EDPB Schrems II Guidance: GDPR Data Transfers to Third Countries

The European Data Protection Board (EDPB) published recommendations on measures that supplement transfer tools to ensure compliance with the EU-level protection of personal data. These recommendations were the EDPB’s response to the invalidation of the EU-US Privacy Shield due to the Schrems II decision. Read about this decision here.

The new EU-US Data Privacy Framework made the transfers between the EU and the US became free again. However, it applies only to the US companies that had been certified under the former EU-US Privacy Shield, which means that the transfers are free only to a limited number of US companies. 

This was the EDPB’s action to clarify what you need to do in order to transfer data to a US company data processing tool lawfully, determine whether your data transfers are legal and safe and, if there are risks, what measures could help you reduce the risks. These don’t apply to all US companies now, but you can still use them for moving data to third countries.

In this article you'll learn:

• Why these recommendations have been published
• The six-step process toward compliance
• The measures you could implement for compliance
• Why data transfer to the US may not be lawful
• How to legally transfer data to the US and other third countries

Why These Recommendations?

Up until July 2020, data transfers between EU and US companies were being conducted on the basis of the EU-US Privacy Shield. US companies that process personal data could certify themselves under the Privacy Shield. Data transfers between any EU company and more than 5000 certified US companies were free as if that was data transfer within the EU.

Maximillian Schrems, a data privacy activist, challenged the Privacy Shield in court. The CJEU made a decision in his favour because the surveillance programs of the US government and their easy access to personal data stored on servers of US companies meant that the US does not provide an equal level of protection of data as in the EU, even if the US company has been certified under the Privacy Shield.

In the same decision, the CJEU confirmed the validity of the Standard Contract Clauses (SCC), so they became the most widely used tool for data transfer. In addition, the US government published a white paper noting that the probability of the US agencies to access EU citizens’ data was not any different than the probability that any other country’s intelligence agency would access the same data.

Nevertheless, the question of whether SCCs are enough for legal transfers of data to Facebook, Google, and other US companies remained a bit unclear. These recommendations clarify it.

Now the EU-US Data Privacy Framework applies, but the recommendations are still relevant for data transfers to third countries.

The Six-Step Process the EDPB Recommends

The TL;DR: you need to know where you transfer the data you control and on what basis. In the process, you have to assess the national laws of the country where you transfer data and, if necessary, introduce supplementary measures to protect your data.

According to the EDPB recommendations, the following six-step process will ensure GDPR-compliant data transfers:

Assess your transfers

You, as a data controller, have to know how your data flows from server to server from the moment you collect it to the moment of destruction. Among other things, you have to know at what point, how and why you collect it, how and why you process it, who processes it for you, and for how long you retain it.

If you process data outside of the EU, that makes you a data exporter. The data exporter has to know who processes their data, where it is being processed, and for what purpose. Also, you have to ensure that the data processor takes the necessary technical, organizational, and safety measures to protect your data.

Aside from your data processors, do not forget to check out their sub-processors, since they get to access your data, too.

Verify the transfer tools your transfer relies on

When EDPB says “tools for transferring of data”, they mean a legal basis for doing so. GDPR prescribes multiple such legal bases, including adequacy decisions, SCCs, binding corporate rules, user’s consent, user’s vital interest, public interest, and a few others. You can read more about it here. The key to conducting the second step well is to determine on what basis you transfer data to each of your data processors or sub-processors.

Processing data in the EU or in a third country for which the EU has an adequacy decision is free. It means that the EU has assessed and approved the level of data protection in such a third country.

If they haven’t done so for the country where you want to transfer your data, proceed with the next steps.

Assess the risks that the national law brings

Assess whether the transfer tool you rely on is effective regarding the circumstances of the transfer. This is the time to figure out whether transferring data to the country where you want to transfer it provides sufficient data protection.

In Section 29 of the Recommendations, EDPB explains that the transfer tool is effective if the national legislation applicable to the data importer does not prevent them from complying with the GDPR requirements regarding the transfer tool.

This means that if there is a collision between the GDPR and the national legislation regarding data protection, relying solely on a transfer tool is not enough. If now you wonder if transferring data to the United States relying on SCCs is enough to comply with the GDPR, the answer is no. You’ll need supplementary measures. More on that later.

The circumstances that define the legal context in assessing the risks include:

• The rule of law situation in the third country and the available mechanism to fight data protection violations
• Whether authorities have readily available access to personal data according to the national legislation
• Whether the national legislation of the third country provides data protection equal to the EU level
• The purpose of the data transfer (storage, HR, clinical trials, marketing, or others)
• Categories of personal data transferred
• Format of the data transferred (plain text, pseudonymized, encrypted)
• Types of entities involved in the processing
• Whether the data could be transferred to another third country to a sub-processor
  

Adopt and identify supplementary measures to protect your data

If the third-country legislation does not allow sufficient data protection, then you have to do the work yourself and protect your data that you need to be transferred. You can do that by adopting and implementing appropriate supplementary measures.

