EDPB publishes its long-awaited guidance on Schrems II

What key information should data handlers be aware of in the new guidance?

The key takeaway

Organisations who import data to third countries outside of the EU should review their existing means of transfer in light of the new EDPB recommendations, as these provide prescriptive guidance on the steps that now need to be taken.

The background

On 11 November, the European Data Protection Board (EPDB) published its long-awaited guidance on the Schrems II judgment. This is comprised of two sets of recommendations:

• Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (the Supplemental Measures Recommendations), and
• Recommendations 02/2020 on the European Essential Guarantees for Surveillance Measures (the EEG Recommendations)

(together, the Recommendations).

The Recommendations are designed to provide details of measures which can be used to supplement transfer tools (such as the SCCs) to maintain the level of data protection required under EU legislation. 

The development

Under the Supplemental Measures Recommendations, organisations should observe the following six-step process:

1. “Know your transfers”: data exporters should identify all transactions whereby they transfer data to third countries, including any “onward transfers” of data. The exporter must be able confirm that the data transferred is GDPR compliant, namely limited to what is necessary for the purposes of transference, relevant, and adequate. While potentially time-consuming, the EDPB considers that this is a necessary step.
2. ‘Verify the transfer tool your transfer relies on’: where an adequacy decision exists with regard to the data transfer location, organisations do not need to take further steps other than ensuring the adequacy decision remains valid. Where no adequacy decision exists, organisations must rely on one of the transfer tools listed under Articles 46 and 49 GDPR.
3. Assess whether the third country law may reduce the effectiveness of your chosen transfer tool: this assessment should primarily focus on the third country’s legislation that is relevant to the transfer and chosen tool. The EEG Recommendations provide details of the elements to be taken into account – for example, “access, retention and further use of personal data by public authorities within the remit of surveillance measures must not exceed the limits of what is strictly necessary”. Organisations must make sure to document this assessment process thoroughly.
4. “Identify and adopt supplementary measures”: this step is only necessary where, in compliance with (3) above, the organisation has identified that third country legislation impinges on the effectiveness of the transfer tool. As part of this step, organisations must identify and adopt any additional measures that might assist in bringing the data protection to an EU standard of essential equivalence. The EDPB provides a non-exhaustive list of potential measures at Annex 2 of the Supplementary Measures Recommendations including strong encryption of data and the splitting of data into unintelligible parts (amongst others).
5. Take any formal procedural steps required to put the supplementary measures in place.
6. Remain vigilant: accountability is an ongoing obligation so organisations must make sure to re-evaluate at appropriate intervals that the protection applied to the data in question remains effective, and consider whether there have been any developments that might impact this effectiveness.

The Supplemental Measures Recommendations closed to public consultation from the end of November and then became immediately applicable. Importantly for UK based data handlers, from 1 January 2021 (Brexit), the Recommendations will apply to transfers from the EEA to the UK in the event that no adequacy decision is made.

The EDPB makes specific reference to US law in its Recommendations, finding that section 702 of the its Foreign Intelligence Surveillance Act (FISA) is not considered to provide the essentially equivalent protection necessary. Consequently, in relation to transfers under section 702, supplementary contractual or organisational measures will not be enough to satisfy the GDPR requirements. At Annex 2 of the Recommendations, the EDPB considers worked examples of data transfers and finds that, in its worked examples of (i) cloud service providers that require access to data in the clear, and (ii) remote access to data for business purposes, the EDPB is incapable of envisioning an effective technical measure to prevent that access from infringing on data subject rights.

The UK will be classed as a third country from 1 January 2021. If the European Commission fails to give a positive adequacy decision in relation to data transfers between the EU and UK, then EU organisations who transfer data to the UK will need to comply with the six steps outlined in the Recommendations, including an assessment of UK surveillance laws.

Both EU and, for now, UK organisations should consider what organisational steps they will need to put in place to ensure that they are able to follow the EDPB’s latest guidance. Appropriate staff training would be a first step in the right direction.

With regards to UK organisations that import personal data from the EEA, steps should be taken now to identify how UK surveillance laws might impact processing activities, what supplementary measures should be adopted in response, and whether these will be sufficient to allow the continual flow of data.