Schrems II – EDPB consulting on draft recommendations on measures required to supplement SCCs.
The Schrems II decision of the European Court of Justice (CJEU) in July 2020 invalidated the EU-US Privacy Shield and gave a strong indication that Standard Contractual Clauses (SCCs) alone would not be sufficient to ensure the lawful transfer of personal data to third countries. See our article here on the Schrems II decision.
The Schrems II decision requires data exporters that wish to use SCCs for transfers of personal data to third countries to consider the law and practice in that country and determine whether or not it is compatible with data subjects’ rights within the EU.
This is unlikely to be the case if public authorities in that country have unfettered access to personal data and/or if data subjects have no effective judicial remedies.
Additional safeguards may be required, and since the Schrems II decision there has been a lot of speculation about what measures data exporters need to take in addition to SCCs to ensure an adequate level of protection.
The European Data Protection Board (EDPB) replaced the Article 29 Working Party (WP29). It includes representatives from the data protection authorities of each EU member state and each EEA state. The UK is no longer a member of the EDPB but the guidelines adopted by the EDPB for complying with the requirements of the GDPR are still binding on the UK until the end of the transition period.
The EDPB issued two recommendations in November 2020:
- Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Draft Recommendations on Supplementary Measures”); and
- Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (“Recommendations on EEG”).
Draft Recommendations on Supplementary Measures
These draft recommendations contain a roadmap of the six steps data exporters must take when carrying out a risk assessment as to whether a transfer tool, such as SCCs, provides an essentially equivalent level of protection for the personal data within the legal framework of the destination country outside the EEA. If not, the data exporter must put supplementary measures in place to mitigate the risks before being able to continue to lawfully transfer the personal data to the third country concerned.
The draft recommendations also contain a non-exhaustive list of examples of the types of supplementary measures that could be put in place and some of the conditions they would require to be effective.
They are open to public consultation until 21 December 2020 (an extension from the original deadline of 30 November 2020).
However, data exporters are responsible for making their own assessment in the context of the transfer, the third country law and the transfer tool they are relying on, and they will be held accountable for that decision.
Recommendations on EEG
These recommendations update the European Essential Guarantees for surveillance measures and are intended to be complementary to the recommendations on supplementary measures. They provide data exporters with elements to determine if the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with the rights to privacy and the protection of personal data, and therefore as not impinging on the commitments of the relevant transfer tool the data exporter and importer rely on.
The two recommendations together raise a number of practical challenges. We have yet to receive any guidance on this from the ICO. The ICO’s two statements since the Schrems II decision simply state that it is considering the position, is reviewing the recommendations and will consider whether it needs to publish its own guidance in due course.
The ICO is reviewing the European Commission’s new GDPR SCCs, which are still open for consultation and need to be approved by the Commission and EU member states. Once approved, organisations will have 12 months to replace their existing SCCs. Until then, current SCCs will apply.
We recommend that you keep a close eye on any forthcoming announcements from the ICO and review your data flows and data processing operations to identify cross-border transfers and establish if you need to put in place additional measures to continue those data transfers lawfully.
If you would like to discuss your data protection obligations in relation to cross-border transfers of personal data (including the use of overseas service providers), please contact Carys Thompson at firstname.lastname@example.org.