Having conducted the TIA – What’s next?: Finding effective supplementary measures
In the previous two blog posts, we explored the new obligations imposed by the CJEU in its Schrems II ruling on data exporters intending to export personal data outside the European Economic Area. In the absence of an EU Commission adequacy decision attesting that the country of destination offers a level of data protection essentially equivalent to EU standards, such transfers can, amongst others, still be conducted based on Standard Contractual Clauses (SCCs). Prior to the transfer, the data exporter must however conduct a Transfer Impact Assessment (TIA). Through this TIA, two outcomes can be reached:
- The data exporter concludes that the country of destination offers an essentially equivalent protection allowing the data importer to comply with its obligations under the SCCs. The transfer can take place.
- Conversely, the TIA can reveal that the destination country’s legislation and/or practices hinder the data importer from complying with its obligations. This is particularly the case where public authorities can access the transferred data. Here, data can only be exported where effective supplementary measures are adopted to remedy the third country’s lack of protection.
Neither the CJEU in its Schrems II ruling nor the SCCs themselves list suitable measures. Instead, the European Data Protection Board (EDPB) has provided useful guidance in its Recommendations on measures that supplement transfer tools. Thus, in this post, we will analyse the recommendations to explain how to find effective supplementary measures and provide some examples of such measures.
Identifying suitable supplementary measures on a case-by-case basis
It is important to note at the outset that while the EDPB demands the identification of suitable supplementary measures on a case-by-case basis, it acknowledges that such an assessment does not need to be repeated every time a specific type of data is exported to the same country under the same circumstances. Instead, it suffices to identify suitable measures once and to adopt them consistently for future transfers. Moreover, a TIA might indicate that only some of the data to be transferred requires supplementary measures whereas other data does not. In such cases, supplementary measures may be adopted only in relation to the data that requires them to render the transfer valid.
Suitable measures may be of contractual, technical or organisational nature. Depending on the specifics of the transfer, measures of one category can already suffice to render the transfer valid or combining different measures might be necessary. The EDPB cautions that, particularly where public authorities in the third country have access to the data due to legislation and/or practices to this end, technical measures are often the sole means to effectively impede or render ineffective such access. Contractual or organisational measures can then be adopted to complement technical measures and increase the level of data protection overall.
The EDPB further provides a non-exhaustive list of factors that should be considered when determining which supplementary measures are most suitable. Data exporters can consider: the format of the data (plain text, pseudonymised or encrypted?), the data’s nature (‘ordinary’ or sensitive data?), the length and complexity of the data flow and how many actors are involved, the practical application of the third country’s law, and the possibility that the data could be subjected to onward transfers within the country of destination or to a further third country. Having considered these factors, data exporters should then consider which technical, contractual and organisational measures best target the identified risks to personal data protection.
Annex 2 of the recommendations provides examples of suitable technical, contractual and organisational measures and illustrates their practical effects via exemplary scenarios. In the following, we will highlight some of these scenarios to illustrate which measures are most effective in which situations.
Technical measures are especially suitable where a data importer is incapable of complying with the guarantees enshrined in the SCCs due to public authorities’ access to the data. Where properly implemented, technical measures strive to prevent public authorities from identifying data subjects and inferring information about them. Encryption (clear text is converted into ciphertext and only becomes readable again when using the correct key) and pseudonymisation (personal data can no longer be attributed to a specific data subject without the use of additional information) prove most effective in these situations. Depending on the circumstances of the data transfer, pseudonymisation and encryption must fulfil different criteria.
Firstly, a data exporter could simply store data in a third country, e.g., for backup purposes, without access to the data in the clear being necessary. To prevent public authorities’ access, the data should be subjected to strong encryption before being transferred, and the importer’s identity should be verified. The encryption algorithms as well as their parameterisation must conform to the state of the art, be robust against cryptanalysis by public authorities, and the algorithms must be properly implemented and maintained.
Where the data exporter reliably manages the keys under its or another trusted entity’s control, the data can be transferred.
Secondly, a data exporter can export data for further processing in the third country. In such a scenario, the data must be pseudonymised prior to the transfer. Any additional information allowing the re-identification of data subjects must be held by the data exporter and kept separately within the EU, or by a trusted entity in a third country whose jurisdiction offers an essentially equivalent level of protection to the EEA.
To allow the transfer, the exporter must retain sole control over the mechanisms enabling re-identification, disclosure of the additional information must be prevented by appropriate technical or organisational safeguards, and no information at the disposal of public authorities may allow for the identification of natural persons.
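The second scenario in practice, as an added illustration that is not part of the EDPB recommendations or the original post: the exporter replaces identifying attributes with keyed pseudonyms, exports only the pseudonymised set, and keeps both the key and the pseudonym-to-identity mapping (the "additional information") under its own control in the EEA. The records, field names and key are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records held by the EU-based data exporter (not real people).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.eu", "orders": 3},
    {"name": "Bob Example", "email": "bob@example.eu", "orders": 1},
]
IDENTIFYING_FIELDS = ("name", "email")


def pseudonymise(records, key):
    """Split records into the set to export and the 'additional information'.

    The exported set carries only a keyed pseudonym plus the attributes needed
    for processing; the mapping from pseudonym back to identity stays with the
    exporter (or a trusted entity in a jurisdiction with equivalent protection).
    """
    export_set, additional_info = [], {}
    for rec in records:
        identity = "|".join(rec[f] for f in IDENTIFYING_FIELDS).encode()
        # HMAC rather than a bare hash: without the key, pseudonyms cannot be
        # recomputed from guessed names or e-mail addresses, so the key itself
        # is part of the additional information under the exporter's sole control.
        pseudonym = hmac.new(key, identity, hashlib.sha256).hexdigest()
        export_set.append({"id": pseudonym,
                           **{k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}})
        additional_info[pseudonym] = {f: rec[f] for f in IDENTIFYING_FIELDS}
    return export_set, additional_info


def export_is_pseudonymised(export_set):
    """Pre-transfer check: no exported record may carry an identifying field."""
    return all(not any(f in rec for f in IDENTIFYING_FIELDS) for rec in export_set)


def reidentify(export_record, additional_info):
    """Only the holder of the additional information can perform this step."""
    return additional_info.get(export_record["id"])


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated and retained in the EEA
    exported, kept_in_eu = pseudonymise(RECORDS, key)
    assert export_is_pseudonymised(exported)
    print("sent to importer:", exported)
    print("re-identified locally:", reidentify(exported[0], kept_in_eu))
```

Because the pseudonym is deterministic for a given key, later batches pseudonymised with the same key remain linkable for the importer's processing, while a key rotation breaks that linkage deliberately.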
It can equally be necessary to prevent public authorities from accessing data while it transits between exporter and importer. Here, the exporter must employ transport encryption via state-of-the-art encryption protocols and implement additional protective measures against attacks on the sending and receiving systems providing that transport encryption. Where the transport encryption itself fails to provide appropriate security, the data should also be encrypted end-to-end on the application layer. The encryption algorithms and their parameterisation should conform to the state of the art, be robust against cryptanalysis, and the keys must be reliably managed.
Hence, technical measures such as encryption and pseudonymisation of the data are crucial to supplement the SCCs where a third country fails to provide protection of personal data essentially equivalent to EU standards, especially because of public authority access. Data exporters should ensure that they use state-of-the-art technologies that effectively prevent such access. Where data is transferred for purposes other than the scenarios just described, consulting the recommendations and their additional scenarios can help in identifying effective technical measures.
Additionally, contractual measures can be adopted. However, considering that public authorities are not party to the contract between the data exporter and importer, such measures can generally not prevent public authority access. Nevertheless, in combination with technical and organisational measures, they can provide further guarantees. For instance, a contractual clause can be inserted to oblige the data importer to implement specific technical measures specified by the data exporter.
Additionally, the importer can be required to disclose certain information on public authorities’ access or to guarantee that it has not undertaken any action facilitating such access. Other possible contractual measures obliging data importers to take specific actions or to empower data subjects to exercise their rights can be found in the EDPB recommendations.
In addition to effective technical and contractual measures, organisational measures can contribute to increased protection of the data to be transferred. Similar to contractual measures, they often fail to render a transfer valid on their own but can be effective in combination with technical and contractual measures. Possible organisational measures include internal policies for the governance of transfers that clearly allocate responsibilities and define operating procedures for handling public authorities’ access requests, as well as training procedures for personnel; transparency and accountability measures requiring proper documentation of public authorities’ access requests and the responses to them; additional data minimisation measures; and the adoption of strict data security and data privacy policies.
Hence, transferring personal data to a third country lacking an essentially equivalent level of data protection to the EEA’s regime has become more burdensome since the Schrems II ruling. While such transfers remain possible based on the SCCs, the simple adoption of the SCCs does not suffice. Instead, data exporters must thoroughly assess whether the law and practices in the third country potentially prevent the data importer from complying with its contractual guarantees under the SCCs. Even where this is the case, the transfer can still be conducted provided that effective supplementary measures are implemented. These can be of a technical, organisational or contractual nature. Oftentimes, technical measures, especially effective encryption or pseudonymisation, are necessary to effectively remedy the third country’s insufficient protection. In such cases, complementary contractual and/or organisational measures are advisable to increase the level of protection overall.