On 11 November 2020, the European Data Protection Board (“EDPB”) issued two recommendations relating to the rules on how organizations may lawfully transfer personal data from the EU to countries outside the EU (“third countries”).  The first of these (on supplementary measures) is a draft, which is non-final and open for public consultation until 30 November 2020; the second (on the European Essential Guarantees) has been adopted in final form.  Both follow the decision of the Court of Justice of the EU (“CJEU”) in Case C-311/18 (“Schrems II”).  (For a more in-depth summary of the CJEU decision, please see our blog post here and our audiocast here. The EDPB also published on 24 July 2020 FAQs on the Schrems II decision here).

The two recommendations adopted by the EDPB are:

  1. the Draft Recommendations on Supplementary Measures; and
  2. the Recommendations on European Essential Guarantees (“EEG”).

Draft Recommendations on Supplementary Measures

The EDPB in its Draft Recommendations on Supplementary Measures sets out a six-step process that organizations should follow when they transfer personal data from the EU to a third country.

The six steps are as follows:

  1. Data exporters should know their transfers, by recording and mapping their transfers, including onward transfers—for instance, where processors outside the EEA transfer personal data to a sub-processor in the same or another third country.
  2. Data exporters should identify the transfer tools relied on for their transfers, which may include adequacy decisions, Article 46 GDPR transfer tools (including the SCCs and Binding Corporate Rules), or derogations under Article 49 GDPR.
  3. If relying on an Article 46 GDPR transfer tool (such as SCCs), data exporters should assess whether the law and practice of the third country undermine the protection the tool is meant to provide, i.e., whether the data will still enjoy a level of protection “essentially equivalent” to that guaranteed in the EU. (The CJEU in Schrems II established the principle that the protection in the third country must be “essentially equivalent” to that in the EU.)  The EDPB states that this assessment should be conducted with due diligence and thoroughly documented (paragraph 42).
    • The EDPB emphasises that this assessment should pay close attention to any laws in the third country that lay down requirements to disclose personal data to public authorities or grant public authorities powers to access personal data (e.g., for criminal law enforcement, regulatory supervision, and national security purposes). The EDPB emphasises that such assessments should be based on publicly available legislation as well as other sources of information, including “precedent” and “practice”.
    • The EDPB’s Recommendations on EEG (discussed below) set out the specific elements to be considered when determining whether such requirements or powers granted to public authorities are limited to what is regarded as justifiable interference—and therefore not impinging on the commitments taken in the Article 46 GDPR transfer tool.
  4. If the assessment under step 3 reveals that the Article 46 GDPR transfer tool is not effective on its own, data exporters should, in collaboration with the data importer, adopt supplementary measures to ensure that the data transferred is afforded in the third country a level of protection essentially equivalent to that in the EU.
    • The EDPB considers that supplementary measures may have a contractual, technical or organizational nature, and emphasises the role of technical measures.
    • Annex 2 of the Draft Recommendations sets out detailed guidance on supplementary measures that may be adopted in specific scenarios.
  5. Data exporters should take any procedural steps required to implement effective supplementary measures—for example, by obtaining authorization from a competent EU supervisory authority to adopt any supplementary measures that contradict the SCCs.
  6. Data exporters, in collaboration with data importers, should re-evaluate at appropriate intervals the developments in the third country to which the personal data has been transferred. Data transfers should be promptly suspended or ended where the data importer has breached or is unable to honour the commitments it has taken in the Article 46 GDPR transfer tool or the supplementary measures are no longer effective in that country.

Recommendations on EEG

The Recommendations on EEG identify four European Essential Guarantees, which must be respected to ensure that interferences with the rights to privacy and protection of personal data do not go beyond what is necessary and proportionate in a democratic society, as required by settled CJEU and European Court of Human Rights (“ECtHR”) case law.  These European Essential Guarantees are:

  1. The processing should be based on clear, precise and accessible rules;
  2. The measures adopted must be necessary and proportionate with regard to the legitimate objectives pursued, and the necessity and proportionality of such measures need to be demonstrated;
  3. An independent oversight mechanism must be in place; and
  4. Individuals whose data is processed must have access to effective remedies.

When data exporters assess a third country’s laws to determine whether the level of protection in that country is essentially equivalent to that guaranteed in the EU, they must assess whether any laws allowing public authorities to demand disclosure of, or obtain access to, personal data meet these European Essential Guarantees.  The European Essential Guarantees should therefore form the backbone of the transfer impact assessments that organizations carry out following the Schrems II decision, and of the third step outlined in the Draft Recommendations on Supplementary Measures discussed above.

Next Steps

Taken together, the Draft Recommendations on Supplementary Measures and the Recommendations on EEG raise a number of practical challenges. We encourage companies to provide their feedback on the Draft Recommendations on Supplementary Measures as part of the public consultation process, which is open from 11 November 2020 to 30 November 2020.  If you have any questions concerning the material discussed in this blog post, please contact the Covington team.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Lisa Peets

Lisa Peets is co-chair of the firm’s Technology and Communications Regulation Practice Group and a member of the firm’s global Management Committee. Lisa divides her time between London and Brussels, and her practice encompasses regulatory compliance and investigations alongside legislative advocacy. For more than two decades, she has worked closely with many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU and UK legal frameworks affecting technology providers, including data protection, content moderation, artificial intelligence, platform regulation, copyright, e-commerce and consumer protection, and the rapidly expanding universe of additional rules applicable to technology, data and online services.

Lisa also supports Covington’s disputes team in litigation involving technology providers.

According to Chambers UK (2024 edition), “Lisa provides an excellent service and familiarity with client needs.”

Marty Hansen

Martin Hansen has over two decades of experience representing some of the world’s leading innovative companies in the internet, IT, e-commerce, and life sciences sectors on a broad range of regulatory, intellectual property, and competition issues, including related to artificial intelligence. Martin has extensive experience in advising clients on matters arising under EU and U.S. law, UK law, the World Trade Organization agreements, and other trade agreements.

Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam’s practice includes advising on regulatory, compliance and policy issues that affect leading companies in the technology, life sciences and gaming sectors under laws relating to privacy and data protection, digital services and AI. She advises clients on the design of new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.