EU data transfers compliance: businesses get fresh guidance

Out-Law News | 23 Jun 2021 | 10:39 am

European data protection authorities have given businesses some scope to transfer personal data to countries with intrusive surveillance laws in cases where legal tools designed to facilitate data transfers do not, on their own, guarantee adequate protection for that data.

Data protection law expert Claire Edwards of Pinsent Masons, the law firm behind Out-Law, said that businesses would welcome the pragmatic approach taken by the European Data Protection Board (EDPB), but highlighted the extensive steps they need to take to satisfy themselves that their data transfers can still proceed in compliance with EU data protection law.

Edwards was commenting after the EDPB published its finalised recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. The recommendations respond to a ruling by the EU’s highest court last year in the so-called ‘Schrems II’ case.

The Court of Justice of the EU (CJEU) judgment highlighted shortcomings with the safeguards in place to counteract US legislation that gives US law enforcement and intelligence agencies powers to request and access data. It said that businesses proposing to transfer personal data from the EU to the US or other ‘third’ countries must conduct due diligence to understand the risks of foreign surveillance regimes and put in place any additional safeguards necessary to meet their obligations under EU data protection law if their assessment is that their data transfer mechanism of choice – be that EU standard contract clauses, binding corporate rules or other legal tools – does not ensure adequate data protection for the transferred data on its own.

Edwards said: “The EDPB’s new paper doesn’t differ too much in essentials from the draft provided at the back end of last year and the extensive assessment required to be undertaken by exporters, with support from importers, remains. However, the paper has been expanded to provide that where the assessment of the international transfers finds that such a transfer falls or may fall within the scope of the ‘problematic legislation’ – i.e. that the transfer tool on its own cannot guarantee essential equivalence with EU data protection standards – that whilst the transfer could be suspended or terminated, an exporter could also determine to proceed without implementing further supplementary measures where the exporter is able to demonstrate and document that in practice such problematic legislation won’t be applied in practice in relation to their specific transfer.”

“This may therefore offer a glimmer of hope to be able to apply some practical subjective assessment to permit transfers where there is no risk. However, to get to this point the paper sets out an extensive due diligence regime which requires assessment of the laws and practices relevant to the circumstances of the transfers. The exporter must show, based on information of the importer, evidence of legal practice, and evidence of other parties operating in the same sector or who have similar transfers, that the law is not applied in practice and therefore that the importer can meet the obligations in the transfer tool,” Edwards said.

The EDPB said: “In light of uncertainties surrounding the potential application of problematic legislation to your transfer, you may decide to: suspend the transfer; implement supplementary measures to proceed with it; or alternatively, you may decide to proceed with the transfer without implementing supplementary measures if you consider and are able to demonstrate and document that you have no reason to believe that relevant and problematic legislation will be interpreted and/or applied in practice so as to cover your transferred data and importer.”

Whilst the subjective test certainly helps to give businesses a way forward for low risk transfers, the pragmatism in the EDPB paper is set against a widening of the scope and application of Schrems II in practice. In the recent case involving appointment-scheduling platform Doctolib considered by the French Council of State, the court expanded the area of consideration, not just to apply the measures where the data is proposed to be transferred to a third country but also to look at the laws which a receiving party, or its group or any member of its supply chain, may be subject to.

“There is a high risk that the international assessments contained in the EDPB’s supplementary measures paper may now expand to cover situations where not just the counterparty, but their global group and supply chain and their global group may now need to be considered when determining if the counterparty can offer up sufficient guarantees to protect the data to the equivalent standard,” Edwards said. “Clearly this broader assessment will have significant implications not just in relation to transfers but the appointment of service providers and others with whom data may require to be shared even where there is no transfer to a third country.”