The reverberations from the CJEU’s judgment in Schrems II continue with the publication of the EDPB’s final Recommendation on supplementary transfer tools. The Recommendation is uncompromising and intended to ensure the EU’s protective framework “must travel with the [personal] data wherever it goes”.

How did we get here?

The decision in Schrems II (Case C‑311/18) considered the rules on the transfer of personal data to third countries. The Court concluded that, while Standard Contractual Clauses (SCCs) were still valid, the underlying transfers must be assessed on a case-by-case basis to determine whether the personal data will be adequately protected. This is, in effect, a transfer impact assessment.

In light of this decision, the EU Commission recently released a new set of SCCs which had been updated to reflect the GDPR and Schrems II (discussed here). They set out a process whereby the parties to the SCCs must undertake a transfer impact assessment and document the outcome, but provide no real guidance on what the outcome of that process should be.

The EDPB’s Recommendation sits alongside those new SCCs and its earlier Recommendation on European Essential Guarantees. These Recommendations provide guidance on the substance of that assessment - namely the question of whether a transfer can take place. They take a strong stance reflecting the aim that transferring personal data to third countries “cannot be a means to undermine or water down the protection it is afforded in the EEA.”

The six-stage test

The EDPB proposes a six-stage process to assess the risks related to transfers. These steps are:

• Step 1: Identifying your data transfers (including onward transfers). The Recommendation notes that this must include onward transfers and sub-processing chains, and so is a “complex exercise”.
• Step 2: Identifying the transfer tools you are relying on. A risk assessment is required when relying on a safeguard mechanism, e.g. SCCs, BCRs. However, it is not required for transfers to an adequate jurisdiction or where the transfer is based on a derogation such as consent.
• Step 3: Where relying on SCCs or BCRs, assessing whether the transfer tool is effective in light of national law and practice of the importer.
• Step 4: Adopting supplementary measures where necessary, some of which are described in the guidance.
• Step 5: Considering whether any procedural steps are required, e.g. use of ad hoc SCCs might require approval by a data protection authority.
• Step 6: Re-evaluating at appropriate intervals.

The key to any transfer impact assessment is thus Stages 3 and 4.

Stage 3: Assessing local law

In the final Recommendation, the assessment at Stage 3 is demanding, requiring both that:

• Law: The formal law meets the four requirements of the European Essential Guarantees, namely that it: (i) is based on clear, precise and accessible rules; (ii) is necessary and proportionate; (iii) is subject to an independent oversight mechanism; and (iv) provides effective remedies to individuals; and
• Practice: The operation of law enforcement and national security agencies in practice does not undermine that protection, e.g. they do not access personal data in excess of those laws. Importantly, this assessment appears to also allow limited positive weighting. The Recommendation suggests that evidence that “problematic” legislation would not be applied to the relevant personal data can be considered but only where it is documented in a “detailed report” that is “endorsed by the legal representative of the exporter”. Similarly, evidence from the exporter that has not received requests for personal data is of assistance but only if it is corroborated and not contradicted by other evidence.

This assessment should be documented and should be provided to the relevant data protection authority on request.

The assessment is likely to be very burdensome. Local law enforcement and national security laws are typically complex and opaque, requiring specialist (and expensive) advice from local counsel to determine, on a case-by-case basis, which laws apply to the particular transfer and importer in question. The obligation to also consider how law enforcement and national security agencies use their powers in practice adds another difficult gloss, given these bodies do not always operate in the daylight.

This also risks creating a “shadow whitelist” of jurisdictions whose laws meet the European Essential Guarantees (albeit just for a particular transfer) but which are not formally recognised by the EU.

Where the Stage 3 assessment is that personal data will be properly protected, the transfer may go ahead, subject to appropriate safeguards being in place, such as entering into SCCs. If not, supplementary measures are required.

Step 4: Adopting supplementary measures

The Recommendation suggests that the measures might be technical, contractual or operational.

The greatest weight is given to technical measures. This is unfortunate, as the technical measures discussed in the Recommendation are narrow and limited. For example, there is no general acceptance of the use of a customer managed encryption key (CMEK). Instead, use of a CMEK is only considered effective if the data is encrypted in the EU and the CMEK is kept in the EU. To the extent the personal data is translated to plaintext in the third country for processing, even using a CMEK, that will not provide sufficient protection by itself. The other technical options (pseudonymisation, transfers to a protected recipient or sharding across multiple suppliers) are equally only likely to be relevant in limited circumstances or are impractical.

The Recommendation also sets out a range of contractual and organisational measures. Some of these are already set out in the new SCCs. However, surprisingly, there is little consideration of whether the provisions of the SCCs are themselves sufficient or require further enhancement.

Similarly, it is not clear if contractual and operational measures can make up for a lack of approved technical measures. The Recommendation cautions that “[c]ontractual and organisational measures alone will generally not overcome access to personal data by public authorities of the third country based on problematic legislation and/or practices”, without providing much by way of guidance on what mitigating effect they will have.

What about transfers to the US?

The Recommendation expressly considers transfers to the US. Interestingly, the analysis appears to hinge on whether the importer is subject to section 702 of FISA.

The example provided in the Recommendation suggests that, where the importer falls outside the scope of section 702, the transfer may proceed without any supplemental measures (other than entering into the new SCCs).

What about de minimis transfers?

In contrast, the Recommendation does not appear to address de minimis transfers or suggest that the analysis can be flexed where the relevant personal data presents very little risk, such as the transfer of business contact information.

While this seems likely to be a factor that can be considered both at Stage 3 and Stage 4, this is not set out expressly and such transfers still seem to require a full transfer impact assessment.

What about transfers from the UK?

The Schrems II judgment still forms part of UK law following Brexit, as it forms part of retained EU law. Thus, the obligation to conduct a case-by-case risk assessment in relation to any transfer under the SCCs applies in the UK just as much as it does in the EU. (Though any transfer it would have to be under the old SCCs, as the new SCCs are not recognised in the UK.)

However, there has been minimal guidance from the UK Information Commissioner on her approach to conducting transfer impact assessments. Given the UK’s stated desire to liberalise international transfers of personal data, it is not clear if the UK Information Commissioner will adopt the strict approach in the EDPB Recommendation.

What next?

There is no doubt that the obligations in the Recommendation are difficult and burdensome, but they flow directly from the Schrems II decision and EU data protection authorities have already started to take steps to clamp down on transfers of personal data outside the EU. That trend is likely to accelerate now that the EDPB has finalised its guidance.

In some cases, this means the best solution may be to just stop transferring personal data outside of the EU altogether (other than to adequate jurisdictions or where a derogation applies). Where this is not possible, it is important to now properly review those transfers to ensure that personal data will continue to be protected.

The EDPB’s final Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data is here and the final Recommendations 02/2020 on the European Essential Guarantees for surveillance measures is here.

By Peter Church