Recommendations from the European Data Protection Board: a silver lining for data exporters?
The European Data Protection Board (“EDPB”) is an official body established by the European Union to monitor and ensure the consistent application of the General Data Protection Regulation (“GDPR”) throughout the EU. Its existence and mission are rooted in Art. 68 et seq. GDPR. In this function, the EDPB regularly issues opinions, guidelines and recommendations on questions of European data protection law. EDPB papers are an important source of information on European data protection law and how it is to be construed.
On November 10, 2020, the EDPB issued two Recommendations: Recommendations 02/2020 on “surveillance measures” and how these may affect the European “essential guarantees”, and Recommendations 01/2020 on “transfer tools” and the supplementary measures needed to ensure compliance with the EU level of protection of personal data.
The reason for these papers is obviously the “SCHREMS II” ruling of the CJEU issued in July 2020 (Case C-311/18). In this ruling, the CJEU invalidated the adequacy decision issued by the European Commission for the U.S.A. (better known under the moniker “Privacy Shield”), thereby rescinding at a stroke the legal basis for many (if not most) data exports from the EU into the United States. The decision was, at its core, based on the finding that the surveillance mechanisms and powers bestowed on US intelligence agencies were not in accordance with the level of protection required for European data subjects, which is to be maintained when their data is exported to countries outside the realm of GDPR.
While the CJEU was very clear on when data exports into the United States are to be regarded as unlawful, it left the question of how and when such data exports might still be lawful largely unanswered. This created a highly unsatisfactory situation for both those accountable for data exports and their legal advisors: there are many businesses out there which have, by the very nature of their services, no choice but to export data into the USA. By simply saying “no” to “Privacy Shield” and setting very high requirements for data exports generally, the CJEU left these businesses out in the rain: beyond stating that the “Standard Contractual Clauses” as per Art. 46(2)(c) GDPR might remain a possible legitimization for data exports, the “SCHREMS II” ruling provided little to no practical guidance on how to meet the requirements, thereby even leaving open whether these can be met at all.
Now, this is where the EDPB and the Recommendations come into play. They expressly pick up the ball dropped by the CJEU by trying to provide that guidance.
1. Data exports into the USA: still possible
The first, very important message one might take from the EDPB recommendations is not expressly spelled out: data exports into the United States are still possible.
In the SCHREMS II ruling, the CJEU pointed out that the legitimacy of a data export must be assessed for each individual case. This part of the ruling is also stressed by the EDPB: each data export must be evaluated on a case-by-case basis. Now, if the legal situation in the United States were to be understood as an absolute bar to data exports, an assessment of data exports on a case-by-case basis would simply be unnecessary.
This case-by-case approach reflects two core, systemic principles of GDPR: the concept of “accountability” and the concept of the “risk-based approach”. Notably, in the light of GDPR, not all processing of personal data is “created equal”. GDPR does not require that protective measures must always be the highest possible, nor that identical protective measures need to be taken for each and every processing operation. Rather, the accountable party, i.e. the one responsible (and liable for damages and fines as per Art. 82 et seq. GDPR) for the data processing, is authorized by GDPR to determine, within the framework of a reasonable risk assessment, that some data processing may be subject to less stringent protective measures than other, higher-risk data processing. Accordingly, data exports into the United States remain, as such, possible, provided the legal requirements are met.
2. The EDPB “roadmap to compliance”
How to meet these requirements is the subject of the EDPB recommendations. The paper lays out a “roadmap” with six “steps” to pursue to determine the legality of a data export. These steps are, unsurprisingly, a reflection of the above-mentioned principles of accountability and the risk-based approach:
Step 1: Know your transfers
Every accountable party must identify all of its data exports, because without such knowledge a risk assessment of these transfers is obviously impossible.
Step 2: Identify your transfer tools
To be legitimate, every data export must be based on one of the transfer tools provided by Chapter V GDPR, i.e. Art. 45 through 49 GDPR. Accordingly, each data export identified in Step 1 must be attached to at least one of the tools provided by GDPR, and the prerequisites of that tool must be met.
