European Data Protection Board: Updated recommendations on international data transfers

Following the ruling of the Court of Justice of the European Union (CJEU) in the Schrems II case on 16 July 2020, the European Data Protection Board (EDPB) released detailed Recommendations on measures that supplement transfer tools for international data transfers for public consultation on 11 November 2020 (as we reported).

On 18 June 2021, the EDPB then adopted the expected final version of the Recommendations on supplementary measures.

In its Recommendations, the EDPB continues to describe the main steps data exporters should take in the context of their data protection accountability:

1. Analyse data transfers to third countries (know your transfers)
2. Verify the transfer tool your transfer relies upon
3. Assess the effectiveness of the appropriate safeguards of the transfer tools
4. Identify and adopt adequate supplementary measures where appropriate
5. Implement supplementary measures
6. Re-evaluate at appropriate intervals

Compared to the previous version, the extensively revised final version contains a number of important changes to be taken into account when assessing international data transfers in future, in particular regarding the following issues:

• The derogations in Article 49 (including recourse to consent by the data subjects) are not intended to become “the rule” in practice, but need to be restricted to specific (processing) situations. Although the exceptional nature of Article 49 of the GDPR is clearly emphasised once again, in our view the new wording provides at least some indication that the EDPB is now adopting a broader interpretation of Article 49 GDPR compared to the consultation version. In the consultation version, recourse to Article 49 had been limited (generally more narrowly) to “occasional and non-repeat transfers” (paragraph 25 of the Recommendations).
  
  
• The final version of the Recommendations places a greater focus on the practice of the authorities in the third country concerned (see paragraph 43). In the absence of any relevant legislation in the third country, the administrative practice in question is the sole basis for the assessment under data protection law (see paragraph 43.2). On the other hand, if there are appropriate legal provisions governing access by public authorities, the practice of the authorities concerned must be taken into account as an additional factor in the assessment and may have both negative and positive effects on the admissibility of a transfer:
  
  
  • Public authorities’ practice has a negative impact where the law of the third country formally complies with European standards, but the competent authorities do not in fact follow these legal standards in their practice and thus there is a risk that the guarantees provided for in the GDPR transfer tools will be compromised.
    
    
  • On the other hand, the authorities’ practice has a positive effect if there may be “problematic legislation” in the third country on paper (i.e. legislation in the third country could undermine the effectiveness of the transfer tools provided for in the GDPR), but based on the practice of the authorities there is actually no risk of undermining the safeguards provided for in the transfer instruments (e.g. standard data protection clauses) for the transfer to be assessed.
    
    
• Overall, the EDPB thus follows a type of risk-based approach, with a special focus on practice. A risk-based approach was also proposed in comments on the EDPB Recommendations during the consultation process. According to the EDPB, even a transfer to a third country with “problematic legislation” may be permissible without any additional measures if, after careful and documented assessment, the controller considers that the “problematic” legislation of the third country in question is interpreted or applied in practice in such a way that it does not apply to the data importer or to the data transferred in a specific case (paragraph 43.3).
  
  In addition to the legal framework of the third country applicable to the transfer, the basis for the assessment should be “relevant, objective, reliable, verifiable and publicly available” information, which may expressly include information from the data importer and the practical experience of the data importer (paragraph 44 onwards). However, caution is advisable where, under the law of the third country, access to data could take place even without the intervention of the data importer.

• If, as a result of the assessment described above, it is concluded that in practice there is not a sufficient level of protection for the transfer in question, additional measures would be necessary. The focus here remains on technical measures, in particular encryption in such a way that the data importer does not have access to the data in question.

Any transfer of personal data to “unsafe” third countries therefore still requires a detailed, documented and thorough (legal) analysis of the situation of the third country concerned, specifically taking into account the objectively understandable practice of the third country concerned.

In the press release on its Recommendations, the EDPB reiterates that the impact of Schrems II must not be underestimated and that international data flows are already subject to the supervisory authorities’ scrutiny. Nevertheless, the changes made to the Recommendations described above are at least a ray of hope for the use of US cloud services compared to the previous version (paragraph 49).

We therefore still recommend that the data transfers in the company be thoroughly assessed and that, in light of the final version of the Recommendations, particular attention should be paid to documenting the assessment.

Further links:

• European Court of Justice — Schrems II ruling
• New standard data protection clauses for international data transfer