The Schrems II judgment[1] of the Court of Justice of the European Union (ECJ) shook the privacy world to its foundations. After all, on 16 July 2020 the Privacy Shield[2] was declared invalid. In addition, the rules for transfers of personal data on the basis of model contracts and binding corporate rules were tightened by the Court. Days after the ruling, the European Data Protection Board (EDPB) published a document containing frequently asked questions[3] and a notice[4]. Apart from a few messages from national regulators, this was for a while the only (and not very practical) guidance available following the ruling. That is, until now. On 11 November 2020, the EDPB published (in draft) its long-awaited recommendations concerning the transfer of personal data following Schrems II. On 12 November 2020, the European Commission (EC) also published new model contractual clauses (also in draft). In this contribution we briefly discuss the published documents.
The EDPB has published two sets of recommendations in an attempt to provide more clarity and guidance on the use of mechanisms for the transfer of personal data to third countries.
- The first set of recommendations concerns the assessment to be made by the data exporter and possible additional measures.[5]
- The second set of recommendations concerns the level of interference by governments in third countries.[6]
The first set of recommendations is currently open for consultation. This means that parties can have their say on the document until 30 November 2020. Only after this consultation process will the final version be published. Although the recommendations are in that sense still in draft form, they do provide useful insight into the measures that parties can take to continue to legally transfer personal data to recipients outside of the European Economic Area (EEA). The second set of recommendations is in final form.
Set 1: Recommendations on the intended transfer and additional measures
The first set of recommendations is meant to help data exporters with the complex task of assessing the level of data protection in third countries and, where necessary, taking additional measures. The recommendations describe the steps to be followed, the sources of information to be used, and some concrete examples of additional measures that can be taken. The recommendations are broken down into the following six steps:
Step 1 - mapping of data transfers
As a first step, the EDPB advises mapping out all transfers of personal data, for example on the basis of the register of processing activities[7] or the privacy statements[8]. The EDPB points out that onward transfers to (or from) third countries should also be considered. The EDPB also points out that remote access from a third country and/or storage in a cloud (with servers outside the EEA) are also considered transfers.[9] In line with the data minimisation principle, the EDPB indicates that it is necessary to consider whether the identified transfers are adequate, relevant and limited to what is necessary for the purposes for which the personal data are transferred.
Step 2 - assessing the suitability of the transfer mechanism used
Subsequently, the data exporter must investigate whether there is an adequacy decision in place, on the basis of which the transfer is lawful (for example, if the transfer takes place to one of the countries on the so-called 'white list'). If this is the case, no further steps need to be taken. However, it must be constantly monitored whether the adequacy decision is revoked or declared invalid.
If the country in question is not on the white list, the data exporter should opt for a different mechanism for the transfer of personal data, such as model contracts, binding corporate rules, a code of conduct or certifications.[10] Only in exceptional cases can the possibilities of Article 49 GDPR be invoked (and only in the case of occasional transfers).
Step 3 - assessment of third country legislation
Where the transfer of personal data takes place on the basis of a mechanism other than an adequacy decision, the data exporter should investigate whether there is any law or regulation in the third country that affects the level of data protection required under the GDPR. The EDPB attaches great importance to (possible) access by government authorities to the transferred data. For the assessment criteria, reference is made to the EDPB's other set of recommendations[11] (discussed below). In Annex 3 the EDPB also describes information that, in addition to the information provided by the data recipient, can be used to make this assessment. The EDPB further emphasises that the assessment depends on (among other things) the parties involved in the transfer, the purposes of the transfer, the sector in which the transfer takes place, the categories of personal data and the existence of possibilities for onward transfers. Finally, the EDPB emphasises that this assessment must be carried out with due care and must be thoroughly documented.
Step 4 - additional protective measures
If step 3 shows that the legislation of the third country affects the effectiveness of the chosen transfer mechanism, a fourth step is required. This fourth step consists of identifying and adopting the additional measures necessary to provide a level of protection of personal data equivalent to that under the GDPR. Annex 2 of the recommendations contains a list of concrete examples of additional measures, such as the use of encryption and/or pseudonymisation. The EDPB distinguishes between contractual, technical and organisational measures, which can be combined where necessary. According to the EDPB, in order to assess which measures are effective, the format in which the personal data are sent, the nature of the personal data, the duration and complexity of the transfer and the parties involved in the transfer must be taken into account (among other things). This step must also be thoroughly documented.
Step 5 - procedural steps
The fifth step is to take any formal steps necessary to be able to use the chosen transfer mechanism. These are the formal procedural steps of Article 46 GDPR, such as obtaining prior approval from the supervisory authority.
Step 6 - evaluation and reassessment
After completing the first five steps, the transfer of personal data may take place. The sixth step consists of reassessing the level of protection of the personal data transferred. It is necessary to check whether any developments have occurred (or are expected to occur) that may influence the analysis made earlier. This should be done on a continuous basis.
Set 2: Recommendations for assessing the level of government interference in third countries
This second set of EDPB recommendations was initially published in response to the Schrems I case.[12] The current update was made in response to Schrems II. The purpose of this second set of recommendations is to provide guidance on whether or not surveillance measures allowing access to personal data by public authorities in a third country can be considered justified interference in the light of the Charter of Fundamental Rights of the European Union (the Charter).[13]
On the basis of an analysis of current case law, the EDPB is of the opinion that such interference can only be justified on the basis of the following four 'European Essential Guarantees'.
