This article is written by Shreya Mazumdar pursuing Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho. The article has been edited by Prashant Baviskar (Associate, LawSikho) and Smriti Katiyar (Associate, LawSikho).
The European Data Protection Board (EDPB) is an autonomous European body with an objective to ensure consistent application of the General Data Protection Regulation (GDPR) and in order to promote cooperation among the EU’s data protection authorities.
It was on the 11th Nov. 2020 the EDPB directed the companies around the world a new map to guide the data flows. The EDPB published two documents which are the recommendations on supplementary measures and EU essential guarantees. This document highlights the assessment process for efficient foreign protection as per the EU laws when the personal data is transferred abroad and a set of EU approved safeguards that the companies can implement even when the foreign protection is judged lacking when it is compared to EU legal standards.
The Court of Justice of European Union (CJEU) of 16th July 2020 upholds in Data Protection Commission v. Facebook Ireland Ltd., Maximillian Schrems, C-311/18 that the provisions of GDPR (Article 46 (1) and 46 (2) (c)) must be interpreted in order to enforce appropriate safeguards, enforceable rights and effective legal remedies required under the GDPR must ensure that the data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses shall provide a level of protection which is essentially equivalent to guarantee within the EU. There has to be a level of protection of natural persons which is equivalent to that of the protection and safeguards guaranteed by the GDPR where the transfer of personal data is to a third country that is carried out. The CJEU came up with various such guidelines in order to safely transfer data.
Guideline for global data flow
The EDPB directs the recommendation to the companies which are charged with implementing them. This part of the article mentions the step-by-step guideline for implementing this recommendation. This is a six-step plan in order to assess and protect global data flow which is in line with the ruling in Schrems-II.
Guideline 1 and 2 : transfer mapping and transfer mechanism
The first step is advice by EDPB to exporters for them to know the transfer and the second step is to verify the transfer tool by which the transfer happens.
As per the current practice, this recommendation refers to standard contracts, ad hoc contractual clauses, binding corporate rules (BCR), adequacy, consent or other GDPR Article 49 derogation (exemptions for cross-border). The EDPB mentions that if the transfer is to a country that is deemed adequate by the European Commission so long as the decision is in force the company will not have to take any further steps in order to monitor the adequate decision that remained valid.
If this transfer of data is to any of the 12 countries or territories that are deemed to be adequate the EDPB seems to suggest that such transfer is acceptable but the CJEU decision can change the equation. EDPB in its recommendation mentions the encryption safeguards that are essential for data routed through a non-adequate country in transit to an adequate one which is a potential suggestion for the universal need for additional safeguard.
Guideline 3 : examine if the non-EEA protection is enough
EDPB recommends that in case there are provisions in law or practice of the third country which may run contrary to or deviate from the effectiveness of the appropriate safeguards of the transfer tools the company is relying on the specific transfer. The essential guarantees mentioned by the EDPB are as follows:
- The processing of data shall be based on clear, precise and accessible rules.
- The necessity and proportionality with respect to the legitimate objective pursued need to be demonstrated.
- There has to be an existence of an independent oversight mechanism.
- There are supposed to be effective remedies that need to be available to the individual.
EDPB cautions against relying upon subjective factors like public authorities that may access the data which is not at par with the EU standards rather than considering the laws governing access and protection directly. It means that the legal requirement and authorities should be given more importance when it comes to assessing the practical likelihood that your data will be of interest to and accessed by authorities. After the CJEU’s (Courts of Justice of The European Union) July 16th decision, many companies did consider such likelihood as part of their assessments having few other options at their disposal. The EDPB statement mentions that many companies may need to reassess their approach.
With respect to the Recommendation of Essential Guarantees, the EDPB offers companies’ recommendations on safeguard and has a very brief list of possible sources of information to assess foreign protection. These include cases from CJEU, European Court of Human Rights, European Commission adequate decisions, resolutions and reports from the intergovernmental organisation and regional bodies.
Guideline 4 : search and implement supplementary measures
This is one of the crucial steps suggested by EDPB. EDPB mentions that there have to be supplementary measures that shall be taken in order to bring the level of data protection transfer to the EU standard of essential equivalence.
One has to abide by this step where the organisation’s assessment in step three reveals that the third country legislation conflicts with implementing Article 46 GDPR which is an appropriate safeguard when there is a transfer to other countries. EDPB has listed out a non-exhaustive list of such measures in annexe two of the recommendations. This details down the great attention and scrutiny in the days ahead. If there can be no supplementary measures that can be taken in order to remedy the deficiencies then the transfer must be stopped.
