A conclusion at last? EDPB's recommendation on additional data transfer measures

It seems that the transfer of personal data is all "hip and happening" this year. Not only has the European Commission adopted the long-awaited updated Standard Contractual Clauses ("SCCs") and continued along the long road to the adoption of an adequacy decision for the Republic of Korea (South Korea), it has also published the adequacy decision for the United Kingdom. In this blog, however, we take a closer look at the latest recommendation adopted by the European Data Protection Board (EDPB) on June 18, 2021. This recommendation concerns measures that supplement transfer instruments in order to ensure compliance with the EU level of protection of personal data. Last November, we already provided some information on the draft version of this recommendation. In this contribution, we turn the spotlight on the final version and its implications.

July 12, 2021


Brief summary

Last July, the Court of Justice of the EU ("ECJ") not only drew a line under the Privacy Shield mechanism, it also scrutinized the current SCCs. While the ECJ found these standard clauses valid, it indicated that the data exporter must verify, prior to the transfer, whether the third country in which the recipient is located can provide a level of protection equivalent to that guaranteed by the SCCs. Moreover, according to the ECJ, additional measures have to be taken where necessary.

This left data exporters and importers with two key questions:

  • How do we know if a third country can provide a compliant level of protection? And:

  • With what measures can potential doubts and dangers be eliminated?

The EDPB has attempted to answer these (valid) questions.

Assessing practice in a third country (i)

Data exporters should set their sights not only on the laws in force in the receiving country, but also on the practices common in that country. This recommendation was added to the final version of the document, and it is particularly relevant when:

  • the legislation in the third country formally complies with European standards, but is clearly not being followed in practice;

  • in the absence of relevant legislation in the third country, there are practices that are inconsistent with the obligations of the transfer instruments;

  • the transferred data and/or the importer (potentially) fall within the scope of "problematic legislation" (i.e. legislation that undermines the contractual guarantee that the transfer instrument provides an essentially equivalent level of protection, and that does not comply with European standards regarding fundamental rights, necessity and proportionality).

It follows from the recommendation that if one of the first two situations mentioned above occurs and adequate additional measures cannot be taken, the transfer should be suspended immediately. With respect to the third situation, the EDPB takes a slightly less strict stance: "you may decide (i) to suspend the transfer, (ii) to introduce additional measures in order to proceed with the transfer or, in the alternative, (iii) you may decide to proceed with the transfer without adopting additional measures if you consider and are able to demonstrate through documentation that you have no reason to believe that relevant and problematic legislation is interpreted and/or applied in practice in such a way that your data and importer are covered."

Be that as it may, the assessment should be well documented and cover the entire "chain of transfers", including all onward transfers, for example where processors have engaged sub-processors. In addition to general components such as the processing purposes and the relevant categories of personal data, the assessment can include, for example, the following information:

  • Whether, in light of law, practice and documented previous cases, the third country government authorities can access the data with or without the knowledge of the data importer;

  • Whether, in light of legislation, legal powers, available technical, financial and human resources and documented previous cases, the third country government authorities can access the data through the data importer or through the telecom providers or communication channels.

Additional measures (ii)

Additional measures should be assessed on a case-by-case basis. However, according to the EDPB, the assessment need not be repeated for every transfer of the same kind under the same circumstances. In assessing whether measures are appropriate or not, the following factors should be considered:

  • the form in which the data is transferred (e.g., encrypted, pseudonymized, or in plain text);

  • the nature of the data;

  • the length and complexity of the chain of transfers; and

  • variations in the practical application of the laws of the third country.

Requirements for information sources

The EDPB also says a few things about the quality of sources. The sources of information used for the assessment must meet certain requirements. For example, the sources must:

  • relate to the specific transfer and/or importer and not be overly general;

  • be objective and based on empirical evidence and knowledge, not assumptions;

  • be reliable;

  • be verifiable, since authorities must be able to check the information if necessary;

  • be in the public domain or otherwise publicly accessible.

Documented experience of the importer with relevant previous requests for access by public authorities in the third country may also be included in the assessment. On the other hand, the absence of such previous requests can in no case, by itself, be considered a decisive factor regarding the effectiveness of the transfer instrument.

