The European Data Protection Board (EDPB) has issued guidance to help companies transfer data to the United States and other third countries safely after Europe’s top court in July ruled key methods used up until then were either invalid or unsafe.
The Court of Justice of the European Union, in addition to scrapping the EU-U.S. Privacy Shield, determined two other principal mechanisms for data transfers—standard contractual clauses (SCCs) and binding corporate rules (BCRs)—remain valid but warned neither offers 100 percent legal protection. As such, in the four months since the judgment, companies have been anxious that they may be in breach of the General Data Protection Regulation (GDPR) by continuing to transfer data across the Atlantic.
On Wednesday, the EDPB published its list of “supplementary measures” companies can take to ensure the personal data they transfer outside of the European Union still enjoys the same level of protection data subjects would expect in Europe.
“The protection granted to personal data in the European Economic Area must travel with the data wherever it goes,” the EDPB said. “In the end data exporters are responsible for making the concrete assessment in the context of the transfer, the third country law and the transfer tool they are relying on.”
The EDPB’s six-step guide says companies should:
- Map all transfers of personal data to third countries to ensure the data is afforded an essentially equivalent level of protection wherever it is processed. Companies must also verify the data they transfer is adequate, relevant, and limited to what is strictly necessary.
- Verify the transfer tool they are relying on to transfer the data—such as SCCs and BCRs. If the European Commission has already declared the third country where the data is being transferred as “adequate,” companies will not need to take any further steps. It is still possible to make occasional and nonrepetitive transfers under the derogations provided for in Article 49 of the GDPR, but this mechanism cannot be used for standard data transfers.
- Assess if there is anything in the law or practice of the third country that may undermine the data’s level of protection (compared to the GDPR). Companies should conduct and document their due diligence.
- Identify and adopt supplementary measures to bring the level of data protection up to EU standards if their assessment reveals the third country’s legislation impinges on the effectiveness of the transfer tool they are relying on. In those cases where no supplementary measure is suitable, companies must avoid, suspend, or terminate the transfer to avoid compromising the level of protection of the personal data.
- Consult with their lead supervisory authority if they believe the supplementary measures may prove problematic, or if there is a risk that supplementary clauses attached to SCCs may result in a lower level of data protection.
- Re-evaluate at “appropriate intervals” the level of protection afforded to the data they transfer to third countries, as well as monitor if there have been (or will be) any developments that may affect it. EU data regulators will suspend or prohibit data transfers in those cases where, following an investigation or complaint, they find an essentially equivalent level of protection cannot be ensured.
According to the EDPB’s guidance, supplementary measures include:
- Ensuring data sent to third countries is used only for backup purposes and is not accessed or shared there;
- Pseudonymizing data so the personal information can no longer be attributed to a specific data subject;
- Encrypting data;
- Ensuring the data subject can be regarded as a “protected recipient” for medical or legal purposes under the third country’s laws; and
- Using split- or multi-party processing so no single organization other than the data exporter can access all identifiable personal data.
Scenarios in which the EDPB says there are no effective supplementary measures include:
- Transferring personal information to a cloud services provider in a third country that needs access to unencrypted data to execute operations, or is based in a country where “access [to] the transferred data goes beyond what is necessary and proportionate in a democratic society”; and
- Transferring unencrypted data between parts of a company that has operations in the European Union and in third countries where the level of data privacy is not adequate.
Experts say the EDPB’s guidance is useful, though some companies will find compliance onerous. They also warn companies should take steps to implement the measures quickly.
Gary LaFever, CEO and general counsel at data privacy specialist Anonos, says there is a “high” chance of regulators and privacy groups taking enforcement action against companies that are not already implementing the steps the EDPB is recommending. “Privacy advocacy organizations and regulators alike are pushing hard for companies to get into line with privacy laws, and enforcement action is likely to increase as guidance makes clear what is required,” he says.
“If an organization has not completed the steps and suffers a notifiable breach related to an EU-U.S. transfer, they will find any subsequent regulator investigation much more uncomfortable,” agrees Camilla Winlo, director of consultancy at privacy expert DQM GRC. “A fine is more likely and will be bigger if the organization has not complied with the EDPB’s requirements.”