These measures can be contractual, organizational, or technical. In most cases, you’ll need at least technical measures. We’ll go more into detail of the measures further down in this article, but just to give you an idea, you may need to encrypt your data before transferring.

If your chosen supplementary measures in combination with the transfer tool ensure sufficient data protection equal to the GDPR standards, your transfer may go ahead.

If you cannot identify supplementary measures that are good enough to provide such protection, you must not start transferring data to third countries. If you transfer data already, you must stop with it immediately.

Take the necessary formal procedural steps

Your supplementary measures should supplement the SCCs, the BCRs, or any ad hoc clauses to the Data Processing Agreement. Make sure that the supplementary measures and the transfer tool (such as SCCs) do not contradict each other. If they do, it means that you do not rely on the transfer tool and you’ll need authorization by the national data protection authority.

This step is not hard to do but is highly technical in nature. Make sure you don’t slip here. Be careful with what you write down.

Re-evaluate the protection at appropriate intervals

You have to monitor and re-evaluate the legal developments in the third countries where you transfer data.

EDPB recommends that you at least put in place mechanisms to suspend or end transfers where:

• The data importer has breached the commitments related to the data transfers for which you are held accountable by the law, and
• The supplementary measures are no longer effective in the third country (such as making them ineffective due to legislation changes).

The re-evaluation purpose is to allow a quick reaction in the case of changes that are not under your control but could make you non-compliant with the GDPR (such as contract breaches by the data importer, changes of the national laws of the third country, or others).

What Supplementary Measures Are Recommended?

EDPB recommendations come with a non-exhaustive list of supplementary measures that you could have in mind when transferring data to third countries. They are divided into three groups: technical, organizational, and contractual measures.

Technical measures

The technical measures you employ are effective only if they provide data protection in a third country equal to that in the European Union. In other words, technical measures should ensure that no government or anyone else could access personal data.

The recommendations provide some use cases to give data exporters an idea of what could be an effective technical measure. They include:

• Encryption. As long as it meets the following standards:
  - The personal data is encrypted before the transmission to the data importer
  - The encryption is state-of-art
  - Only the data exporter controls the keys (or an entity from the EU or an adequate country)
  
• Encryption of data merely transiting through third countries. When you want to transfer data to an adequate country, but it passes through a third country, the following would apply:
  - State-of-art encryption is necessary
  - Decryption is only possible outside of the transit country
  - The data exporter controls the keys
  - The transport is secured with state-of-art measures
  
• Pseudonymization of data as long as it meets the following requirements:
  - It is done in a way that singling out a person based on such data is impossible without using additional information
  - The additional information must be stored in the EU or an adequate country
  - Only the data exporter controls the pseudonymization algorithm
  - The data exporter must ensure that a natural person cannot be singled out based on cross-referencing the pseudonymized data with data possessed by a government of the third country.
  
• Protected recipient of the personal data. Sometimes laws provide specific legal protections to some data recipients, such as medical or legal services providers. When the data exporter provides such services jointly with a data importer protected by the law of the third country, then the data transfer can be done based on a transfer tool along with the following supplementary measures:
  - The third-country national laws protect the data recipient
  - The privileges extend to all information, including password, encryption keys, etc.
  - The data importer is not employed in a way that allows the public authorities to access the data
  - The data is encrypted with state-of-art encryption means
  - Only the data importer possesses the decryption keys
  
• Split or multi-party processing. Some data controllers want to have their data processed by two or more data processors in third countries without disclosing to them the data the other processor has got. They split the data in a way that an individual processor cannot identify a natural person. In the end, they receive the results of processing independently and merge the pieces into personal or aggregated data.

If you want to process data this way in a third country, you can transfer it if, on top of all other requirements, you ensure that:

• No natural person can be identified with the split data
• The pieces are transferred to separate entities in a separate jurisdiction
• The processing algorithm is safe
• There is no evidence that the governments of jurisdictions where you transfer data cooperate in accessing such data
• No natural person can be identified based on cross-referencing the pseudonymized data with data possessed by a government of the third country.

When no technical measure is enough

On top of the recommendation for employing these technical measures, EDPB further clarifies the rules around data transfers by pointing out two situations in which no technical measure is sufficient for a lawful data transfer. These situations are:

1. Transfer to cloud data processors that require access to data in the clear in a third country where the public authorities are granted access to personal data that is disproportionate with what is normally expected in a democratic society, and
2. Remote access to data for business purposes, i.e. sharing data with business partners in the third country, in the case where the third country public authorities are granted access to personal data that is disproportionate with what is normally expected in a democratic society.

