The European Data Protection Board (EDPB) has recommended measures to supplement personal data transfer tools to ensure compliance with EU standards when transferring data to non-EU “third countries”.
Following the Schrems II ruling, which struck down the Privacy Shield between the US and EU in July, many controllers have been relying on Standard Contractual Clauses (SCCs) as a tool for data transfers outside the EU.
Where SCC safeguards alone are not sufficient, supplementary measures are allowed in order to guarantee those equivalent personal data protections. But until now, data exporters have been waiting for clarity as to what these may look like.
The recommendations, released by the EDPB on November 10 and now set for public consultation, set out a “roadmap” for data exporters to establish whether supplementary measures are necessary and identify effective measures (see steps below)
The guidance contains a selection of use-case scenarios of supplementary measures and required conditions. Ultimate responsibility, however, still lies with the data exporters themselves, and such measures may not always be possible.
On the same day, the EDPB also provided recommendations, styled the “European Essential Guarantees”, for determining whether third country laws allowing access to data for the purposes of surveillance constitute a “justifiable interference” with privacy and personal data protections, and would therefore be GDPR-compliant.
Since July’s decision, controllers using SCCs must establish whether the law of the third country in question ensures equivalent personal data protection to that of the European Economic Area.
Verification must be done on a case-by-case basis, in collaboration with the third country recipient, if appropriate.
EDPB roadmap steps
- Step one advises exporters to map and know their transfers, and ensure data transferred is “adequate, relevant and limited to what is necessary” for the purposes for which it is being transferred.
- Step two is to verify the transfer tool the transfer relies on. If an adequacy decision with the intended data destination is not in place, the exporter must rely on one of the transfer tools listed under GDPR Article 46 for regular and repetitive transfers.
- Step three is to identify any laws or practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools relied on on, in the context of the specific transfer.
- If the assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool relied upon for the transfer, step four is to identify and adopt supplementary measures to bring the level of data protection up to the EU standard of essential equivalence.
- Step five is to take necessary formal procedural steps that the adoption of the chosen supplementary measure may require, depending on the Article 46 GDPR transfer tool relied upon.
- Step six is to re-evaluate the protected of the transferred data at appropriate intervals and any developments that may affect it.