Guarantee A - clear, precise and accessible rules
Government intervention in citizens' freedoms must have a legal basis in the law of the third country. This legal basis must contain clear and precise rules on the scope of application and must include minimum guarantees.
Guarantee B - necessity and proportionality of the objectives
In accordance with the Charter, any restriction on the exercise of the rights and freedoms recognised by the Charter must respect the essence of those rights and freedoms.[14] In addition, subject to the principle of proportionality, these rights and freedoms may be limited only if the limitations are necessary and genuinely meet objectives of general interest recognised by the EU or the need to protect the rights and freedoms of others.[15]
Guarantee C - independent oversight mechanism
Any interference with the right to privacy and data protection must be subject to an effective, independent and impartial system of supervision to be established by a judge or by another independent body (e.g. an administrative authority or a parliamentary body).
Guarantee D - effective remedies available to the individual
The last European Essential Guarantee relates to the data subject's rights of redress. The data subject must have an effective means of redress to enforce his or her rights if he or she is of the opinion that they are not being, or have not been, respected. For example, if the law does not provide a person with legal remedies to gain access to his or her personal data, there is no effective judicial protection.[16]
New version of the EC Model Contracts
In addition to the two sets of EDPB recommendations, on 12 November 2020 the EC published a draft implementing decision on model contractual clauses, together with a draft of the new model contractual clauses.[17] These documents are also currently open for consultation.
The new Model Contracts distinguish four situations. A separate Model Contract has been drawn up for each situation:
- transfers from controller to controller;
- transfers from controller to processor;
- transfers from processor to processor; and
- transfers from processor to controller.
In practice, the last two Model Contracts in particular are a welcome addition. Indeed, the current versions of the Model Contracts cannot be used directly by processors wishing to transfer personal data to third countries (unless, for example, they have a power of attorney from the data controller).
The other two Model Contracts (for use by data controllers) have been adapted in a number of important respects, partly as a result of Schrems II:
- a contractual obligation has been added for the parties to carry out and document the assessment (described by the Court in Schrems II) of the legislation of the third country. The parties must then determine whether the Model Contract can indeed guarantee an equivalent level of protection;[18]
- a reference has been added to the steps to be taken if the Model Contracts do not provide an equivalent level of protection in the light of the legislation of the third country;[19] and
- additional transparency obligations apply to the data importer in the case of government access requests, including an obligation to inform the data exporter of such requests or, where local law prohibits this, to make every effort to obtain an exemption from that prohibition.[20]
Given the timing of the publication of the Model Contracts, it is impossible to read the draft Model Contracts without thinking of the step-by-step plan of the EDPB recommendations described above. There seems to be some disagreement about the approach. It is true that both the EC and the EDPB include a list of factors that data importers should take into account in order to determine whether local legislation allows them to comply with their obligations under the Model Contracts. These lists are, however, not the same. The EC seems to allow data importers to assess the likelihood of the government gaining access to the transferred data by evaluating relevant practical experience, i.e. whether or not the data importer has previously received a request for disclosure from government authorities for the type of data transferred.[21] The EDPB, on the other hand, has warned data importers against subjective considerations, including the likelihood of government authorities accessing the data in a manner inconsistent with EU standards.[22] Both documents nevertheless note that the review must include all laws that are "applicable" to the data importer.[23]
The new model contracts are open for consultation until 10 December 2020. A decision concerning the final model contracts is expected to be made in early 2021.
After the ruling in the Schrems II case, the Court left the privacy world disillusioned. Clear and practical guidelines on the (continuation of) international transfers of personal data were lacking. This changed with the publication of the new (draft) recommendations of the EDPB. By following six practical steps, transfers of personal data can be brought back in line with the GDPR. Moreover, the recommendations are accompanied by a list of concrete 'additional measures' that parties can take, in addition to the use of (for example) model contracts. Parties can also take into account the 'European Essential Guarantees' discussed by the EDPB when analysing the level of protection in the third country. Finally, the EC has not been idle either and has published a new set of (draft) model contracts for consultation. For now, it remains to be seen when the final versions of the documents will be made available and whether their content will essentially be in line with the current drafts. We will keep a close eye on this and will, as usual, keep you posted!
1. Court of Justice of the European Union, 16 July 2020, ECLI:EU:C:2020:559 (Schrems II).
7. Article 30 GDPR.
8. Articles 14 and 15 GDPR.
9. See question 11 of the EDPB's frequently asked questions.
10. Article 46 GDPR.
12. Court of Justice of the European Union, 6 October 2015, ECLI:EU:C:2015:650 (Schrems I).
13. In particular, reference is made to Articles 7 and 8 of the Charter.
14. Article 52(1), first sentence, of the Charter.
15. Article 52(1), second sentence, of the Charter.
16. See e.g. paragraph 95 of Schrems I.
18. Clause 2 of the proposed Model Contracts.
19. Clause 2(f) of the proposed Model Contracts.
20. Clause 2(f) of the proposed Model Contracts.
21. Clause 2(b) of the proposed Model Contracts.
22. Paragraph 42 of the EDPB recommendations.
23. Clause 2(a) of the proposed Model Contracts and paragraph 28 et seq. of the EDPB recommendations.