On June 21, the European Data Protection Board issued its highly anticipated final recommendations on supplementary measures for data transfers. The recommendations outline a process organizations can follow to transfer personal data outside the European Economic Area to ensure compliance with the "Schrems II" judgment.
The initial draft of the recommendations, released in 200 companies, trade associations, civil liberties groups, and scholars filed comments on the draft recommendations. On June 4, the European Commission finalized its updated standard contractual clauses, which appeared to permit organizations to consider broader factors bearing on the risk of unlawful access.
All eyes turned to the EDPB.
The EDPB embraces a 'subjective' assessment, but be careful what you wish for
Those who hoped to see the EDPB move away from the dogmatic position it had staked out in its draft recommendations will be pleased to see that the final recommendations embrace a more risk-sensitive approach. Gone is the EDPB’s previous statement that organizations could not “rely on subjective [factors] such as the likelihood of public authorities’ access to your data” when assessing the lawfulness of a transfer.
In its place, the EDPB will allow organizations to consider the “practices in force in the third country” that bear on whether “in practice, the effective protection of the personal data” will be maintained.
This risk-based approach broadens the scope of permitted transfers, allowing certain data transfers to proceed, even where the text of the laws of the importing country does not satisfy EU requirements, so long as certain conditions described below are met. But, conversely, taking risk into account could also limit transfers that otherwise might appear lawful on paper, “if there are indications of practices in force in the country that are incompatible with EU law.”
The EDPB’s revised risk-based approach is also reflected in the "Use Cases" that the EDPB developed to assist companies in identifying issues and possible remedies for their international transfers. The addition of the words "in practice,” among others in Use Case 7, will be a relief to many companies engaged in intra-company or third-party transfers of personal data for business purposes.
The subjective assessment must be based on objective factors and documented
Although subjective factors such as practical experience may now play a role in assessing the adequacy of a transfer, the final recommendations carefully circumscribe the manner in which organizations may conduct this broader analysis. In addition to reviewing the legal framework that applies in the receiving country, organizations should take into account “relevant, objective, reliable, verifiable and publicly available or otherwise accessible” information that reveals whether the transferred data will be appropriately safeguarded in practice.
An expanded annex to the recommendations outlines the types of sources that may be used when conducting this analysis, including reports from regulators, parliamentary and independent oversight bodies, reports from providers of business intelligence, as well as from business, professional and trade associations, and “warrant canaries” (i.e., public statements indicating that law enforcement and national security requests have not been received) from the importer or entities in the same industry sector.
Published transparency reports can also support an argument that the practical risks are low, but only if the reports expressly state whether law enforcement and national security requests for transferred data have been received — silence as to whether data has been accessed is insufficient. Similarly, an importer’s internal statements or records may serve as evidence, and it is helpful for them to be made by personnel that have a degree of autonomy, such as an organization’s audit function or DPO.
The recommendations emphasize that an organization’s assessment should be documented in reports that describe (1) the law and practices of the third country that are relevant to the transfer, (2) the procedure that was followed to produce the assessment, and (3) the dates on which the assessment and any subsequent checks took place. The recommendations observe that these reports could be requested by data protection regulators or judicial authorities in the EU.
What about the nature and sensitivity of the data?
The process outlined in the recommendations focuses on the nature of the legal protections in the receiving country, as well as the practical likelihood of access to transferred data by public authorities. But can organizations consider the factual circumstances of the transfer, such as the sensitivity of the data being transferred, when analyzing the potential risks?
The draft recommendations already indicated the type of data transferred can be taken into account when assessing the envisaged transfer. At the time, the EDPB specifically referred to children’s data. In the final draft, the EDPB added a helpful footnote (footnote 42) with a specific reference to sensitive data as defined in the EU General Data Protection Regulation's Articles 9 and 10, and confirmed that “categories of data transferred and their sensitiveness will be relevant to the assessment of the risk and the appropriateness of the measures.”
The final recommendations also add several references to Article 32 of the GDPR in order to explain how to determine whether supplementary measures offer sufficient protection. Article 32’s general security requirement enables controllers and processors to “[t]ake into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” when implementing appropriate security. Thus, it appears that organizations can factor the sensitivity of the data and potentially other contextual factors into the transfer analysis, at least with respect to what supplementary measures will be sufficient.
Encryption may not last forever
As with the first draft of the recommendations, encryption is offered as an example of a supplementary measure that can ensure adequate protection, provided that the cryptographic function is sufficiently strong and the encryption key is not accessible by public authorities within the receiving country.
The final recommendations, however, introduce a degree of uncertainty concerning the use of encryption.
Specifically, footnote 81 highlights that “protective capacity of cryptographic algorithms is subject to decline over time” as computing power and techniques improve. As a result, encryption must be viewed as a time-limited solution: an implicit call for shorter retention periods to prevent the risk of encryption algorithms being cracked over time.
This also has implications for pseudonymization — another frequently used technique — at least to the extent that attributes contained in the personal data are transformed using a cryptographic algorithm. The EDPB indicates that “[h]enceforth it is recommended to forego the exclusive use of cryptography, and apply transformations based on table look-up mechanisms.” Although at other points the EDPB continues to describe encryption as a sufficient supplementary measure (provided the cryptographic function is sufficiently strong and the key is not accessible to the data importer), this passage could suggest a preference for mixing encryption with pseudonymization.
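To make the distinction the EDPB draws here concrete, the following Python example (added for illustration; it is not code from the EDPB or from the article) contrasts the two pseudonymization mechanisms mentioned. The table look-up approach replaces each identifier with a random token and keeps the mapping table with the exporter, so re-identification depends on access to that table rather than on the strength of any algorithm. The keyed-hash approach (HMAC-SHA256 is assumed here as a typical choice) is deterministic and needs no table, but its protection rests on the key staying secret and on the algorithm remaining strong, which is the time-limited property footnote 81 points to. The sample records, field names and class names are constructed for the example.

```python
"""Added example: table look-up vs cryptographic pseudonymization.
Not from the article or the EDPB; sample data and names are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample dataset held by an EEA exporter before transfer.
SAMPLE_RECORDS = [
    {"email": "alice@example.test", "order_total": 120},
    {"email": "bob@example.test", "order_total": 45},
    {"email": "alice@example.test", "order_total": 30},
]


class TablePseudonymizer:
    """Table look-up pseudonymization.

    Each identifier is replaced by a fresh random token. The only link back
    to the original value is the mapping table, which stays with the
    exporter; the importer receives tokens only. Nothing about the token is
    derived from the identifier, so no algorithmic weakness can reverse it.
    """

    def __init__(self):
        self._forward = {}  # identifier -> token (exporter-side only)
        self._reverse = {}  # token -> identifier (exporter-side only)

    def pseudonym(self, identifier):
        token = self._forward.get(identifier)
        if token is None:
            token = secrets.token_hex(16)
            # Collisions are practically impossible at 128 bits, but a
            # lookup table must guarantee uniqueness, so check anyway.
            while token in self._reverse:
                token = secrets.token_hex(16)
            self._forward[identifier] = token
            self._reverse[token] = identifier
        return token

    def reidentify(self, token):
        """Only the holder of the table can do this."""
        return self._reverse[token]


class HmacPseudonymizer:
    """Cryptographic pseudonymization using a keyed hash (HMAC-SHA256 assumed).

    Deterministic, so the same identifier always yields the same pseudonym
    without any stored table. Protection depends on the secret key and on the
    hash function remaining strong over the data's retention period.
    """

    def __init__(self, key):
        self._key = key

    def pseudonym(self, identifier):
        return hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymize_records(records, pseudonymizer, field="email"):
    """Return copies of the records with `field` replaced by its pseudonym."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy[field] = pseudonymizer.pseudonym(rec[field])
        out.append(copy)
    return out


def leaks_identifier(pseudonymized, originals, field="email"):
    """True if any original identifier still appears in the transferred data."""
    raw_values = {rec[field] for rec in originals}
    return any(rec[field] in raw_values for rec in pseudonymized)


if __name__ == "__main__":
    table = TablePseudonymizer()
    transferred = pseudonymize_records(SAMPLE_RECORDS, table)
    print("table look-up:", transferred)
    print("exporter re-identifies:", table.reidentify(transferred[0]["email"]))

    keyed = HmacPseudonymizer(secrets.token_bytes(32))
    print("keyed hash:", pseudonymize_records(SAMPLE_RECORDS, keyed))
```

Run as a script to see both outputs. In the table look-up case the same customer still receives one consistent token across records, so the importer can process the data for business purposes, while re-identification requires the table that never leaves the exporter; with the keyed hash, anyone who later obtains the key, or a future weakness in the hash, can link pseudonyms back to identifiers.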
Reimagining the concept of a transfer?
The implementing decision for the European Commission’s updated SCCs raised eyebrows among some by suggesting, in footnote 7, that the SCCs could not be used for transfers from an exporter in the EEA to an importer outside the EEA that is subject to the GDPR by virtue of its extraterritorial scope.
At its root is a fundamental disagreement over whether data transfer requirements are about the physical movements of data — from one country to another — or about jurisdiction over data, regardless of where the data happens to be in physical space.
The recommendations do not address this issue head on (stay tuned for guidelines on the interplay between the GDPR’s territorial scope and data transfer requirements expected later this year), but they do suggest that jurisdiction over data may be relevant, even if no physical transfer takes place.
The issue of redress
Keen observers will recall that one of the primary reasons the Court of Justice of the European Union invalidated the Privacy Shield framework was the absence of sufficient avenues under U.S. laws by which aggrieved data subjects can obtain redress for alleged violations. While redress is primarily determined by the laws applicable in the receiving country, the draft recommendations already identified a number of steps that exporters and importers can take to ensure that this redress is as meaningful as possible.
In the final recommendations, the EDPB offers a new suggested measure: organizations may consider implementing contractual terms that would allow data subjects to recover compensation from the data importer in the event of disclosure of data in violation of the commitments made in the transfer tool or to compensate for some of the difficulties a data subject may face in demonstrating his/her standing before third country courts.
The publication of the EDPB’s final recommendations together with the release of the final revised SCCs by the European Commission earlier this month mark the beginning of a new era for international data transfers involving EU data. While companies undoubtedly will welcome the more pragmatic approach of the EDPB in the final recommendations, the fact remains that the new requirements are particularly onerous and complying with them presents formidable challenges for most companies, exporters and importers alike.