On Nov. 11, 2020, the European Data Protection Board handed companies around the globe a new map to guide global data flows. The EDPB published their anxiously-awaited recommendations on supplementary measures alongside a second document on EU essential guarantees. Taken together these two documents outline an assessment process for the sufficiency of foreign protections under EU law when personal data is sent abroad and a set of EU-approved safeguards that companies can implement even when foreign protections are judged lacking compared to EU legal standards.

The “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” are applicable immediately, but open for public consultation until Nov. 30. Information on submitting public comments is accessible here.

A step-by-step guide to assess and protect global data flows

The EDPB tailored its recommendations directly to the companies charged with implementing them, attempting to offer a step-by-step roadmap for implementation. They offer companies the EDPB’s six-step plan for assessing and protecting global data flows in line with EU law following the July 16 ruling by the Court of Justice of the EU in Data Protection Commission v. Facebook Ireland, Schrems, aka "Schrems II."

Steps 1 and 2: Map your transfers and pick your transfer mechanism

The new recommendations state, “[a]s a first step, the EDPB advises you, exporters, to know your transfers. ... A second step is to verify the transfer tool your transfer relies on, amongst those listed under Chapter V GDPR.”

Currently, in practice, this means standard contracts, ad hoc contractual clauses, adequacy, binding corporate rules, consent or another GDPR Article 49 derogation. The EDPB adds that if the transfer is to a country deemed adequate by the European Commission “as long as the decision is still in force, you will not need to take any further steps, other than monitoring that the adequacy decision remains valid.”

In other words, if the transfer is to the United States, a country whose partial adequacy determination has now been twice invalidated by the CJEU, keep reading.

If your transfer is to one of the 12 countries or territories deemed adequate, at first, the EDPB seems to suggest that you are good to go, but are on notice that a CJEU decision could always change the equation. Later in the recommendations (see use case 3); however, the EDPB describes encryption safeguards appropriate for data routed through a non-adequate country in transit to an adequate one, potentially suggesting a nearly universal need for additional safeguards.

Step 3: Assess the sufficiency of non-EEA protections

The “third step,” according to the EDPB, “is to assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.”

This is where the EDPB’s second document — the European Union Essential Guarantees recommendations — comes into play, outlining the elements to be taken into account when evaluating foreign laws. The EDPB summarizes these essential guarantees as follows:

  • Processing should be based on clear, precise and accessible rules.
  • Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
  • An independent oversight mechanism should exist.
  • Effective remedies need to be available to the individual.

As part of its recommendations, the EDPB cautions against relying “on subjective factors such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards” rather than considering the laws governing access and protection directly.

In other words, legal requirements and authorities should be given greater weight in assessments than the practical likelihood that your data will be of interest to and accessed by authorities. Following the CJEU’s July 16 decision, many organizations did consider such likelihood as part of their assessments, having few other options at their disposal. This EDPB statement suggests that many companies will need to reassess their approach.

In addition to the Recommendations on Essential Guarantees, the EDPB offers organizations, in annex 3 of the recommendations on safeguards, a very brief list of possible sources of information to assess foreign protections. These include case law of the CJEU and European Court of Human Rights, European Commission adequacy decisions, resolutions and reports from intergovernmental organizations and regional bodies, such as the Council of Europe and UN agencies, as well as national case-law, and reports from academic institutions and civil society organizations, without naming specific sources directly.

Step 4: Identify and adopt supplementary measures

Ultimately, the fourth step of EDPB recommendations gets to the heart of the matter.

The fourth step, the EDPB says, “is to identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence.”

This step is necessary only where an organization’s assessment in step three reveals that the third country legislation “impinges on the effectiveness of the Article 46 GDPR transfer tool” on which the transfer relies. The EDPB provides a non-exhaustive list of such measures in annex two of the recommendations. This annex will likely be the focus of the greatest attention and scrutiny in the days ahead. Where no supplementary measure can remedy the deficiencies identified, the EDPB says that transfers must be stopped.

This annex will likely be the focus of the greatest attention and scrutiny in the days ahead. Where no supplementary measure can remedy the deficiencies identified, the EDPB says that transfers must be stopped.

The heart of the natter: Examples of supplementary measures

Importantly, the examples of supplementary measures provided by the EDPB fit nicely into the buckets or categories recommended by privacy experts since the "Schrems II" ruling, nearly four months ago. These are technical, contractual and organizational measures. In each category, the EDPB outlines appropriate additional safeguards, as well as scenarios in which none might be available, suggesting that data transfers should be stopped.

Technical safeguards

In the technical category, it will come as no surprise that encryption is the first safeguard mentioned.

