Data transfers: Final recommendations by the EU Data Protection Board

European Data Protection Board guidance on supplementary measures for data transfers: Final recommendations published.

22 June 2021

Publication

On 18 June, the European Data Protection Board ("EDPB") adopted final recommendations on the supplementary measures to be taken by organisations transferring personal data to third countries in light of last year's Schrems II decision of the Court of Justice of the European Union.

The final recommendations do not differ materially from those issued for consultation in November 2020, on which we commented. They continue to be structured around the same series of steps, from data mapping and assessment of third country laws and practices, to the implementation of appropriate "supplementary measures" and other actions. Businesses that have already acted on the call to arms in the draft recommendations will consider that time well spent.

The recommendations also follow closely behind the European Commission's publication of new forms of standard contractual clauses ("SCCs"), which underscore the need to carry out transfer risk assessment based on the EDPB's recommendations (see our article on the new clauses here). With both the SCCs and the recommendations now in final form, organisations which are yet to do so should now feel compelled to act.

The most significant difference in approach in the revised recommendations concerns the assessment of the legal environment in a third country. There is an increased focus on the assessment of the practices of the relevant country's public authorities in addition to publicly available legislation. According to the recommendations, this will be especially important where relevant legislation meets EU standards on its face but there is evidence to suggest the public authorities do not follow or enforce it, or if it is difficult to point to any relevant legislation at all.

However, businesses will be gratified to see the EDPB acknowledge that the focus on the practices of public authorities can cut both ways. If an organisation considers that transferred data may be impacted by third country legislation which does not enable compliance with the requirements of Schrems II (labelled "problematic legislation" by the EDPB), it may proceed with the transfer provided it has "no reason to believe that relevant and problematic legislation will be applied in practice" (and provided the assessment has been properly documented in the form of a "detail report"). The recommendations also provide that the "parameters of practical application" of problematic legislation can also be used to help identify appropriate supplementary measures.

A related, potentially helpful point for data exporting businesses is that they may, as part of the overall assessment of the laws and practices in a third country, rely on the "documented practical experience of the importer" in relation to its interactions with public authorities, provided such evidence is not treated as "a decisive factor". This type of evidence must be considered alongside information obtained from other sources and must not be contradicted by other, objective information on the practical application of relevant legislation. Service providers and other importers may look to proactively document their experiences as a marketing tool for their international customer base.

Some other notable differences are apparent in the final recommendations:

  • In Annex 2 relating to potential supplementary measures for transferred data, the EDPB points to specific guidance to help organisations assess the strength of encryption algorithms. Organisations must also give thought to whether encryption is an appropriate protective measure over the duration of the relevant processing, given that the risk of it being overridden will increase in line with changes in technology. Applying this assessment will be a real challenge for non-technical teams responsible for compliance.

  • Annex 3 to the final recommendations includes an expanded list of possible sources of information to assess a third country's laws and practices. These include reports on the practical experience of authority access requests "from entities active in the same sector as the importer" (further expanding the range of evidence based on practical experience which is potentially available to the exporter, as mentioned above); in certain circumstances, transparency reports of the sort published by cloud services providers; and reports from bodies such as the Global Privacy Assembly, professional and trade associations, and business intelligence providers. In this way, the EDPB acknowledges the role that different industry bodies can play in gathering and disseminating information on the legal environment in third countries and lessening the burden on data exporters to carry out their own research.

  • The final recommendations appear to take a harder line against reliance on the derogations under Article 49 of the GDPR. It has long been understood that the derogations should be available in relation to occasional or one-off processing activities, as the draft recommendations provided. The EDPB's guidance no longer refers to occasional and non-repetitive processing activities and is now broader, to the effect that the derogations "must be interpreted in a way which does not contradict the very nature of the derogations as being exceptions" from the general rule, suggesting that they may not be available even in the case of certain one-off transfers.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.