Post Schrems II World: EDPB adopts recommendations on additional measures for international data transfers | Adams and Reese LLP

To post Schrems II World: EDPB adopts recommendations on additional measures for international data transfers

On June 18, the European Data Protection Board (EDPB) formally adopted version 2 of its recommendations on measures supplementing transfer tools, first adopted on November 10, 2020, following Schrems II decision of the Court of Justice of the European Union.

Version 2

The first recommendations were adopted in November and published for public consultation. After receiving many helpful comments and suggestions, the EDPB released version 2 of the recommendations, revising the original recommendations to incorporate the comments received during the comments phase. The EDPB has focused most of its revisions on guidance for countries of destination:

• Evaluate the destination country practices towards data in addition to its legal standards
• Evaluate the destination country laws to the data and the actions it can take without consulting the data importer
• The dependence of the data exporter on the data importer real experience
• Reliance on recommendations to meet the compliance requirements of the revised European Commission (EC) Model Contractual Clauses (CCPs) announced on June 4, 2021 (which we recently discussed)

Where some of the European Commission’s regulations and guidelines remain more difficult to apply in practice, the EDPS recommendations are designed to be easily invoked and used as a framework for exporters to ensure a level of data protection essentially equivalent to that of consumers. General data. Protection Regulation (GDPR).

EDPB framework

The EDPB framework has remained similar to that of version 1, but the details, appendices and case scenarios provide more relevant and in-depth material than in the initial version. The framework is designed for exporters to use when assessing whether and what additional measures, if any, are needed for their transfers to ensure adequate data protection.

Responsibility for data transfers

• Principle of responsibility: a continuing requirement for controllers and processes to comply with data protection rules and rights in accordance with the GDPR. This requirement includes data transfers to other countries.

Roadmap

• Apply the principle of accountability to data transfers in practice. Document everything – the assessment, the decision to use additional measures, which measures are chosen and which are used – in case the competent supervisory authority requests such evidence.

The six stages of the framework

1. Know your transfers.

• Record and map transfers, including onward transfers. Don’t forget about data minimization.

2. Identify the transfer tools you rely on. Check the EC website to determine if there is an adequacy decision for the destination country. If there is, you do not need to take any further action as described in the recommendations.
   1. If there is no adequacy decision, consult the transfer tools of Article 46 of the GDPR or the appropriate guarantees:
      1. CSC
      2. Binding corporate rules (BCR)
      3. Codes of conduct
      4. Certification mechanisms
      5. Ad hoc contractual clauses

2. 1. May require the use of transfer tools + additional measures = ensure a substantially equivalent level of protection.

3. 1. Article 49 Derogations may only be considered after the failure of the above measures. The requirements are strict and may not be met. Proceed if insufficient.

3. Assess whether the GDPR Article 46 transfer tool you are relying on is effective in light of all the circumstances of the transfer.

• Is the transfer tool effective? Appropriate assessment of effectiveness now includes assessment of public authority laws and practices in the destination country. The recommendations provide a long list of resources and detailed scenarios to explain how to perform a thorough and accurate assessment.

4. Adopt additional measures.

• Annex 2 of the recommendations provides a non-exhaustive list of additional measures.
• If the additional measure + transfer tool = essentially equivalent level of protection a proceed with the transfer
• If additional measures are not effective or sufficient to ensure a substantially equivalent level of protection, any initiated transfer must be stopped and the transfer cannot proceed.

1. Procedural steps if you have identified effective complementary measures.

• If additional effective measures are identified above, follow the procedure steps depending on the GDPR Article 46 transfer tool you are using or plan to use:

1. CSC
   1. There is no need for additional authorization as long as they do not contradict the SCCs, and the level of protection of the GDPR is guaranteed.
   2. Changes to CCPs require the approval of a competent supervisory authority.
2. BCR
   1. It is the responsibility of the data importer and exporter to determine that the adequate level of protection is achieved when the data is transferred to a third country.
   2. If it is not followed, consider what additional measures to take and whether the laws or practices of the destination country will result in ineffective protection.
3. Ad hoc contractual clauses:
   1. the Schrems II decision applies, which means that the parties cannot guarantee on behalf of the public authorities of the countries of destination that they will be bound by the contractual conditions of the parties.

6. Reassess at appropriate intervals.

• The principle of accountability is an ongoing requirement and compliance does not just happen once; each transfer must be compliant.

Our privacy, cybersecurity and data management team will continue to monitor developments in this area.