International Transfers at Risk – The EDPB’s Guidelines on International Transfers Post-Schrems II

On November 11, 2020, the European Data Protection Board (EDPB) published its long-awaited guidance on what parties to international data transfers should be doing to perform such transfers in a manner compliant with the Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) in light of the European Court of Justice’s (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II).

Unfortunately, the draft guidelines provide no panacea for companies engaged in international data transfers of personal data from the EEA to third countries. Instead, organizations face 55 pages of guidance that provide few workable solutions for international data transferors—apart from a lengthy protocol for conducting risk assessments.

In this update, we analyze the EDPB’s view on how companies should approach international transfers of personal data in the future and outline its six-step process for assessing the risk associated with the international transfer and putting in place mitigation measures. We consider the non-exhaustive list of potential safeguards to help data exporters ensure that transferred personal data is afforded an “essentially equivalent” standard” of protection to that guaranteed under the GDPR.

The guidance is immediately applicable but open for public consultation until November 30, 2020. While the guidance may change considering responses to the consultation, it would likely be overly optimistic to hope for significant changes to alleviate the pain.

The Good

There is some good news contained in the guidance. The EDPB has set out a straightforward six-stage process that it expects data exporters and data importers to follow when assessing and documenting their international data transfers and the risks to data subjects associated with them.

  1. Know your transfers (aka data mapping): Data exporters should identify all their transfers of personal data outside the European Economic Area (EEA). This should include mapping any onward transfers by recipients, the possibility of remote access and the use of subprocessors.
  2. Verify the legal justification relied on: Confirm which of the lawful bases set out in Chapter 5 of the GDPR are relied on to legitimize the transfer (bearing in mind the EDPB’s prior guidance on the limited nature of derogations under Article 49). If you are not relying on an adequacy decision from the European Commission (such that you are transferring to a third country) or an Article 49 derogation, continue to step 3.
  3. Assess the law or practice of the third country: Assess whether the law applicable to the recipient (data importer) in the third country has effective privacy safeguards in place, taking into account the European Essential Guarantees with respect to access to data by national authorities. The EDPB recommends that data exporters contact their non-EEA data importers to ask for details of the applicable law.
  4. Identify and adopt supplementary measures: Where the assessment under point 3 identified any deficiencies, the exporter should identify and implement any technical, organizational or contractual measures necessary to bring the level of protection of the data transferred up to the EU standard. The EDPB sets out a non-exhaustive list of possible “supplementary measures” in Annex 2 of the recommendations.
  5. Adopt the necessary procedural steps: The exporter should take any formal steps to the extent required to implement the supplementary measures identified.
  6. Reevaluate: Exporters should review and reevaluate the above assessment at appropriate intervals.

The Bad

In short – it’s complicated. While the six-stage process is straightforward, the EDPB emphasized that transfers should be individually assessed, and the analysis needs to be documented in line with the accountability principle under the GDPR. Also, data exporters may be asked to produce their documented analyses to supervisory authorities – and possibly commercial partners – to address potential questions.

The Ugly

The EDPB notes that, as a general rule, transfers to U.S. entities subject to section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 U.S.C. § 1881a) and Executive Order 12.333 can only be made in a manner compatible with the GDPR if technical measures are in place to preclude the disclosure of personal data to U.S. security authorities (page 14). According to the EDPB, this essentially requires that any data transferred to U.S. entities subject to these laws is unreadable by those entities in the absence of encryption keys or additional data to which such recipients must be denied access.

The use cases set out by the EDPB are of concern, as these flag two very common sets of data transfers as examples of scenarios where the EDPB is unable to identify suitable technical measures to prevent access by foreign intelligence services, namely:

  • Data processing in the clear by cloud service providers (i.e., unencrypted processing) (i.e., the business offering of most SaaS providers)
  • Remote access and use of data in the clear from a third country for business purposes, such as processing through human resource tools implemented at a group level through arrangements entered into by parent companies outside the EEA

What Now?

Many organizations held off on making significant operational changes post-Schrems II in the hope that the guidance published by the EDPB and national data protection authorities would provide some much-needed pragmatism. Unfortunately, the guidance as drafted, has not provided much relief.

