On 21 June 2021, the European Data Protection Board (“EDPB”) published the final Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Recommendations”). These long-awaited Recommendations are an extremely important step for the consideration of data transfer related risks and GDPR compliance management within an organisation.
The final Recommendations follow the Draft Recommendations published on 11 November 2020 (the “Draft Recommendations”). They seek to address the requirements of the Schrems II decision of the Court of Justice of the European Union last year and follow the publication earlier this month of the European Commission final Implementing Decision on standard contractual clauses for the transfer of personal data to third countries.
Many of the Recommendations remain unchanged compared with the previous Draft Recommendations; however, there are some notable differences:
- Data exporters must consider whether protection provided for the transferred personal data is essentially equivalent to that guaranteed in the EEA, both after the transfer of the personal data and during the transit of data from the exporter to the importer’s country.
- When carrying out a Transfer Impact Assessment (“TIA”), there is a strong emphasis within the Recommendations for data exporters to also assess the practices in force in the third country alongside the relevant legislation, including where that legislation formally meets EU standards. If there are incompatible practices in the third country (irrespective of the legal regime in that third country), additional supplementary measures will have to be implemented.
- Where a TIA reveals that relevant legislation in the third country may be ‘problematic’, the exporter may proceed with the transfer without implementing supplementary measures, if it considers that the problematic legislation will not be applied in practice to the transferred data and/or the importer. However, there are lots of extra hoops to jump through to be able to demonstrate and document (in a detailed report), in collaboration with the data importer, that the law in the third country is not interpreted and/or applied in practice. The Recommendations include a long list of “possible sources to assess a third country” in Annex 3, in order of preference ranging from the gold standard “case-law of the Court of Justice of the European Union” down to “internal statements or records of the importer expressly indicating that no access requests were received for a sufficiently long period; and with a preference for statements and records engaging the liability of the importer and/or issued by internal positions with some autonomy such as internal auditors, DPOs, etc”. The main takeaway is that the bar for documenting evidence that data is unlikely to be accessed in practice has been set extremely high, adding to the already significant amount of extra paperwork for exporters and importers.
- In a divergence from the approach taken by the European Commission, the Draft Recommendations considered that subjective factors, such as the likelihood of risk of harm to the data subject, should not be taken into account when carrying out a TIA. Now, at first glance, the final Recommendations appear to have taken a wider approach, stating that data exporters can take into account “documented practical experience of the importer with relevant prior instances of requests for access received from public authorities in the third country” when carrying out a TIA. However, this apparent move closer to a more risk-based approach comes with a number of significant caveats, including:
  - The data exporter can only use the experience of the importer as an additional source of information if the third country does not prevent the importer providing information on public authority requests for disclosure or the absence of such requests. This appears to rule out transfers to some countries, for example, the U.S., where informing third parties that a request for disclosure has been received may constitute a criminal “tipping off” offence. Indeed, a “no tipping off” offence is not unique to US laws; it is common to many interception regimes around the world.
  - The relevant and documented experience of the importer must be corroborated and not contradicted by “relevant, objective, reliable, verifiable and publicly available or otherwise accessible information on the practical application of the relevant law”.
  - The absence of prior instances of requests received by the importer cannot be considered, by itself, as a decisive factor allowing a transfer to proceed without supplementary measures. This information can only be considered together with other types of information obtained as part of the overall TIA.
- In the Draft Recommendations, the EDPB adopted a narrow interpretation of the derogations in Article 49 GDPR, restricting use of the derogations to “occasional and non-repetitive transfers”. In the final Recommendations, the EDPB appears to have adopted a similarly narrow approach, stating that the Article 49 derogations cannot become “the rule” in practice, but need to be restricted to specific situations. That said, helpfully the final Recommendations no longer explicitly state that Article 49 should be limited in use to “occasional and non-repetitive transfers”. We anticipate that, notwithstanding the cautious guidance in the final Recommendations, Article 49 will become a more commonplace and popular mechanism to justify transfers given the high bar set by the Recommendations to be able to rely on standard contractual clauses. The two options are not mutually exclusive and we also anticipate that exporters will seek to rely on Article 49 “to the extent that” they cannot justify transfers on the basis of another Chapter V mechanism. Litigation on these approaches and appeals of enforcement action by regulators applying the EDPB Recommendations is inevitable given the vagaries of the underlying law.
- The Recommendations confirm that additional commitments that may need to be included in BCRs as a result of the Schrems II ruling will be included in updated guidance, to which all groups relying on BCRs as transfer tools will have to align their existing and future BCRs.
It is important to remember that the Recommendations are not legally binding. They are no more than an interpretation of the underlying law as set out in the Schrems II judgment itself and in Chapter V of the GDPR, albeit that the interpretation of specialist regulators does tend to carry weight in domestic Member State courts. Given the high bar that the Recommendations have set to be able to rely on standard contractual clauses, we anticipate that many exporters will fall short and that enforcement action, appeals and litigation are inevitable. It will take time for these appeals and cases to work their way through the courts and for the actual legal standard of care to be clarified. For the time being a great deal of legal uncertainty remains on the topic of international transfers.
Although the Recommendations provide guidance and confirm the EDPB’s view of their preferred step by step approach needed to comply with the Schrems II judgment, the required level of assessment, detailed documentation and justification set out in the Recommendations is likely to be challenging for businesses. In particular the requirement to consider the practices in force in the third country, which can demonstrate both that legislation meeting EU standards in the third country is not sufficient, as well as establishing that “problematic legislation” will be very difficult to apply in practice.
The global data protection, privacy & security team at DLA Piper has developed a standardised data transfer methodology to assist clients carrying out a transfer impact assessment consistent with the Schrems II judgment and Chapter V of the GDPR, when relying on SCCs or other transfer mechanisms. For further information please see our global data transfer webpage.