The European Data Protection Board (EDPB) has adopted recommendations on measures around transfer tools which aim to assist controllers and processors acting as data exporters.
During its 41st plenary session, the EDPB adopted recommendations intended to ensure an essentially equivalent level of protection for personal data transferred outside of Europe.
In doing so, the EDPB is seeking a consistent application of the GDPR and the court’s ruling across the EEA.
EDPB chair Andrea Jelinek said: “The EDPB is acutely aware of the impact of the Schrems II ruling on thousands of EU businesses and the important responsibility it places on data exporters.
“The EDPB hopes that these recommendations can help data exporters with identifying and implementing effective supplementary measures where they are needed. Our goal is to enable lawful transfers of personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the EEA.”
Following the July determination that Privacy Shield was unlawful, this is one step closer to data transfers being compliant once again.
The recommendations contain a roadmap of the steps data exporters must take to find out if they need to put in place supplementary measures to be able to transfer data outside the EEA in accordance with EU law, and help them identify those that could be effective.
The EDPB said that “data exporters are responsible for making the concrete assessment in the context of the transfer, the third country law and the transfer tool they are relying on,” and “must proceed with due diligence and document their process thoroughly, as they will be held accountable to the decisions they take on that basis, in line with the GDPR principle of accountability.”
Jelinek said: “The implications of the Schrems II judgment extend to all transfers to third countries. Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as this would be ignoring the wide diversity of situations data exporters face.
“Data exporters will need to evaluate their data processing operations and transfers and take effective measures bearing in mind the legal order of the third countries to which they transfer or intend to transfer data.”
Cordery partner Jonathan Armstrong told Infosecurity that this appears to be draft guidance, which may be welcomed “but as we know, the courts don’t have to follow guidance and we’ve seen in the past how they often don’t.”
He added: “There’s no 100% safe way of doing data transfers even if you follow guidance from the EDPB – companies will still have to do their own risk assessment which is effectively double due-diligence – (a) who am I transferring data to (and are they safe) and (b) where is the data going (and is that country safe or can I strap on additional measures to make it safe).”
Commenting, William Long, global co-leader of Sidley’s privacy and cybersecurity practice, and leader of the EU Data Protection practice, said the recommendations are welcome in this respect; however, they will need to be carefully reviewed by international companies to determine the kind of data transfer assessment they will need to carry out.
“In particular, the six steps require data mapping, identifying the GDPR data transfer mechanism, such as Standard Contractual Clauses (SCCs), and an assessment of the laws in the country outside of the EEA where the data is being transferred to (e.g. the US),” he said.
“Where the assessment reveals that the third country legislation impinges on the effectiveness of the data transfer mechanism (e.g. SCCs) then the recommendations set out a non-exhaustive list of supplementary measures to bring the level of protection of the data transferred to an EU standard of essential equivalence. The measures include a number of technical measures focusing on state-of-the-art encryption and pseudonymization, so information security professionals may need to be closely involved in these assessments.”
Long said despite the recommendations being made, a further significant step forward would be for the European Commission and the US government to promptly negotiate a successor to the EU-US Privacy Shield program that directly addresses the CJEU’s concerns in Schrems II.
The six recommendations, as featured by Hogan Lovells, are as follows:
- Step One: Identify international data transfers
- Step Two: Identify data transfer mechanisms
- Step Three: Assess the law in the third country
- Step Four: Adopt supplementary measures
- Step Five: Adopt necessary procedural steps
- Step Six: Re-evaluate at appropriate intervals