This blog post (updated on June 23, 2021) updates our post of November 12, 2020 on the EDPB’s draft Guidance.
Many organizations around the world – and particularly companies in the United States – are directly affected by the EU Court of Justice’s July 2020 Schrems II decision casting doubt on the lawfulness of transferring personal data from the EU to countries where national security laws might permit authorities to gain access to the personal data. (The Schrems II decision is discussed below; click here for a longer discussion of the case.) The European Data Protection Board (EDPB) has just published the final form of its guidance as to what it expects organizations to do to assess risks and bolster protections for transfers of personal data. The new guidance imposes a very high burden on transferors and recipients of EU personal data. Although the guidance nominally is addressed to transferors (or “data exporters”), the reality is that most European companies will lean heavily on their US data importers to perform the required transfer risk assessment.
As expected, the EDPB has clarified that its guidance applies to all personal data transfers under Article 46, which includes binding corporate rules (issued under Article 47) as well as the Standard Contractual Clauses (SCCs), the various yet-to-be-implemented codes of conduct and certifications envisioned by the GDPR, and “ad hoc” clauses approved by individual data protection authorities. Somewhat oddly, the guidance suggests that transfers done under the Art. 49 derogations do not require a Schrems II analysis. However, other guidance from the EDPB on the Art. 49 derogations renders them largely useless for anything other than very occasional transfers that fit specific criteria.
Schrems II and the EDPB’s guidance apply to virtually all ex-EU personal data transfers other than to the handful of countries that have an “adequacy decision” from the European Commission. While this article focuses primarily on transfers to the US, the principles apply more generally. US data importers should note that if they plan to make an onward transfer to another non-EEA country, for example, to a non-EEA cloud server or service provider outside the US, the same analysis will need to be done with respect to the national security laws and practices of the destination country.
What is the problem we need to solve?
The main thrust of the Schrems II case was to question whether the US national intelligence agencies’ ability to require certain US entities to turn over personal data of people who are in Europe fatally undercuts the EU-approved data transfer mechanisms as a means of ensuring that European personal data is adequately protected when it is transferred to the US. The Court stopped short of an outright prohibition on all personal data transfers to the US, but nonetheless held that US national security powers and programs conflict with the fundamental rights of people in the EU (in part due to overly broad data collection) and do not provide adequate remedies for EU persons who suspect their fundamental rights have been violated. The Court suggested that unspecified additional protections might make such transfers acceptable. The EDPB’s guidance provides a step-by-step framework for assessing the privacy risks of data transfers and describes additional protections that may be acceptable to EU regulators.
What is the end goal?
The objective of the assessment framework and additional protections proposed by the EDPB is to satisfy four “European Essential Guarantees” – principles that must be satisfied when personal data is processed in a way (such as for national security purposes) that conflicts with privacy rights:
- Processing should be based on clear, precise and accessible rules
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
- An independent oversight mechanism should exist
- Effective remedies need to be available to the individual
The Schrems II decision effectively held that US national security laws fail to satisfy the European Essential Guarantees. That means that US organizations need to assess very carefully whether US national security laws apply to their transfers, and if the answer is ‘yes,’ adopt additional measures to make sure that the personal data they receive nonetheless will be treated in a way that is acceptable under European data protection standards.
How does the EDPB suggest organizations tackle a Schrems II analysis?
The EDPB guidance provides a list of steps organizations should take to assess whether proposed data transfers meet the European Essential Guarantees outlined above:
- Know your transfers. This is a fundamental GDPR requirement in any event. Organizations should know what personal data they are transferring and be able to show that the transfers meet all requirements of the GDPR, including data minimization.
- Identify your data transfer mechanism. Organizations must be able to identify which of the GDPR’s data transfer mechanisms is in use. Typically, this will be a Commission adequacy decision, the SCCs, or BCRs (binding corporate rules).Transfers done on the basis of an adequacy decision are presumed to provide adequate safeguards and do not require further analysis.
- Assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer mechanism, in the context of the specific transfer. This may be the heaviest lift for organizations. The EDPB advises that the “assessment should be focused first and foremost on third country legislation that is relevant to your transfer and the Article 46 GDPR transfer tool you are relying on.” In other words, how does the legislation, applied to your specific transfer, fare when assessed against the European Essential Guarantees? This will be the primary route of analysis for US organizations, since its national surveillance activities are governed by published legislation, including publicly available ancillary regulations and guidelines. Many US organizations will find that they are not directly subject to the FISA Section 702 administrative subpoenas (commonly referred to as “national security letters”) discussed extensively in Schrems II, but that their cloud service providers, e-mail hosts and potentially other service providers are. US organizations need to assess any resulting privacy risks throughout their data custody chain.
