The ruling by the Court of Justice of the EU (CJEU) on 16 July 2020 in the Schrems II case has far-reaching implications for the transfer of personal data outside of the European Economic Area (EEA).
The CJEU invalidated the EU-U.S. Privacy Shield Framework and ruled that, in certain circumstances, organisations could still rely on standard contractual clauses (SCCs) to transfer personal data from the EEA to the U.S. and other countries, but with appropriate due diligence and in some cases only when accompanied by supplementary measures.
On 11 November, the European Data Protection Board (EDPB) published its view on what these measures look like in Supplementary Transfer Measures Recommendations. In summary, the exporting organisation must undertake a case-by-case assessment of the transfer to assess whether an “essentially equivalent” level of protection for the personal data is provided under the third country’s laws, and where necessary implement supplementary measures to ensure such protection as set out by the following 6 steps:
- Know the transfers by undertaking a mapping exercise;
- Verify the data transfer mechanisms under Chapter V of the GDPR;
- Assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools relied upon;
- Identify whether there are any supplementary measures required;
- Take any formal procedural steps to adopt the supplementary measures; and
- At appropriate intervals, re-evaluate the level of protection afforded to the data transferred and monitor any developments that may affect it.
The European Essential Guarantees gives guidance on the assessment recommended in order to determine if a third country provides an EU equivalent level of protection:
- Processing should be based on clear, precise and accessible rules;
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
- An independent oversight mechanism should exist; and
- Effective remedies need to be available to the individual.
It should be noted that this guidance applies with immediate effect and there is no grace period, meaning it is essential that firms make a detailed assessment (Transfer Impact Assessment) of the type of data being sent, the access that might be granted to the data and the legal regime in the countries where the data is sent. Strong encryption and pseudonymisation could work as a sufficient measure to ensure a compliant transfer so long as the data remains encrypted and pseudonymised throughout the process, but it may be that certain transfers need to be halted.
What firms need to do
- It is essential that a firm maps its data flows, in particular understanding what data flows to which jurisdiction and under which transfer mechanism.
- Then a Transfer Impact Assessment should be performed, which may highlight inadequate data protection, meaning the data transfer cannot safely be made. Given the end of the Brexit transition period is in a month’s time, with the possibility of no adequacy decision, UK firms may need to quickly assess their transfer mechanisms.
- It is therefore apparent that a re-papering exercise of existing SCCs will be needed and although there is a full year to do this, for many firms the scale of the task may require outside assistance.
- Controllers should also be aware that they may be required to revise SCCs at the behest of processors.