On November 11, 2020, the European Data Protection Board (EDPB) published its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” to address the Schrems II judgment, in which the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield and upheld the validity of standard contractual clauses (SCCs). Schrems II requires a controller or processor that exports personal data outside the EU based on SCCs to conduct a case-by-case assessment of the adequacy of data protection in the third country and, where that country falls short, to implement supplementary measures to afford data subjects an essentially equivalent level of data protection as that guaranteed in the EU by the General Data Protection Regulation (GDPR). According to the EDPB, the CJEU’s decision applies to the use of any appropriate safeguard under Article 46 of the GDPR, such as binding corporate rules (BCRs). Where a data exporter cannot ensure essentially equivalent protection, it must suspend or stop the transfer, or not start it in the first place. 

Since the CJEU issued its decision in July 2020, data exporters have been eagerly awaiting clear guidance from EU data protection authorities regarding lawful transfers of personal data to third countries, especially because the CJEU did not explain how to assess a third country’s level of data protection or define what measures would constitute supplementary measures. The EDPB’s latest guidance aims to address the data exporters’ concerns and should provide welcome relief to organizations worldwide that engage in cross border personal data transfers. 

What are the EDPB Recommendations regarding the Schrems II Decision?

The EDPB’s recommendations provide a roadmap the data exporters should follow to ensure that the personal data transfers are lawful and that they satisfy the GDPR’s accountability principle under Article 5(2). Specifically, the EDPB sets forth the steps organizations should take in evaluating their crossborder transfers and the importers’ third countries, describes potential supplementary measures, and offers resources for assessing a third country. Along with this guidance, the EDPB also issued its “Recommendations 02/2020 on the European Essential Guarantees for surveillance measures to help organizations assess the third country’s law regarding public authorities’ access to personal data for surveillance purposes. 

Register for the webinar Schrems II Fallout: Reaction and Analysis of the new EDPB Guidelines 

What are the Roadmap Steps?

Data exporters can leverage the roadmap to understand the circumstances of the cross-border personal data transfers and determine if supplementary measures are necessary to ensure that the transfers are lawful, or if they need to stop or suspend such transfers. The EDPB’s recommended six steps are: 

    1. Know your transfers by mapping your personal data transfers to third countries 
      • Leverage your existing processing activity records required by Article 30, as well as information provided to data subjects as required by Articles 13.1.f and 14.1.f 
      • Consider onward transfers 
      • Also, ensure that you comply with the data minimization principle 
    2. Identify the transfer tools you are relying on to determine whether you are transferring personal data to a third country with an “adequacy decision,” or using an appropriate safeguard (e.g., SCCs or BCRs) under Article 46 or a derogation under Article 49 
    3. Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer by assessing whether the law in the third country undermines the effectiveness of the appropriate safeguard and provides essentially equivalent data protection to the personal data as that guaranteed in the EU by the GDPR and the Charter of Fundamental Rights 
      • Consider all circumstances of the transfer, such as the following: 
        • Purpose of the transfer and processing 
        • Types of entities involved in the transfer and processing 
        • Industry or sector in which the transfer happens 
        • Categories or types of personal data transferred 
        • Format of the transferred personal data 
        • Whether the personal data will be stored in third country or accessed remotely by an entity in the third country 
        • Any onward transfers 
      • Cooperate with the data importer to obtain relevant sources about its country’s legal system and analyze this information. 
        • Relevant information includes decisions by the CJEU and the European Court of Human Rights; European Commission adequacy decisions; intergovernmental organications’ reports; national case-law; and reports by academics and civil society/rights organizations 
      • In assessing the third country’s public authorities’ access to personal data and whether the level of interference with data subjects’ fundamental rights to privacy and data protection is justifiable, take into account the European Essential Guarantees (EEG) in a holistic manner: 
        • Processing should be based on clear, precise and accessible rules 
        • Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated 
        • Independent oversight mechanism 
        • Effective remedies need to be available to the individual 
      • Where the third country does not ensure the EEG, then that country would not provide an essentially equivalent of data protection, so you should not engage in a transfer or suspend current transfers or implement supplementary measures 
    4. Adopt supplementary measures that are necessary to ensure a level of essentially equivalent data protection where the assessment shows that the third country’s legal system would undermine the effectiveness of the appropriate safeguard transfer tool 
      • The EDPB provides a non-exhaustive list of supplementary measures to consider using to remedy the privacy issues identified in the assessment and gives use cases as examples where the measures would likely be effective. The supplementary measures include: 
        • Technical Measures (e.g., pseudonymizing or encrypting data) 
        • Additional Contractual Measures (e.g., requiring technical measures or defining transparency obligations) 
        • Organizational Measures (e.g., internal policies for governance of transfers especially with groups of enterprises, transparency and accountability measures, and adoption of standards and best practices) 
      • Where the supplementary measures would not effectively ensure an essentially equivalent level of data protection, you must not engage in the transfer or suspend any current transfers. If you decided to transfer anyway, then first consult your competent supervisory authority who will make a final decision on the transfer. 
    5. Procedural steps if you have identified effective supplementary measures, steps which may be formally required to implement those measures, including consulting your competent supervisory authority. 
    6. Re-evaluate at appropriate intervals the level of data protection afforded to the transferred personal data and monitor whether any developments have or will impact that protection 
      • You should implement procedures to stop or suspend personal data transfers where the supplementary measure become ineffective or the data importer has violated or is no longer able to comply with the Article 46 appropriate safeguard mechanism commitments 

In following the EDPB’s roadmap, keep in mind the importance of documenting your data mapping, third country assessments, supplementary measures, decisions, and overall evaluation procedures in order to satisfy the GDPR’s accountability principle and provide documentation to your supervisory authority. 

Register for the webinar Schrems II Fallout: Reaction and Analysis of the new EDPB Guidelines 

EDPB’s Recommendations – Next Steps

The EDPB’s recommendations on evaluating the level of adequacy of data protection in third countries and supplementary measures, as well as its recommendations on European Essential Guarantees, offer solid guidance to organizations that transfer personal data outside of the EU. Data exporters are responsible for conducting proper due diligence assessments and making decisions on the adequacy of data protection, as well as implementing supplementary measures where necessary. Note that data importers also play a role in this process by helping data exporters assess the third country’s legal framework, using supplementary measures where appropriate, and complying with their contractual and legal obligations, such as those under Article 28 and the appropriate safeguard mechanism like SCCs. Ultimately, however, data exporters bear responsibility for ensuring that the third countries provide essentially equivalent data protection to the transferred personal data. 

Data exporters now need to operationalize the EDPB’s recommendations by following its roadmap to ensure that their cross-border personal data transfers comply with the GDPR and the CJEU’s Schrems II decision and that their organizations satisfy the accountability principle. They should seek data importers’ assistance where appropriate and document their activities. 

Register for our webinar for more insight on handling personal data transfers postSchrems II, or start operationalizing the Schrems II decision for free with OneTrust’s Schrems II Solution. 

Further Schrems II reading:

Next steps on Schrems II EDPB Recommendations: