EU Data Protection Regulators Issue Critical Draft Guidance on Personal Data Transfers
US companies and other organizations whose activities involve the use of personal information from Europe were unsettled by the EU Court of Justice’s July 2020 Schrems II decision that cast doubt on the lawfulness of transferring personal data from the EU to the US. The European Data Protection Board (EDPB) has now published its long-awaited guidance as to what it expects organizations to do to bolster protections for transfers of personal data. The new guidance imposes a very high burden on transferors and recipients of EU personal data. However, organizations may appreciate that the EDPB guidance does at least provide a pathway (no matter how onerous) for data transfers following the Schrems II decision. Furthermore, the EDPB has clarified that its guidance applies to all personal data transfers under Article 46, which includes binding corporate rules as well as the Standard Contractual Clauses (SCCs) and the various yet-to-be-implemented codes of conduct and certifications envisioned by the GDPR.
Schrems II and the EDPB’s guidance apply to all ex-EU personal data transfers, but the remainder of this article focuses on transfers to the US.
What is the problem we need to solve?
The main thrust of the Schrems II case was to question whether the US national intelligence agencies’ ability to require certain US entities to turn over personal data of people who are in Europe fatally undercuts the EU-approved data transfer mechanisms as a means of ensuring that European personal data is adequately protected when it is transferred to the US. The Court stopped short of an outright prohibition on all personal data transfers to the US, but nonetheless held that US national security powers and programs conflict with the fundamental rights of people in the EU (in part due to overly broad data collection) and do not provide adequate remedies for EU persons who suspect their fundamental rights have been violated. The Court suggested that unspecified additional protections might make such transfers acceptable. The EDPB’s new draft guidance provides a step-by-step framework for assessing the privacy risks of data transfers and describes additional protections that may be acceptable to EU regulators.
What is the end goal?
The objective of the assessment framework and additional protections proposed by the EDPB is to satisfy four “European Essential Guarantees” – principles that must be satisfied when personal data is processed in a way (such as for national security purposes) that conflicts with privacy rights:
- Processing should be based on clear, precise and accessible rules
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
- An independent oversight mechanism should exist
- Effective remedies need to be available to the individual
The Schrems II decision effectively held that US national surveillance laws fail to satisfy the European Essential Guarantees. That means that US organizations need to adopt additional measures to make sure that the personal data they receive nonetheless will be treated in a way that is acceptable under European data protection standards.
How does the EDPB suggest organizations tackle a Schrems II analysis?
The EDPB guidance provides a list of steps organizations should take to assess whether proposed data transfers meet the European Essential Guarantees outlined above:
- Know your transfers. This is a fundamental GDPR requirement in any event. Organizations should know what personal data they are transferring and be able to show that the transfers meet all requirements of the GDPR, including data minimization.
- Verify your data transfer mechanism. Organizations must be able to identify which of the GDPR’s data transfer mechanisms is in use. Typically, this will be a Commission adequacy decision, the SCCs, or BCRs (binding corporate rules). Interestingly, the EDPB executive summary states that the Article 49 derogations (explicit consent, performance of a contract, important reasons of public interest, etc.) are available “[o]nly in some cases of occasional and non-repetitive transfers,” which is a blunter statement than previous EDPB guidance, which acknowledged that the GDPR’s “occasional and non-repetitive” qualifier applied only to some of the derogations. This may be a further step by the EDPB to effectively eviscerate the Article 49 derogations.
- Assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer mechanism, in the context of the specific transfer. This may be the heaviest lift for organizations. The EDPB advises that the “assessment should be primarily focused on third country legislation that is relevant to your transfer and the Article 46 GDPR transfer tool you are relying on and that may undermine its level of protection.” In other words, how does the legislation fare when assessed against the European Essential Guarantees? This will be the primary route of analysis for US organizations, since US national surveillance activities are governed by published legislation, including publicly available ancillary regulations and guidelines. Many US organizations will find that they are not directly subject to the FISA Section 702 administrative subpoenas (commonly referred to as “national security letters”) discussed extensively in Schrems II, but that their cloud service providers, e-mail hosts and potentially other service providers are. US organizations need to assess any resulting privacy risks throughout their data custody chain.
The EDPB goes on to acknowledge that some countries conduct surveillance activities without a legal framework or with limited transparency, and recommends some steps to take. US organizations are relatively fortunate in that they can easily access the US national security legislation that governs US surveillance programs, along with a substantial amount of publicly available information describing these programs and the internal controls designed to prevent their abuse.
- Identify and adopt supplementary measures as necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. The next section of this article discusses these measures.
- Take any formal procedural steps required by your data transfer mechanism to adopt your supplementary measures.
- Periodically re-evaluate and monitor the adequacy of your supplementary measures.
Recommendations for Additional Protections
The EDPB’s key recommendations for additional technical protections include:
- Robust encryption. However, encryption will only count as an additional protection if there is no legal obligation to provide the encryption key to a government authority. (This is a hot topic in many countries, not just the US.) Even though it is not a silver bullet, the EDPB guidelines, taken as a whole, are likely to make encryption a virtually mandatory standard tool for safeguarding EU personal data.
- Pseudonymization prior to transfer. Pseudonymization has the benefit of allowing multiple records to be associated with one individual, but without identifying the individual as such. It may be useful in certain cases – and worthless in others where it’s necessary to know who the person is in order to make proper use of the information. Furthermore, organizations need to consider carefully the risk that a specific person could still be identified by looking at his or her pseudonymized data.
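The two properties described above (records for one person remain linkable, while the person is not named, and re-identification remains possible from the other fields) can be seen in a small worked example. The following is an added illustration, not code from the article or from the EDPB; it assumes a keyed pseudonym (HMAC-SHA256 under a key that stays with the data exporter) and uses constructed sample records with made-up names, postcodes and birth years. The `singled_out` check shows why the exporter must look at the remaining quasi-identifiers, not just at the removed names: a pseudonymized record whose postcode and birth year are unique in the dataset still points to one person.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data (hypothetical, not from the article).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice A", "postcode": "75001", "birth_year": 1980, "purchase": "book"},
    {"email": "alice@example.com", "name": "Alice A", "postcode": "75001", "birth_year": 1980, "purchase": "pen"},
    {"email": "bob@example.com",   "name": "Bob B",   "postcode": "75001", "birth_year": 1980, "purchase": "lamp"},
    {"email": "carol@example.com", "name": "Carol C", "postcode": "10115", "birth_year": 1992, "purchase": "desk"},
]

# Fields that name the person directly (removed before transfer) and fields that
# do not name them but can still single them out in combination.
DIRECT_IDENTIFIERS = ("email", "name")
QUASI_IDENTIFIERS = ("postcode", "birth_year")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.

    The key is held only by the data exporter. Without it the importer can
    neither reverse the value nor confirm a guessed identifier by recomputing it,
    which a plain unkeyed hash would allow.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Replace the direct identifiers of each record with a single pseudonym."""
    out = []
    for record in records:
        kept = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        kept["pseudonym"] = pseudonym(record["email"], key)
        out.append(kept)
    return out


def records_per_individual(pseudonymized) -> Counter:
    """Linkability is preserved: the same person always maps to the same pseudonym."""
    return Counter(r["pseudonym"] for r in pseudonymized)


def singled_out(pseudonymized, quasi=QUASI_IDENTIFIERS) -> set:
    """Pseudonyms whose quasi-identifier combination belongs to exactly one individual.

    Those individuals remain at risk of identification from the pseudonymized
    data alone (for example by anyone who knows one person's postcode and birth year),
    so the exporter should generalise or drop those fields before transfer.
    """
    by_combo = {}
    for record in pseudonymized:
        combo = tuple(record[q] for q in quasi)
        by_combo.setdefault(combo, set()).add(record["pseudonym"])
    return {next(iter(people)) for people in by_combo.values() if len(people) == 1}


if __name__ == "__main__":
    exporter_key = b"exporter-held-secret-key"  # constructed; in practice a random key in a KMS
    transferred = pseudonymize(SAMPLE_RECORDS, exporter_key)
    print("records per pseudonym:", dict(records_per_individual(transferred)))
    print("pseudonyms still singled out by quasi-identifiers:", singled_out(transferred))
```

In practice the key would be generated randomly and stored in the exporter's key management system; the point of the HMAC construction is that the importer receives linkable records without any means of recovering or verifying the underlying identifiers, which is the condition under which the guidance treats pseudonymization as a protection.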
The EDPB’s key recommendations for additional procedural or contractual protections include:
- Due diligence and transparency commitments. The data importer would commit to doing a deep dive on its national surveillance laws and their potential impacts on the data transfer. The data importer would also commit to providing as much notice as legally permitted concerning any request from, or disclosures to, government authorities. Finally, the data importer would state the restrictions it may be under in making such disclosures. All of this could be packaged as a formal due diligence exercise that the data exporter and data importer would complete prior to initiating a data transfer.
- Contractual commitments as to the IT solutions in use. Specifically, the data importer would make representations with respect to the absence of back doors or other software features intentionally designed to allow a government authority to access data.
- Enhanced technical audit provisions. The data importer would agree to more specific technical audit provisions designed to allow the data exporter to satisfy itself that the data importer was not giving personal data to government authorities. (Presumably these audits would be done by qualified third parties, but it’s hard to imagine that many US companies would be willing to submit to a potentially unlimited number of audits by EU companies or to allow unfettered access to the companies’ IT security features.)
- Use of “warrant canaries”. A warrant canary is a digital sign that a company keeps visible only if it has not received a National Security Letter (or similar requirement outside of the US). This is rather obviously a potentially risky option for a company that is subject to a gag order or any other tipping-off restriction. It is not clear whether the EDPB’s guidance will renew interest in the use of warrant canaries.
- Contractual commitments to exercise legal avenues to resist disclosure requests and to give notice to the affected parties of the request. The data importer would agree to avail itself of any rights it has to resist the disclosure request and to notify the data exporter and data subjects.
The EDPB has additional recommendations, and it is well worth reading the draft guidance in full. The guidance comes in two documents: an analysis of the European Essential Guarantees and the recommended supplementary measures. Organizations are invited to submit comments on the draft guidance during the unusually short consultation period, which ends on November 30, 2020.
Finally, it’s worth remembering that we are still awaiting the updated Standard Contractual Clauses promised by the EU authorities. The new SCCs are likely to incorporate at least some of the recommendations in the draft guidance for better protecting transferred personal data.
If you have any questions or concerns, please contact the Mintz Privacy & Cybersecurity team or your usual Mintz contact.