The EDPB Recommendations: International Data Transfer after Schrems II

In the aftermath of the Court of Justice of the European Union decision in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18; respectively, the “Court” and “Schrems II”)[1], last November 10^th, 2020, the European Data Protection Board (the “EDPB”) has published Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Recommendations 01”)[2] and Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (“Recommendations 02”)[3], to assist European data exporters to comply with their obligations to lawfully transfer personal data outside the EEA.

Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data  - Adopted on 10 November 2020 

Recommendations 02/2020 on the European Essential Guarantees for surveillance measures - Adopted on 10 November 2020 

It is well-known that, as a consequence of Schrems II, data exporters wishing to transfer personal data outside the EEA relying on an Article 46 GDPR transfer tool[4], are preliminarily required to:

-         carry out a case-by-case assessment of the legal system of the recipient country to verify whether it “ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses”[5];

-         in case of a negative assessment, adopt “additional safeguards to those offered by those clauses”[6], which are able to satisfy the EU level of protection[7].

Acknowledging the concerns experienced by data exporters in the absence of any official guidelines, the EDPB has recently addressed these obligations offering:

-       guidance as to how data exporters should conduct the assessment of a third country legal system to test its adequacy under the European Union standards (Recommendations 02); and

-       a methodology “for the exporters to determine whether and which additional measures would need to be put in place for their transfer”[8] (Recommendations 01).

In particular, Recommendations 01 define the following six step roadmap that data exporters shall follow to verify whether and which additional safeguards shall be adopted:

Step 1.       Record and map all data transfers;

Step 2.       Identify the legal mechanism on which the transfer is based;

Step 3.       Assess whether the Article 46 GDPR transfer tool relied on by the data exporter is effective in practice. This step, and in particular the analysis of the third country legal system it entails, are further detailed in Recommendations 02;

Step 4.       Adopt supplementary measures any time the adequacy test from previous Step 3 fails. In this respect, Annex II of Recommendations 01 also provides a non-exhaustive list of possible supplementary measures, which may be contractual, organizational, or technical, though the EDPB attributes an absolute preference to the last category;

Step 5.       Follow the necessary procedural steps to implement the identified supplementary measures; and

Step 6.       Constantly monitor the effectiveness of the additional safeguards over time.

Furthermore, Recommendations 02 clarify data exporters’ obligation to verify whether surveillance measures allowing access to personal data by public authorities in a third country can be regarded as a justifiable interference[9]. Moving from the protection of the right to privacy and personal data enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, the EDPB analyzes the jurisprudence of the Court and of the European Court of Human Rights to identify the following main European Essential Guarantees (“EEG”):

1. Processing should be based on clear, precise and accessible rules;
2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
3. An independent oversight mechanism should exist;
4. Effective remedies need to be available to the individual.

Consequently, in their assessments, data exporters shall verify whether the third country legal system satisfies the EEG. The analysis may lead to only two conclusions:

-         the third country legislation satisfies the EEG, and the data transfer may start / continue with no additional obligation;

-         the third country legislation does not ensure the EEG and does not offer a level of protection essentially equivalent to that guaranteed within the EU. Therefore, as detailed in Recommendations 01, data exporters shall either consider the implementation of additional safeguards or not to start / end the extra-EEA transfer of personal data.