The European Data Protection Board (EDPB) Finalises Guidance on International Transfers of Personal Data Following Europe’s Top Court’s Schrems II Decision

International data transfers—where are we now?

In order to enable the continued flow of personal data between: (i) the EU and/or UK; and (ii) countries that have not been deemed to provide an "adequate" level of protection of personal data (including the U.S.), many organisations now rely on SCCs. However, while SCCs were not subject to the same fate as Privacy Shield, they did not escape the Schrems II case unscathed.

The CJEU did not invalidate the SCCs but did emphasise that they are not a silver bullet when it comes to international transfers of personal data; in particular, deciding that the underlying transfer that the SCCs apply to must also be assessed. The focus of this assessment is on any inconsistencies between the rights afforded to data subjects under the GDPR (pushed on to the data importer under the SCCs), and conflicting provisions of national laws in the receiving jurisdiction.

Following the Schrems II decision, in November 2020 the EDPB published its draft guidance on supplemental measures to ensure continued protection of personal data when subject to international transfers. Also in November 2020, the European Commission published its draft updated SCCs, which included provisions that were intended to combat the deficiencies identified in Schrems II.

After months of waiting, the finalised version of the new SCCs was published earlier this month, with the finalised EDPB guidance following a few days later.

How does it all fit together?

The new SCCs and the EDPB guidance must be read together. Pursuant to the CJEU's decision in Schrems II, SCCs continue to constitute a valid transfer protection mechanism, provided supplemental measures are also undertaken where required. Information on the form of these measures is then contained in the EDPB guidance.

The structure of the finalised guidance follows that of the original draft and the key recommendations are the same. The guidance sets out six stages that should be completed to assess the risks related to the transfer. The six stages are as follow:

1. Identify the transfer (including any onward transfers);
2. Identify the transfer tool that is relied on (which in most cases will be the SCCs, unless another tool applies (such as Binding Corporate Rules);
3. Assess whether the transfer tool is effective when considered alongside the national law and practices of the importer;
4. Adopt supplementary measures where necessary;
5. Consider whether any further procedural steps are required; and
6. Re-evaluate at appropriate intervals.

In addition to the guidance itself, Annex 2 includes examples of supplementary measures that can be relied upon in relation to step 4. These include technical measures (such as encryption and pseudonymisation), contractual measures (such as imposing obligations on the receiving party), and organisational measures (such as access controls and need-to-know only access to the data).

The guidance makes specific reference to section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) which will be a key consideration in relation to transfers to the U.S. We are still awaiting a guidance from the UK Information Commissioner's Office (ICO) on implications of the EDPB guidance in the post-Brexit landscape. The ICO is also due to publish information about updated SCCs for transfers of personal data subject to the UK GDPR.

What steps should I take?

The area of international data transfers has been a key area of regulatory focus so far in 2021. In addition to these latest Schrems II-inspired developments, the EU Commission has just confirmed the adequacy decision for the UK, which came after receiving a unanimous approval vote from EU Member States.

As a result, businesses should review their international data transfer arrangements to ensure they remain compliant in this fast-changing landscape. Undertaking the transfer assessments envisaged by the EDPB guidance should dovetail with the repapering exercise required for any transfers that rely on the old SCCs (the new SCCs in fact reference the need for a transfer assessment).

U.S.-based software service providers should also take note of this latest guidance and prepare responses for the raft of information requests from EU based customers looking to assess the effectiveness of transfer tools in place (especially for any businesses subject to section 702 of FISA).

Crucially, step 6 of the EDPB guidance includes an ongoing obligation on businesses to re-evaluate transfers at appropriate intervals. This re-evaluation should be done pursuant to a documented policy to ensure consistency and compliance with the accountability principle of the GDPR.