EDPB publishes final Recommendations on risk assessments and supplementary measures for international transfers following Schrems II

On 18 June 2021, the European Data Protection Board (EDPB) adopted its final Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (the Recommendations). The Recommendations concern transfers of personal data from within the European Economic Area (EEA) to most non-EEA territories being those not considered to provide an adequate level of protection by the European Commission (third countries).

The Recommendations outline a process for complying with obligations to assess the law and practices of third countries to which controllers or processors send personal data when relying upon transfer mechanisms, “appropriate safeguards”, permitted under Article 46 of the GDPR such as standard contractual clauses and also include binding corporate rules, administrative arrangements and ‘ad doc contractual clauses’. 

Background

The Recommendations have been adopted following public consultation since their publication in draft form in November 2020 (see our earlier report on the draft Recommendations). Overall, the Recommendations retain much of the content of the earlier draft and the six-step ‘roadmap’ to compliance. The Recommendations elaborate and clarify prior guidance in certain key areas, particularly the complex and onerous task of transfer assessments.

The stated aim of the Recommendations is to assist controllers and processors acting as data exporters in their duty to identify and implement appropriate measures to supplement their transfer mechanism (i.e. standard contractual clauses) where they are needed to ensure an “essentially equivalent” (as identified in the Court of Justice’s Schrems II judgment) level of protection to the data that applies in the recipient third country as guaranteed in the European Economic Area by the GDPR read in light of the Charter of Fundamental Rights of the European Union.

Key takeaways from the Recommendations:

• Risk-based approach: The Recommendations incorporate a welcome softening on the prior position that subjective factors, such as the prior experience of the parties to the transfer with access requests from public authorities of the third country, could not be relied upon in the course of the transfer risk assessment. Now, the Recommendations, permit reliance upon such subjective elements provided they are based on and corroborated by objective factors and thoroughly documented.
• Documentation: The Recommendations, in line with the recently revised Standard Contractual Clauses (SCCs) (see our earlier report on the SCCs adopted on 4 June 2021), emphasise  that the transfer risk assessment must be comprehensively documented in reports that detail the law and practices of the third country that are relevant to the specific transfer, the procedure followed to produce the assessment, and the dates on which the assessment and subsequent reviews took place.
• Sources of information for the risk assessment: Annex 3 of the Recommendations also provides an expanded list of sources of information that data exporters can use in the course of the transfer risk assessment which now includes national and international case law; reports from parliamentary and independent oversight bodies, providers of business intelligence; reports from academic institutions and civil society organisations; reports from business, professional and trade associations; and “warrant canaries” (i.e. statements that law enforcement and national security requests have not been received) from the importer or entities in the same industry sector.
• Law and practice of third countries:  The Recommendations emphasise that the legislation in force in the third country relevant to the transfer is first and foremost to be assessed but also now clarify that “practices in force” in the third country must also be examined. This allows the data exporter to verify if in actuality the appropriate safeguards in the transfer tool, e.g. standard contractual clauses, are effectively in practice. Conversely, an assessment may identify no offending legislation applicable to the transfer but reveal practices of public authorities that impinge upon the appropriate safeguards therefore requiring suitable supplementary measures to be implemented or the transfer to be suspended.
• Common day-to-day business transfers: The prior draft of the Recommendations provided a bleak outlook for most common transfers of personal data to service providers, such as cloud services, that require access in the clear (called ‘Use Case 6’ under the Recommendations) or for business purposes such as intra-group administration (‘Use Case 7’) where the personal data was travelling to a third country whose laws permitted public authorities that goes beyond what is necessary and proportionate under EU law. Previously “no effective measures could be found” to cure such problematic laws in those scenarios. Now, the inclusion of the “in practice” criterion means such transfers may not be unlawful as a rule provided they are assessed thoroughly in line with the Recommendations and such laws are found not to apply to the transfer “in practice”.
• Transfers by derogation: The Recommendations address ambiguity in relation to derogations as an alternative transfer mechanism to appropriate safeguards and clarify that the rule is that personal data may not be transferred to a third country unless appropriate safeguards are put in place. Derogations cannot become “the rule in practice and must to be restricted to specific situations.”  

Next steps for businesses as data exporters

The Recommendations are not binding but reflect the law applicable to third country transfers as understood by expert regulators across the EU (i.e. the bodies charged with enforcing such laws). Controllers and processors of personal data therefore should have regard to the Recommendations when putting in place their own processes and procedures. For example, the six-step plan set out in the Recommendations should be followed:

1. Map data transfers – identify all data flows (remembering that remote access from a third country constitutes a transfer), to whom it is being transferred and where. Any onward transfer (such as sub-processor or the recipient’s group companies) should also be identified;
2. Identify the appropriate transfer mechanism if one is not already in place;
3. Conduct a transfer risk assessment of the laws and/or practices of the third country. The risk assessment for transfers should also be reviewed in light of the related obligations contained in the 2021 Standard Contractual Clauses in order to develop a process for third country transfer review, assessment and documentation for now and the future.
4. Identify and implement supplementary measures as required;
5. Take any formal procedural steps in documenting the supplementary measures that were implemented; and 
6. Regularly review transfers, the protection applicable to them, and changes in law or practices of the third country that would affect the outcome of the transfer risk assessment. 

Our Data Protection Team is available to assist you with understanding the implications of the Recommendations and the SCCs for your business, advising on data mapping and risk assessing transfers as well as assessing which transfer tools and supplementary measures apply to your transfers. For further information, please contact Seán O’Donnell, Zelda Deasy, Kelly Mackey or any member of the ByrneWallace LLP Data Protection/GDPR Team.