Post-Schrems II: How To Check The Compliance Of Your Personal Data Transfers?

The European Data Protection Board (EDPB), composed of representatives of European data protection authorities and the European Data Protection Supervisor, issued recommendations on November 10, 2020 to help organizations ensure an adequate level of protection for personal data transferred outside the European Economic Area1.

Background:

On October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated Safe Harbor, an agreement between the European Commission and the United States that allowed U.S. companies that adhered to it to transfer the personal data of EU residents to the United States (Schrems I ruling).

On July 16, 2020, the CJEU invalidated, on the one hand, the Privacy Shield, the short-lived successor to Safe Harbor, and validated, on the other hand, the standard contractual clauses adopted by the European Commission and used to transfer personal data from the European Union to a third country (Schrems II judgment). The CJEU recalled, however, that a data transfer based on such clauses must ensure the adequate level of protection required by Article 45 of GDPR, i.e., allow for “a level of protection of fundamental rights and freedoms substantially equivalent” to that guaranteed within the European Union by Regulation (EU) No. 2016/679 of 27 April 2016 (General Data Protection Regulation, GDPR), read in light of the Charter of Fundamental Rights of the European Union.

Standard contractual clauses may thus not be a sufficient means of ensuring, in practice, effective protection of transferred personal data. The law of the receiving country may, for example, allow public authorities to interfere with the rights of individuals. Indeed, these clauses, which are binding on the parties to the contract, are not necessarily binding on the public authorities of third countries.

There therefore arose the question of the practical implementation of this decision, in line with the principle of accountability of the actors (“accountability“), and more specifically the assessment of the level of data protection by organizations wishing to transfer data to third countries as well as the adoption of “complementary measures.” This assessment is required regardless of the legal mechanism used and thus for data transfers made on the basis of standard contractual clauses as well as binding corporate rules (Binding Corporate Rules, BCR).

The steps to follow:

The EDPS has identified the following six steps:

1. Identify transfers

Organizations exporting personal data must first identify all of their data transfers to countries that are not members of the European Economic Area. For example, this could be HR data sent to the parent company or customer data stored in a CRM hosted in the United States.

This mapping can, if necessary, be carried out by referring to the register of processing activities as well as to the information already communicated to the persons in the collection forms, on the website… (Articles 13 and 14 of GDPR do indeed impose an obligation to inform people about transfers towards third countries) and, if the organization has designated one, with the support of the Data Protection Officer, who already has a global knowledge of the implemented transfers.

If you wish, DPO Consulting is there to accompany you as an outsourced data protection officer.

During this step, the data exporter also verifies if the transferred data are adequate, relevant and limited to what is necessary for the purposes for which they are transferred and processed in the recipient country (principle of minimization).

2. Check transfer tools

Once the various transfers have been identified, organizations determine which transfer tool they wish to use and, first, whether the recipient country has received an adequacy decision from the European Commission (Argentina, Israel, Japan, New Zealand, Switzerland, etc.) and for which sector (Canada’s adequacy only concerns processing carried out in the context of commercial activities). The organization then has no further steps to follow, but must regularly verify that the adequacy decision has not been revoked by the Commission or invalidated by the CJEU.

Failing that, the transfer must be framed by other tools, including:

• standard contractual clauses;
• binding corporate rules;
• codes of conduct;
• certification mechanisms;
• ad hoc contractual clauses.

The European Commission, moreover, published its draft new standard contractual clauses2on November 12, 2020. This revision was long overdue, as the template clauses for a transfer between two data controllers (Decisions 2001/497/EC and 2004/915/EC) or from a data controller to a data processor (Decision 2010/87/EU) were adopted before GDPR came into force). These clauses are modular in order to cover all transfer situations:

• Processor to controller;
• Processor to processor;
• Subprocessor to controller.

3. Assess the legal regime of the receiving country

It is the responsibility of the data exporter, if necessary in collaboration with the data recipient, to determine whether the legislation of the third country does not, in practice, hinder the effectiveness of the guarantees provided by the transfer tool used. This assessment is conducted diligently and is documented. The draft new standard contractual clauses take note of the Schrems II ruling by requiring the data exporter to document the analysis performed and make it available to the relevant data protection authority upon request.

This analysis must take into account all actors involved (including subsequent subcontractors), possible subsequent transfers as well as the circumstances of the transfer: the purpose of the transfer (marketing, HR, clinical trials, etc.), the nature of the data transferred (sensitive data, data concerning minors subject to specific legislation in the third country, etc.), whether the data is going to be hosted in the third country or only accessible remotely, etc.

Organizations must also verify whether data subjects will be able to exercise their rights (access, rectification, deletion of transferred data, etc.), including their right to an effective remedy.

