Earlier this year, the European Court of Justice (CJEU) declared the EU-US Privacy Shield to be invalid and cast doubt on the legality of making any transfer of personal data to countries outside the EEA that do not have an ‘adequacy decision’, in particular (but not limited to) the United States.
The CJEU said it was up to the transferring organisation to assess, on a case-by-case basis, whether or not the data being transferred would receive an equivalent level of protection to that provided by the GDPR – and to use supplementary measures to protect the data if it did not.
As with many data protection-related matters, this has done little to clarify the situation. On the contrary, it has further muddied what some might consider to be pretty murky waters, as the CJEU gave no indication of what those supplementary measures might be and under what circumstances they would need to be used.
Recommendations issued by the European Data Protection Board (EDPB), intended to help ensure that personal data which is transferred is protected in accordance with the GDPR, describe the steps that organisations must now take in order to decide whether they need to put in place supplementary measures. (These recommendations were subject to consultation and will be confirmed or amended soon).
Here’s our summary of the steps you need to take if your organisation transfers personal data to countries outside of the EU/EEA.
1. Know your transfers
- Identify all of your international (cross-border) personal data transfers, including any onward transfers of personal data by processors to sub-processors.
- Verify that the personal data you transfer is adequate, relevant, and limited to what is necessary.
Note: “transfer” includes remote access from a third country or cloud storage outside of the EEA.
2. Identify the method the transfer relies on
Identify the appropriate safeguard that you are relying on – for example standard contractual clauses (SCCs).
3. Assess the laws and practices in the destination country
The relevant third country’s surveillance laws and practices must be considered in order to assess whether they interfere with privacy rights granted by EU law. Data importers should also play an active part in the exercise and be ready to provide data exporters with the necessary level of information.
Surveillance laws are a key consideration when assessing the effectiveness of protection in the destination country. To help exporters, the EDPB has provided criteria to assess whether surveillance (including interception) measures in a third country are too invasive. In a nutshell, surveillance measures should not enable access, retention and further use of personal data by public authorities ‘beyond that which is strictly necessary and proportionate in a democratic society’.
The EDPB sets out four essential guarantees which must be respected in order to legally limit privacy and data protection rights:
- Processing should be based on clear, precise, and accessible rules – in essence, interception and surveillance should (to an extent) be foreseeable and grounded in laws which an individual could invoke before a court.
- Processing should be limited to that which is necessary and proportionate with regard to the legitimate objectives pursued.
- An independent oversight mechanism should exist.
- Effective remedies must be available to the individual.
4. Identify and adopt supplementary measures
If the “appropriate safeguard” adopted for the transfer is not effective on its own, consider whether any supplementary measures exist which could ensure that the transferred data is afforded the same level of protection as it would receive under the GDPR. These supplementary measures are technical, contractual and/or organisational measures that will need to be considered on a case-by-case basis.
If, for whatever reason, you cannot find or cannot implement supplementary measures, you should not rely on the appropriate safeguard alone to transfer personal data outside of the UK/EU. If you’re already doing so, stop!
5. Take formal procedural steps
If you have identified effective supplementary measures, these measures should be adopted and documented, for example by supplementing the standard contractual clauses with the additional requirements (provided that the additional requirements do not contradict the standard contractual clauses).
6. Re-evaluate the analysis at appropriate intervals
The EDPB states that businesses must monitor, on an ongoing basis, developments in the jurisdiction to which they have transferred personal data that could affect their initial assessment of the level of protection. For example, if a new data protection or national security law has been passed in the jurisdiction, it might be necessary to repeat the assessment described in step three above.
In order to meet the GDPR’s accountability requirements, each of these steps would need to be documented.
What does this mean for using US based service providers?
The EDPB effectively says that US surveillance laws conflict with the GDPR and that a transfer may only be made under standard contractual clauses if additional supplementary technical measures make access (by US law enforcement) to the data “impossible or ineffective”.
In other words, supplementary contractual or organisational measures alone will not be sufficient.
This creates a big challenge for the use of services where data is hosted or remotely accessed from the US.
What does the ICO say?
The ICO has said it may publish its own guidance in due course, after the EDPB recommendations are finalised. In the meantime, it expects organisations to follow those recommendations.
What does this mean for data transfers to and from the UK after Brexit?
At the end of the Brexit transition period on 31 December 2020, the GDPR became part of UK law as the “UK GDPR”. This means that organisations must continue to comply with the same requirements on international personal data transfers as set out in the recommendations above.
To say that these recommendations make international data transfers outside the UK/EEA much harder would be a considerable understatement. Added to this, it is highly likely that these recommendations will change over time.
As it currently stands, the required approach is extremely burdensome, disregards commercial realities and leaves no scope for a ‘risk-based’ approach, which means that organisations can’t take into account the specific nature of the data being transferred (e.g. low-risk or publicly available data) when assessing the steps they need to take.
This would appear to conflict with the ethos of the GDPR itself, which states that organisations must assess risk when implementing technical and organisational measures. Interestingly, and possibly very significantly, in its statement about the EDPB recommendations, the ICO said “We continue to apply a risk-based and proportionate approach to our oversight of international transfers in accordance with our Regulatory Action Policy”.
For organisations that use international data transfers as a standard part of their business operations, the latest recommendations have the potential to be confusing at best, and highly disruptive at worst. The right data protection partner can help you to traverse what will continue to be changeable and turbulent waters. If you’d like to speak to a member of the team about how norm. could support you, email: firstname.lastname@example.org.
This advisory, which is based on various sources including the ICO, is for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such.
Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.