International Data Transfer: New EDPB Recommendations as a Ray of Sunshine on the Horizon?
It may be a coincidence, but US President Joe Biden could hardly have wished for better timing: To coincide with his visit to Europe, the European Data Protection Board (EDPB) has published a new paper that makes it at least a little easier for companies to transfer data to the US in some cases.
Version 2.0 of the "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data" of 18 June 2021 (edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf (europa.eu)) only brings minor changes compared to the previous version (consultation version of 10 November 2020, edpb_recommendations_202001_supplementarymeasurestransferstools_de.pdf (europa.eu)) but in important cases they give international companies some more options.
The ruling relates in particular to data transfers to the USA, which until now had very often been covered by the so-called "EU-US Privacy Shield". The ECJ considered the "EU-US Privacy Shield" to be insufficient to ensure an adequate level of data protection within the meaning of the GDPR, primarily due to the far-reaching competences of the US security services.
Standard contractual clauses (SCCs for short) - previously relied on by many companies for data transfers to the US - can still be used in principle even after Schrems II, but the mere conclusion of the SCCs is not sufficient for this purpose anymore. Rather, additional measures have to be taken.
Previous EDPB recommendation
The consultation version of the EDPB recommendations adopted on 10 November 2020 addressed the question of what additional measures may be considered.
Based on the assumption that the US security authorities are not impressed by, for instance, contractual agreements between a EU company (as a data exporter) and a US company (as a data importer), the proposed measures were mainly of a technical and organisational nature, in particular anonymisation and encryption, with the aim of preventing the processing of clear data by the data recipient in the US and thereby preventing US security authorities from accessing personal data. Though additional contractual measures beyond the SCCs were recommended, they were not considered sufficient.
Shortcomings of the previous EDPB recommendations: Cloud services, employee data in the group, eCommerce...
The Schrems II ruling and the EDPB recommendations confronted many companies with challenges hardly solvable, as no solution was offered for important use cases. For instance, transfer to cloud service providers or other processors requiring access to unencrypted data or remote data access for business purposes was explicitly identified as a problem without a solution (subs. 88 ff). The transfer of employee data within international corporations was not addressed at all, which posed major problems for US corporations in particular.
In addition, the EDPB was also very restrictive regarding the exceptions in the GDPR, which also include guarantees to secure third-country transfers: "Article 49 of the GDPR is an exception. The exceptions provided for therein must thus be interpreted restrictively; they relate predominantly to processing activities that are only occasional and not repetitive. The EDPB has issued its Guidelines 2/2018 on the exemptions under Article 49 of Regulation 2016/679" (subs. 25 - the English wording here is even stricter than the German). The transfer of employee data within international corporations, the transfer to cloud service providers or cross-border e-commerce are usually not exceptions that only take place occasionally - in fact, they are typically recurring activities.
New EDPB Recommendations
The new EDPB recommendations also offer no explicit solutions to the problems outlined.
However, they do give companies a little more leeway. The strict wording of the exceptions under Article 49 GDPR has at least been softened somewhat ("Article 49 GDPR has an exceptional nature. The derogations it contains must be interpreted in a way which does not contradict the very nature of the derogations as being exceptions from the rule that personal data may not be transferred to a third country unless the country provides for an adequate level of data protection or, alternatively, appropriate safeguards are put in place. Derogations cannot become “the rule” in practice, but need to be restricted to specific situations.") Thus, it does not says anymore that Article 49 could not be applied if there were a large number of operations or repeated operations. This allows room for manoeuvre to base the transfer of data to the USA - at least under strict conditions - on the necessity for the fulfilment of the contract or consent, whereas the necessity must be carefully examined and the consent must be given in an informed manner, which may also include specific explanations of the risks of the international transfer of data.
Finally, the EDPB corrects its course in another detail. When assessing the risks of a data export, it is now possible - to a greater extent than under the consultation version - to take into account whether the respective data importer and the respective data processing activity are actually subject to problematic US laws. Of course, this also requires a precise analysis, which must be documented.
Data transfers to the USA remain difficult, but the new recommendations are a way in the right direction. So far, companies that wanted to follow the EDPB's recommendations simply were not offered a solution in some important areas. In this respect, the data transfer risk assessment demanded by the data protection authorities was a frustrating exercise because no solution could be found, regardless of the risk identified. There now seems to be some progress in important areas, especially where the data importer in the USA does need access to unencrypted data, for instance in the transfer of employee data within the corporation or in global technical infrastructures such as some cloud services or e-commerce offerings.
The German data protection authorities are already in the process of investigating the status of the implementation of the Schrems II ruling in companies, for example via questionnaires (Coordinated Audit of International Data Transfers | The Brandenburg State Commissioner for Data Protection and for the Right to Inspect Files). Violations will surely be sanctioned. Companies are well advised to carry out the required assessment carefully and in line with the EDPB recommendations and to document this exercise.
Dr Andreas Lober