During its 40th and 41st plenary sessions that took place in November, the European data protection board (EDBP) adopted the following recommendations:
– Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data;
– Recommendations on the European Essential Guarantees for surveillance measures.
Besides, the European Commission presented two draft SCCs: one set of SCCs for contracts between controllers and processors, and another one for data transfers outside the EU.
These documents are a follow-up to the CJEU’s “Schrems II” ruling that cancelled the Privacy Shield and prohibited personal data transfers to countries such as the USA where governmental mass surveillance programs are carried out. Indeed, the CJEU considered these programs were incompatible with European Data Protection Standards.
However, the Court provided for the possibility to supplement the SCCs with additional measures to allow transfer to these countries. Without further details as to what these additional measures could be, guidelines of the Authorities were eagerly awaited.
1.Context of the Schrems II ruling
In the Schrems II ruling of July 2020 (see here), the CJEU considered that the US laws allowing for the performance of a mass surveillance programme were not compatible with EEA data protection standards. The court also found that such laws contradicted the provisions contained in international data transfer tools such as the Privacy Shield and the SCCs.
As a result, the CJEU cancelled the Privacy Shield and provided for the possibility to supplement the standard contractual clauses with additional measures so that they ensure an adequate level of data protection.
Not only this ruling concerned the transfer of personal data to the US but also the personal data transfers to any country whose legal system would contradict the provisions of the SCC.
Following this ruling, the CJEU now expects that Controllers carry out a case-by-case analysis of the level of protection provided in the third countries where the data recipient is located and, if necessary, supplement the SCCs with additional measures, be it technical, organizational, or contractual measures.
Beyond the fact that it is difficult for the controller to assess the level of protection of a third country, the CJEU did not provide any examples or guidance as to what these additional measures could be.
2. The EDPB adopted recommendations on measures that could supplement the SCCs and on the European Essential Guarantees for surveillance measures
The EDPB adopted recommendations on measures that supplement the SCCs to ensure a level of data protection equivalent to the EU data protection standards.
It also adopted recommendations on the European Essential Guarantees for surveillance measures.
In doing so, the EDPB seeks a consistent application of the GDPR and the CJEU ruling across the EEA.
The EDPB Chair, Andrea Jelinek said: “The EDPB is acutely aware of the impact of the Schrems II ruling on thousands of EU businesses and the important responsibility it places on data exporters. The EDPB hopes that these recommendations can help data exporters with identifying and implementing effective supplementary measures where they are needed. Our goal is to enable lawful transfers of personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the EEA.”
The first recommendations aim to provide the steps data exporters must follow to work out if they need to put in place supplementary measures, and help them identify those that could be effective.
In this regard, the recommendations also contain a non-exhaustive list of examples of supplementary measures and some of the conditions they would require to be effective.
The recommendations on the supplementary measures are currently subject to public consultation.
The second recommendation provides data exporters with elements to determine if the legal framework allowing public authorities of a given third country to access personal data for surveillance purposes can be regarded as a justifiable interference with the rights to privacy and the protection of personal data.
These recommendations supplement the recommendations on supplementary measures.
This latter recommendation will be useful for assessing the level of protection of a third country. Indeed, mass surveillance programs carried out in the US was the main reason why the CJEU cancelled the privacy shield and required for additional measures to be implemented when organisations relied on the SCCs for transferring data to the US.
3. The Commission drafted new sets of Standard Contractual Clauses
The European Commission presented two draft SCCs: one set of SCCs for contracts between controllers and processors and another one for data transfers outside the EU.
The draft controller-processor SCCs are completely new and do not apply to international transfers of personal data.
Therefore, we will focus on the second set of SCCs for the transfer of personal data to third countries.
These second set of SCCs will replace the existing SCCs for international transfers that were adopted before the GDPR came into effect.
These SCCs needed an update to align with the GDPR requirements and since July 2020, with the CJEU’s ‘Schrems II’ ruling.
The good news is that the Commission not only covered data transfer from EEA controller to non-EEA controller and from EEA controller to non-EEA processor but also international data transfer from an EEA processor to a non-EEA processor and from an EEA processor to a non-EEA controller.
It also makes it expressly possible to add multiple parties to the agreement as exporter or importer acting either as controller or processor. It will, for example, simplify the contractual framework of data transfers taking place within international group companies which have not resorted to BCR.
The Commission has requested a joint opinion from the EDPB and the EDPS on both sets of SCCs. Therefore, the SCCs are not yet a valid legal data transfer tool, and we may expect the EDPB will not fully follow the Commission’s position.
In this regard, the EDPB Chair Andrea Jelinek said: “The new SCCs for the transfer of personal data to third countries have been highly anticipated, and it is important to point out that they are not a catch-all solution for data transfers post-Schrems II. While the updated SCCs are an important piece of the puzzle and a very important development, data exporters should still make the puzzle complete. The step-by-step approach of the EDPB recommendations on supplementary measures is necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. Together with the EDPS, the Board will now thoroughly draft a joint opinion on the two sets of draft SCCs as invited by the European Commission.”
Indeed, the EDPB will likely be very cautious given that CJEU cancelled the Commission’s decisions regarding international data transfer to the US two times in a row (i.e. Schrems I and II ruling).
As for now, following the EDPB recommendations seems to be safer than only resorting to the new set of SCCs drafted by the Commission without further analysis.
In conclusion, a little bit of patience is still required before we know exactly what should be done concerning international data transfers.
However, as recommended by the EDPB, organisations should carry out a data transfer mapping so that to identify the countries where data are sent and carry out the analysis so that to identify the relevant measures they should add to their data protection agreements.