In the wake of the Schrems II ruling, the EDPB has issued a recommendation on how to assess whether the legal framework of a third country meets the requirements of the GDPR and EU law. In this article, we summarise the European Essential Guarantees Recommendations.
Background
In the aftermath of the European Court of Justice's judgement in the Schrems II case, the EDPB has issued two new recommendations on how an organisation can assess whether its transfers of personal data outside the EU/EEA can be carried out lawfully.
In its Recommendation 02/2020 on the European Essential Guarantees for surveillance measures (adopted on 10 November 2020), the EDPB explains how companies should proceed when assessing whether the legal framework of a third country (a country outside the EU/EEA) would allow a data transfer. This is important since one of the steps in the 6-step assessment is to determine whether the law of the third country may undermine the protection of personal data.
The other recommendation sets out a 6-step assessment process and provides information on “supplementary measures” that you can use to complement your transfer tool.
The European Essential Guarantees
The European Essential Guarantees are based on the jurisprudence of the Court of Justice of the European Union. On 13 April, the predecessor to the EDPB, the Article 29 Working Party, issued a working document on data transfers that examined the impact of national legislation on surveillance measures (full version of the old WP 237). The new recommendations from the EDPB build upon that work.
For example, the CLOUD Act and FISA 702 give American authorities the right, in some cases, to access data held by American companies irrespective of where that data is stored.
As mentioned above, one of the steps in the EDPB's guide is to assess the legal framework of the third country, and this assessment can be split into four guarantees:
- “Processing should be based on clear, precise and accessible rules;
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
- An independent oversight mechanism should exist; and
- Effective remedies need to be available to the individual.”
You shall assess each of these parts to determine whether the legal framework of a third country makes it possible to give personal data the same level of protection as within the EU/EEA.
Processing should be based on clear, precise and accessible rules
As the first part of the European Essential Guarantees Recommendations, you shall assess whether the law of the third country is clear, precise and accessible. The criteria of clarity and precision are evaluated just as they sound: you determine whether the rules in the third country are clear and precise. If they are, this also indicates that the rules will be applied uniformly and foreseeably, which is essential for the assessment.
Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
The principles of necessity and proportionality are connected to each other, and the EDPB states that you shall balance the limitation of data protection against the importance of the public interest pursued in the third country. Regarding how proportionality can be assessed, the EDPB states in its European Essential Guarantees Recommendations that:
“Regarding the principle of proportionality, the Court held, in relation to Member State laws, that the question as to whether a limitation on the rights to privacy and to data protection may be justified must be assessed, on the one hand, by measuring the seriousness of the interference entailed by such a limitation and by verifying that the importance of the public interest objective pursued by that limitation is proportionate to that seriousness, on the other hand.” (Paragraph 33 of the Recommendation).
The EDPB also states, for example, that under certain conditions the requirement to safeguard national security can justify serious interference with fundamental rights.
Regarding the principle of necessity, the EDPB states that the law of the third country must respect this principle. The Court has also held that laws permitting generalised access to data without objective criteria will, in general, not meet the requirements of the principle.
Independent Oversight Mechanism
The EDPB states that any interference with the right to privacy and data protection should be subject to an effective, independent and impartial oversight system. This oversight should be carried out either by a judge or by another independent body, which could, for example, be an administrative authority or a parliamentary body.
The EDPB recommends assessing whether a court or administrative body is independent and meets the other requirements by reference to factors such as whether its members are political appointees or whether its activities are open to the public.
Effective remedies need to be available to the individual
The last point of the European Essential Guarantees Recommendations is that the individual shall have effective remedies and ways to challenge the legality of any surveillance that may interfere with the protection of their data and infringe their privacy.
Summary
The European Essential Guarantees Recommendations can be summarised in the following four guarantees, which you shall make sure are fulfilled:
- Processing should be based on clear, precise and accessible rules;
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
- Independent oversight mechanism; and
- Effective remedies need to be available to the individual.
Based on the assessment of these four criteria, you can determine whether the law of the third country may impinge on data protection.
You will need to interpret the four guarantees, since the legislation of the third country does not have to be identical to the GDPR and the EU legal framework.
The EDPB concludes that: “As the ECtHR stated in Kennedy, an “assessment depends on all the circumstances of the case, such as the nature, scope and duration of the possible measures, the grounds required for ordering them, the authorities competent to authorise, carry out and supervise them, and the kind of remedy provided by national law” (ECtHR, Kennedy v. the United Kingdom, 18 May 2010, paragraph 153)”.
Your analysis may lead to the conclusion that:
- either the third country legislation does not ensure the EEG requirements, and the country would not offer a level of protection essentially equivalent to that guaranteed within the EU,
- or the third country legislation satisfies the EEG requirements.
In the first case, when the data exporter relies on an alternative transfer tool (SCCs, BCRs etc.), the exporter must ensure that the data is protected by adding appropriate safeguards and supplementary measures. If no such measures are available, the transfer cannot proceed.
If you have any questions about how your organisation can transfer data outside the EU/EEA, contact us at info[a]sharpcookie.se