On 21 June 2021, the European Data Protection Board (EDPB) published its finalised version of the Recommendations on supplementary measures (the Recommendations) to assist companies in complying with the Schrems II judgement.
This comes just a couple of weeks after the European Commission (the Commission) published new, revised Standard Contractual Clauses (New SCCs) (read our blog post for more information). Like the Recommendations, the New SCCs also aim to assist organisations with the complex Schrems II requirements.
The New SCCs and the Recommendations show that a compromise between the Commission and the EDPB has been reached. Previously, the EDPB and the Commission had diverging views on how to interpret the Schrems II judgement. The main point of contention was whether companies should be permitted to take a risk-based, likelihood-of-access approach when assessing whether a third country’s access laws and practices provide adequate protection for personal data. This approach was disputed by the EDPB and the European Data Protection Supervisor, who considered in their joint opinion on the Commission’s draft standard contractual clauses back in November 2020 that even theoretical access to personal data should be of concern.
The Recommendations now state that when making a transfer impact assessment (TIA), the data exporter may consider the likelihood of access by public authorities, i.e. “practical experience of the importer with relevant prior instances of requests for access received from public authorities in the third country”. However, this provision is not without its caveats. Footnote 54 states that the TIA report will need to “include comprehensive information on the legal assessment of the legislation and practices, and of their application to the specific transfers, the internal procedure to produce the assessment (including information on actors involved in the assessment - e.g. law firms, consultants, or internal departments) and dates of the checks”. It also adds that “Reports should be endorsed by the legal representative of the exporter”.
Footnote 42 of the Recommendations could also be read positively, as providing some leeway for organisations where the data being transferred is minimal and unlikely to be of interest to public authorities. It states that “the categories of data transferred and their sensitiveness will be relevant to the assessment of the risk and the appropriateness of the measures.”
The majority of the other Recommendations remain unchanged compared with the previous draft. However, it is apparent that if organisations wish to transfer personal data to a jurisdiction with “problematic legislation” without using sufficient additional safeguards because they have “no reason to believe that relevant and problematic legislation will be applied, in practice, to their transfer”, the EDPB’s expectation as to the level of research and justification needed to substantiate that belief looks challenging. Therefore, conducting transfer impact assessments will remain an uncomfortable process. The next important phase in calibrating your approach to Schrems II is to track how DPAs enforce in the coming weeks and months, with the Irish DPA’s decision on Facebook’s exports imminent (EDPB consistency mechanism permitting).