The European Data Protection Board (EDPB) published recommendations on measures that supplement transfer tools to ensure compliance with the EU-level protection of personal data. These recommendations were the EDPB’s response to the invalidation of the EU-US Privacy Shield due to the Schrems II decision. Read about this decision here.
The new EU-US Data Privacy Framework has made transfers between the EU and the US free again. However, it applies only to US companies that had been certified under the former EU-US Privacy Shield, which means that transfers are free only to a limited number of US companies.
With these recommendations, the EDPB clarified what you need to do in order to transfer data lawfully to a US company’s data processing tool, how to determine whether your data transfers are legal and safe and, if there are risks, what measures could help you reduce them. The recommendations no longer apply to every US company, but you can still use them for moving data to third countries.
Up until July 2020, data transfers between EU and US companies were conducted on the basis of the EU-US Privacy Shield. US companies that process personal data could certify themselves under the Privacy Shield. Data transfers between any EU company and more than 5000 certified US companies were free, as if they were data transfers within the EU.
Maximillian Schrems, a data privacy activist, challenged the Privacy Shield in court. The CJEU made a decision in his favour because the surveillance programs of the US government and their easy access to personal data stored on servers of US companies meant that the US does not provide an equal level of protection of data as in the EU, even if the US company has been certified under the Privacy Shield.
In the same decision, the CJEU confirmed the validity of the Standard Contractual Clauses (SCCs), so they became the most widely used tool for data transfers. In addition, the US government published a white paper arguing that US agencies were no more likely to access EU citizens’ data than any other country’s intelligence agency was to access the same data.
Nevertheless, the question of whether SCCs are enough for legal transfers of data to Facebook, Google, and other US companies remained a bit unclear. These recommendations clarify it.
Now the EU-US Data Privacy Framework applies, but the recommendations are still relevant for data transfers to third countries.
The TL;DR: you need to know where you transfer the data you control and on what basis. In the process, you have to assess the national laws of the country where you transfer data and, if necessary, introduce supplementary measures to protect your data.
According to the EDPB recommendations, the following six-step process will ensure GDPR-compliant data transfers:
You, as a data controller, have to know how your data flows from server to server from the moment you collect it to the moment of destruction. Among other things, you have to know at what point, how and why you collect it, how and why you process it, who processes it for you, and for how long you retain it.
If you process data outside of the EU, that makes you a data exporter. The data exporter has to know who processes their data, where it is being processed, and for what purpose. Also, you have to ensure that the data processor takes the necessary technical, organizational, and safety measures to protect your data.
Aside from your data processors, do not forget to check out their sub-processors, since they get to access your data, too.
When EDPB says “tools for transferring of data”, they mean a legal basis for doing so. GDPR prescribes multiple such legal bases, including adequacy decisions, SCCs, binding corporate rules, user’s consent, user’s vital interest, public interest, and a few others. You can read more about it here. The key to conducting the second step well is to determine on what basis you transfer data to each of your data processors or sub-processors.
Processing data in the EU or in a third country for which the EU has an adequacy decision is free. It means that the EU has assessed and approved the level of data protection in such a third country.
If they haven’t done so for the country where you want to transfer your data, proceed with the next steps.
Assess whether the transfer tool you rely on is effective regarding the circumstances of the transfer. This is the time to figure out whether transferring data to the country where you want to transfer it provides sufficient data protection.
In Section 29 of the Recommendations, EDPB explains that the transfer tool is effective if the national legislation applicable to the data importer does not prevent them from complying with the GDPR requirements regarding the transfer tool.
This means that if there is a conflict between the GDPR and the national legislation regarding data protection, relying solely on a transfer tool is not enough. If you are now wondering whether transferring data to the United States on the basis of SCCs alone is enough to comply with the GDPR, the answer is no. You’ll need supplementary measures. More on that later.
The circumstances that define the legal context in assessing the risks include:
If the third-country legislation does not allow sufficient data protection, then you have to do the work yourself and protect the data you need to transfer. You can do that by adopting and implementing appropriate supplementary measures.
These measures can be contractual, organizational, or technical. In most cases, you’ll need at least technical measures. We’ll go more into detail of the measures further down in this article, but just to give you an idea, you may need to encrypt your data before transferring.
If your chosen supplementary measures in combination with the transfer tool ensure sufficient data protection equal to the GDPR standards, your transfer may go ahead.
