The EDPB adopted on 18 June a final version of its recommendations regarding the transfer of personal data to countries outside the EEA (third countries) that do not provide sufficient protection for personal data and where “supplementary measures” may be required. The background for the recommendations is the CJEU’s ruling in Schrems II (see here), which since its publication has caused uncertainty regarding transfers to third countries and, in particular, the use of public cloud services that involve such transfers.
The CJEU found in Schrems II that when personal data is transferred to a third country, the protection for the personal data must be essentially equivalent to the level of protection guaranteed within the EEA.
The recommendations were adopted to help exporters of personal data assess which supplementary measures (technical, contractual or organisational) may be required in order to compensate for the potentially insufficient protection of personal data in the receiving country. Such an assessment may also lead to the conclusion that the transfer cannot be performed, and that certain public cloud services therefore cannot be used in the intended manner.
For this assessment, the EDPB presents a list consisting of six steps:
- Map all the third country transfers (“know your transfers”).
- Verify the transfer tool under Chapter V of the GDPR that your transfer relies on, for example standard contractual clauses or binding corporate rules.
- Assess whether anything in the law and/or practices in force in the third country may impinge on the effectiveness of the transfer tool for the transfer at hand.
- Identify and adopt supplementary measures that may be required in order to ensure a level of protection for the personal data that is essentially equivalent to the level of protection guaranteed within the EEA.
- Take any formal procedural steps that the adoption of your supplementary measures may require, depending on which Article 46 GDPR transfer tool your transfer relies on.
- Re-evaluate, at appropriate intervals, the level of protection for your personal data and ensure that nothing that can affect the level of protection has occurred or will occur.
In the final version of the recommendations, the EDPB emphasises the assessment of the level of protection in the third country to which the personal data is transferred (step 3 above) and requires an extensive and accurate investigation and assessment of the data protection conditions in that country. However, the EDPB states that if it is uncertain whether the data importer is covered by “a problematic legislation” or not, you are allowed to take into consideration whether the data importer, or other operators in the same sector, have been subject to requests for access from public authorities in the third country. That is one among several factors that can be taken into consideration when assessing whether there is reason to assume that a problematic legislation will be applicable to the transferred personal data.
The purpose of the supplementary measures is to compensate for the insufficiency in the third country’s level of protection and to ensure a level of protection for personal data that is essentially equivalent to the one guaranteed within the EEA. The assessment of whether supplementary measures are needed must be based on the circumstances of each individual case, taking into account, among other things, the format (encrypted, pseudonymised) and the nature of the personal data.
One of the recommendations’ appendices describes seven use cases. Five of them are examples of situations where specific supplementary technical measures, such as correctly implemented encryption or pseudonymisation, may constitute sufficient security measures. The two remaining use cases are examples of situations where the EDPB makes the assessment that there are no technical security measures sufficient to meet the EU level of protection.
In some respects the final version of the recommendations gives better guidance than the draft, but it still lacks the clear support for risk assessment that many operators have been requesting.
Further, the EDPB sets high requirements on extensive investigations and complex assessments, in particular regarding the level of protection in the receiving countries, and on how effective supplementary measures are to be adopted. It appears difficult to make these assessments without assistance from experts with knowledge of the third country’s legislation and practice, and of the authorities’ requests for access to personal data stored with the data importer.
According to the EDPB, the data importer, i.e. the recipient of personal data in a third country, for example a cloud service provider, shall assist the data exporter and provide a basis for the assessments. However, the EDPB states that not all sources can be used for the assessment. The sources must be relevant, objective, reliable, verifiable and generally accessible. The EDPB attached to the recommendations a list of sources that can be used for the assessment, among others reports from the European Council and other international organisations, academic institutions and non-profit organisations, so-called NGOs. To our knowledge, there are no reports that assess the level of protection for personal data in different third countries in the manner that the EDPB and Schrems II require.
From experience, we know that it is generally difficult to obtain a sufficient basis from suppliers in order to make the assessment. That may be due to the suppliers’ lack of competence, or to their reluctance to disclose that the third country’s public authorities may request access to the data in their services.
Based on the use cases that the EDPB mentions in the recommendations, one can draw the conclusion that for SaaS services and other cloud services where the personal data must be available in the clear (i.e. without strong encryption or pseudonymisation), there are no supplementary measures that can compensate for insufficiencies in a third country’s level of protection for personal data. This conclusion seems, however, hard to reconcile with the EDPB’s earlier statement that, among other things, the nature of the personal data can be taken into account when assessing security measures.
Please feel free to contact Johan Kahn or Daniel Lundqvist if you have any questions regarding the EDPB’s recommendations or transfer of personal data to third countries.
Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, adopted on 18 June 2021. The recommendations are an updated version of the draft that the EDPB adopted in November 2020 (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, adopted on 10 November 2020, version for public consultation), which we commented on here.