The analysis should be based primarily on applicable law and, where this is not sufficient, on relevant objective factors, not subjective factors, such as the likelihood of access by public authorities in the third country, as well as on evidence obtained from other sources, such as precedents or practices demonstrating the ability of public authorities to access data directly from the data recipient or by intercepting data in transit.

The European Essential Safeguards Recommendations adopted by the EDPB on November 10, 2020 will help organizations determine whether access to personal data by public authorities in third countries (national security agencies, law enforcement authorities, etc.) can be viewed as a necessary and proportionate measure in a democratic society. The CJEU has, for example, considered that this was not the case with Section 702 of the Foreign Intelligence Surveillance Act (FISA) adopted by the United States (Schrems II, §184). Therefore, additional measures have to be considered when the importer or any subsequent recipient of the data is subject to this law.

It is recommended that the exporter of the data seek advice from the recipient on the applicable law, if necessary by writing this obligation into the contract. Indeed, the draft revised standard contractual clauses provide for this, in addition to requiring both parties to ensure that they have no reason to believe that such legislation prevents the data importer from fulfilling its contractual obligations.

4. Identify additional measures

If the analysis conducted by the data exporter indicates that the legislation applicable to the data importer could impact the effectiveness of the transfer tool, the agencies shall determine whether additional measures can be deployed to ensure a level of protection substantially equivalent to that guaranteed in the EU, if necessary in collaboration with the data importer. These measures may be (1) technical, (2) contractual, and/or (3) organizational. They are determined on a case-by-case basis for each contemplated transfer and depending on the format (clear, pseudonymized or encrypted) and nature of the data.

(1) The EDPB emphasizes that technical measures are likely to be most effective against the threat of foreign surveillance, for example:

• hosting in a third country of data encrypted in accordance with the state of the art, where the encryption key is held by the data exporter or another entity based in the EU or a country benefiting from an adequacy decision of the European Commission;
• pseudonymization of the data with the retention of the concordance table and any other means of re-identification by the data exporter;
• processing is split between multiple processors based in different countries such that none of the processors alone can reconstruct the data.

(2) The contractual measures will consist, for the EDPB, in putting in place an obligation of transparency of the data importer on the legislation applicable to it, in requiring it to regularly notify the exporter that no request for disclosure of the data has been made by the public authorities (the “Warrant Canary” method), or to monitor the legality of such a request and to challenge it if necessary.

The European Commission’s draft standard contractual clauses, for its part, require the data importer to promptly inform the data exporter and, if possible, the data subjects, when it receives a disclosure request from a public authority or if it becomes aware of direct access by the authority to the transferred data. If the data importer is prohibited from making such a notification, it must make efforts to obtain an exemption from the prohibition and document its efforts. In addition, the data importer will be required to consider the legality of any disclosure request made to it, and to exhaust, if appropriate, available remedies to challenge it and, pending a judgment on the merits, to seek interim relief to suspend its effects.

(3) Organizational measures, finally, will take the form of internal policies, procedures framing access, confidentiality and data minimization, regular audits..

If no additional measures are possible or if the measures identified do not provide a substantially equivalent level of protection (in particular if the third country’s legislation may deprive these measures of effectiveness), the organization must avoid, suspend or terminate the data transfer.

National data protection authorities (in France, the Commission nationale de l’informatique et des libertés) also have jurisdiction to suspend or prohibit transfers to third countries implemented on the basis of standard contractual clauses or binding corporate rules.

5. Adopt these measures

Organizations must adopt any additional measures necessary to ensure a substantially equivalent level of protection for transferred personal data.

Where the transfer is based on standard contractual clauses, it will not be necessary to seek authorization from the data protection authority for additional clauses or measures, as long as they do not directly or indirectly contradict the standard contractual clauses and ensure a substantially equivalent level of protection.

6. Periodically re-evaluate the level of data protection

A duty to monitor the measures taken, their application and changes in the applicable legislation in the third country finally falls on data exporting organizations, where appropriate with the cooperation of the recipient of the data. Accountability is indeed a continuing obligation of the parties.

Reassessment may be necessary with the aim of ensuring a compliant level of protection with, as a consequence, a possible suspension or termination of transfers.

1) These recommendations are subject to public consultation and may therefore be subject to change.

2) These revised standard contractual clauses are also subject to public consultation.

– Maurice Monnot

Our solutions

GDPR and Compliance

• GDPR Software (myDPO)
• GDPR Compliance Audits
• Privacy Impact Assessments (PIA)
• Clinical Trial Compliance

Outsourced DPO & Representation

• Outsourced DPO
• International DPO
• EU Representative
• UK Representative
• US Privacy Services

Training & Support

• Customized DPO Coaching
• GDPR Training

‍