Major Changes to All International Data Transfers Confirmed
On November 11, the European Data Protection Board (“EDPB”) issued its highly awaited recommendations on supplementary measures required for data transfers outside the EU and EEA (“Recommendations”) in the aftermath of the so-called Schrems II judgement. Please find below our brief insights on the Recommendations.
- In line with the significant obligations identified in the Schrems II judgement, the Recommendations set out a rather burdensome roadmap to ensure the lawfulness of data transfers outside the EU or EEA post-Schrems II. To begin with, controllers should carefully map all of their existing data transfers and the underlying transfer mechanisms.
- Where the underlying transfer mechanism is reliance on so-called appropriate safeguards, such as the commonly used standard contractual clauses (“SCCs”), controllers should assess whether the laws or practices (e.g. governing the access to data by public authorities) of the third country in question may impede the effectiveness of the appropriate safeguards used in a transfer. To assist data exporters in this complex assessment, the EDPB adopted a second set of recommendations on the European Essential Guarantees providing elements to help assess the legal framework of a third country.
- If such assessment indicates that the laws or practices of the third country may impede the existing safeguards, supplementary measures should be identified and adopted. The Recommendations contain a set of examples of the technical, contractual and organisational measures that could be used for securing the data transfers to third countries. These examples include requirements for encryption techniques and algorithms, supplementary contractual terms reinforcing the transparency obligations of the data importer, and internal policies for the governance of transfers. The EDPB emphasises that selecting and implementing certain measures does not render the transfers categorically lawful; the assessment must be done on a case-by-case basis.
- It is vital to re-evaluate the chosen measures on a regular basis and monitor the developments in the third countries where data is transferred. In addition, the EDPB emphasises the importance of the documentation of assessments related to transfers in accordance with the principle of accountability.
- Use cases provided in the Recommendations include two example scenarios where the EDPB finds it currently impossible to adopt effective technical safeguards to secure the transfers in a sufficient manner. These cases deal with very common scenarios in modern data processing solutions and are, therefore, particularly problematic for many organisations. In the first scenario, data is transferred to cloud service providers or other processors which require access to the data in clear text, and in the second, a controller or processor in the EU makes personal data available to entities in a third country to be used for shared business purposes (e.g. entities belonging to the same group of companies).
- Even though the long-awaited Recommendations provide several concrete examples of sufficient supplementary measures securing data transfers after Schrems II, there are no easy solutions. The overall situation remains vague. Many controllers and processors in the EU may find the roadmap hard to implement in practice from a day-to-day business perspective.
In addition to the EDPB Recommendations, the European Commission released yesterday, 12 November, its draft implementing decision (“Decision”) on new SCCs. The Commission states that the SCCs need to be updated to better reflect the requirements of the GDPR. Additionally, the Commission underlines that “– important developments have taken place in the digital economy, with the widespread use of new and more complex processing operations often involving multiple data importers and exporters, long and complex processing chains as well as evolving business relationships.” With the Decision, new processor-to-processor SCCs would be introduced, which will be highly appreciated by many processors in the EU.
The Decision is now open for feedback until 10 December. There would be a transition period of one year from the entry into force of the final decision, during which the current SCCs (subject to necessary additional safeguards) may be used. Notwithstanding the transition period, the Decision suggests that any changes to existing contracts or new contracts entered into following the final decision would require implementation of the new SCCs.
What Next? – Our Analysis
- It remains to be seen how supervisory authorities will enforce the obligations identified in Schrems II following the Recommendations. According to the Recommendations, “Supervisory authorities will pay due consideration to the actions exporters take to ensure that the data they transfer is afforded an essentially equivalent level of protection.”
- The Finnish Data Protection Ombudsman has today indicated that it will begin preparations for bringing the Recommendations to the attention of the Finnish market, since the Recommendations now serve as a basis for a harmonised EU-level approach to determining the implications of Schrems II. In practice, the Ombudsman, when moving forward, will possibly send inquiries to organisations in selected industries and request that they clarify the steps taken in response to the Schrems II judgement and the Recommendations.
- Many organisations now face important decisions regarding how to navigate the post-Schrems II environment in light of the Recommendations. The seven-step plan introduced in our previous broader article on Schrems II continues to serve as a useful structure for required analyses and actions.
- It will be of great interest to see what the next steps of global cloud service providers will be in reaction to the Recommendations – what measures will be taken and how will the measures affect the services?
- The current developments build pressure for the preparation of a new transfer mechanism to replace Privacy Shield, the previous scheme for transfers to the US now invalidated by Schrems II. As of now, only discussions between the EU and the US have been started.
- The new obligations identified in Schrems II and now clarified in the Recommendations require an unprecedented transformation of existing practices. Although the Recommendations may be found laborious to follow, doing nothing definitely remains a risky option.