The EDPB recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data regarding restricted transfers were adopted on 18 June 2021.

Transfers of personal data to countries outside the European Economic Area and outside those specifically approved as offering security for personal data rely on transfer tools set out in GDPR and UK GDPR.  The ECJ judgement in Schrems II highlighted that these tools should be supplemented by “supplemental measures”, with checks to be carried out by the data exporter.

While it was accepted that an exporter should cease exporting data if any security issues about the personal data were brought to its attention, the shift from passive monitoring to active checks was a surprise.  The European Data Protection Board (updated Article 29 Working Party and advisor to the EU on data protection) published draft recommendations for exporters in December 2020.  The EDPB approach is a series of steps to follow, supported with potential sources of information and examples.  The guidance was approved in final form in late June 2021.  The text of the guidance can be found here: https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf

Summary of the steps involved

1 Know your transfers: identify what personal data is exported outside of the UK, the countries to which it is exported and other circumstances.  Article 30 records should indicate this.

2 Verify the transfer tool your transfer relies on: again, Article 30 records should indicate this.  The transfer tools are: Standard Contractual Clauses between exporter and importer, Binding Corporate Rules between group companies, a transfer necessary to fulfil a contract with the data subject, or specific, informed consent.

3 Assess if there is anything in the law and/or practices in force in the third country that might work against the safeguards of the transfer tools in use.  The EDPB advises focusing on the third country’s legislation and the transfer tool your organisation is relying on.  This should include assessing whether there is a data protection framework in place which meets EU standards; whether the framework is applied and complied with in practice; whether there are practices incompatible with the commitments of the transfer tool where the third country does not have a data protection framework; and whether the third country has legislation which potentially compromises EU data protection standards such as access to data by public authorities for purposes of surveillance.  (Note that there is information on this aspect in the EDPB European Essential Guarantees recommendations here: https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-022020-european-essential-guarantees_en.)

Where the data protection framework does not meet EU standards, either in its application or in practice, personal data transfers should be suspended or fortified with supplemental measures.

If there are uncertainties surrounding the potential application of third country legislation to the personal data transferred, the EDPB suggests two courses of action.  The transfer of personal data may be suspended pending the implementation of supplemental measures to fortify the data protection, or alternatively the transfer may proceed without supplemental measures, provided that it is possible to demonstrate and document that there is no reason to believe that relevant and problematic legislation will be interpreted or applied in practice so as to compromise the personal data transferred.

As ever, the process outlined should be documented for accountability.

4 Identify and adopt supplemental measures to bring data protection up to the level required.  Document why particular measures have been selected and what additional protection they provide.  If none of the supplementary measures can remedy the lack of an accountable data protection framework which meets EU standards, then transfers of personal data must be suspended indefinitely.

5 Take any formal procedural steps the adoption of your supplemental measures may require.

6 Re-evaluate the situation at appropriate intervals.

Summary of the supplemental measures

Supplemental measures could be contractual, organisational or technical but the EDPB advises that contractual and organisational measures are unlikely to be sufficient to overcome access to personal data by public authorities of third countries.

Technical measures would include encryption of the data, anonymisation of the data, the length and complexity of data processing workflow and the nature of the data (risk assessment).  Detailed examples are given in Annex 2 of the EDPB recommendations here: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf

Our recommendation

Identify your data exports.  Look first at data processors such as Microsoft, Apple and webservers, and remember to include apps.  Identify which ones are located outside of the EU (where all data transfers are deemed to offer adequate protection for personal data) and outside the other countries on the approved list.  Prioritise the ones where further checks are required and hit the most important ones first.  Visit their websites and find out if they have put supplemental measures in place already.  Keep a record of your enquiries: dates, websites visited and wordings relied upon.  Make a start on this activity as soon as you can: the final wording of the EDPB guidance is now in place and will be followed by the UK’s Information Commissioner as it came out of the ECJ ruling.  This is a service that we are already supplying to clients who outsource some of their data protection compliance to us.

Mandy P Webster, Data Protection Consultant