In conclusion

Although the EDPB has provided some more guidance on how transfers should be assessed, we are still left with concerns, as we concluded in our previous blog on this topic, about the possibility of legitimate transfers, and that concern is certainly not imaginary. It is understandable that supervisory authorities cannot provide ready-made example situations. On the other hand, leaving the assessment of both the applicable law and the appropriate additional measures to the data exporter (and importers) may be too much to ask.

Please refer to the overview below for the steps to be taken. For each step, an explanation is followed by the action items.

1. Know your transfers

The first step involves being fully aware of all pass-throughs in your organization. This step is essential if you want to meet your accountability obligations.

  • Data processing mapping and recording;

  • Don't forget to include onward transfers, such as when processors have engaged sub-processors;

  • Furthermore, it is necessary to consider whether the mapped transfers are adequate, relevant and limited to what is necessary for the purposes for which the personal data is transferred.

2. Check the transfer instruments you are working with

Since Schrems II, the following instruments can be used as a basis for a transfer:

  • Adequacy decisions;

  • Standard Contractual Clauses (SCCs);

  • Binding Corporate Rules (BCRs);

  • Codes of conduct;

  • Certification mechanisms;

  • Ad hoc contractual clauses.

In addition, in a limited number of cases, e.g. incidental transfers, the exceptions of Article 49 GDPR can be invoked.

  • If the transfer rests neither validly on an adequacy decision nor on an exception listed in Article 49 GDPR, you must proceed with step 3;

  • If the transfer does validly rest on an adequacy decision, keep in mind that you should check whether adequacy decisions relevant to your transfers have since been revoked or invalidated.

3. Assess the effectiveness of the transfer instrument in the circumstances

Effective means that the personal data transferred to the third country enjoys a level of protection that is in fact equivalent to that guaranteed in the EEA. This is not the case if the data importer cannot fulfill its obligations under the transfer instrument chosen under Article 46 GDPR because of the laws and practices applicable to the transfer in the third country.

  • Consider all parties involved in the transfer;

  • Review the characteristics of each transfer and check the domestic laws and regulations of the country to which the data is being transferred;

  • Pay particular attention to relevant laws and practices, especially laws requiring disclosure of personal data to government agencies or allowing those government agencies to access personal data;

  • The European Essential Guarantees (EEG) are recommendations that provide guidelines for assessing whether surveillance measures allowing access to personal data by public authorities in a third country can be considered a justified interference.

4. Additional measures

If step 3 reveals that the legislation of the third country affects the effectiveness of the transfer instrument chosen under Article 46 GDPR, consideration should be given to whether additional measures exist which, in addition to the safeguards of the chosen transfer instrument, are necessary to provide a level of protection of personal data in the third country equivalent to that under the GDPR.

The EDPB distinguishes between contractual, technical and organizational measures. Contractual and organizational measures alone do not provide sufficient protection against interference with or access to personal data by public authorities in the third country.

  • It should be assessed on a case-by-case basis which additional measures, when using a particular transfer instrument based on Article 46 GDPR, are effective for the transfer of data to a particular third country;

  • If you decide to proceed with the transfer despite the fact that the receiving party cannot fulfill the obligations of the instrument, you must notify the relevant supervisory authority in accordance with the specific provisions of the relevant transfer instrument based on Article 46 GDPR.

5. Procedural steps

There are several procedural steps to take once you have established effective additional measures. Which steps apply depends on the transfer instrument you use or intend to use under Article 46 GDPR.

  • Take the necessary procedural steps.

6. Continuous reassessment

On an ongoing basis, if possible in consultation with the data importers, it should be reviewed whether there have been (or are expected to be) developments in the third country that may affect the level-of-protection analysis made earlier and the decisions taken on that basis. The accountability obligation of Article 5(2) GDPR is a continuing obligation.

  • Robust mechanisms should be in place that allow transfers to be immediately suspended or terminated if:

- the data importer has violated or is unable to comply with its obligations under the transfer instrument of Article 46 GDPR; or

- the additional measures no longer prove effective in the third country in question.

Want to know more about personal data transfers? Robert van den Hoven van Genderen discusses this topic during his lecture at the Knowledge Market of Data&Privacyweb on December 7, 2021.

AKD