The supplementary measures that are to be provided by EDPB encircle around technical, contractual and organisational measures. For every category, EDPB outlines appropriate additional safeguards as well as scenarios that might be available but in situations where these measures cannot be taken, there shall not be any data transfer and it should be stopped.
Following are the suggestions for these safeguards.
A very predictable safeguard is encryption, which can be used for technical safeguards. Companies and organisations shall take appropriate measures to abide by this encryption as an appropriate safeguard under this context. The EDPB shows six separate facets of encryption protocol in order to prove the sufficiency. Before transmission, there has to be strong encryption, check if the encryption can survive cryptanalysis by public authorities, perfect implementation of the encryption algorithm and maintenance of keys in the EEA.
An organisation should pay particular attention where there are no effective technical safeguards found. These circumstances include data processing in the clear by the cloud service provider (that is, unencrypted processing) of the data that is sent to a remote location and accessed at a remote location and use of this data from a third country for business purposes such as human resource processing.
It has been clarified right away by EDBP that as contracts cannot bind government authorities, contractual safeguard shall only remedy deficiencies that are essentially equivalent protection when implemented as part of a broader package of supplementary measures.
One of the very crucial safeguards described by EDPB is that an importer who imports data shall commit to transparency. EDPB mentions that if there is such safeguard then it will assist the exporters in conducting its required assessment. EDPB mentions the call for transparency regarding the laws governing government under which the government has access to data in the recipient jurisdiction and potentially certification that the importer has not created any channel that enables the government to access its data.
Enhanced audits verify whether data has been provided to government authorities, commitments to notify the data exporter in situations where the importers can no longer comply with the commitments due to the change in the laws of the country or case of “warrant canary” that a government access request has not been received until and unless it has. The EDPB notes that an importer shall notify the EU exporter of its inability to match the commitments before data is accessed by government authorities in practice.
Another recommendation of EDPB is, contractual commitments by the data importers to challenge government access to data in court before disclosing it, where bases for such challenges exist.
Lastly, EDBP proposes contractual commitments in order to enable data subject rights. These include commitments not to discuss data with government authorities unless expressed consent is taken from the data subjects. In addition to that, a notification to data subjects of requests shall be provided which shall be at par with the law so that the affected data subjects can seek redressal in the EU, through DPAs or the courts.
EDPB mentions that there are safeguards that shall be paired with contractual guarantees and technical protection to provide corresponding protection which shall be assessed on a case-by-case basis in the context of specific transfer.
Internal policies for the transfer governance with a group of enterprises is an example where implementation of these policies can be complex. EDPB explains that these policies shall provide a clear allocation of responsibilities, reporting challenges and ways to respond to the government access requests. EDPB further mentions that government access request, procedural step to challenge unlawful or disproportionate request as well as transparency to data subjects.
Other measures for an organisation can include transparency policies, akin to those discussed under contractual measures, data minimisation procedures, security standards recognised internationally, such as ISO standards and policies or commitments not to transfer the data onward to other countries which may not provide essentially equivalent protections.
Once the organisation has conducted an extensive assessment and kept in place sufficient additional safeguards where that is realistically possible, the EDPB asks them to keep documenting their approach and seek authorisation where required by the chosen transfer mechanism and to reassess the approach regularly.
The EDPB recommendation can turn out to be complex and it might take a while for the companies and organisations to get this perfectly implemented. It can be frustrating for companies as the compliance can be challenging if a proper data protection lawyer is not engaged to guide them as these compliances are mandatory for enabling and protecting data flow so that EU’s global economy and society can function, considering the increase in remote data-enabled engagement during the pandemic.
EDPB and DPAs are doing quite the impossible task of providing concrete examples and options for companies to address a nearly impossible task by searching ways to maintain EU data protection standards in an inherently global and multicultural world in which norms and laws diverge.
- Caitlin Fennessy, A breakdown of EDPB’s recommendations for data transfers post-‘SchremsII'(11thNov.2020) https://iapp.org/news/a/a-break-down-of-edpbs-recommendations-for-data-transfers-post-schrems-ii/
- Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (10th Nov. 2020) https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf.
- EDPB issues finalised Schrems II guidance on ensuring compliance for data transfers, (28th June 2021) https://hsfnotes.com/data/2021/06/28/edpb-issues-finalised-schrems-ii-guidance-on-ensuring-compliance-for-data-transfers/
- Clint Monteith, EDPB Issues Draft Guidance on Post-Schrems II GDPR Compliant Data Transfers(23rdNov.2020) https://www.dwt.com/blogs/privacy–security-law-blog/2020/11/edpb-draft-guidance-gdpr-data-transfers
- Rob Stubbs, Data Sovereignty and Privacy Compliance Post Schrems II, https://www.infosecurity-magazine.com/opinions/data-privacy-compliance-post/
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: