Many are already aware that it is mandatory to provide appropriate safeguards for such transfers as the Court of Justice of the European Union (CJEU) emphasised in the so-called Schrems II (1) decision on 16 July 2020, invalidating one of the most commonly used mechanisms for transferring personal data to the United States of America (U.S.)—the European Commission's (Commission) decision 2016/1250 on the adequacy of the level of protection for the transmission of data to the U.S. or the so-called “Privacy Shield”.
At the same time, equally as many entities are not familiar with the concept of “personal data transfers to third countries”. While lack of awareness and enforcement still hinder the application of the GDPR to personal data transfers to third countries, supervisory authorities increasingly apply pressure not only on big tech companies, such as Facebook (2)and Microsoft (3), but also on small and medium entities, by imposing fines (4). Moreover, infringements of the provisions of the GDPR regulating the transfers of personal data to a recipient in a third country are subject to the highest level of penalties under the GDPR.
While those who already have done the Schrems II homework may face the next level challenge (deciding on supplemental measures to ensure compliance with the EU level of protection of personal data), those yet unfamiliar with the concept of data transfers, are exposed to a comparatively higher and increasing risk of non-compliance due to complete lack of safeguards.
Some examples of personal data processing likely to involve transfer to third countries are:
- data storage in cloud-based storage services,
- use of contemporary web-based applications, such as productivity tools, customer relationship management services, automated translations tools, etc.,
- use of data for shared business purposes or engaging in a common economic activity with a company operating in a third country,
Only a few countries, including Andorra, Argentina, Canada, Israel, Japan, New Zealand, Switzerland, and Uruguay, are recognised by the Commission as providing an adequate level of data protection, with the result that data exporters from the EU are exempt from the obligation to apply safeguards for transfers to these countries. When transferring data to an “inadequate” third country, EU data exporters, subject to the obligation to provide appropriate safeguards, mostly choose standard contractual clauses (SCC) adopted by the Commission, as the transfer tool. The United Kingdom, the U.S., the Russian Federation, and Ukraine are not among countries recognised as providing an adequate level of protection; thus, data transfer to these countries may trigger the obligation to provide appropriate safeguards, for example, the SCC.
However, it is not enough to rely solely on the SCC. The CJEU emphasised in Schrems II that the EU data exporter must verify, on a case-by-case basis, whether the law of the third country of destination ensures adequate protection(5) or, in other words, assess and make sure that the data recipient can fulfil the obligations undertaken with the SCC, considering the legislation of the country in question.
Recognising the complexity of assessing the laws of third countries and identifying appropriate supplementary measures, the European Data Protection Board (EDPB) adopted Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Recommendations). Recommendations outline a roadmap of the steps to take to find out if the data exporter needs to put in place supplementary measures to be able to legally transfer data to a third country.
To assess whether the chosen transfer tool is effective in light of all circumstances of the specific transfer, one has to determine if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of GDPR Article 46 transfer tool. The assessment should consider all the actors participating in the transfer (e.g., controllers, processors, and sub-processors processing data in the third country), as identified in the data flow map. Moreover, the assessment should fully consider the applicable legal context, including purposes of transfer and processing, entities involved, categories of personal data transferred, the format of the data, and the possibility of onward or further transfer to another third country (6). Furthermore, the applicable law assessment should include, among others, requirements to disclose personal data to public authorities or granting public authorities the right to access, and assessment whether these requirements are limited to what is necessary and proportionate in a democratic society(7).
Examples of the laws of third countries impinging on the effectiveness of the safeguards may include the Foreign Intelligence Surveillance Act of the U.S. and the Federal Law “On information, information technologies, and protection of information” of the Russian Federation.
If the assessment has revealed that the transfer tool is not effective, the next step is to assess whether supplementary measures exist, which, when added to the safeguards contained in transfer tools, could ensure that the data transferred are protected on the same level as within the EU.
Supplementary measures may have a contractual, technical, or organisational nature; however, contractual or organisational measures alone will generally not overcome access to personal data by public authorities of the third country. Encryption and pseudonymisation are among technical measures that are recognised as appropriate by the EDPB, subject to additional technical and organisational conditions that are aimed to prevent access by third countries’ authorities.
Furthermore, the EDPB mentions several scenarios in which no effective measures can be found, transfer to cloud service providers which require access to the data for business purposes being among them.
Following the Recommendations, mostly it will be possible to ensure compliant transfers; however, in scenarios where no effective measures can be found, the only option might be to follow Microsoft’s example and decide to process data in the EU or the EEA.
Considering the above, if you are transferring personal data to third countries using the SCC, the assessment of effectiveness of the SCC is mandatory to ensure compliance and should be performed before the transfer.