Organizations should take note of the stringent guidance the EDPB offers regarding encryption as an appropriate safeguard in this context. The EDPB describes six separate facets of the encryption protocols, which must be met for encryption to prove sufficient. These include strong encryption prior to transmission, resilience of the encryption in the face of cryptanalysis by public authorities, “flawless” implementation of the encryption algorithm, and maintenance of the keys in the EEA, among others.

Additional examples include pseudonymization and split or multi-party processing, each subject to delineated protocols and protections.

Organizations should pay particular attention to use cases six and seven in annex two, examples for which the EDPB indicates it has (initially at least) found no effective technical safeguards. These scenarios include data processing in the clear by cloud service providers (i.e., unencrypted processing) or remote access and use of data in the clear from a third country for business purposes, such as human resource processing.  

Contractual safeguards

The EDPB makes clear upfront that since contracts can not bind government authorities, contractual safeguards will often only remedy deficiencies in essentially equivalent protection when implemented as part of a broader package of supplementary measures.

The first type of contractual safeguard the EDPB describes is importer commitments to transparency. The EDPB suggests such commitments could supplement or assist the exporter in conducting its required assessment. One element of this proposed safeguard aligns with an approach already taken by an increasing number of major U.S. tech companies in recent years: the publication of transparency reports, sharing data on the number of requests for data from governments around the world and the companies’ responses, to the extent legally allowed.  The EDPB pairs this approach with a call for transparency regarding the laws governing government access to data in the recipient jurisdiction and potentially certification that the importer has not created “back doors” enabling direct government access to its data.

Other examples include enhanced audits to verify whether data has been provided to government authorities; commitments to notify the data exporter if the importer can no longer comply with its commitments due to changes in law or practice; or a “warrant canary,” meaning continual notification that a government access request has not been received, until and unless it has. The EDPB notes that an importer must notify the EU exporter of its inability to meet its commitments before data is accessed by government authorities in practice — otherwise, the EDPB notes, the rights of the data subject would already have been violated and the safeguard ineffective in practice.

The EDPB also suggests contractual commitments by the data importer to challenge government access to data in court prior to disclosing it, where bases for such challenges exist. The EDPB notes, however, that commitments to challenge government orders will offer “very limited additional protection,” suggesting that despite the increased use of this approach by some major U.S. tech companies, it won’t be particularly helpful to organizations in meeting the EDPB’s standards of essential equivalence.

Finally, the EDPB proposes contractual commitments to enable data subject rights. These include commitments not to discuss data to government authorities voluntarily without data subjects’ express consent, as well as notification to data subjects of such requests, where consistent with law, so that affected individuals can seek redress in the EU, through DPAs or the courts.

Organizational measures

The EDPB again explains that such safeguards often must be paired with contractual guarantees and technical protections to provide essentially equivalent protections, which in each case will depend on the case-by-case assessment in the context of the specific transfers. In other words, the EDPB acknowledges that remedying identified deficiencies in protections with additional safeguards will be a complex process with no silver bullets.

Examples include internal policies for governance of transfers especially with groups of enterprises. The EDPB explains that such policies should provide clear allocation of responsibilities, reporting challenges and procedures for responding to government access requests. According to the EDPB, these could include the appointment of EU-based teams to assess and respond to government access requests, procedural steps to challenge unlawful or disproportionate requests, as well as transparency to the data subject.

Here, the EDPB calls out training of staff as an important component.

Other organizational measures include transparency policies, akin to those discussed under contractual measures, data minimization procedures, internationally recognized security standards, such as ISO standards, as well as policies or commitments not transfer the data onward to other countries which do not provide essentially equivalent protections.

And finally

After organizations have conducted these extensive assessments and put in place sufficient additional safeguards, where that is realistically possible, the EDPB calls on them to document their approach and seek authorization, where required by the chosen transfer mechanism (step five) and to reassess their approach on a regular basis (step six).

The EDPB guidance released today is complex. In the days and weeks ahead, it will demand careful analysis by privacy professionals around the globe.

It will frustrate many due to its onerous demands on companies and lack of perfectly packaged solutions to the very real and practical challenges that companies face — enabling and protecting data flows so that our global economy and society can function, particularly with the increase in remote data-enabled engagement during the pandemic.

And yet while challenging, the EDPB guidance is impressive. It reflects an enormous effort by the EDPB and DPAs to provide concrete examples and options for companies to address a nearly impossible task — finding a way to maintain EU data protection standards in an inherently global and multicultural world in which norms and laws diverge.

We will continue to monitor developments as they evolve to keep privacy professionals everywhere apprised.

Photo by Pierre Pavlovic on Unsplash