PONT Data&Privacy

Transfers after Schrems II: more clarity

The Schrems II ruling by the Court of Justice of the European Union (Court) rocked the privacy world to its foundations.(1) After all, on July 16, 2020, the Privacy Shield was declared invalid.(2) In addition, the rules for transfers of personal data based on model contracts and "binding corporate rules" were tightened by the Court. Days after the ruling, the European Data Protection Board (EDPB) published a document with frequently asked questions and a notice.(3)(4) Apart from a few notices from national regulators, for a long time this was the only (not very practical) 'guidance' available after the ruling. Until this week. The EDPB published (in draft) its long-awaited recommendations on post-Schrems II transfers of personal data. The European Commission (EC) also published new model contractual clauses (also in draft). In this post, we briefly discuss the published documents.

November 18, 2020

Coauthor: Menno Borsboom

EDPB recommendations

The EDPB has published two sets of recommendations in an effort to provide greater clarity and guidance on the use of mechanisms for transferring personal data to third countries.

  • The first set of recommendations addresses the assessment to be made by the data exporter and possible additional measures.(5)

  • The second set of recommendations concerns the level of interference by governments in third countries.(6)

The first set of recommendations is currently open for consultation. This means that parties can still provide input on the document until November 30, 2020. Only after this will the final version be published. Thus, although the recommendations are still in draft form, they already provide useful insight into the measures parties can take to continue to legally transfer personal data to recipients outside the European Economic Area (EEA). The second set of recommendations is in final form, though.

Set 1: Recommendations on intended transfers and additional measures

The first set of recommendations should assist data exporters in the complex task of assessing the level of data protection of third countries and in taking additional measures - where necessary. The recommendations describe the steps to follow, the sources of information to use and describe some concrete examples of additional measures that can be taken. The recommendations are broken down into the following six steps.

Step 1 - mapping data transfers
As a first step, the EDPB recommends mapping all transfers of personal data, for example using the record of processing activities or privacy statements.(7)(8) The EDPB points out that onward transfers to (or from) third countries should also be considered, and that remote access from a third country and/or storage in a cloud (with servers outside the EEA) are also considered a transfer.(9) In line with the data minimization principle, the EDPB indicates that consideration should be given to whether the mapped transfers are adequate, relevant and limited to what is necessary for the purposes for which the personal data are transferred.

Step 2 - assess the adequacy of the transfer mechanism used
Next, the data exporter should examine whether there is an adequacy decision in place, on the basis of which transfers are permissible (for example, if the transfer takes place to one of the countries on the so-called white list).(10) If that is the case, no further steps need to be taken. However, constant monitoring is required to ensure that the adequacy decision is not revoked or invalidated.

If the country in question does not appear on the white list, the data exporter should opt for a different mechanism for the transfer of personal data, such as model contracts, binding corporate rules, a code of conduct or certifications.(11) Only in exceptional cases can the possibilities under Article 49 GDPR be invoked (and only in the case of occasional transfers).

Step 3 - assess third country legislation
Where the transfer of personal data takes place on the basis of a mechanism other than an adequacy decision, the data exporter should investigate whether there are laws or regulations in the third country that affect the level of data protection under the GDPR. In this regard, the EDPB attaches great importance to (potential) access by government authorities to the transferred data. For the assessment criteria, see the EDPB's other set of recommendations (discussed below).(12) Also, in Annex 3, the EDPB describes information that, in addition to the information provided by the data recipient, can be used to make this assessment. The EDPB also emphasizes that the assessment depends on (among other things) the parties involved in the transfer, the purposes of the transfer, the industry in which the transfer takes place, the categories of personal data, and the existence of opportunities for onward transfers. Finally, the EDPB emphasizes that this assessment should be carried out with due care and thoroughly documented.

Step 4 - additional protection measures
If Step 3 shows that the legislation of the third country affects the effectiveness of the chosen transfer mechanism, a fourth step is necessary. This fourth step consists of identifying and establishing the additional measures necessary to provide a level of protection of personal data equivalent to that under the GDPR. Annex 2 of the recommendations contains a list of concrete examples of additional measures, such as the use of encryption and/or pseudonymization. The EDPB distinguishes between contractual, technical and organizational measures, which can be combined where appropriate. To assess which measures are effective, according to the EDPB, consideration should be given to, among other things, the format in which the personal data is sent, the nature of the personal data, the duration and complexity of the transfer, and the parties involved in the transfer. This step should also be thoroughly documented.

Step 5 - procedural steps
The fifth step is to take any formal steps necessary to use the chosen transfer mechanism. These include the formal procedural steps from Article 46 GDPR, such as obtaining prior regulatory approval.

Step 6 - evaluation and reassessment
After completing the first five steps, the transfer of personal data can take place. The sixth step consists of reassessing the level of protection of the personal data transferred. On an ongoing basis, it is necessary to consider whether there have been (or are expected to be) developments that may affect the analysis made earlier.

Set 2: Recommendations for assessing the level of interference by governments in third countries

This second set of EDPB recommendations was initially published in response to the Schrems I case.(13) The current update was made in response to Schrems II. The purpose of this second set of recommendations is to provide guidance on whether or not surveillance measures allowing access to personal data by public authorities in a third country can be considered a justified interference in light of the Charter of Fundamental Rights of the European Union (the Charter).(14)

Based on an analysis of current case law, the EDPB believes that such interference can only be justified using the four "European Essential Guarantees" listed below.