Organizational measures

They include:

• Internal policies, but they are effective only where the data access request made by the public authorities is compatible with the EU laws
• Transparency and accountability measures, where the third country legislation do not prevent data importer to make public data requests made by public authorities
• Organization methods and data minimization measures, where they are implemented in combination with the technical measures described above
• Adoption of standards and best practices, such as data security measures, ISO standards, and others.
  

Other contractual measures

These measures are to be used in combination with technical and organizational measures. They are not enough for lawful data transfer by themselves.

The recommendations list many contractual clauses that you could add to the SCCs or BCRs in order to strengthen them when necessary. They include obligations for data importers to employ the necessary technical, organizational and other measures to protect the personal data transferred to them.

Are Data Transfers to the United States Lawful and Free?

It depends on whether the business receiving the personal data for processing is certified under the former Privacy Shield.

Most popular data processors, such as Meta, Google, Amazon, popular email automation software, etc, are certified. You are free to use them and send them your data as if they were EU companies.

But you cannot send data freely to those that are not certified, unless you implement the six-step process described above.

There are two US laws you should know about - the FISA 1978 and the CLOUD Act 2018. They both complicate data transfers from Europe to the US.

The Foreign Intelligence Surveillance Act 1978 prescribes the procedures under which US authorities can collect surveillance and intelligence information on “foreign powers and their agents suspected of espionage and terrorism”. Basically, these are procedures under which US authorities can spy foreign nationals and governments.

In the Recommendations, EDPB explicitly says that FISA provisions do not respect the minimum required data protection safeguards required by the EU law (page 15), therefore data transfers to the US are not lawful without proper supplementary measures.

The CLOUD Act 2018 (Clarifying Lawful Overseas Use of Data Act) entitles US public authorities to request and get data stored on servers owned or operated by US companies no matter where the server is located, but only when requested by a warrant. The companies are obliged to provide such data, but can also refuse to share it if that violates the national privacy legislation of the countries involved (the country where the server is located, country of the data subject, etc.). 

To put it simply, US authorities can warrant companies such as Amazon Web Services, Microsoft, or Facebook the data stored on their servers in Europe, Asia, or anywhere else, and they will have to comply to avoid penalties. Maybe they’ll be able to challenge the request, maybe not.

Governments often help each other in criminal cases, but those procedures are usually slow. The CLOUD Act aims to streamline the procedure and allows foreign governments to enter into reciprocal treaties with the US.

However, the EDPB and the EDPS find that the CLOUD Act is in conflict with the GDPR. A request by a US authority does not necessarily make a legal ground for the transfer, therefore data transfers to the US cannot be based solely on a warrant issued by US authorities. According to their opinion, the warrant or request issued by a US public authority is not a legal ground for a data transfer unless it has been recognized by an international agreement, such as a treaty between the US and another country.

Any other data transfer under the CLOUD Act 2018 would mean a violation of the GDPR. 

So, How to Transfer Data to Third Countries Lawfully?

If you transfer data to servers owned or operated by a company headquartered in a third country here are the steps you have to take to comply with the GDPR and ensure that your users’ data is safe:

• Map out your data flows to see to which data processors and countries you transfer data. A Data Protection Impact Assessment is a good practice in such situations (Article 35 of GDPR).
• Ensure that you have a valid data processing agreement with your data processors.
• Ensure that you know who the subprocessors of your data processors are. They have access to your data, too.
• Determine the legal grounds for the transfers of data to third countries
• If you find that you transfer data to third countries for which the EU has no valid adequacy decision, proceed with assessing the national laws. Your data processor is obliged to help you comply with the GDPR, so contact them. You can also contact your national data protection authority. If the data processor is a US company, skip this step, because EDPB has made it clear that their law does not protect personal data well enough.
• If you cannot assess foreign laws yourself, talk to your data processors and your national data protection authority.
• Choose your supplementary measures based on your circumstances. If you are not sure what to do, data encryption is the safest way to go.
• Document your supplementary measures in the SCCs, BCRs, and the contracts with the data processor
• Re-evaluate the foreign laws and the effectiveness of your measures from time to time to make sure that you remain compliant.

Conclusion

Fortunately for many businesses in the EU and the US, the data flows between the Eu and the US are free again. However, those to other countries are not.

Your users entrust their data and you need to protect it properly.

The law requires you to take a few more steps toward compliance, but EDPB shows you the way. And it is doable.