
12.11.2020

EDPB recommendations for third country transfers published

On November 10th 2020, the European Data Protection Board (EDPB) published recommendations that supplement transfer tools for transfers to so-called third countries outside the EU and the EEA. On July 16th 2020, the ECJ ruled that the transfer of personal data on the basis of the EU-US Privacy Shield is not permissible and that those relying on EU standard contractual clauses must carry out their own effectiveness test. In the decision, the ECJ also clarified that data transfers to the USA are no longer possible solely on the basis of EU standard contractual clauses. This poses considerable problems for companies and organizations.

Against this background, it is to be welcomed that the first firm positions have now been taken at European level, even if at first glance these are not suitable for solving the numerous problems in practice. The EDPB follows the hard line of the ECJ and makes no attempt to use the levers of the GDPR for pragmatic solutions. The ideas of the ECJ and the EDPB on the protection of personal data deviate so fundamentally from the ideas of many other countries outside the EU that a lasting solution can only be achieved politically and legislatively. In practice, only companies in the EU are currently suffering from this global conflict.

The EDPB explicitly emphasizes the responsibility of each data exporter to carefully examine transfers to third countries and to ensure a level of protection of personal data comparable to that in the EU. To this end, it formulates a six-step procedure, which is roughly outlined below together with its respective significance for practice:

Step 1: Documentation of all transfers of personal data to third countries

The EDPB makes it clear that the documentation of transfers to third countries is of great relevance. However, the EDPB explicitly points out that, in its view, any access from a third country (e.g. for maintenance and support) already constitutes a transfer to a third country. The EDPB also points out that onward transfers, e.g. to subcontractors in a (different) third country, must also be taken into account. All data transfers to third countries should be regularly documented in the register of processing activities.

Steps 2 and 3: Selection of a transfer instrument and examination of its effectiveness

With regard to the effectiveness of the chosen transfer instrument, the EDPB once again clarifies that data exporters can rely on adequacy decisions of the EU Commission under Art. 45 GDPR or the Data Protection Directive (95/46/EC) without further examination, provided that the relevant decisions have not been overturned by the ECJ or the Commission (such as the one for the EU-US Privacy Shield by the ECJ). For all guarantees under Art. 46 GDPR, the EDPB requires an individual examination of their effectiveness. With regard to the exceptions to Art. 49 GDPR, the EDPB points out that, in its view, their scope of application must be interpreted narrowly (see also Guidelines 2/2018).

When examining the effectiveness of guarantees under Art. 46 GDPR, the EDPB expects a case-by-case assessment of the specific data transfer, taking into account all processing steps and all third countries concerned. It expressly emphasizes that all subcontractors must also be included. The individual case examination should document whether the measures taken meet the Essential European Guarantees, on which the EDPB also published recommendations on November 10th 2020.

Step 4: Selection and binding agreement of additional protective measures

If the examination comes to the conclusion that the agreed guarantees under Art. 46 GDPR do not ensure an adequate level of protection for personal data, supplemental protective measures must be examined. This step will thus be the most relevant in practice. These supplemental measures can basically be of a contractual, technical or organizational nature, although the EDPB makes it clear that contractual and organizational measures alone cannot as a rule provide effective protection against access by the authorities. Provided that measures are found and agreed upon which create an adequate level of protection for the data in the third country, the transfer is in principle possible.

The extensive presentation of examples of supplementary measures in Annex 2 is very helpful and provides good orientation, although many examples seem to be strange and not very practical. However, it is gratifying that the EDPB explicitly describes the pseudonymization of data as a possible measure, provided that the data importer (and accordingly the foreign authority) has no possibility of tracing the data back to individual persons.

Step 5: Formal confirmation of the process steps (if necessary)

It may be necessary to coordinate the additional measures found with the responsible supervisory authority. The EDPB's explicit clarification that additional agreements to EU standard contractual clauses do not require the approval or release of the competent supervisory authority is most welcome as long as the wording of the EU standard contractual clauses is not changed but only supplemented and the additional provisions do not contradict the EU standard contractual clauses. Any change in the wording of the EU standard contractual clauses requires the approval of the supervisory authority. The EDPB also makes it clear that the Schrems II decision also applies to Binding Corporate Rules (Art. 47 GDPR) and holds out the prospect that a separate publication by the EDPB will be made on this subject.

Step 6: Regular review of the measures taken

Finally, the EDPB makes it clear that all measures taken require regular review. The EDPB expressly demands that measures must be taken to enable the data transfer to be terminated at short notice if the data importer violates the agreed rules.

First conclusion on the recommendations of the EDPB

The steps described by the EDPB are presented in a comprehensible manner and essentially correspond to the measures already discussed. The required in-depth examination of local law in the recipient countries is likely to be practically unaffordable, especially for small and medium-sized enterprises, and will present even large companies with hardly solvable challenges. It may be advisable, as a precaution, to deny the appropriate level of protection in the third country and rather look for technical protective measures that - where possible - effectively prevent data access by foreign authorities.

Unfortunately, the EDPB does not even address data processing in multinational companies, where personal data from the EU must regularly be accessed and processed in third countries as well. According to the examples of the EDPB, the transfer of personal data to group companies in a third country is practically impossible. Whether it is actually the intention of the GDPR to de facto prohibit multinational groups in which European companies participate may be doubted.

The EDPB also expressly does not address the problem of temporary maintenance access from a third country, which is highly relevant in practice, although assistance for the companies concerned would have been particularly important here.

The EDPB's recommendations were published expressly for public comment. It is therefore to be expected that the EDPB will also receive extensive comments from practical experience. It is possible that this will lead to further practical examples. However, fundamental changes are not to be expected by taking the public comments into account.

Practical tip

The EDPB makes clear that it takes the ECJ decision very seriously and encourages national supervisory authorities to examine transfers to third countries. Many national supervisory authorities have already announced that they will make the issue a focus of their audits. Those responsible are therefore urgently advised to pay appropriate attention to the issue, to check, adjust or even temporarily suspend data transfers to third countries in a documented manner. The current legal situation must be classified as extremely challenging.

Authors

Nikolaus Bertermann, Partner

Hannah Mugler, Associate

Dr. Stefan Peintinger, Counsel

Dr. Elisabeth von Finckenstein, Associate