The EU finally dropped the other shoe this week in regards to its international data transfer conundrum. On June 21, the European Data Protection Board followed up the European Commission's introduction of revamped standard contractual clauses for personal data transfers with its final recommendations on supplementary measures for transfers.

The recommendations themselves feature a six-step process organizations must take to map data transfers and the mechanisms used for them. The process involves an assessment of data protection equivalence associated with third-country law and practice in order to facilitate transfers abroad. If there are gaps in protection and equivalence, the recommendations offer appropriate supplementary measures that can be applied to maintain equivalent protection.

With so many questions and concerns swirling about the proper implementation of the final recommendations, EDPB Legal Officer Ignacio Gómez Navarro, the board's rapporteur on the recommendations, joined IAPP Research Director Caitlin Fennessy, CIPP/US, for a LinkedIn Live session to address a range of matters.

Before diving into the heart of the recommendations, Navarro was quick to acknowledge some changes made from the prior iteration of the recommendations published November 2020. The most significant changes came in the evaluation of a transfer tool's effectiveness, with Navarro noting an added focus on public authorities' practices with regard to data access on top of an evaluation of third-country legislation.

"The first scenario you may find in Paragraph 43.1 is in those cases where legislation in a third country seems to meet EU standards ... However, the practices of the public authorities indicate in a very clear way that this legislation is not applied in practice. These practices are important and a data exporter cannot simply turn a blind eye and proceed with the transfer," Navarro said.

The second scenario Navarro raised pertained to a lack of any legislation providing for protections, which may suggest a transfer tool under Article 46 of the EU General Data Protection Regulation may not be required. Navarro advised organizations to think twice.

"It doesn't mean that there is no problematic practice," Navarro said. "The data exporter must look at the practices and see if there are any contrary to EU standards. It was already reflected."

Navarro also pointed to an expansion of potential sources organizations can turn to prove a transfer falls out of the scope of a third countries' legislation, highlighting the inclusion of the data importer's experience with transfers. However, importer experience alone cannot justify whether a transfer can be completed.

"The importer could be a newcomer in the market and therefore may not have received requests for access simply because it's been existing in the market for a very short time," Navarro said. "Or it may also be that the legislation of this third country prevents the importer from disclosing the request for access to data. This experience can never be sufficient by itself and always needs to be contrasted or corroborated by other elements." 

On the topic of same-sector experience, Fennessy questioned whether the recommendations should be interpreted as calling for supplementary measures at all times within a sector if at least one industry player has documented data requests. 

"(The recommendations) try to encompass all possible transfers to third countries, so they have a high-level or general view. What the sector is, how narrow or large, I think would depend case by case," said Navarro, stressing the importance of "genuine efforts" with exporter evaluations and avoiding "simple formalism or a box-ticking exercise." He also added the EDPB would carry no thresholds to determine potential risks with a potential transferring, noting even one request would trigger the need for supplementary measures.

Navarro explicitly stated transfers to countries with formal data protection adequacy agreements with the EU will not require evaluations. Along the same line, Navarro offered reassurance the assessments organizations are asked to perform under the recommendations should not mirror the European Commission's adequacy assessments. He said these evaluations should "always be centered on the specific data they are transferring" while mentioning they should not be "based on future assumptions or speculation about what may or may not interest public authorities, but rather on facts or things that have occurred."

The EDPB expects required final reports documenting the assessment and its process to vary by sector, according to Navarro. He indicated the expectations for contents of the reports, including the information they provide and the value of the sources, can be found in the footnotes of the final recommendations, but specific formatting for the reports is "difficult to define" due to the variables that are presented with each sector.

Speaking on the potential use supplementary measures, Navarro noted end-to-end encryption as an obvious starting point given their widespread use already between organizations in the European Economic Area. However, encryption and other measures, including those mentioned in Annex 2 of the final recommendations, are not expected to be standalone solutions.

"The ones that are presented usually come in combination and really only in combination can they be truly effective," Navarro said. "If we're talking about encryption, it also needs appropriate organizational measures. They need to have policies or procedures in place. And even to implement encryption into a transfer, you need a contractual obligation and probably need to bind the importer, not only the exporter, to apply this measure."

As far as the weight of the recommendations, Navarro was quick to ensure they were not binding, but offered a reminder that recommendations were formulated by leaders of EU data protection authorities.

"They reflect the common understanding reached by data protection supervisory authorities. Therefore, when it comes to enforcement, people can expect DPAs will (make decisions) based on the understanding expressed in these recommendations," Navarro said. "Also, it does refer to things that are binding, as it calls to the GDPR and excerpts of the judgement from the Court of Justice of the European Union."