On November 11, 2020, the European Data Protection Board (EDPB), composed of the European data protection regulators (DPAs), issued two long-awaited sets of recommendations. These recommendations are critical for any company exporting or importing EU personal data.
The first set contains a roadmap of the steps data exporters should take when relying on EU-approved data transfer mechanisms to transfer data from the European Economic Area (EEA) to another country (Transfer Tool Recommendations). The second set of recommendations provides guidance on how to assess a third country's surveillance measures when exporting personal data outside of the EEA (European Essential Guarantees (EEG) Recommendations). The latter are relevant to businesses when assessing a third country's level of data protection, and to DPAs when assessing a third country's adequacy. The recommendations are applicable immediately, but the Transfer Tool Recommendations are open for public consultation until November 30. Organizations can provide comments here.
One day later, on November 12, 2020, the EU Commission issued a new set of standard contractual clauses (SCCs) which is now subject to public consultation. This is one of the most significant developments in EU data protection law since the entry into force of the General Data Protection Regulation (GDPR). We will provide further insight on this topic in a subsequent alert.
For a deeper dive on this topic, please register here for our EU privacy and cybersecurity team's webinar on Thursday, November 19, 2020 at 9 a.m. PT / 12 p.m. ET / 6 p.m. CET.
Background
On July 16, 2020, the European Court of Justice (ECJ) invalidated the EU-U.S. Privacy Shield framework and required organizations relying on the SCCs to assess whether the law of the third country to which EEA data is being transferred ensured a level of protection essentially equivalent to the level guaranteed in the EEA (for more background on Schrems II, see our post on The WSGR Data Advisor, ECJ Invalidates EU-U.S. Privacy Shield and Upholds the Standard Contractual Clauses). If the safeguards contained in the SCCs are insufficient, organizations exporting data must add supplementary measures to ensure such a level of protection.
A Roadmap to Assess Data Transfers and Implement Appropriate Safeguards
The Transfer Tool Recommendations provide a six-step roadmap to assist organizations exporting data out of the EEA. The roadmap applies to organizations relying on a data transfer mechanism under Article 46 GDPR (in particular, EU-approved standard contractual clauses and Binding Corporate Rules (BCRs)) to i) determine whether they must supplement data transfer mechanisms with safeguards, and ii) help them identify and implement such safeguards.
Assessing a Third Country's Legal Framework for Surveillance
The EEG Recommendations complement the Transfer Tool Recommendations and provide organizations with guidance on how to assess whether a third country's surveillance laws constitute a justifiable interference with EU data protection rights. This is relevant when assessing the data protection laws and practices of third countries under the third step of the roadmap discussed above.
The EEG Recommendations set out four European Essential Guarantees which need to be addressed by the laws in countries to which data is transferred in order to ensure that government surveillance and access to personal data constitute a justifiable interference to the data protection rights of EU citizens:
Conclusions and Next Steps
These recommendations have a significant impact on any company importing or exporting EU personal data. While the recommendations are not binding, they represent the views of DPAs, which are responsible for enforcing the GDPR. The Transfer Tool Recommendations are subject to public consultation and any impacted party should consider submitting a comment.
In light of these recommendations, companies should carefully assess their data transfers by conducting data transfer impact assessments following the steps outlined by the EDPB. These new assessments represent an additional administrative burden imposed on companies under the accountability principle, but they will undoubtedly be requested by regulators in the course of a complaint or investigation. It is likely that NGOs will file complaints with DPAs or initiate actions before courts against companies transferring personal data in violation of these recommendations.
Our EU privacy and cybersecurity team is closely monitoring this topic, including further guidance from the EDPB on BCRs and ad-hoc contractual clauses, and will provide updates when they are released.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and cybersecurity issues in Europe and beyond. For more information, please contact Cédric Burton, Jan Dhont, Laura De Boel, Lore Leitner, Nikolaos Theodorakis, Lydia Parnes, Chris Olsen, or another member of the firm's privacy and cybersecurity practice.
Christopher Foo, Alexandre Lépine, and Maximin Orsero contributed to the preparation of this alert.