If you cannot identify supplementary measures that are good enough to provide such protection, you must not start transferring data to third countries. If you are already transferring data, you must stop immediately.
Your supplementary measures should supplement the SCCs, the BCRs, or any ad hoc clauses to the Data Processing Agreement. Make sure that the supplementary measures and the transfer tool (such as SCCs) do not contradict each other. If they do, it means that you do not rely on the transfer tool and you’ll need authorization by the national data protection authority.
This step is not hard to do but is highly technical in nature. Make sure you don’t slip here. Be careful with what you write down.
You have to monitor and re-evaluate the legal developments in the third countries where you transfer data.
EDPB recommends that you at least put in place mechanisms to suspend or end transfers where:
The re-evaluation purpose is to allow a quick reaction in the case of changes that are not under your control but could make you non-compliant with the GDPR (such as contract breaches by the data importer, changes of the national laws of the third country, or others).
EDPB recommendations come with a non-exhaustive list of supplementary measures that you could have in mind when transferring data to third countries. They are divided into three groups: technical, organizational, and contractual measures.
The technical measures you employ are effective only if they provide data protection in a third country equal to that in the European Union. In other words, technical measures should ensure that no government or anyone else could access personal data.
The recommendations provide some use cases to give data exporters an idea of what could be an effective technical measure. They include:
If you want to process data this way in a third country, you can transfer it if, on top of all other requirements, you ensure that:
On top of the recommendation for employing these technical measures, EDPB further clarifies the rules around data transfers by pointing out two situations in which no technical measure is sufficient for a lawful data transfer. These situations are:
They include:
These measures are to be used in combination with technical and organizational measures. They are not enough for lawful data transfer by themselves.
The recommendations list many contractual clauses that you could add to the SCCs or BCRs in order to strengthen them when necessary. They include obligations for data importers to employ the necessary technical, organizational and other measures to protect the personal data transferred to them.
It depends on whether the business receiving the personal data for processing is certified under the former Privacy Shield.
Most popular data processors, such as Meta, Google, Amazon, popular email automation software, etc., are certified. You are free to use them and send them your data as if they were EU companies.
But you cannot send data freely to those that are not certified, unless you implement the six-step process described above.
There are two US laws you should know about - the FISA 1978 and the CLOUD Act 2018. They both complicate data transfers from Europe to the US.
The Foreign Intelligence Surveillance Act 1978 prescribes the procedures under which US authorities can collect surveillance and intelligence information on “foreign powers and their agents suspected of espionage and terrorism”. Basically, these are procedures under which US authorities can spy on foreign nationals and governments.
In the Recommendations, the EDPB explicitly says that the FISA provisions do not respect the minimum data protection safeguards required by EU law (page 15); therefore, data transfers to the US are not lawful without proper supplementary measures.
The CLOUD Act 2018 (Clarifying Lawful Overseas Use of Data Act) entitles US public authorities to request and get data stored on servers owned or operated by US companies no matter where the server is located, but only when requested by a warrant. The companies are obliged to provide such data, but can also refuse to share it if that violates the national privacy legislation of the countries involved (the country where the server is located, country of the data subject, etc.).
To put it simply, US authorities can serve companies such as Amazon Web Services, Microsoft, or Facebook with a warrant for the data stored on their servers in Europe, Asia, or anywhere else, and the companies will have to comply to avoid penalties. Maybe they’ll be able to challenge the request, maybe not.
Governments often help each other in criminal cases, but those procedures are usually slow. The CLOUD Act aims to streamline the procedure and allows foreign governments to enter into reciprocal treaties with the US.
However, the EDPB and the EDPS find that the CLOUD Act is in conflict with the GDPR. A request by a US authority does not necessarily constitute a legal ground for the transfer; therefore, data transfers to the US cannot be based solely on a warrant issued by US authorities. According to their opinion, a warrant or request issued by a US public authority is not a legal ground for a data transfer unless it has been recognized by an international agreement, such as a treaty between the US and another country.
Any other data transfer under the CLOUD Act 2018 would mean a violation of the GDPR.
If you transfer data to servers owned or operated by a company headquartered in a third country, here are the steps you have to take to comply with the GDPR and ensure that your users’ data is safe:
Fortunately for many businesses in the EU and the US, data flows between the EU and the US are free again. However, those to other countries are not.
Your users entrust you with their data, and you need to protect it properly.
The law requires you to take a few more steps toward compliance, but EDPB shows you the way. And it is doable.