This month has seen a flurry of activity amongst European authorities and regulators in the data protection sphere.
The European Data Protection Board (EDPB), which includes representatives from the data protection regulators of each EU member state, has published a number of recommendations that businesses should take note of in order to comply with the General Data Protection Regulation (GDPR).
Firstly, in the wake of the much-publicised Schrems II case this summer, the EDPB has endeavoured to give some much-needed clarity on what organisations need to do if they want to transfer personal data outside of the European Economic Area (EEA). Assuming that other routes to achieving this in compliance with the GDPR (such as sending personal data to a country that has received an adequacy decision from the EU) are unavailable, where organisations wish to rely on the EU Commission’s standard contractual clauses (SCCs), the recommendations confirm that they must verify on a case-by-case basis whether the destination country affords equivalent levels of protection as within the EEA. In addition, they must supplement the SCCs with additional measures, ranging from technical and organisational to contractual. Whichever steps are taken must be documented to comply with the GDPR’s accountability duty.
The recommendations also stress the need to consider whether access to transferred personal data by government or surveillance authorities in the destination country is likely. If so, exporting organisations will need to consider whether this access may undermine the SCCs. A second set of recommendations sets out four criteria, known as ‘essential guarantees’, against which to determine whether the interference of the destination country’s surveillance laws with individuals’ data protection and privacy rights is acceptable by EU standards. These are as follows:
- Is the processing is based on clear, precise, and accessible rules?
- Is the processing is necessary and proportionate to the legitimate objectives pursued?
- Is there is an independent oversight mechanism?
- Are effective remedies available to individuals concerned?
In addition, the European Commission has at last published its draft set of revised standard contractual clauses, which are currently open for consultation and are expected to be formally adopted early next year. Happily, these include processor-to-controller standard contractual clauses, which, in the event the UK receives no adequacy decision from the EU before the end of the Brexit transition period, could be the lifeline businesses need to establish compliant personal data flows from the EEA to a UK that will soon be a ‘third country’.
Raj Shah and Howard Ricklow from Collyer Bristow’s data privacy team will be discussing all of the above and more in a live interactive webinar on Thursday 26 November 2020 at 11am GMT. To register your interest, please click here.
Standard contractual clauses and other transfer tools mentioned under Article 46 GDPR do not operate in a vacuum. [...] [C]ontrollers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools.