In early November, the European Data Protection Board (EDPB) published two sets of recommendations: Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data; and Recommendations on the European Essential Guarantees for surveillance measures. Both documents intend to address the requirements set out by the Court of Justice of the EU judgment in Schrems II (C-311/18) (see also our articles on the case here and here). 

The ruling concerned the validity of the standard contractual clauses (SCCs) as one of the mechanisms of transferring personal data outside of the European Economic Area (EEA).

While the judgment maintains the validity of the SCCs, it imposes a higher level of due diligence on exporters and importers of personal data from the EEA.

The recommendation on supplementary measures outlines a process for ensuring the level of protection for EEA resident personal data that is transferred outside of the EEA to a third country. It is open for consultation until 21 December 2020. The guidance lists a six-step approach:

1. Know your transfers (map your transfers, where is personal data being transferred to including onward transfers, check data transferred is adequate, relevant and necessary to the purpose)

2. Identify the transfer tools relied on (set out under Articles 45, 46 and 49 GDPR, adequacy decision, SCCs, binding corporate rules, BCRs, codes of conduct, certification mechanisms, ad hoc contractual clauses, derogations)

3. Assess whether the transfer tool is effective in light of all the circumstances such as law or practice in the third country (effective means an essentially equivalent level of protection is guaranteed as in the EU)

4. Identify and adopt supplementary measures (if effectiveness of the transfer tool is impacted) which could be technical (e.g. encryption, pseudonymisation and split processing), contractual (transparency reports, enhanced audit rights or a warrant canary) or organisational measures (internal policies for governance of transfers with clearly defined responsibilities)

5. Take any formal procedural steps (depending on the transfer tool used)

6. Re-evaluate at appropriate intervals (ongoing monitoring)

The recommendations on the European Essential Guarantee provide guidance on whether interference by public authorities to access personal data for criminal law enforcement, regulatory supervision and national security impinges on the effectiveness of data transfer tools.

In its statement following the publication of the recommendations, the Information Commissioner’s Office (ICO) stated that: ‘We reiterate our advice that organisations should take stock of the international transfers they make, and update their practices as guidance and advice become available. We continue to apply a risk-based and proportionate approach to our oversight of international transfers in accordance with our Regulatory Action Policy.’

The recommendations on supplementary measures are open for consultation until 21 December.