On 16 July 2020, the ECJ overturned the EU-US Privacy Shield with its “Schrems II” decision, concluding that the US does not have an adequate level of data protection. The ruling shows in particular that the US authorities have access to comprehensive and warrantless mass surveillance of US and EU citizens. A further problem is that judicial control of this surveillance and data processing is not possible, or only possible to a limited extent, because the Privacy Shield does not provide for corresponding safeguards. The possibility of turning to the ombudsman is not recognised by the ECJ as sufficient, as its independence and binding decision-making power vis-à-vis US intelligence services are doubted. On 8 September 2020, the Federal Data Protection and Information Commissioner (FDPIC) endorsed the ECJ’s view. The legal situation regarding international data transfers is therefore currently characterised by great uncertainty. With its step-by-step plan, the EDPB directly addresses the companies concerned and sets out the precautions required if personal data are to be transferred to third countries outside the EEA.
In its recommendations, the EDPB specifies a six-stage plan of additional protective measures to ensure a sufficient level of data protection.
Step 1 – «Know your Transfers»
Data exporters must know about their data transfers (“know your transfers”) by identifying and verifying them. What is meant here is the actual transfer of data, which is why data flows within the company, processing relationships and subcontractors must also be identified and checked. The practical implementation of this measure is questionable given the lack of transparency on the part of providers.
Step 2 – «Verify the Transfer Tool your Transfer relies on»
In a second step, the appropriate safeguards must be determined, as provided for in Art. 44 et seq. DPA (and also in Art. 6 DPA). The data transfer must be capable of being based on one of these safeguards. Examples are standard contractual clauses, binding corporate rules or consent in the individual case. An adequacy decision under Art. 45 GDPR can also serve as such an instrument, but since Schrems II no such instrument exists for the USA.
Step 3 – “Assess the law or practice of the third country”
In a third step, it must be evaluated whether the legal system and the practice of the third country could jeopardise compliance with, and thus the effectiveness of, the safeguards on which the data transfer is based. In particular, comprehensive and disproportionate access to personal data by the authorities of the third country must be taken into account.
Step 4 – «Identify and adopt supplemental Measures»
The fourth step represents the core concern of the EDPB. It applies if the assessment after step 3 shows that the third country legislation and practice poses certain risks. Additional measures must then be identified and taken to bring the level of protection of the transferred data up to the EU standard. These measures are of a technical, contractual or organisational nature. Annex 2 of the recommendations contains detailed guidance on additional protective measures that can be taken in certain scenarios in addition to the safeguards taken pursuant to Art. 46 EU GDPR.
- Technical measures
Technical measures should be considered to ensure a sufficient level of data protection during the transfer.
An example: a cloud provider or a foreign company processes the data in the clear, i.e. the data is often not encrypted. State-of-the-art encryption is therefore a possible technical measure. If the data is transferred to a third country outside the EEA, it must be encrypted before the transfer, and the corresponding key must itself be managed under adequate protection, i.e. it must remain with the exporter. With such end-to-end encryption, the data can be transmitted securely through a third country without the importer or its authorities being able to read it.
Another variant is the pseudonymisation of the data. This can be done, for example, for research purposes before the data is transmitted. In this case, it must be ensured that the information for re-identification is only available to the exporter, that protected storage is guaranteed and that the data is generally protected by sufficient measures.
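Added example (not code from the page or from the EDPB): a keyed pseudonymisation step of the kind just described, where the HMAC key and the re-identification table remain with the exporter and only tokens plus the attributes needed for research leave the EEA; the records, field names and key are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample records held by the EU data exporter (no real persons).
RECORDS = [
    {"patient_id": "CH-10023", "email": "anna@example.org", "age": 54, "diagnosis": "E11"},
    {"patient_id": "CH-10024", "email": "ben@example.org", "age": 61, "diagnosis": "I10"},
]

# Direct identifiers that must never leave the exporter's environment.
DIRECT_IDENTIFIERS = ("patient_id", "email")


class Pseudonymiser:
    """Keyed pseudonymisation: key and re-identification table stay with the
    exporter; the importer only ever sees tokens and research attributes."""

    def __init__(self, key=None):
        # Secret held only on the exporter's side (e.g. in an HSM or KMS).
        self.key = key or secrets.token_bytes(32)
        self.reidentification_table = {}

    def token_for(self, identifier: str) -> str:
        # HMAC rather than a plain hash: without the key, an importer cannot
        # recover identifiers by hashing the small space of candidate IDs.
        return hmac.new(self.key, identifier.encode(), hashlib.sha256).hexdigest()[:32]

    def pseudonymise(self, records):
        out = []
        for rec in records:
            token = self.token_for(rec["patient_id"])
            self.reidentification_table[token] = rec["patient_id"]  # stays in the EEA
            attrs = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            out.append({"token": token, **attrs})
        return out

    def reidentify(self, token: str):
        # Only the exporter can do this; the importer has neither key nor table.
        return self.reidentification_table.get(token)


def export_payload(pseudonymiser: Pseudonymiser, records) -> str:
    """Serialise exactly what would be transferred to the third country."""
    return json.dumps(pseudonymiser.pseudonymise(records))


def contains_direct_identifier(payload: str) -> bool:
    """Pre-transfer check: refuse export if any direct identifier value leaked."""
    values = [str(r[k]) for r in RECORDS for k in DIRECT_IDENTIFIERS]
    return any(v in payload for v in values)
```

The pre-transfer check is the control point: if it ever returns True, the export pipeline should stop rather than fall back to contractual assurances alone.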
- Contractual measures & organisational measures
Contractual measures can be used to ensure that the measures taken and guarantees agreed upon are adhered to by the provider or service provider. Organisational measures may include the use of policies, processes and standards of the data exporter.
However, contractual and organisational measures alone cannot prevent access to personal data by authorities of the third country. Only technical measures actually prevent such access. In these situations, contractual and organisational measures can only complement the technical measures and strengthen the general level of data protection.
Step 5 – «Take any formal Procedure Steps»
In the fifth step, the additional measures identified must be implemented, on the one hand with the cooperation of the data importer in the third country, where applicable, and on the other hand in consultation with the competent supervisory authorities.
Step 6 – «Reevaluate your Data Transfer at appropriate Intervals»
Lastly, the measures taken must be reviewed regularly to determine whether they continue to meet the requirements. This review obligation also extends to the legal and factual circumstances in the third country. If those circumstances change, the additional measures for that third country may also have to be changed.
We are glad to support you
Although the EDPB’s recommendations make it easier for companies to get an overview of the measures to be taken, it is not easy to implement them. We are happy to support you in analysing and executing the necessary steps to ensure that your data transfers continue to comply with the applicable data protection regulations.