The European Data Protection Board (EDPB) has published its final guidance on making transfers of personal data to third countries, to comply with EU data protection rules in light of the Schrems II judgment. The EU General Data Protection Regulation (GDPR) restricts transfer of personal data to third countries, unless similar levels of data protection are in place.
When Edward Snowden blew the whistle on government mass surveillance programs, privacy activist Max Schrems filed a complaint over EU international data flows. Although the complaint called on the Irish Data Protection Commission (DPC) to suspend Facebook’s EU-US data flows, the legal questions were referred to the Court of Justice of the European Union (CJEU).
In the case, the court held that the protection granted to personal data in the European Economic Area (EEA) must travel with the data, wherever it goes. No business can bypass that protection by transferring the data to a third country. The court further said that EU data protection regulators have a duty to step in and suspend transfers to third countries.
Following the judgment, the Irish DPC issued a preliminary order to Facebook to suspend its EU-US data flows. Facebook immediately challenged the order in the Irish courts, but the challenge failed. The data flows are at risk of being stopped unless EU and US lawmakers seal a deal that brings equivalence to their data protection regimes.
While the court maintained that no transfer of personal data can take place until a similar level of protection is available in the third country, it also upheld the validity of standard contractual clauses as a transfer tool. Contracts may serve to ensure an essentially equivalent level of protection for data transferred to third countries.
The judgment did not specify which measures data exporters could take to this end, but left it to exporters to assess and verify, on a case-by-case basis, the appropriate safeguards contained in the Article 46 GDPR transfer tools.
The Final Guidance
After the CJEU judgment, the EDPB published initial guidance. It has now issued final guidance to help data exporters with the complex task of assessing third countries and identifying appropriate measures for data transfers.
“The recommendations provide exporters with a series of steps to follow, potential sources of information, and some examples of supplementary measures that could be put in place.”
“Know your Transfers”
First, the EDPB advises exporters to map all transfers of personal data to third countries. They should ensure that the data is afforded an essentially equivalent level of protection wherever it is transferred for processing. Exporters must also verify that the data they transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
“Verify Transfer Tools”
Second, the EDPB advises exporters to verify the transfer tools their transfers rely on, among those listed under Chapter V GDPR. If the third country the exporter is transferring to has been granted a “data adequacy” status, the exporter is not required to do anything other than monitor the continued validity of the adequacy decision. In the absence of an adequacy decision, exporters need to rely on one of the transfer tools listed under Article 46 GDPR.
“Assess effectiveness of transfer tool”
Third, the exporter needs to assess whether any law in force in the third country may impinge on the effectiveness of the appropriate safeguards of the transfer tool it is relying on. By assessing those laws against the tool relied upon, the exporter can verify whether that tool can effectively protect the personal data transferred. If there is any concern that protection will be ineffective once the data has been transferred, the exporter may suspend the transfer or implement supplementary measures in order to proceed with it.
“Identify and adopt supplementary measures”
Fourth, if the legal regime in the third country impinges on the effectiveness of the transfer tool, the exporter needs to identify and adopt the supplementary measures required to bring about equivalence with the EU standard of data protection. The guidance also contains a non-exhaustive list of examples of supplementary measures. However, the exporter remains responsible for assessing the effectiveness of a measure, or combination of measures, with regard to the third country in question. If no measure is sufficient to protect the data, the exporter must avoid, suspend or terminate the transfer so as not to compromise the level of protection of the personal data.
Fifth, the exporter should take any formal procedural steps that the adoption of a supplementary measure may require, depending on the Article 46 GDPR transfer tool the exporter is relying on. Lastly, the exporter has to vigilantly re-evaluate, at appropriate intervals, the level of protection afforded to the personal data it has transferred to third countries.
You can read the full recommendation here.