Guarantee A - clear, precise and accessible rules
Government intervention in citizens' freedoms must have a legal basis in the law of the third country. This legal basis should contain clear and precise rules of scope and should include minimum guarantees.

Guarantee B - necessity and proportionality of objectives
In accordance with the Charter, any restriction on the exercise of the rights and freedoms recognized by the Charter must respect the essence of those rights and freedoms.(15) In addition, subject to the principle of proportionality, restrictions on those rights and freedoms may only be made if they are necessary and genuinely meet objectives of general interest recognized by the EU or the need to protect the rights and freedoms of others.(16)

Guarantee C - independent oversight mechanism
Any interference with the right to privacy and data protection must be subject to an effective, independent and impartial oversight system to be established by a judge or by another independent body (e.g., an administrative authority or a parliamentary body).

Guarantee D - individual effective remedies
The last European Essential Guarantee relates to the redress rights of the data subject. The data subject must have an effective remedy to satisfy his or her rights when he or she believes that they are not being or have not been respected. If, for example, the legislation does not provide an individual with the possibility of legal remedies to access his or her personal data, then there is no effective judicial protection.(17)

New version of Model Contracts EC

In addition to the EDPB's two sets of recommendations, the EC published a draft implementing decision on model contractual clauses on Nov. 12, 2020, along with a draft of new model contractual clauses.(18) These documents are also currently up for consultation.

The new Model Contracts distinguish four situations. A separate Model Contract has been prepared for each situation:

  • transfers from controller to controller;

  • transfers from controller to processor;

  • transfers from processor to processor; and

  • transfers from processor to controller.

In practice, the latter two Model Contracts in particular are a welcome addition. After all, the current versions of the Model Contracts cannot be used directly by processors who want to transfer personal data to third countries (unless, for example, they have a power of attorney to do so from the controller).

The other two Model Contracts (for use by data controllers) have been modified in a number of important respects, partly in response to Schrems II:

  • a contractual obligation was added for the parties to conduct and document the assessment (described by the Court in Schrems II) of the legislation of the third country. The parties must then determine whether the Model Contract can indeed guarantee an equivalent level of protection;(19)

  • a reference has been added to the steps to be taken if the model contracts do not provide an equivalent level of protection in light of the legislation of the third country;(20) and

  • additional transparency obligations apply to the data importer in the event of government access requests, including an obligation to notify the data exporter of such requests or, where local law prohibits it, to make every effort to obtain a waiver of this prohibition.(21)

Given the timing of the publication of the Model Contracts, it is impossible to read the draft of these Model Contracts without considering the roadmap from the EDPB's recommendations as described above. There does seem to be some disagreement on the approach. Both the EC and the EDPB include a list of factors that data importers must consider to determine whether local law allows them to fulfill their obligations under the Model Contracts, but these lists are not the same. The EC appears to allow data importers to assess the likelihood that the government may have access to the transferred data by evaluating relevant practical experience that shows whether or not the data importer has previously received disclosure requests from government agencies for the type of data it has transferred.(22) In contrast, the EDPB cautioned data importers about subjective considerations, including the likelihood that government agencies will access the data in a manner inconsistent with EU standards.(23) However, both documents note that the evaluation should include all laws "applicable" to the data importer.(24)

The new model contracts are open for consultation until December 10, 2020. Final model contracts are expected to be decided in early 2021.

Conclusion

After the Schrems II ruling, the Court left the privacy community disillusioned. Clear, practical guidelines on the (continuation of) international transfers of personal data were lacking. This week that changed, with the EDPB's new (draft) recommendations. Following six practical steps, personal data transfers can be brought back in line with the GDPR. Moreover, the recommendations are accompanied by a list of concrete "additional measures" that parties can take, in addition to the use of (for example) model contracts. In addition, when making the analysis of the level of protection in the third country, parties can consider the 'European Essential Guarantees' discussed by the EDPB. Finally, the EC has not been idle either, and a new set of (draft) model contracts has been submitted for consultation. For now, it remains to be seen when the final versions of the documents will be published and whether their content will be substantially similar to the current drafts. We will keep a close eye on this.

Footnotes

(1) https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=ecli:ECLI:EU:C:2020:559
(2) https://www.privacyshield.gov/welcome
(3) https://edpb.europa.eu/our-work-tools/our-documents/ohrajn/frequently-asked-questions-judgment-court-justice-european-union_nl
(4) https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_nl
(5) https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer_nl
(6) https://edpb.europa.eu/our-work-tools/our-documents/recommendations/edpb-recommendations-022020-european-essential_nl
(7) Article 30 GDPR
(8) Articles 14 and 15 GDPR
(9) See question 11 of the EDPB's frequently asked questions
(10) https://ec.europa.eu/info/law/law-topic/deu/our-work-tools/our-documents/recommendations/edpb-recommendations-022020-european-essential_en
(13) Court of Justice of the European Union, October 5, 2015, ECLI:EU:C:2015:650 (Schrems I)
(14) In particular reference to Articles 7 and 8 of the Charter
(15) Article 52(1), first sentence of the Charter
(16) Article 52(1), second sentence of the Charter
(17) See, among others, paragraph 95 of Schrems I
(18) https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries
(19) Clause 2 of the proposed Model Contracts
(20) Clause 2(f) of the proposed Model Contracts
(21) Clause 2(f) of the proposed Model Contracts
(22) Clause 2(b) of the proposed Model Contracts
(23) Marginal number 42 of the EDPB recommendations
(24) Clause 2(a) of the proposed Model Contracts and marginal number 28 and beyond of the EDPB recommendations
