It seems that the transfer of personal data is all "hip and happening" this year. Not only have the long-awaited updated Model Contractual Clauses (Standard Contractual Clauses, "SCCs") been adopted and published by the European Commission, with the long road to an adequacy decision for the Republic of Korea (South Korea) also under way, the European Commission has also published the adequacy decision for the United Kingdom. In this blog, however, we take a closer look at the latest recommendation adopted by the European Data Protection Board (EDPB) on June 18, 2021. This recommendation concerns measures that supplement transfer instruments in order to ensure compliance with the EU level of protection of personal data. Last November, we already provided some information on the draft version of this recommendation. In this contribution, we turn the spotlight on the final version and its implications.
Last July, the Court of Justice of the EU ("ECJ") not only drew a line under the Privacy Shield mechanism, it also scrutinized the current SCCs. While the ECJ found these standard clauses valid, it indicated that the data exporter must verify, prior to the transfer, whether the third country in which the receiving party is located can provide the same level of protection as the SCCs require. Moreover, according to the ECJ, additional measures must be taken where necessary.
This left data exporters and importers with two key questions:
How do we know if a third country can provide a compliant level of protection? And:
With what measures can potential doubts and dangers be eliminated?
The EDPB has attempted to answer these - valid - questions.
Data exporters should set their sights not only on the laws in force in the receiving country, but also on common practice in that country. This recommendation was added in the final version of the document. It is particularly relevant where:
the legislation in the third country formally complies with European standards, but is clearly not followed in practice;
in the absence of relevant legislation in the third country, there are practices that are inconsistent with the obligations under the transfer instruments;
the transferred data and/or the importer (potentially) fall within the scope of "problematic legislation" (i.e. legislation that undermines the contractual guarantee that the transfer instrument provides an essentially equivalent level of protection and that does not meet European standards of fundamental rights, necessity and proportionality).
It follows from the recommendation that if one of the first two situations mentioned above occurs and adequate additional measures cannot be taken, the transfer should be suspended immediately. With respect to the third situation, the EDPB takes a slightly less strict stance: "you may decide (i) to suspend the transfer, (ii) to introduce additional measures in order to proceed with the transfer or, in the alternative, (iii) you may decide to proceed with the transfer without adopting additional measures if you consider and are able to demonstrate through documentation that you have no reason to believe that relevant and problematic legislation is interpreted and/or applied in practice in such a way that your data and importer are covered."
Be that as it may, the assessment should be well documented and cover the entire "chain of transfers", including all further processing (onward transfers), for example where processors have engaged sub-processors. In addition to general elements such as the processing purposes and the relevant categories of personal data, the assessment can include, for example, the following information:
whether, in light of law, practice and documented previous cases, public authorities of the third country can access the data with or without the knowledge of the data importer;
whether, in light of legislation, legal powers, available technical, financial and human resources and documented previous cases, public authorities of the third country can access the data through the data importer or through the telecom providers or communication channels.
Additional measures must be assessed on a case-by-case basis. However, according to the EDPB, the assessment need not be repeated for every equivalent transfer under equivalent circumstances. In assessing whether measures are appropriate, the following factors should be considered:
the form in which the data is transferred (e.g., encrypted, pseudonymized, or plain text);
the nature of the data;
the length and complexity of the transfer chain; and
variations in the practical application of the laws of the third country.
The EDPB also says something about the quality of sources. The sources of information used for the assessment must meet certain requirements. For example, the sources must:
relate to the specific transfer and/or importer and not be overly general;
be objective and based on empirical evidence and knowledge, not assumptions;
be reliable;
be verifiable, since authorities must be able to check the information if necessary;
be in the public domain or otherwise publicly accessible.
Documented experience of the importer with relevant previous requests for access by public authorities in the third country may also be included in the assessment. The absence of such previous requests, on the other hand, can never by itself be considered a decisive factor regarding the effectiveness of the transfer instrument.
Although the EDPB has provided some more guidance on how transfers should be assessed, we are still left with some concerns about the certainly not imaginary possibility of legitimate transfers, as we concluded in our previous blog on this topic. It is understandable that supervisory authorities cannot provide ready-made example situations. On the other hand, leaving the assessment of both the applicable law and the appropriate additional measures to the data exporter (and importer) may be too much to ask.
Please refer to the table below for the steps to be taken.
| Steps | Explanation | Action Items |
| --- | --- | --- |
| 1. Know your transfers | The first step is to be fully aware of all transfers in your organization. This step is essential if you want to meet your accountability obligations. | |
| 2. Check the transfer instruments you rely on | Since Schrems-II, the following instruments can be used as a basis for transfers: In addition, in a limited number of cases, e.g. incidental transfers, the derogations of Article 49 GDPR can be invoked. | |
| 3. Assess the effectiveness of the transfer instrument in light of the circumstances | Effective means that the personal data transferred to the third country enjoys a level of protection that is in fact equivalent to that guaranteed in the EEA. This is not the case if the data importer cannot fulfill its obligations under the transfer instrument chosen under Article 46 GDPR because of the laws and practices applicable to the transfer in the third country. | |
| 4. Additional measures | If step 3 reveals that the legislation of the third country affects the effectiveness of the transfer instrument chosen under Article 46 GDPR, consider whether additional measures exist which, on top of the safeguards of the chosen transfer instrument, are needed to provide a level of protection of personal data in the third country equivalent to that under the GDPR. The EDPB distinguishes between contractual, technical and organizational measures. Contractual and organizational measures alone do not provide sufficient protection against interference with or access to personal data by public authorities in the third country. | |
| 5. Procedural steps | Several procedural steps must be taken once you have established effective additional measures. Which ones depends on the transfer instrument you use or intend to use under Article 46 GDPR. | |
| 6. Continuous reassessment | On an ongoing basis, where possible in consultation with the data importer, review whether there have been (or are expected to be) developments in the third country that may affect the earlier level-of-protection analysis and the decisions based on it. The accountability obligation of Article 5(2) GDPR is a continuing obligation. | The data importer has violated or is unable to comply with its obligations under the transfer instrument of Article 46 GDPR; or the additional measures no longer prove effective in the third country in question. |
Want to know more about personal data transfers? Robert van den Hoven van Genderen discusses this topic during his lecture at the Knowledge Market of Data&Privacyweb on December 7, 2021.