools that are being relied upon continue to be valid.

Step 3: Examining the law of the third country to assess the effectiveness of the transfer tool relied upon

The third step is then to examine whether the transfer tool relied upon provides sufficient protection in practice.

Data exporters should carefully assess, where appropriate in collaboration with the data importer, whether the law of the third country or any practices there might impair the effectiveness of the transfer tool that is being relied upon to create an adequate level of protection for personal data in the third country.

The ECJ and the EDPB expect data exporters to carry out a comprehensive assessment of the lawfulness of their data transfers which takes into account the elements listed in Article 45(2) GDPR (ECJ, Judgment of 16 July 2020 – Schrems II, paragraph 105) and which, therefore, ultimately corresponds to the assessment of the adequacy of the data protection level in a third country carried out by the Commission before issuing an adequacy decision.

Priority should be given to examining whether and to what extent (surveillance) legislation exists that deals with access to data by public authorities (for example, intelligence services, law enforcement authorities or regulatory authorities).

Requirements to be met by surveillance legislation – European Guarantees

According to the EDPB, an assessment should be carried out with regard to such statutory rights of access for public authorities to determine whether the relevant legislation meets the requirements under the “European Essential Guarantees” (Guarantees), as described in more detail in the EDPB Recommendations 02/2020. Only if this is the case can the legislation that provides for rights of access for public authorities be considered acceptable; otherwise, the level of data protection provided in the third country cannot be considered to be essentially equivalent to that guaranteed in the EU and, therefore, no data transfers may be carried out.

According to the above, any surveillance legislation must meet the following requirements:

Guarantee A: the processing described in the legislation must be based on clear, precise and accessible statutory rules;

Guarantee B: the processing carried out in pursuit of legitimate objectives must be necessary and proportionate;

Guarantee C: there must be an independent oversight mechanism; and

Guarantee D: effective remedies need to be available to the person concerned.

This is, for example, not the case with Section 702 of the US Foreign Intelligence Surveillance Amendment Act (FISA), whose provisions interfere disproportionately with the fundamental freedoms of the person concerned; this is why a data transfer to a data importer who is subject to this legislation can only be carried out if additional technical measures are put into place that render access by the US authorities to the transferred data impossible or ineffective.

The EDPB has suggested adding contractual provisions under which the data importer is obliged, for example, to enumerate the laws applicable to it that would permit access by public authorities to the data or, in the absence of such laws, to provide the data exporter with information and statistics about access by public authorities to personal data in similar processing situations. Furthermore, the data importer could be required to confirm that the software it uses does not contain any backdoors that would allow national public authorities to access the data and, where the data importer is in possession of the encryption key to the encrypted data, that it is not obliged to deliver this key to any public authorities.

The EDPB has pointed out that the assessment needs to take into account the details of the concrete data transfer, for example:

  • the purpose of the processing;
  • the business sector concerned;
  • the categories of personal data;
  • the details regarding storage and remote access; and
  • the data format used,

as context-specific national rules may exist in the third country.

The assessment should also take into consideration whether, based on precedents, legislation or any other practices known, it appears likely that public authorities will seek to access the data with or without the data importer’s knowledge or even intercept data.

Step 4: Identifying and adopting supplementary measures

If the assessment carried out reveals that the legal system in the third country might impair the effectiveness of the transfer tool relied upon, data exporters will be obliged to identify and adopt technical and organisational measures that are suitable to compensate for this lack of data protection and create an adequate level of protection.

It may be necessary to combine several measures. The EDPB has pointed out that contractual or organisational measures alone will be inadequate, for example, to prevent access by public authorities in the third country. In such a case, only technical measures (such as encryption) might impede access by public authorities (for example, for surveillance purposes) or make such access ineffective. In Annex 2 to the EDPB Recommendations 01/2020, the EDPB has given examples of possible measures based on “use cases”.

One of these use cases concerns data storage for backup purposes that does not require access to data in plain text form. In that case, access to data by public authorities can be prevented by means of strong encryption, provided it is ensured that the key is under the sole control of the data exporter. Another use case concerns data processing for research purposes, where access by public authorities can be prevented by transferring exclusively pseudonymised data, for example.

If, however, the data importer (for example, a cloud service provider) needs to access the real data/plain text data to be able to perform its contractual obligations and public authorities have rights of access that go beyond what could be considered necessary and proportionate, this is a scenario, according to the EDPB, where no effective supplementary measures can be found. The same applies correspondingly to access within a group of companies if a group company in a country that does not have an adequate level of data protection is intended to be granted access to personal data that is in plain text form.

If adequate supplementary measures that could compensate for the jeopardised protective effect of the transfer tool relied upon cannot be found, data exporters must refrain from exporting data.

Step 5: Taking procedural steps

The procedural steps to take depend on which of the Article 46 GDPR transfer tools is being relied upon.

Standard contractual clauses, for example, may be supplemented as long as the supplementary provisions do not directly or indirectly conflict with the standard contractual clauses. If conflicting supplementary provisions are added, the modified clauses will be subject to authorisation from the competent supervisory authority (Article 46(3)(a) GDPR).

The EDPB has rightly pointed out that the “Schrems II” decision also applies to BCRs and has announced it will shortly comment on how to handle BCRs.

Step 6: Re-evaluating continually the level of protection afforded to the data transferred

As a result of its accountability (Article 5(2) GDPR), the data exporter must continually monitor the level of data protection in the third country and, in particular, identify any developments that might impair the protection of the personal data transferred. Sufficient mechanisms should be put into place to ensure that the data transfer can be suspended or ended without undue delay if the data importer breaches any of its obligations arising from the transfer tool that is being relied upon, or if any supplementary measures taken are no longer effective in the third country.

Practical information

In keeping with the “Schrems II” decision, the EDPB defines strict requirements for the assessment to be carried out by companies to ensure the lawfulness of their data transfers to third countries. Many companies will hardly be able to complete this assessment.

At the same time, audits by the supervisory authorities are becoming more and more likely, as already four months have passed since the ECJ issued its “Schrems II” decision and as the supervisory authorities have by now made known their legal view that numerous international data transfers are unlawful. In particular companies that have not documented any activities in this regard are threatened with heavy fines.

What needs to be done?

Companies should, therefore, start without undue delay to identify their international data transfers and (re-)assess the lawfulness of these transfers. They should ensure their technical and organisational measures are in line with the EDPB recommendations; in particular, they should assess whether access to unencrypted data is absolutely necessary.

Depending on the risk a company is prepared to take, it should then be decided in each particular case, upon due consideration of all the circumstances, whether or not to continue the data transfers. We would be happy to assist you with this assessment.

Author
Dr Christian Rabe

Dr Christian Rabe
Senior Associate
Hamburg
christian.rabe@luther-lawfirm.com
+49 40 18067 14946