On November 10, the European Data Protection Board (EDPB), the European Union’s top data privacy regulator, issued long-awaited guidance setting out a framework for navigating transfers of data out of the European Economic Area (EEA) in light of this July’s landmark ruling from the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v. Facebook Ireland and Maximilian Schrems (otherwise known as Schrems II). The EDPB also issued a document describing the “essential guarantees” that must be respected in order to ensure that interference with data subjects’ privacy and data protection rights through surveillance of transferred data does not “go beyond what is necessary and proportionate in a democratic society.” These two documents outline the risk assessment that companies must make on a case-by-case basis (as required by Schrems II) in order to allow transfers of data out of the EEA, while the first also discusses examples of the supplementary measures that companies can employ, together with standard contractual clauses, binding corporate rules or other legal transfer tools recognized by the EU General Data Protection Regulation (GDPR), to ensure that European data subjects receive an essentially equivalent level of privacy and data protection when their data is transferred out of the EEA.
The Schrems II ruling invalidated the U.S. – EU Privacy Shield framework for data transfers to the U.S. and also clouded the widespread use of standard contractual clauses (SCCs) annexed to contracts as a legal data transfer tool, since the SCCs do not bind intelligence and law enforcement authorities in the recipient country. Surveillance by U.S. intelligence agencies of incoming electronic communications and data held by Facebook, as authorized by Section 702 of the FISA Act and various executive orders, was at the heart of the Schrems II court’s determination that Privacy Shield did not provide appropriate safeguards for European individuals. The court held that companies transferring data out of the EEA must perform an assessment in the case of each transfer as to whether the state of legislation and actions of public intelligence and law enforcement authorities in the recipient country create a need for supplementary measures in addition to the SCCs to ensure that European individuals receive privacy and data protections essentially equivalent to those in the EU (or, indeed, whether such protection is even possible; if not, a data exporter must end or suspend the transfers). Moreover, since mere access to data from outside the EEA is considered a transfer under the GDPR (even if the data is actually stored in the EEA), the Schrems II ruling and the EDPB guidance documents impact any company that is servicing European customers from the U.S. or has back-office operations in the U.S.
The guidance entitled Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data provides a concrete and detailed compliance framework for applying Schrems II. Among other things, it analyzes various technical, organizational and contractual measures that can be overlaid upon the SCCs, binding corporate rules and each other to (potentially) establish the level of protection for data recipients required by the GDPR. However, the guidance is clear that the bar is high, and companies must rigorously develop and document each stage of their analysis.
The guidance first sets out a six-step process for determining whether a particular data transfer is permissible:
– Know and map your data transfers.
– Verify the legal transfer tool your transfer relies on. (In the absence of a determination that the recipient country has adequate protections, this tool may be SCCs or binding corporate rules, or, for occasional and non-repetitive transfers, a “derogation” from the normal requirements, such as the explicit consent of the data subject or the transfer being necessary to perform a contract.)
– Assess if there is anything in the law or practice of the recipient country that may impinge on the effectiveness of the transfer tools you are relying on. (The EDPB essential guarantees guidance provides further guidelines for this assessment for countries like the U.S. where surveillance activities may exceed what the EU considers to be necessary and proportionate in a democratic society.)
– Identify and adopt supplementary measures that are necessary to bring the level of data protection in the recipient country up to the requirement of essential equivalence with the EU.
– Take any formal procedural steps required by the adoption of these supplementary measures.
– Re-evaluate at appropriate intervals the level of protection in the recipient country and monitor if there have been or will be any developments that may affect it.
With respect to the third step, the EDPB requires an actual assessment that takes into account legislation (if available) and other objective factors; contrary to practices that developed in the immediate aftermath of the Schrems II ruling, this assessment should not be based on “subjective” factors, such as the likelihood of governmental authorities accessing transferred data in a manner inconsistent with EU standards. As for the fourth step, Annex 2 of the guidance goes on to discuss and evaluate specific examples of supplementary measures, broken down into technical measures, additional contractual measures, and organizational measures. It is clear from this discussion that the adoption of appropriate supplementary measures is not a simple “check the box” exercise, which is how many companies treated the SCCs prior to Schrems II. Furthermore, the EDPB warns that, where supplementary measures are required, contractual and organizational measures alone will probably not be sufficient to establish the appropriate level of data protection in the recipient country, since these measures do not bind governmental actors.
The leading technical supplementary measure discussed in the guidance is encryption, but use of this measure must apply to both the transmission of EU data into the recipient country as well as its storage there. The EDPB states that encryption will be an effective supplementary measure if the personal data is processed using strong encryption before transmission, the encryption algorithm and “its parameterization (i.e., key length, operating mode, if applicable)” are state-of-the-art and robust against the likely cryptanalysis capabilities of government authorities, the strength of the encryption takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved, the encryption algorithm is flawlessly implemented by properly maintained software, the encryption keys are reliably managed, and the keys are retained solely in the EEA or in another country which has received an adequacy decision. Pseudonymization (the processing of personal data in a manner so that it cannot be attributed to an individual data subject, or used to single out a data subject, without the use of additional information) can also be an effective supplementary measure if the additional information is retained solely in the EEA or in another country with an adequacy decision, there are suitable safeguards against re-identification, and the data controller has established by a “thorough analysis” that the governmental authorities in the recipient country cannot attribute the pseudonymized data to an identified or identifiable natural person by cross-referencing it with other information they may possess. Other potentially permissible technical measures include split or multi-party processing.
Examples of contractual measures examined by the EDPB include:
– providing for specific technical measures to be implemented as a precondition for a data transfer
– transparency obligations requiring the data importer to use best efforts to provide information about governmental access to the relevant data in the recipient country
– enhanced audit rights for the data exporter
– a “warrant canary” obligation for the data importer to regularly publish a cryptographically signed message informing the data exporter that (as of the time of each message) the data importer has received no order to disclose EU personal data
– an obligation for the data importer to challenge orders to disclose personal data where legal grounds to do so exist
– increased assistance to EU data subjects in exercising their rights
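One way the warrant canary obligation above can be implemented, as an added example that is not from the EDPB guidance or from any particular company’s contract: the data importer signs a dated statement with an Ed25519 key, and the data exporter verifies both the signature and that the statement is recent, because a missing or stale canary (not a changed one) is the signal that an order may have arrived. The agreed wording, the seven-day publication interval and the key handling are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
	"time"
)

// Canary is one published statement together with its detached signature.
type Canary struct {
	Statement string
	Signature []byte
}

// Assumed agreed wording: the exporter rejects any statement that deviates from it.
const prefix = "As of "
const suffix = " the data importer has received no order to disclose EU personal data."

// IssueCanary is run by the data importer at each agreed publication date.
func IssueCanary(priv ed25519.PrivateKey, issuedAt time.Time) Canary {
	stmt := prefix + issuedAt.UTC().Format(time.RFC3339) + suffix
	return Canary{Statement: stmt, Signature: ed25519.Sign(priv, []byte(stmt))}
}

// VerifyCanary is run by the data exporter against the importer's known public key.
// A canary only reassures if the signature verifies AND the statement is recent.
func VerifyCanary(pub ed25519.PublicKey, c Canary, now time.Time, maxAge time.Duration) error {
	if !ed25519.Verify(pub, []byte(c.Statement), c.Signature) {
		return fmt.Errorf("signature does not verify against the importer's key")
	}
	if !strings.HasPrefix(c.Statement, prefix) || !strings.HasSuffix(c.Statement, suffix) {
		return fmt.Errorf("statement does not carry the agreed wording")
	}
	ts := strings.TrimSuffix(strings.TrimPrefix(c.Statement, prefix), suffix)
	issued, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		return fmt.Errorf("unparseable timestamp in statement: %w", err)
	}
	if now.Sub(issued) > maxAge {
		return fmt.Errorf("canary is stale: issued %s, older than %s", issued.Format(time.RFC3339), maxAge)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed keypair for the demo
	c := IssueCanary(priv, time.Now())
	fmt.Println("fresh:", VerifyCanary(pub, c, time.Now(), 7*24*time.Hour))
	fmt.Println("stale:", VerifyCanary(pub, c, time.Now().Add(30*24*time.Hour), 7*24*time.Hour))
}
```

In practice the exporter would pin the importer's public key out of band and alert when no fresh canary appears by the agreed deadline, not only when one fails verification.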
Organizational measures include enhanced internal policies allocating specific responsibilities for data transfers, documenting for the data exporter or publishing information about requests for data access by governmental authorities, and employee training. However, as mentioned earlier, while companies should consider adopting contractual and/or organizational supplementary measures to bolster their overall compliance position and reduce the risk of an action by a European data subject or data protection authority, they are likely insufficient by themselves to validate the use of the SCCs as a tool to transfer EU personal data to the U.S. The requirement to perform rigorous assessments of the consistency of data transfers with EU protections on a case-by-case basis and to document the results of these assessments and the adoption of supplementary measures in conjunction with the surviving legal transfer tools will create significant operational and compliance costs and hurdles for companies in the absence of an established framework to replace Privacy Shield. Indeed, full compliance may be impossible or infeasible, leading many companies to reduce their overall level of risk by adopting partial measures or else storing their EU personal data in the EEA and limiting the ability to transmit or export it elsewhere (although even this is a partial measure because mere access from the U.S. is a data transfer). However, the incoming Biden administration has signaled that regularizing cross-border data flows will be a high priority in 2021. Between a joint U.S.-EU initiative to work out a successor to the defunct Privacy Shield and the prospect of comprehensive federal privacy legislation that could allay European concerns about the state of data protection in the U.S., there is some cause for optimism that the Gordian knot created by Schrems II will be resolved in the next year or two.
In the meantime, however, companies should study the EDPB guidance documents, verify what data transfer tools they are currently relying upon, and create and document their compliance plans accordingly.