What is clear from the EDPB’s guidance is that transferring personal data outside the EEA is more complex than simply identifying a valid transfer mechanism. Where previously both data exporters and data importers have often relied heavily on the contractual protections afforded by the Standard Contractual Clauses or approved binding corporate rules, this is unlikely to be enough going forward. Organizations must now assess, document and implement a combination of technical, organizational and additional contractual measures to mitigate the risk of processing in a manner incompatible with EU law.  While the new draft set of Standard Contractual Clauses for Processors issued by the European Commission has incorporated much of the EDPB guidance, the new Standard Contractual Clauses seem to permit a risk assessment taking into consideration, i.a., the categories of data concerned and access requests by law enforcement in the third country (see Clause 2(b)).

For transfers to the United States, the guidance calls out FISA 702 as being incompatible with the principles of the GDPR and specifies that any transfers to entities subject to 702 FISA can only be made if “additional supplementary technical measures make access to the data transferred impossible or ineffective” (emphasis added). While this statement follows the view of the CJEU in the Schrems II judgment, it unfortunately lacks any discussion of the substantive legal arguments the U.S. Department of Commerce (DOC) and U.S. Department of Justice (DOJ) presented in their September 2020 whitepaper, which argues that the EU Commission did not base its adequacy finding in 2016 on a comprehensive set of facts regarding the application of FISA. Further, the EDPB’s guidance cautions against relying on nonbinding statements suggesting a broad lack of interest in collecting certain data (as suggested in the DOC and DOJ whitepaper).

For the UK, as January 2021 looms on the horizon any post-Brexit adequacy decision is looking increasingly unlikely. Like the US, the UK’s surveillance laws have received criticism from the EU and, as the UK will no longer be within the EEA, EU data exporters will now need to apply the same rigour to international data transfer to the UK as they do to other third countries.

The regulatory burden primarily falls on European, U.K. and Swiss companies exporting personal data to international partners or vendors to demonstrate that these transfers are lawful and that data subjects are receiving “essentially equivalent” protection. The flip side of this is that U.S. and other third country entities receiving personal data outside the EEA will also need to develop ready-made mechanisms to reassure EEA data exporters that they are able to provide a level of protection for personal data compatible with obligations under the GDPR. The – very unpalatable – alternatives would either involve abandoning their EEA, U.K. and Swiss client base or facing the administrative burden of either implementing some form of data localisation in the EEA or addressing each client’s requests for supplementary measures on an individual basis.

What Should Companies Do?

Even though this guidance is not yet binding and may change, it is safe to say that the process for conducting international personal data transfers is becoming increasingly more complex, and both data exporters and data importers need to start preparing for the new regime:

  • Conduct comprehensive data mapping and analysis as to where (and why) any transfer of data to non-EEA jurisdictions is necessary.
  • Assess the appropriate legal justification for data transfers and continue to follow any further guidance from the EDPB on the assessment and documentation of legal risks.
  • The safest solution would be to consider keeping EU data in the EU.
  • Even if access to EU data from abroad is necessary, limiting any transfers to remote access only, rather than longer term storage, mitigates the risk of law enforcement access to such data. While this does not absolve the parties involved of their obligations under the GDPR, as remote access is treated the same as a data transfer for the purposes of EU data protection law, the reduced prospect of data collection by national authorities outside the EEA may mitigate the risk of enforcement action by EU regulators and complaints from data subjects.
  • Where possible, consider implementing the technical, organisational and contractual safeguards identified by the EDPB. Consider going beyond the technical measures outlined in the guidance order to strengthen the case that the data is sufficiently secure.

Finally, follow any further developments and watch out for the final guidance from the EDPB.

Background and Context

The GDPR contains several restrictions to ensure that the standard of protection for personal data set out in EU law is not circumvented simply by transferring personal data outside the EEA. Aside from its extraterritorial scope, the GDPR:

  • Requires that any international transfers do not undermine the level of protection granted to personal data in the GDPR itself (Recital 101, Article 44)
  • Requires that processing of personal data on the basis of compliance with a legal obligation takes place only where that legal obligation is set out in EU or Member State law (Article 6(1)(c), Recital 45, Article 28(3)(a))

In July 2020, the CJEU published its decision in Schrems II, in which it declared the EU-U.S. Privacy Shield to be invalid and flagged that all international transfers of personal data (regardless of the legal mechanism) must be carried out in a manner that affords data subjects a level of protection with respect to their personal data that is “essentially equivalent” to that guaranteed within the EU. See our previous blog on the Schrems II decision for further details.

