Assessing the EDPB's recommendations on Schrems II | Fieldfisher
The EDPB (the group of EU data privacy regulators sitting together) has finally issued its views on how European businesses (and those receiving data from them) can deal with the fall-out of the Schrems II decision in July 2020.
 
For those of you that may have missed this, please see our earlier Fieldfisher blogs on the judgment.

In short, Privacy Shield was struck down by the EU's highest court (the Court of Justice of the European Union (CJEU)) as a valid method for transferring personal data out of the EU.

However, the CJEU found that continuing reliance on "appropriate safeguards" (especially the EU-approved Standard Contractual Clauses (SCCs)) would be acceptable, as long as, in some circumstances, "additional measures" were put in place.

The EDPB document published last week for a (very short) consultation period aims to address what those measures might be.

It is important to emphasise at the outset of any discussion on the EDPB recommendations that they are just that – "recommendations", and not law. They express the views of regulators (so cannot be lightly dismissed) but it is only for the courts to ultimately interpret GDPR (and the CJEU's judgment in Schrems II).

The EDPB does not enforce GDPR; only national regulators can do that. As is often the case when documents are issued by the EDPB, there are aspects of the recommendations (e.g., some of the inherent contradictions) that indicate they are a bit of a compromise and that not all regulators will necessarily agree.

In its recommendations, the EDPB breaks down the approach that ought to be taken with regard to any transfer of data into six steps. 

In this blog, we will concentrate on the two most problematic aspects (steps 3 and 4), but for completeness, the six steps are as follows.

Step 1 – "know your transfers"

Exporting controllers and processors ought to know what data they are sending, to whom, and where it resides.

This should of course be no surprise at all for EU businesses. Accountability is one of the key principles in GDPR and part and parcel of that requirement is to keep good (Article 30) records of your data. They should already identify recipients (within the group or external vendors) and the location of data.

That said, the EDPB recommendations are a reminder to organisations of this obligation and an opportunity to refresh data mapping. 

Step 2 – "verify the transfer tool"

Most often this will be the SCCs, or potentially binding corporate rules (BCRs), but of course the destination country may instead be covered by an adequacy decision, in which case no transfer tool (and none of the following steps) is needed.

As with step 1, most of the work here should already have been done – under GDPR an exporter should already know what the transfer mechanism is and inform data subjects of the mechanism in their privacy notices.

Step 3 – "assess the legal safeguards in the destination country"

More on this below, but in summary: Reflecting the Schrems II judgment, an exporter cannot simply rely on the approved transfer mechanism: they must also consider in each particular context whether the laws or practices of the third country ensure protection of the data to EU standards.

Step 4 – "identify and adopt supplementary measures"

The key issue. If the step 3 assessment shows that in the destination country the data is not protected to EU standards, you must go further to ensure that protection.

The EDPB recommendations contain a non-exhaustive list of examples of such measures and we discuss these below.  

Crucially, the recommendations state that an exporter may find no supplementary measure exists that can ensure an essentially equivalent level of protection for a specific transfer. In those cases, transfers must cease.
 
Step 5 – "take formal procedural steps" 

This addresses procedural steps that the exporter might have to take following steps 3 and 4, depending on the transfer tool it is using and measures it is relying on.

For example, when using the SCCs, provided the supplementary measures added to the SCCs do not amend or contradict the SCCs in any way (and the SCCs are used in their "model form"), no further formal procedural steps are necessary.

However, if the supplementary measures do serve to amend or contradict the SCCs in any way, the exporter will need to seek an authorisation from the competent supervisory authority. In essence, the exporter is no longer using SCCs but an alternative – rarely used – method of ad hoc clauses, which do require prior authorisation.

Step 6 – "keep it all under review"

The position may change. Laws and practices may get more troublesome in a particular country, so the assessment in step 3 may need to be undertaken afresh. Alternatively, additional supplementary measures may be introduced.   
 
How to undertake a transfer assessment (Step 3)

Step 3 essentially requires the exporter to assess whether the laws of the country they are transferring data to will prevent the importer from complying with their transfer mechanism obligations (e.g., the SCCs or BCR) in the context of that specific transfer.

First, the exporter must consider the specific characteristics of each transfer (e.g., the purposes of the transfer, the categories of data, and the format in which the data is transferred) to determine the laws applicable to it.

Within this context, the exporter will then need to determine, in particular:

1. Whether the applicable laws specific to its transfer are likely to require the disclosure of transferred data to, or permit access of data by, public authorities (e.g., for law enforcement, regulatory supervision or national security purposes); and

2. Whether these requirements or powers are limited to what is "necessary and proportionate in a democratic society" (measured against another document issued at the same time, the EDPB European Essential Guarantees, which sets out what is expected in surveillance laws in third countries for them to meet the EU standards[1]). Step 3 seemingly sets an impossibly high bar for exporters, particularly small- and medium-sized enterprises without the legal resources required to conduct such assessments.

To put the complexity of the task in context, let us not forget it can take several years for the European Commission to review a country's laws and practices to make a determination of that country's "adequacy" pursuant to Article 45 GDPR (and, even with all the resources available to the Commission, they do sometimes – says the CJEU – get it wrong; for example in both Schrems I and Schrems II).

Nonetheless, the EDPB recommendations expect exporters to do the same in short order in respect of those countries to which they transfer data.

Given the likely resources required to reach a positive conclusion with appropriate certainty, many exporters will want to err on the side of caution, concluding that their transfer tool does not effectively ensure an essentially equivalent level of protection and look instead to what effective supplementary measures may be required to protect the transfer pursuant to step 4.

Importers should expect to see an increasing number of requests from exporter customers seeking confirmation as to the nature of laws applicable to them for the purposes of their step 3 assessments.

To avoid having to respond to multiple requests, importers serving large numbers of European exporters may consider preparing their own standard step 3 assessments for the benefit of their European exporter customers.

The suggested potential measures (Step 4)

Annex 2 of the EDPB recommendations provides a non-exhaustive list of supplementary measures for exporters to consider implementing to protect transferred data to the required standards, grouped under the headings of technical, contractual and organisational measures.  

The key points are as follows:

Technical measures

The two key technical measures are:
  • Encryption – The EDPB recommendations state that encryption will provide an effective measure if the data is subject to "strong encryption" (taking into account the nature of data and state of the art) that is "flawlessly implemented" before transmission, provided the encryption key is "reliably managed" and retained solely under the control of the exporter (or other entrusted entities) based in the EEA or in an "adequate" territory.

  • Pseudonymisation – Similarly, the EDPB recommendations state that pseudonymisation will provide an effective measure where data is pseudonymised in such a way that, once transferred, it cannot be attributed to a specific data subject without the use of additional information (the mapping data). The mapping data (which allows re-identification) must be kept separately by the exporter in the EEA or in an adequate territory. The exporter must also be satisfied that the transferred pseudonymised data could not be re-identified by public authorities through other means or information.    
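
As an added illustration of the pseudonymisation measure just described (this is example code written for this page, not code from the EDPB recommendations or from Fieldfisher), the block below shows an exporter replacing e-mail addresses with keyed tokens before transfer while the HMAC key and the token-to-identifier mapping stay with the exporter, and it shows why an unkeyed hash would not satisfy the EDPB's "could not be re-identified through other means" point: anyone who can enumerate plausible identifiers simply recomputes the hashes and matches them. The records, e-mail addresses and candidate list are constructed for the example; the class and function names are the example's own. The encryption measure is not shown here, since doing it properly needs an AEAD library rather than the standard library.

```python
"""Added example (not from the Fieldfisher article or the EDPB recommendations).

Exporter-side pseudonymisation: direct identifiers are replaced before transfer
by HMAC-SHA256 tokens, and both the key and the token-to-identifier mapping stay
with the exporter in the EEA. dictionary_attack() models a third party holding
the importer's copy but not the secret. All data below is constructed.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records as held on the exporter's side (hypothetical data).
SAMPLE_RECORDS = [
    {"email": "anna.schmidt@example.eu", "country": "DE", "spend_eur": 120},
    {"email": "liam.oconnor@example.ie", "country": "IE", "spend_eur": 75},
]

# A guessed-identifier list an adversary might hold (customer lists, breach dumps).
CANDIDATE_IDENTIFIERS = [
    "john.doe@example.com",
    "anna.schmidt@example.eu",
    "liam.oconnor@example.ie",
]


class Exporter:
    """Holds the pseudonymisation secret and the re-identification mapping.

    Neither the secret nor the mapping is part of what gets transferred.
    """

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.mapping: Dict[str, str] = {}  # token -> original identifier, kept in the EEA

    def token_for(self, identifier: str) -> str:
        # Keyed with the exporter's secret: deterministic, so the importer can still
        # join records on the token, but not recomputable without the secret.
        return hmac.new(self.secret, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

    def pseudonymise(self, records: Iterable[dict]) -> List[dict]:
        """Return the dataset to transfer; the direct identifier is dropped."""
        transferred = []
        for rec in records:
            token = self.token_for(rec["email"])
            self.mapping[token] = rec["email"]
            transferred.append(
                {"subject_token": token, "country": rec["country"], "spend_eur": rec["spend_eur"]}
            )
        return transferred

    def reidentify(self, token: str) -> Optional[str]:
        """Only the exporter, using the retained mapping, can reverse a token."""
        return self.mapping.get(token)


def unkeyed_hash(identifier: str) -> str:
    """What 'just hashing the e-mail' produces; the weak variant."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dictionary_attack(
    target_token: str, candidates: Iterable[str], token_fn: Callable[[str], str]
) -> Optional[str]:
    """Recompute tokens for guessed identifiers and return the one that matches, if any."""
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), target_token):
            return candidate
    return None


def contains_direct_identifier(records: Iterable[dict]) -> bool:
    """Pre-transfer check: no outbound record may still carry the e-mail field."""
    return any("email" in rec for rec in records)


if __name__ == "__main__":
    exporter = Exporter()
    outbound = exporter.pseudonymise(SAMPLE_RECORDS)
    assert not contains_direct_identifier(outbound)
    token = outbound[0]["subject_token"]
    # Weak variant: an unkeyed hash of the e-mail is matched from the candidate list.
    print("unkeyed:", dictionary_attack(unkeyed_hash("anna.schmidt@example.eu"),
                                        CANDIDATE_IDENTIFIERS, unkeyed_hash))
    # Keyed variant: without the secret the attacker's recomputation never matches.
    print("keyed:", dictionary_attack(token, CANDIDATE_IDENTIFIERS, unkeyed_hash))
    # The exporter, holding the mapping in the EEA, can still re-identify.
    print("exporter:", exporter.reidentify(token))
```

Two caveats a practitioner should keep in mind. The tokens are deliberately deterministic so that the importer can still link records about the same person; that linkability is itself information, and if the importer never needs it, per-record random tokens with the mapping kept by the exporter are stronger. And `contains_direct_identifier` only catches the obvious field: the remaining attributes (here country and spend) may still single out a person when combined with data the importer or a public authority already holds, which is exactly the "other means or information" the EDPB asks the exporter to consider.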

Contractual measures

The EDPB recommendations suggest contractual measures should generally be used to complement and reinforce other safeguards. This is because contractual measures cannot bind public authorities, nor stop the effect of third country legislation that does not meet standards of essential equivalence.

Nonetheless, possible contractual measures the EDPB recommendations propose include, for example, contractually requiring: 

  • The use of certain technical measures (i.e., the importer giving contractual assurances that they are in place).

  • The importer to provide transparency about: laws applicable to it that would permit access to data by public authorities; statistics on access by public authorities to data of the kind being transferred; any measures implemented by the importer to prevent public authority access; and, importantly, any public authority access requests the importer has received.  

  • The importer to review and, if necessary, challenge the legality of access by public authorities.

  • Notification to the data subject of a request or order received by a public authority to enable the subject to seek effective redress (and to assist the subject in seeking such effective redress).

Organisational measures

Again, these can only aid in the overall protection. Examples of organisational measures provided by the EDPB recommendations include implementing:
  • Adequate internal policies (particularly on an intra-group basis), which address data transfer governance (e.g., including handling, escalation and challenging procedures).

  • Transparency and accountability measures, which ensure public authority access requests are suitably recorded and made available to the exporter, data subjects and, if permitted by law, regularly published.

  • Other measures to ensure that the implemented supplementary measures are subject to regular review and scrutiny to ensure their suitability over time. 

Some problematic situations

Some of the measures are discussed in the context of particular transfer scenarios (called "use cases"). Two use cases used to provide examples of scenarios for which no effective measures could be found are particularly troublesome:
  • Use case 6: Transfers to processors which require access to data in the clear – Where a controller exporter transfers data to a processor which, in order to perform certain services, needs to access data "in the clear" (i.e., in an unencrypted form), and the powers granted to public authorities in the recipient country go beyond "what is necessary and proportionate in a democratic society". This will apply to many cloud service providers.

  • Use case 7: Remote access to data for business purposes – Where an exporter transfers data to an importer for shared business purposes (such as joint economic activities or personnel services) in a way that allows the importer to directly access data (in an unencrypted form) of its own choice, and the powers granted to public authorities in the recipient country go beyond "what is necessary and proportionate in a democratic society". This will apply to many global companies that share resources (IT infrastructure) or management functions (HR or marketing) across borders.

That said, it should be noted that the EDPB does not say transfers cannot happen in these circumstances, only that it cannot identify any "technical measures" that will assure the "essential equivalence" needed.

Here, it leaves open the possibility that contractual or organisational measures may suffice – although this is a door that, elsewhere in the EDPB recommendations, they seem to shut...

The challenge that remains

In the end, despite the discussion on other measures, the EDPB recommendations clearly highlight the importance of technical measures:

"Contractual and organisational measures alone will generally not overcome access to personal data by public authorities of the third country (where this unjustifiably interferes with the data importer’s obligations to ensure essential equivalence)."

In some situations (namely, where the surveillance laws in the importer's country fail the familiar EU test by going "beyond what is necessary and proportionate in a democratic society"), the EDPB writes, "only technical measures might impede or render ineffective access by public authorities in third countries to personal data, in particular for surveillance purposes".

It then continues to say that, if the data importer falls under FISA (the US surveillance law whose section 702 was discussed in Schrems II – see this Fieldfisher blog), then SCCs may only be relied upon "if additional supplementary technical measures make access to the data transferred impossible or ineffective".

When this is read in conjunction with the two most problematic examples ("in the clear" data processed by a processor (use case 6) or groups sharing data (use case 7)), it raises the question of why the EDPB bothers setting out non-technical measures at all, and whether a risk-based approach can be taken.

So can business take a "risk-based" approach?

Perhaps the answer is that additional measures are useful when a business takes into account the nature of the data and the likelihood of actual (as opposed to theoretical) government access.

That would make sense, and is in line with much of what has been happening since the CJEU judgment itself.  

Many vendors tell their EU customers that the data is not of interest to surveillance authorities, or is publicly available anyway, and that they have never received any government access request.

So can businesses continue to look at risk here? The EDPB says not – at least during the step 3 (assessment) stage. In judging gaps in the legal regime of a destination country (where the laws are "lacking"), the EDPB writes that you should look only at "objective factors" and "not rely on subjective ones such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards". 

It seems clear, though, that the EDPB intends this to apply more generally: even where the laws are clear, and when deciding what practical steps to take, you should not take these subjective factors into account.

Many exporters will likely continue to rely on just this sort of risk assessment. They will take comfort from the fact that, despite the EDPB recommendations, such an approach is not obviously inconsistent with the CJEU's judgment (there are references to assessments being done on a "case-by-case" basis[2]), that it is indeed in line with the tenor of GDPR (which allows risk-based obligations in many situations) and that, frankly, it takes the exporter out of the unsolvable bind that any other reading would otherwise place them in.

In this regard, it is also interesting to see the revised SCCs published by the European Commission last week (see this Fieldfisher blog). In those, each party gives a warranty that it has no reason to believe the laws in the importer's country would prevent the importer from complying with its obligations under the clauses.

In giving that warranty, the clauses expressly state that the parties are entitled to take into account a number of factors including "the nature of the personal data", and "any relevant practical experience with prior instances, or the absence of requests for disclosure from public authorities received by the data importer for the type of data transferred".

Practical steps

Although still out for consultation, it seems unlikely much will change before the EDPB recommendations are finalised.

To the challenge that the EDPB is being impractical, it has already replied publicly that it is constrained by the law (GDPR and the European treaties) as interpreted by the CJEU. 
 
Much will depend on the attitudes of relevant regulators and whether they are willing to countenance a risk-based approach. 

Given Brexit, perhaps it is of little comfort to businesses with a European footprint wider than just the UK, but the Information Commissioner's Office has already said in a press release on the EDPB recommendations that it will take a risk-based approach to enforcement.

Immediate steps that exporters and importers can take to reflect this important document are as follows:

As an exporter:

  • Revisit and refresh the transfer sections of your Article 30 records.

  • Develop an approach on conducting transfer risk assessments. Might you seek input from your vendors? Might it make sense (in some situations – e.g., when it is already known that the assessment will fail (FISA in the US)) to simply move on to putting in place "additional measures" in any case?

  • Consider what "additional measures" make sense for your particular transfer. Can you encrypt or pseudonymise (in Europe) and only transfer data without the key?  

  • Be prepared to negotiate with your vendors to ask for some of the contractual promises set out, and check the operational measures in place.

  • Document why you think those measures suffice.    

  • Put in place processes to revisit any assessment as appropriate.

 As an importer:

  • Consider how you might help your customers/exporters address their transfer risk assessment and whether you might want to prepare your own assessment for the benefit of all of your customers.

  • Have you prepared statements for transparency as to government access?

  • Can you provide your services without having data "in the clear" and therefore assist with encryption or pseudonymisation?

  • What contractual promises and/or organisational measures (from the "menu" offered up by the EDPB) are you willing to offer?

The EDPB's consultation is open on their site until 30 November 2020 if you are interested in submitting a response.
 
 
[1] Under four very broad headings reflecting not only the Charter of Fundamental Rights of the EU but also the European Convention on Human Rights: A. Laws should be clear, precise, and accessible (publicly available); B. They ought to be "necessary and proportionate" given clear legitimate aims; C. There needs to be independent oversight; D. Individuals must have effective remedies.
 
[2] See for example paragraph 134 of the judgment. A clearer statement appears in paragraph 135 of the Advocate General's Opinion that led to the judgment, where they discussed what is now Step 3 (assessing the legal safeguards in the destination country): "Such an examination entails in my view a consideration of all of the circumstances characterising each transfer, which may include the nature of the data and whether they are sensitive …"
 
