Export of personal data outside the European Union: a practical action plan

In the so-called Schrems II judgment rendered on 16 July 2020, the Court of Justice took a position on a number of questions related to the export of personal data. It ruled inter alia that controllers relying on standard contractual clauses (SCCs) are required to verify, on a case-by-case basis and where appropriate in collaboration with the recipient of the data in the third country outside the European Economic Area, whether the legislation of the third country ensures a level of protection that is essentially equivalent to that guaranteed in the European Economic Area. If such a level of protection is not ensured, the Court specified that the data exporter should either cease the transfer of personal data to the third country or implement supplementary measures following a data transfer impact assessment in order to ensure a level of data protection as required by EU law.

The European Data Protection Board (EDPB) adopted two important draft recommendations on 10 November 2020 in order to help businesses (i) assess whether the data protection framework of a third country is essentially equivalent to the GDPR framework and (ii) identify whether and which appropriate supplementary measures need to be taken:

  • Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data; and
  • Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.

The EDPB did not provide any quick fixes or a one-size-fits-all solution, but came up with a 6‑step plan for data exporters to follow on a case-by-case basis before transferring personal data to a third country.

What you need to do (according to Recommendations 01/2020)

  • Step 1 – Know your transfers: Map all transfers of personal data to third countries (due diligence for all countries to which personal data is sent) in a "transfer impact assessment". Document all transfers internally, e.g. by using the record of processing activities.
     
  • Step 2 – Identify the relevant transfer tools: For each transfer, identify the relevant transfer tool of Chapter V GDPR (e.g. standard contractual clauses, derogations, etc.). If the transfer cannot be based on an adequacy decision or on a derogation as provided for by Article 49 GDPR, the data exporter should proceed with Step 3.
     
  • Step 3 – Assess whether the Article 46 GDPR transfer tool is effective in the light of all the circumstances: Selecting an Article 46 GDPR transfer tool (such as standard contractual clauses or binding corporate rules) is not sufficient in itself. The data exporter is required to assess the effectiveness of this transfer tool.
    • If legislation exists in the third country that might impinge on the effectiveness of the transfer tool, the data exporter should examine this legislation on the basis of the European Essential Guarantees as identified by the EDPB in its Recommendations 02/2020. The Recommendations contain a framework of four guarantees to help the data exporter assess whether the legislation of a third country (including possible public authority surveillance measures) can be regarded as a justifiable interference with the rights to privacy and protection of personal data under the EU Charter of Fundamental Rights.

These four guarantees are as follows:

  1. Processing should be based on clear, precise and accessible rules.
  2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
  3. An independent oversight mechanism should exist.
  4. Effective remedies need to be available to the data subject.

    • If the third country does not have legislation that impinges on the effectiveness of the transfer tool, the data exporter should take into account other objective elements enabling the third country's authorities to require or gain access to the personal data being transferred (such as reported incidents, practice, legal powers and technical, financial and human resources at its disposal).

  • Step 4 – Adopt supplementary measures: If the result of the assessment in Step 3 shows that the legislation of the third country might impinge on the effectiveness of the transfer tool that a data exporter intends to rely upon, the data exporter should take supplementary measures. These can consist of contractual measures for the data importer to comply with, technical measures and organisational measures.

According to the EDPB, contractual and organisational measures alone are not sufficient, as they generally do not overcome access to personal data by public authorities; technical measures are the most important measures for reaching the required standard of protection to render access by third country public authorities to personal data ineffective.

  • Step 5 – Procedural steps if you have identified effective supplementary measures: These procedural steps may differ depending on the Article 46 GDPR transfer tool you are using or envisage using. For example, the data exporter should consult with the competent supervisory authority when it intends to put in place supplementary measures in addition to the SCCs if these supplementary measures directly or indirectly contradict the SCCs.
     
  • Step 6 – Re-evaluate at appropriate intervals: Data exporters should re-evaluate at appropriate intervals whether the level of protection accorded to the data transferred to third countries is still sufficient, and should monitor whether there have been or will be any developments that may affect the level of protection.

These draft recommendations, as summarised in the chart below, may be amended, e.g. on the basis of the public consultation that was conducted up to 21 December 2020.

New standard contractual clauses

One day after the EDPB published its draft recommendations, on 12 November 2020, the European Commission published new draft SCCs.

These SCCs contain various new provisions, such as:

  • clauses to address four types of transfers (between controllers, from controller to processor, from processor to controller and between processors);
  • docking clauses to allow new parties to adhere;
  • a requirement for the data exporter to document the transfer impact assessment;
  • an obligation for the data exporter to consider law and practice in the third country;
  • an obligation for the data importer to notify the data exporter and data subjects when it receives a "binding request" from a public authority to access the data; to assess the legality of the order; to document requests, and to make documents available to the data exporter.

These draft recommendations may be amended, e.g. following the public consultation held prior to 10 December 2020.

Once adopted, there will be a one-year transition period for businesses to move to the new clauses and to conclude new agreements.