What was unclear from the CJEU’s decision, however, was how such equivalent protection could be guaranteed in a way that was compatible with international data recipients’ obligations under local law. Of particular focus was access to personal data by national surveillance authorities, especially in the U.S. where personal data processed by operators of “electronic communication services” are potentially subject to access by, or orders to disclose from, U.S. security authorities under Section 702 FISA and Executive Order 12.333.

The guidance published by the EDPB has therefore been long awaited by data exporters and data importers alike, in anticipation that EU regulatory authorities might be able to shed some light on how to address the issues raised in Schrems II in practice.

So, What’s “Essentially Equivalent”?

The question is not so much whether the law of the recipient’s country is “essentially equivalent” to the standard in the GDPR, but whether that law prevents the relevant transfer tool selected (whether Standard Contractual Clauses, binding corporate rules or another recognised mechanism) from being effective in ensuring that the level of protection guaranteed by the GDPR is not undermined by the transfer.

In carrying out the assessment, exporters are required to familiarise themselves with “all of the relevant aspects of the legal system of that third country,” using publicly available tools and help from data importers.

In particular, the EDPB has set out the key elements to be considered when analysing the level of access to, and the right to require disclosure of, personal data granted under the law of the third country. The European Essential Guarantees provide an overview of jurisprudence from the CJEU and the European Court of Human Rights on the question of what constitutes justifiable government interference with individuals’ privacy rights under the Charter of Fundamental Rights of the EU, neatly summarised into four essential elements:

  1. Processing should be based on clear, precise and accessible rules
  2. Necessity and proportionality regarding the legitimate objectives pursued need to be demonstrated
  3. An independent oversight mechanism should exist
  4. Effective remedies need to be available to the individual

Where applicable legislation is not publicly available or clear legislation is lacking, exporters must look beyond the legislation at “other relevant and objective factors” – namely reported precedents, legal powers, legislation and practice, and technical, financial and human resources at the disposal of the third country. The EDPB explicitly cautions against a reliance on what it refers to as “subjective” factors “such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards,” in what may be a (very) thinly veiled dig at the DOJ and DOC whitepaper.

It is important to flag, however, that the assessment is not an adequacy determination on the scale undertaken by the European Commission. Although the guidelines do propose that the same Article 45(2) adequacy considerations will be relevant, the analysis applies only to the given circumstances of the transfer, and the law of the recipient country is only one of the factors to be considered. Other elements will need to include:

  • The transfer mechanism relied on
  • The nature of the data being transferred and the purposes for which the data are transferred and processed
  • Types of entities involved in the processing and the sector in which the transfer occurs
  • Whether data will be stored in the third country or whether there is only remote access from that third country
  • Format of the data being transferred (i.e., in plain text, pseudonymised or encrypted)
  • Any potential onward transfers identified during the initial mapping exercise

In addition, while conducting such analyses for each transfer and each recipient country will be onerous in the short term, in the longer term, one would expect that the information required about third countries’ legal regimes will become more readily available for assessment by EEA, U.K. and Swiss data exporters. This information, together with developing practice and comments from regulators, should either ease the time and effort required to conduct the initial research and provide a bit more grounding and certainty to any conclusions drawn or, as with the United States, give clear guidance that such transfers are incompatible with EU law unless the data is rendered unreadable to the U.S. recipient.

What Happens Where the Level of Data Protection in the Third Country Does Not Effectively Ensure an Essentially Equivalent Level of Protection?

Data exporters will need to identify and adopt supplementary measures as necessary to bring the level of protection of the data transferred up to the EU standard. Where no supplementary measures can remedy the deficiencies identified, the EDPB says that transfers must be stopped or not commenced. If the data exporter intends to continue transferring the data notwithstanding the fact that the relevant deficiencies cannot be remedied, the EDPB takes the view that the data exporter should notify the competent supervisory authority.

Thankfully, the EDPB provides a non-exhaustive list of recommendations and examples of supplementary measures in Annex 2 of the guidance. These are broadly broken down into contractual, technical and organizational measures that can be combined in a way that they support and build on each other.

Of the use cases proposed by the EDPB, two are particularly noteworthy, as they refer to scenarios where the EDPB indicates it has not (yet) found any effective technical safeguards. These scenarios include data processing in the clear by cloud service providers (i.e., unencrypted processing) or remote access and use of data in the clear from a third country for business purposes, such as processing of personal data through human resource tools.

