One change after another in the area of international data transfer - where to go from here?

coauthor: Sophie Hendriks

The European Data Protection Board [European Data Protection Board (EDPB)] has recently issued (draft) recommendations that may address the main problems companies have faced since Schrems-II. Once these recommendations are adopted, all organizations whose activities fall within the scope of the AVG should comply with them.

According to the EDPB, additional measures may be needed if the existing measures do not provide sufficient protection. If even these additional measures do not provide the required level of protection, the transfer should be suspended. Incidentally, it is doubtful that this guidance will make much of a difference in practice, since in some cases it is simply impossible to contractually deviate from applicable laws by which the receiving party is bound, which would be tantamount to making the transfer of personal data to that party impossible.

In this article, we summarize the proposed recommendations and offer suggestions for implementation. Once the final recommendations are known, we will provide an update.

Schrems-II

In July of this year, the EU Court of Justice not only drew a line under the Privacy Shield Treaty, which allowed companies in the EEA to transfer personal data to receiving parties that were party to that treaty. The ECJ immediately included current model contracts - or standard clauses, a frequently used tool to enable the transfer of personal data - in its considerations. Although the ECJ considered these standard clauses valid, it indicated that prior to the transfer, the data exporter should verify that the third country in which the receiving party is located can provide the same level of protection as the AVG. Moreover, according to the ECJ, additional measures had to be taken where necessary.

How to move forward?

The simplest solution would be to keep all personal data within the EEA. However, in some cases the transfer of personal data to countries outside the EEA is unavoidable. Therefore, we question whether the new guidelines are a good fit for current practice, where personal data is constantly being exchanged. In those cases, however, the EDPB believes that once the recommendations are final, all organizations sharing data with parties based in third countries should follow the following roadmap before, during and after the transfer. Obviously, this includes existing transfers.

The annex to the guidelines lists several examples of additional measures that can be taken to ensure the level of protection necessary to validly transfer personal data to a recipient in a third country.

It should be reiterated here that the guidance issued by the EDPB is still only a draft version. However, the final version is not expected to differ substantially.

Recipients

It has already been mentioned: the recommendations are also relevant for organizations that regularly receive personal data from organizations based in the EEA. Therefore, using the criteria of Step 3 as a guide, we recommend evaluating whether or not your organization is subject to local legislation that could compromise the level of protection guaranteed by the AVG. If so, consider whether there are measures that can be taken that would adequately mitigate that risk.

Recipients

It has already been mentioned: the recommendations are also relevant for organizations that regularly receive personal data from organizations based in the EEA. Therefore, using the criteria of Step 3 as a guide, we recommend evaluating whether or not your organization is subject to local legislation that could compromise the level of protection guaranteed by the AVG. If so, consider whether there are measures that can be taken that would adequately mitigate that risk.

More articles from AKD