At long last, the European Data Protection Board (“EDPB”) has released two recommendations on international data transfer mechanisms in the wake of the CJEU Schrems II judgement in July 2020. The CJEU judgement requires controllers to assess, on a case-by-case basis, the effectiveness of international transfer mechanisms, such as Standard Contractual Clauses (SCCs), and to implement “supplementary measures” as necessary to ensure that the transfer mechanism works effectively and provides a level of protection essentially equivalent to that guaranteed by the GDPR. Since the CJEU decision, data controllers have waited with bated breath for formal guidance on how to approach Schrems II compliance and on what the concept of “supplementary measures” might actually mean in practice.
The first of the two EDPB recommendations is its recommendations on supplementary measures (or, to give it its full title, “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”). This is the more useful of the two recommendations, as it sets out a six-step roadmap for data controllers to follow to achieve Schrems II compliance:
1. Know your transfers
2. Identify the transfer mechanisms
3. Assess their effectiveness
4. Apply the supplementary measures
5. Check for formalities
6. Review periodically.
It also sets out much-welcomed concrete examples of the technical, contractual and organisational “supplementary measures” that controllers (and indeed processors) can take.
The second piece of EDPB guidance is its recommendations on essential guarantees (“Recommendations 02/2020 on the European Essential Guarantees for surveillance measures”). This explicitly sets out four European “essential guarantees” against which the surveillance laws of the country receiving the data are to be assessed, in order to determine whether there is anything in the law or practice of that country which might impinge on the effectiveness of the transfer mechanism (e.g. the SCCs). These “essential guarantee” benchmarks form the bedrock of step three of the EDPB’s six-step roadmap, and they are as follows:
Guarantee A: the processing is based on clear, precise and accessible rules.
Guarantee B: the processing is necessary and proportionate to the legitimate objectives being pursued.
Guarantee C: there is an independent oversight mechanism.
Guarantee D: effective remedies are available to the affected data subjects.
The guarantees set out in the EDPB’s recommendation are to form the foundation of any Transfer Risk Assessment that a controller (or processor) undertakes – in other words, how do the laws of the recipient country stack up against these four guarantees?
These two EDPB recommendations both roughly align with our FAQ comment and our note on practical steps for data controllers published in July and August. If your organisation has been undertaking a Schrems II remediation programme in line with our guidance, the good news is that only minor changes are likely to be required to bring it into line with the EDPB’s most recent recommendations (leaving aside the daunting task of actually assessing each data recipient on a case-by-case basis under step three of the roadmap).
We’ll be providing a more detailed analysis next week along with an analysis of the revised SCCs issued by the European Commission yesterday. There will also be an opportunity to discuss all of these developments with our data team at our next In-house Data Club on 2 December 2020 (invite to follow shortly).