Technical Safeguards

The EDPB emphasises the importance of technical safeguards, as making the data unintelligible other than to the data exporter is the most effective way of mitigating the risk of access to the transferred data by public authorities in third countries. The EDPB provides seven potential use cases:

  • Encryption: Unsurprisingly, encryption is high up on the EPDB’s list of preferred measures, although subject to a few caveats. In particular, the EDPB envisages a high technical standard of encryption, including strong encryption prior to transmission (i.e., encryption in transit and at rest), resilient encryption mechanisms that can be considered robust against cryptanalysis by public authorities, and “flawless” implementation and reliable management of the encryption algorithm.

If the encrypted data merely transits a third country, encryption at transit suffices.

In addition, in order to maintain the efficacy of encryption as a measure to mitigate the risk of disclosure to national authorities, the cryptographic keys would need to be stored out of reach of the data recipient – i.e., held solely by the data exporter or other entities entrusted with this task that reside in the EEA or an “adequate country.”

It will be interesting to see how this approach will align with the EU’s proposals to provide “lawful access” to end-to-end encrypted services in the United States.

  • Pseudonymisation: The EDPB clarifies that reliable pseudonymisation of personal data can also be considered as an effective supplementary measure where two conditions are met: (1) a data exporter must pseudonymise data prior to the transfer; (2) the algorithm or repository that allows the association of the pseudonymised data with a specific person are held exclusively by the data exporter and kept separately within the EEA or an “adequate” third country.

As with the implementation of any encryption techniques, the EDPB requires a high standard of pseudonymisation and states that in many situations factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person, their physical location or their interaction with an internet-based service at specific points in time may allow the identification of that person even if his/her name, address or other plain identifiers are omitted.

  • Split- or multiparty processing: Similar to encryption and pseudonymisation, split- or multiparty processing is designed to ensure that the data received by each recipient is unreadable to that recipient in the absence of additional information that is kept out of that recipient’s reach.

Contractual Measures

By definition, supplementary contractual measures would need to go beyond those already set out in either Standard Contractual Clauses or Binding Corporate Rules.

That said, as the EDPB notes, the effect of such measures is questionable in that they only bind the data importer and not external parties (i.e., national authorities). Commitments to challenge government orders will generally provide “very limited additional protection” and will often only remedy deficiencies in the standard of protection when implemented as part of a broader package of supplementary measures.

The measures suggested by the EDPB are similar to the contractual measures proposed by the Data Protection Supervisory Authority for the State of Baden-Wuerttemberg (Landesbeauftragter für Datenschutz und Informationsfreiheit Baden Württemberg) in August). See our previous blog for further details.

These include:

  • A contractual obligation on the data importer to use specific technical measures; additional transparency obligations (e.g., the publication of transparency reports setting out the number of requests for data from governmental authorities and the importer’s responses). It is worth noting that the EDPB considers that these measures could help a data exporter meet its obligation to document its assessment of the level of protection in the third country.
  • The obligation to provide certifications that the importer has not created “back doors” enabling direct government access to its data. This obligation needs to be safeguarded with contractual penalties (to the extent enforceable under applicable law) and/or the ability for the data exporter to terminate the agreement in the event that the applicable certification does not reflect reality or ceases to be accurate.
  • Enhanced audit rights.
  • Obligations to assess and challenge the legality of any compelled disclosure order of a governmental authority.
  • Data importers should be asked to follow a “warrant canary” method whereby the data importer commits to publish regularly a cryptographically signed message informing the exporter that, as at a certain date and time, it has received no order to disclose personal data or the like. A failure to transmit the relevant message would then indicate access by law enforcement and alert the exporter to suspend further data transfers.

Organizational Measures

As with any additional contractual measures, the EDPB states that such safeguards would need to be combined with contractual and technical safeguards in order to be effective. Organizational measures alone will rarely provide an essentially equivalent standard of protection. They might include:

  • Internal policies regarding international data transfers (especially between group companies) that specify the reporting channels and standard operating procedures for cases of governmental access requests.
  • Documentation of governmental access requests received, and the responses provided.
  • A clear allocation of responsibilities for responding to governmental access requests.
  • Employee training.

If you have questions about this update, please reach out to the authors for more information.