The EDPB goes on to acknowledge that some countries conduct surveillance activities without a legal framework or with limited transparency, and recommends some steps to take. US organizations are relatively fortunate in that they can easily access the US national security legislation that governs US surveillance programs, along with a substantial amount of publicly available information describing these programs and the internal controls designed to prevent their abuse. In many cases, US organizations will be able to demonstrate that the relevant US laws and programs do not permit access to their particular data transfers, and thus the data is not at risk. However, US organizations will also be interested in the new parts of the EDPB’s guidance concerning when and how practical experience with national security data access requests can be taken into account in cases when the application of the laws to a particular transfer is unclear.
Part of the analysis in Step 3 requires the exporter to consider the risk of access during transit from the exporter to the importer’s country. The architecture of contemporary telecommunications networks means that data may traverse multiple countries and may be transmitted via satellite or undersea cables. Although the EDPB frames the risk to data in transit in terms of the national security laws of the importer’s country, the actual risk of surreptitious access to data in transit via the Internet, including via underwater communications cables and satellite transmissions, is, of course, not limited to any one country or even to state actors. Nor is the risk one that suddenly arises when data leaves the outer boundaries of the EEA – hacking of communications networks can just as easily take place in the EEA as outside of it. Data exporters and importers will need to produce a thoughtful response to the EDPB’s guidance, taking into account any risks under US laws (relating to US surveillance activities outside of US territory), but presumably also discussing general hacking risks. The EDPB’s broad comments on risks to data in transit arguably put European data exporters on the hook for analyzing the national security laws and practices of every country in the world that has the technical capacity to conduct electronic surveillance outside of its borders.
- Identify and adopt supplementary measures as necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. The next section of this article discusses these measures.
- Take any formal procedural steps required by your data transfer mechanism to adopt your supplementary measures. For example, the new Standard Contractual Clauses require a written transfer risk assessment and documentation of any supplementary measures that are adopted.
- Periodically re-evaluate and monitor the adequacy of your supplementary measures. This follows from the accountability principles of the GDPR.
Recommendations for Additional Protections
The EDPB’s key recommendations for additional technical protections in the final guidance are substantially the same as in its draft guidance. These measures include:
- Robust encryption. However, encryption will only count as an additional protection if there is no legal obligation to provide the encryption key to a government authority. (This is a hot topic in many countries, not just the US.) Even though it is not a silver bullet, the EDPB guidelines, taken as a whole, are likely to make encryption a virtually mandatory standard tool for safeguarding EU personal data.
- Pseudonymization prior to transfer. Pseudonymization has the benefit of allowing multiple records to be associated with one individual, but without identifying the individual as such. It may be useful in certain cases – and worthless in others where it’s necessary to know who the person is in order to make proper use of the information. Furthermore, organizations need to consider carefully the risk that a specific person could be identified by looking at his or her pseudonymised data or combining it with other data that is available to the entity that is attempting to identify the person.
The EDPB’s final key recommendations for additional procedural or contractual protections are also largely the same as in the draft guidance, and include:
- Due diligence and transparency commitments. The data importer would commit to doing a deep dive on its national surveillance laws and their potential impacts on the data transfer. The data importer would also commit to providing as much notice as legally permitted concerning any request from, or disclosures to, government authorities. Finally, the data importer would state the restrictions it may be under in making such disclosures. All of this could be packaged as a formal due diligence exercise that the data exporter and data importer would complete prior to initiating a data transfer. The new Standard Contractual Clauses embody the kind of due diligence and transparency commitments that the EDPB describes.
- Contractual commitments as to the IT solutions in use. Specifically, the data importer would make representations with respect to the absence of back doors or other software features intentionally designed to allow a government authority to access data.
- Enhanced technical audit provisions. The data importer would agree to more specific technical audit provisions designed to allow the data exporter to satisfy itself that the data importer was not giving personal data to government authorities. (Presumably these audits would be done by qualified third parties, but it’s hard to imagine that many US companies would be willing to submit to a potentially unlimited number of audits by EU companies or to allow unfettered access to the companies’ IT security features.)
- Use of “warrant canaries”. A warrant canary is a digital sign that a company keeps visible only if it has not received a National Security Letter (or similar requirement outside of the US). This is rather obviously a potentially risky option for a company that is subject to a gag order or any other tipping-off restriction. It is not clear whether the EDPB’s guidance will renew interest in the use of warrant canaries.
- Contractual commitments to exercise legal avenues to resist disclosure requests and to give notice to the affected parties of the request. The data importer would agree to avail itself of any rights it has to resist the disclosure request and to notify the data exporter and data subjects.
The EDPB has additional recommendations, and it is well worth reading the guidance in full.