Recommendations of EU authorities for international data transfers

The Court of Justice of the European Union (CJEU) judgment of July 16, 2020 on case c-311/18 (“Schrems II Judgment”) (i) invalidated the Privacy Shield, which provided the basis for most personal data transfers to the United States; and (ii) confirmed the validity, in general terms, of the SCCs or European Commission Standard Contractual Clauses.

Recommendations of EU authorities for international data transfers
November 12, 2020

The Court of Justice of the European Union (CJEU) judgment of July 16, 2020 on case c-311/18 (“Schrems II Judgment”) (i) invalidated the Privacy Shield, which provided the basis for most personal data transfers to the United States; and (ii) confirmed the validity, in general terms, of the SCCs or European Commission Standard Contractual Clauses. As discussed in this blog, the judgment has created an atmosphere of growing tension and uncertainty, commented on by various EU authorities.

In line with this trend, the European Data Protection Supervisor (“EDPS”) recently published a strategic document (mostly addressed to EU institutions and bodies) (i) providing an action plan to achieve medium-term compliance of all international transfers of data with the Schrems II Judgment; and (ii) highlighting the priorities. These priorities include controller to processor contracts and processor to sub-processor contracts involving transfers to third countries. The EDPS also recommends avoiding new processing operations or new agreements with service providers entailing international transfers to the US.

The European Data Protection Board (“EDPB”) just adopted a set of recommendations (the “Recommendations”) on measures supplementing the SCCs to ensure a level of protection for international data transfers equivalent to that of the European Union.

As discussed before, the Schrems II Judgment concluded that, despite the SCCs generally affording safeguards for transfers of data to processors outside the European Economic Area (“EEA”), data controllers relying on these safeguards to transfer data outside the EEA should verify, on a case-by-case basis (and, where appropriate, together with the recipient), that the third country’s legislation ensures an adequate level of protection.

The Recommendations include a roadmap to help data exporters to (i) find out if they need to implement supplementary measures to the SCCs; and (ii) where appropriate, to identify the appropriate measures. See the Recommendations below:

  • “Know your transfers.” Data exporters must be aware of all international data transfers and of the circumstances in which they take place. It is an essential step to fulfill the obligations arising from the accountability principle.
  • “Identify the transfer tools you are relying on.” If your transfer neither relies on an adequacy decision, nor on an article 49 GDPR derogation, pay particular attention to the next recommendation.
  • “Assess whether the article 46 GDPR transfer tool you are relying on is effective in all circumstances,” since it must afford an equivalent level of protection.
  •  “Adopt supplementary measures,” considering aspects such as the format of the data transferred, the nature of these data or the length and complexity of data processing. To do so, the document gives some examples of scenarios that can be helpful.
  • “Implement procedures if you have identified effective supplementary measures,” which will depend on the chosen transfer tool.
  • “Monitor and re-evaluate:” Accountability is a continuing obligation, so data exporters must monitor, on an ongoing basis, any developments in third countries affecting the initial assessment of the level of protection afforded by these countries.

Despite being applicable, these Recommendations are subject to public consultation, which will remain open to the parties concerned until November 30.

Also, the EDPB has adopted Recommendations on the European Essential Guarantees for surveillance measures (supplementing the previous ones). They provide elements to determine if the legal framework regulating access to data for law enforcement purposes by the third country’s authorities can be considered a justifiable interference with the rights to privacy and data protection.

Both the EDPS and the EDPB note that the data processor transferring the data outside the EEA will be ultimately responsible for assessing (i) the context of the transfer; (ii) the third country’s enforcement provisions; and (iii) the transfer tool, according to the accountability principle established in the GDPR.

Authors: Ana Sánchez and Jorge Monclús

November 12, 2020