On November 10, 2020, the European Data Protection Board (EDPB) adopted the long-awaited “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (the recommendations). The recommendations should assist organizations in dealing with the consequences of the Schrems II judgment of the Court of Justice of the European Union (which invalidated the Privacy Shield and imposed additional requirements on organizations for their transfers of personal data).
There are things we like in the recommendations, and things we do not. Organizations are invited to submit their comments until November 30, 2020. Reach out to us if you would like to have your say in the public consultation process, or if you would like to know more about the assessment tool and methodology we developed to comply with the new data transfer requirements.
The 5 Things We Like:
- The methodology. The proposed roadmap is built around six steps: (1) mapping the data flows; (2) identifying the transfer tools to be relied upon; (3) assessing the effectiveness of your transfer tool; (4) adopting supplementary measures; (5) considering procedural steps; and (6) re-evaluating.
- The details of available (non-exhaustive) supplementary measures (this is rather a first of its kind in EDPB work product). The recommendations list three categories: (1) contractual measures (i.e., legal clauses to be incorporated in data exporter – data importer contracts); (2) technical measures (e.g., state-of-the-art encryption, retention of the keys solely by the data exporter, etc.); and (3) organizational measures (internal policies specifically addressing data transfers, regular publication of transparency reports, etc.).
- It recognizes the role of accountability in dealing with data transfers. There is no room for “passive compliance” anymore, and effective protection of personal data must be ensured under the principle of accountability. This requires data exporters to make efforts to comply with data protection rules and be able to demonstrate it.
- It includes actual contractual language one might use. These clauses are wide ranging; e.g., in relation to: (1) specific information to be provided by the data importer on access to data by public authorities; (2) assurances on the absence of back doors; or (3) use of a warrant canary to inform the data exporter that a request from a public authority to access personal data has been received.
- Last but not least, they confirm the added value of the assessment tool we developed for our clients. After reading the recommendations, we gave our existing assessment tool 8/10 and we are ready to come back with a 10/10 result on Monday!
The 5 Things We Don’t Like:
- Privatization of the assessment of foreign legal frameworks. The data exporter has to assess whether any requirement to disclose personal data to public authorities is “limited to what is necessary and proportionate in a democratic society,” or whether it may impinge on the commitments contained in the transfer tool it is relying on (e.g., Standard Contractual Clauses, or SCCs). The benchmark is the EDPB European Essential Guarantees; it looks like the EDPB is outsourcing a task that should be part of its own duties.
- You can agree with many aspects of the recommendations, but when you look at the use cases you get confused. The use cases set (too) high standards compared with what a reading of the recommendations themselves would suggest.
- It only deals with SCCs; more is to come for other transfer mechanisms. The recommendations recognize that supplementary measures might also be needed when the transfer is based on codes of conduct, Binding Corporate Rules (BCRs), certifications, etc., but there are no guidelines about those. The EDPB promises to come back on BCRs; EDPB, we count on that!
- It seems to disregard subjective elements in the assessment of the effectiveness of the protection. However, the likelihood that personal data will be disclosed to public authorities might play a role in the assessment, particularly if it is based on public reports or statistics. The EDPB seems to contradict itself when it suggests that the data importer could provide information and statistics, based on the importer’s experience or on reports from various sources, about access by public authorities to personal data, to help the data exporter document its assessment.
- It promotes “utopia” (or rather free legal counseling). Whilst we might recognize some value in a duty to assist data subjects in exercising their rights in the third country, suggesting that organizations should cover the cost of exercising these rights seems a bit far-fetched.
- Charles-Albert Helleputte, Partner | chelleputte[at]steptoe.com
- Diletta De Cicco, Associate | ddecicco[at]steptoe.com
Compliments of Steptoe & Johnson LLP – a member of the EACCNY.