International transfer of personal data: EDPB final recommendation

By Massimo Maggiore and Data Protection team

The bar for regulatory compliance that applies to international transfers of personal data to non-EEA countries has been dramatically raised.

This is the result of the much-debated Schrems I (2015) and Schrems II (2020) cases of the CJEU, which led to the annulment of both the EU-US Safe Harbor and the Privacy Shield.

It is counterintuitive that the flow of personal data be constrained in a natively boundaryless digital world. Yet, while the Internet has no boundaries, nation states have jealously maintained their sovereignty in deciding the extent to which personal data may be accessed, in particular by law enforcement authorities. As the protection of personal data from undue intrusion and mass surveillance is a constitutional fundamental right in the EU, this is where the EU legal framework has put a warning. Data exporters based in the EEA should be aware of the regulatory environment of the destination of the data they process because, however innocent and well-meant the processing may be, data imported into a given sovereign State are subject to local regulations that may pay much less deference to personal data protection than is required under the EU framework. Clarification of what exporters should do when exporting data is now provided by the EDPB.

 

In November 2020 the EDPB published a first version of recommendations on supplementary measures for international transfers of personal data. The Board then released on 21 June last its finalized recommendations (the so-called “Version 2.0”), which include some changes compared to the previous version, taking into account the comments received during the public consultation phase.

 

Following these CJEU Schrems decisions, the transfer of personal data outside the EU must now be carried out under a more stringent test, in the sense that the level of protection in third countries must be “essentially equivalent” to the one existing in the European Economic Area (EEA) based on the GDPR and the EU Charter of Fundamental Rights.

 

In this framework, the new version of the Board’s recommendations encompasses 6 steps to ensure proper protection when it comes to data transfers. For each transfer, the effectiveness of the appropriate safeguards provided for in Article 46 GDPR must be verified on a case-by-case basis and, if needed, supplementary measures should be taken to guarantee a sufficient level of protection.

 

EDPB Final Recommendations on International Transfers of Personal Data

Based on the recommendations, controllers and processors within structures that export personal data outside the EU should:

 

  • Map data transfers during the whole transfer process and check that the data transferred is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (following GDPR principles);
  • Identify the appropriate data transfer mechanisms, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs) for repetitive transfers; derogations are limited to occasional transfers in “specific situations” that must remain exceptional. When a third country has already been declared adequate by the European Commission, the exporter only has to monitor the adequacy and does not need to rely on a further transfer tool;
  • Assess the legal system of recipient countries, both at the level of the law itself and of the practices in force, to check whether personal data and the rights of data subjects are effectively protected. According to the Board, looking at the practices of public authorities and the extent to which they have access to data is particularly relevant when the law is not applied or does not comply with EU standards. Problematic legislation should be identified and should lead to the suspension of the transfer or the implementation of adequate supplementary measures, or in certain cases to the transfer without supplementary measures if the exporter is able to demonstrate that there is no reason to believe that the problematic legislation will be interpreted and/or applied in practice in a way that covers transferred data;
  • Consider the adoption of supplementary measures if it is established that the third country’s legislation or government practices go against the Article 46 GDPR safeguards. These can be technical (e.g. putting in place technological tools such as encryption), contractual (e.g. enshrining in the contract further powers for the data exporter to audit the data importer) or organizational (e.g. adopting internal policies with clear allocation of responsibilities for data transfers) measures, to ensure an essentially equivalent protection. Exporters should carry out a diligent case-by-case assessment of the effectiveness of the third country’s laws and practices in order to adopt specific and suitable supplementary measures. In some cases, no supplementary measure will be suitable and the transfer will have to be suspended or terminated;
  • Take all the formal and procedural steps required by the adoption of the chosen supplementary measures. The Board states that it can be useful to consult the competent supervisory authorities on some of the formalities;
  • Keep data transfer arrangements under review, that is to say, re-evaluate at appropriate intervals the level of protection they provide and monitor whether there have been or will be any developments that may affect personal data.

The recommendations are overall consistent with the principle of accountability (under Article 5.2 of the GDPR) to which controllers and processors are subject, as recalled by the EDPB in its document.

This 2.0 version shows some changes when compared to the first draft. In particular, more emphasis was put on the importance of examining the practices of third country public authorities in the overall assessment of the level of data protection. The version also provides for an option to consider the practical experience of the third countries in the assessment and gives some further indications concerning the situations in which the importer’s legislation allows its authorities to access the data transferred.

Finally, the annexes to the document list examples of supplementary measures, as well as possible sources of information for assessing a third country.

 
