The European Data Protection Board (EDPB) has published its final recommendations for the necessary safeguards for transfers of personal data to destinations outside the European Economic Area (EEA), following the Schrems II decision in which the Court of Justice of the European Union (CJEU) held that personal data transferred from the EEA to a destination outside the EEA must be protected at a level essentially equivalent to the level of protection under the GDPR.
The core of the EDPB’s recommendations indicates that when an organization chooses to use the European Commission’s Standard Contractual Clauses (SCCs) as a mechanism for data transfers to other countries, the organization will have to assess the laws in the country of destination (‘third country’) which affect data protection.
If the assessment indicates that the third country does not provide an essentially equivalent level of protection as the laws in the EU, the organization should identify and adopt supplementary contractual, technical, and organizational measures. These measures are aimed at elevating the protection afforded to the data so that it rises to the appropriate level of protection under the EU standards. The EDPB provides a non-exhaustive list of suggested measures, including encryption as a technical measure if the data recipient located in the third country is exposed only to encrypted data.
The EDPB’s draft version of the recommendations, issued in November 2020, attracted extensive public comment because it introduced significant practical difficulties for many organizations that engage in cross-border transfers of GDPR-governed data, particularly regarding transfers to U.S. cloud service providers.
Similar to the draft recommendations, the final version of the recommendations consists of a six-phase program for organizations: (1) mapping the cross-border transfers of personal data, and verifying that they are appropriate, relevant, and limited to what is necessary; (2) choosing the desired cross-border transfer tool, amongst those recognized in the GDPR; (3) if the chosen tool is the SCCs, then assessing the laws and practices in the country of destination, including identification of those laws and practices that may impinge on the effectiveness of the safeguards of the chosen transfer tool.
It is in this step 3 that the final recommendations differ from the original draft. If the data transferred or the data importer falls within the scope of any problematic legislation, the data exporter may nevertheless proceed with the transfer without implementing supplementary measures if it can “demonstrate and document that [it] has no reason to believe that relevant and problematic legislation will be interpreted and/or applied in practice”.
The assessment must be conducted “with due diligence”, and the EDPB warns that regulators or courts may ask to review the assessment and “hold you accountable for any decision you take on that basis”.
The three final steps in the recommendations remain largely the same as in the draft: (4) identifying and adopting necessary supplementary measures to protect the data transferred; (5) taking formal procedural steps to adopt the supplementary measures; and (6) periodically re-evaluating the level of protection of transferred data, at appropriate intervals.
The EDPB’s final recommendations on supplementary measures for cross-border data transfers are published on the EDPB website.