Step 3: Assess whether the transfer tool chosen is actually working
Now the tricky bits begin. Knowing each single data export and the tool with which it is to be legitimized, the effectiveness of the tool must now be checked. In other words: it must be assessed whether the identified risk pertaining to the data export is sufficiently addressed by the transfer tool.
This is especially crucial when relying on “Standard Contractual Clauses” as per Art. 46(2)(c) GDPR, which currently remain the main viable tool for data exports into the USA. It must be assessed whether contractual obligations can actually satisfy the need for protection even against governmental action. This touches a wide range of potential issues, such as the legal situation in the country to which the data is exported, known precedents and the technical, financial and legal resources of both the data exporter and the data importer. Now, if the analysis concludes that the transfer tool does, in and by itself, fully address the risk of the data export, all is fine and the roadmap ends right there.
Step 4: Adopt supplementary measures
If, however, the analysis has shown that the tool chosen for legitimizing the data export is not effective in fully addressing the risk, this does not yet mean the data export is illegitimate. Deficiencies might be cured by implementing supplementary measures in addition to what the chosen tool already includes.
This is exactly the point where the CJEU left off: it stated that “Standard Contractual Clauses” might be employed, and that they should be accompanied by supplementary measures if they are deemed insufficient. The EDPB papers offer both theoretical guidance as to the nature of potential measures and an expressly non-exhaustive list of concrete practical cases and examples of measures which might be included. They do not, however, say that these will be effective in every case, which is obvious given the basic statement that each data export must be assessed on a case-by-case basis.
Step 5: Put the supplementary measures into practice
Having identified the data export, the tool legitimizing it and the supplementary measures is clearly not enough as such: they must be implemented and brought to life. This might be a truism but is nonetheless vital: as the old saying goes, “paper is patient”, and of course the best paperwork promising a high level of data protection is worthless unless it is put into practice. Any data protection authority will not only look at whether the formalities required by the tool legitimizing the data export have been met, but of course also at whether it is indeed working and sufficiently protecting the rights of data subjects.
Step 6: Re-evaluate in appropriate intervals
The last step of the EDPB’s roadmap might appear obvious but is easily forgotten. Data processes are fluid and evolve all the time, and the hardware and software employed are renewed and improved constantly. The accountable party needs to stay on top of its data exports and the tools used for their legitimization, as well as their legal, technical and practical implications.
3. Our opinion
The EDPB expressly intended to pick up where the CJEU left off, trying to put the CJEU ruling into practice. Now – does it succeed? The proper answer to this question is very much the answer of a lawyer: it depends. It depends on your perspective and the facts of your case.
The “roadmap” issued by the EDPB is surely helpful but does not contain much news. The steps mentioned are implied by GDPR and should already be known and applied by any accountable party seeking compliance for its data processing in general, as well as for its data exports. What is new, however, are the various scenarios and use cases written down in the Annex to the Recommendations, which illustrate a few ways to (not) successfully deal with the implications of GDPR. What’s more, the Annex spells out various possible additions to the “Standard Contractual Clauses” which might be adopted in situations in which these do not suffice by themselves (as is certainly the case with all data exports into the United States). As such, the Recommendations surely serve their intended purpose in that they offer guidance: no less, but also not more.
Overall, everyone hoping for an easy and convenient off-the-shelf solution will be disappointed, as no such thing is on offer. In fact, the Recommendations stress that there is no such thing as an off-the-shelf solution: each single data export must be assessed, a tool appropriate to its inherent risk must be found, set up in theory and implemented in practice. Accordingly, the situation of accountable data exporters remains rather unsatisfactory: there is no easy answer and no quick solution to the questions GDPR raises for data exports. However, the good news is that this very lack gives every accountable data exporter the freedom to determine for themselves which additional supplementary measures might be appropriate. GDPR expressly allows them to decide case by case on their own account, provided the measures taken are adequate for the specific risk in question.
This is the challenge every data exporter is faced with and must take on if they want to comply with GDPR. If the “SCHREMS II” ruling was not enough of a wake-up call in this regard, the Recommendations must be understood as such.