Over the last weeks, the CNPD together with the data protection authorities of the EU member states have elaborated within the European Data Protection Board (EDPB) recommendations on measures that supplement transfer tools to ensure compliance with GDPR.
During its plenary session on 11 November 2020 the EDPB adopted these recommendations, as well as recommendations on the European Essential Guarantees (EEG) for surveillance measures.
Both documents were adopted as a follow-up to the CJEU’s ‘Schrems II’ ruling. As a result of the ruling on July 16th, controllers relying on Standard Contractual Clauses (SCCs) are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the European Economic Area (EEA). The CJEU allowed exporters to add measures that are supplementary to the SCCs to ensure effective compliance with that level of protection where the safeguards contained in SCCs are not sufficient.
The recommendations aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries. In doing so, the EDPB seeks a consistent application of the GDPR and the Court’s ruling across the EEA.
EDPB Chair, Andrea Jelinek said: “The EDPB is acutely aware of the impact of the Schrems II ruling on thousands of EU businesses and the important responsibility it places on data exporters. The EDPB hopes that these recommendations can help data exporters with identifying and implementing effective supplementary measures where they are needed. Our goal is to enable lawful transfers of personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the EEA.”
The recommendations contain a roadmap of the steps data exporters must take to find out if they need to put in place supplementary measures to be able to transfer data outside the EEA in accordance with EU law, and help them identify those that could be effective. To assist data exporters, the recommendations also contain a non-exhaustive list of examples of supplementary measures and some of the conditions they would require to be effective.
However, in the end data exporters are responsible for making the concrete assessment in the context of the transfer, the third country law and the transfer tool they are relying on. Data exporters must proceed with due diligence and document their process thoroughly, as they will be held accountable to the decisions they take on that basis, in line with the GDPR principle of accountability. Moreover, data exporters should know that it may not be possible to implement sufficient supplementary measures in every case.
The recommendations on the supplementary measures will be submitted to public consultation. They will be applicable immediately following their publication.
In addition, the EDPB adopted recommendations on the European Essential Guarantees for surveillance measures. The recommendations on the European Essential Guarantees are complementary to the recommendations on supplementary measures. The European Essential Guarantees recommendations provide data exporters with elements to determine if the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with the rights to privacy and the protection of personal data, and therefore as not impinging on the commitments of the Article 46 GDPR transfer tool the data exporter and importer rely on.
The Chair added: “The implications of the Schrems II judgment extend to all transfers to third countries. Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as this would be ignoring the wide diversity of situations data exporters face. Data exporters will need to evaluate their data processing operations and transfers and take effective measures bearing in mind the legal order of the third countries to which they transfer or intend to transfer data.”
The CNPD together with the EEA data protection supervisory authorities will continue coordinating their actions in the EDPB to ensure consistency in the application of EU data protection law.