Significant Regulatory Developments Regarding Data Transfers under the GDPR
15 November 2020
Technology & eCommerce Regulation in the Spotlight
The European Data Protection Board (“EDPB”) has published its recommendations on transfers of personal data from the EU to third countries under the General Data Protection Regulation (“GDPR”).
The recommendations follow up on the ruling of the European Court of Justice (“ECJ”) in the “Schrems II” case in July 2020. As we recently reported, in this case the ECJ invalidated the Privacy Shield Framework for data transfers between the EU and the US, but reaffirmed the compliance of the Standard Contractual Clauses (“SCCs”) with the GDPR, subject to certain limitations.
Under these limitations, the SCCs can only be relied upon if the controllers or processors, acting as data exporters, ensure the safety of EU citizens’ data on a case-by-case basis. EU data protection authorities have a duty to intervene when they suspect data is flowing to another jurisdiction without appropriate guarantees.
Pursuant to the above, the European Commission has published a draft version of the new SCCs, updated for the GDPR and implementing further requirements under the recent judgement. Once the final version is approved, the new SCCs will have a transitional period of one year from the date of entry into force. During the transition period, companies may continue to use the current SCCs, provided that supplemental measures to ensure that the data transfers are subject to appropriate safeguards are implemented where applicable. The EDPB now provides its guidance regarding these supplemental measures.
The EDPB’s recommendations include a document on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, and a complementary document regarding the European Essential Guarantees (“EEG”) for surveillance measures.
The EDPB provides guidelines and examples aimed at assisting and advising data exporters in this task, and highlights the exporters’ responsibility and obligation to take active measures for compliance and to be able to demonstrate it.
The recommendations set out a circular six-step process, which has to be conducted with due diligence and be fully documented:
- Mapping of data flows: data exporters should map and be aware of all of their transfers of personal data to third countries, and ensure that they are limited to what is necessary in relation to the purposes for which the data is transferred.
- Verifying data transfer tools: the transfer tools that the data transfers rely upon must be verified. Applicable transfer tools are listed in Articles 45, 46 and 49 of the GDPR. Such tools include, inter alia, the European Commission’s adequacy decisions regarding certain regions and the SCCs.
- Assessment of the legal framework in the third country: data exporters need to assess whether any laws or practices of the destination country may impinge on the effectiveness of the chosen transfer tool and its safeguards. The EDPB highlights that the focus of the assessment should be the relevant local legislation.
- Identification and adoption of supplemental measures: this fourth step is only required if the previous step revealed that the third country’s laws or practices might impinge on the effectiveness of the transfer tool. The supplemental measures are aimed at raising the level of protection of the transferred data so that it is equivalent to the EU standard. The EDPB provides a non-exhaustive list of measures and scenarios. Such measures include, inter alia, contractual provisions with regard to the data importer (for example, transparency obligations), technical measures (for example, encryption with no access to decrypted data at the destination) and organizational measures (such as adopting and imposing international standards and best practices). It is recommended to combine diverse measures to enhance the level of protection, as certain measures alone would not suffice.
- Implementation of formal procedural steps: the supplemental measures that were identified in the previous phase may require additional formal procedural steps, such as execution of SCCs, or consulting with competent regulators where applicable.
- Constant re-evaluation: as part of their accountability, companies are advised to monitor the data transfers and re-evaluate them at appropriate intervals.
With regard to the third step (namely, assessment of the legal framework in the destination country), the EDPB’s document regarding the EEG elaborates on the elements that should be considered when assessing laws concerning public authorities’ access to data for surveillance purposes. There are four EEGs, which together form a non-exhaustive list of elements to be considered when examining whether such access to data can be regarded as a justifiable interference.
According to the first EEG, processing should be based on legislation that is clear, precise and accessible. Such legislation should also include minimum safeguards. The second EEG requires the legislation to demonstrate proportionality and necessity with regard to the public objectives of the processing, for instance by indicating under what circumstances such processing may be accepted. The third EEG requires an independent oversight mechanism, for example by courts or other administrative bodies. The fourth and last EEG requires effective remedies to be available to individuals so that they can redress their rights.
Despite the suggested process and measures, the EDPB highlights that there may be cases where a particular data transfer will not be compliant, regardless of any supplementary measures that data exporters may implement. In such cases, the data transfer must be avoided or terminated.
Both of the recommendations are applicable immediately but are open for public comments until 30 November 2020. The European Commission is accepting public comments on the draft SCCs until 10 December 2020.
These regulatory developments require organizations to review their data transfer practices and develop operational procedures to ensure ongoing compliance with the applicable regulatory requirements. Please feel free to contact us for assistance with such a review or if you have any other questions regarding the effect of the recent regulatory changes on your company’s data flows.
Feel free to contact us with any further questions or comments regarding the update and subjects detailed above.
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation
Herzog Fox & Neeman