Following the landmark CJEU 'Schrems II' ruling in July, which invalidated the four-year-old EU-US Privacy Shield, European data protection regulators have today published 38-pages of guidance for businesses stuck trying to navigate the uncertainty around how to (legally) transfer personal data out of the European Union.
The European Data Protection Board's (EDPB) recommendations focus on measures data controllers might be able to put in place to supplement the use of another transfer mechanism: so-called Standard Contractual Clauses (SCCs) to ensure they are complying with the bloc's General Data Protection Regulation (GDPR) .
Unlike Privacy Shield, SCCs were not struck down by the court but their use remains clouded with legal uncertainty. The court made it clear SCCs can only be relied upon for international transfers if the safety of EU citizens' data can be guaranteed. It also said EU regulators have a duty to intervene when they suspect data is flowing to a location where it will not be safe -- meaning options for data transfers out of the EU have both reduced in number and increased in complexity.
One company that's said it's waiting for the EDPB guidance is Facebook. It's already faced a preliminary order to stop transferring EU users data to the US. It petitioned the Irish courts to obtain a stay as it seeks a judicial review of its data protection regulator's process. It has also brought out its lobbying big guns -- former UK deputy PM and ex-MEP Nick Clegg -- to try to pressure EU lawmakers over the issue.
Most likely the tech giant is hoping for a 'Privacy Shield 2.0' to be cobbled together and slapped into place to paper over the gap between EU fundamental rights and US surveillance law.
But the Commission has warned there won't be a quick fix this time.
Changes to US surveillance law are slated as necessary -- which means zero chance of anything happening before the Biden administration takes the reins next year. So the legal uncertainty around EU-US transfers is set to stretch well into next year at a minimum. (Politico suggests a new data deal isn't likely in the first half of 2021.)
In the meanwhile, legal challenges to ongoing EU-US transfers are stacking up -- at the same time as EU regulators know they have a legal duty to intervene when data is at risk.
"Standard contractual clauses and other transfer tools mentioned under Article 46 GDPR do not operate in a vacuum," the EDPB warns in an executive summary. "The Court states that controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools.
"In those cases, the Court still leaves open the possibility for exporters to implement supplementary measures that fill these gaps in the protection and bring it up to the level required by EU law. The Court does not specify which measures these could be. However, the Court underlines that exporters will need to identify them on a case-by-case basis. This is in line with the principle of accountability of Article 5.2 GDPR, which requires controllers to be responsible for, and be able to demonstrate compliance with the GDPR principles relating to processing of personal data."
The EDPB's recommendations set out a series of steps for data exporters to take as they go through the complex task of determining whether their particular transfer can play nice with EU data protection law.
Six steps but no one-size-fits-all fix
The basic overview of the process it's advising is: Step 1) map all intended international transfers; step 2) verify the transfer tools you want to use; step 3) assess whether there's anything in the law/practice of the destination third country which "may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer", as it puts it; step 4) identify and adopt supplementary measure/s to bring the level of protection up to 'essential equivalent' with EU law; step 5) take any formal procedural steps required to adopt the supplementary measure/s; step 6) periodically re-evaluate the level of data protection and monitor any relevant developments.
In short, this is going to involve both a lot of work -- and ongoing work. tl;dr: Your duty to watch over the safety of European users' data is never done.
Moreover, the EDPB makes it clear that there very well may not be any supplementary measures to cover a particular transfer in legal glory.
"You may ultimately find that no supplementary measure can ensure an essentially equivalent level of protection for your specific transfer," it warns. "In those cases where no supplementary measure is suitable, you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data. You should also conduct this assessment of supplementary measures with due diligence and document it."
In instances where supplementary measures could suffice the EDPB says they may have "a contractual, technical or organisational nature" -- or, indeed, a combination of some or all of those.
"Combining diverse measures in a way that they support and build on each other may enhance the level of protection and may therefore contribute to reaching EU standards," it suggests.
However it also goes on to state fairly plainly that technical measures are likely to be the most robust tool against the threat posed by foreign surveillance. But that in turn means there are necessarily limits on the business models that can tap in -- anyone wanting to decrypt and process data for themselves in the US, for instance, (hi Facebook!) isn't going to find much comfort here.
The guidance goes on to include some sample scenarios where it suggests supplementary measures might suffice to render an international transfer legal.
Such as data storage in a third country where there's no access to decrypted data at the destination and keys are held by the data exporter (or by a trusted entity in the EEA or in a third country that's considered to have an adequate level of protection for data); or the transfer of pseudonymised data -- so individuals can no longer be identified (which means ensuring data cannot be reidentified); or end-to-end encrypted data transiting third countries via encrypted transfer (again data must not be able to be decrypted in a jurisdiction that lacks adequate protection; the EDPB also specifies that the existence of any 'backdoors' in hardware or software must have been ruled out, although it's not clear how that could be done).
Another section of the document discusses scenarios in which no effective supplementary measures could be found -- such as transfers to cloud service providers (or similar) which require access to the data in the clear and where "the power granted to public authorities of the recipient country to access the transferred data goes beyond what is necessary and proportionate in a democratic society".
Again, this is a bit of the document that looks very bad for Facebook.
"The EDPB is, considering the current state of the art, incapable of envisioning an effective technical measure to prevent that access from infringing on data subject rights," it writes on that, adding that it "does not rule out that further technological development may offer measures that achieve the intended business purposes, without requiring access in the clear".
"In the given scenarios, where unencrypted personal data is technically necessary for the provision of the service by the processor, transport encryption and data-at-rest encryption even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys," the EDPB further notes.
It also makes it clear that supplementary contractual clauses aren't any kind of get-out on this front -- so, no, Facebook can't stick a clause in its SCCs that defuses FISA 702 -- with the EDPB writing: "Contractual measures will not be able to rule out the application of the legislation of a third country which does not meet the EDPB European Essential Guarantees standard in those cases in which the legislation obliges importers to comply with the orders to disclose data they receive from public authorities."
The EDPB does discuss examples of potential clauses data exporters could use to supplement SCCs, depending on the specifics of their data flow situation -- alongside specifying "conditions for effectiveness" (or ineffectiveness in many cases, really). And, again, there's cold comfort here for those wanting to process personal data in the US (or another third country) while it remains at risk from state surveillance.
"The exporter could add annexes to the contract with information that the importer would provide, based on its best efforts, on the access to data by public authorities, including in the field of intelligence provided the legislation complies with the EDPB European Essential Guarantees, in the destination country. This might help the data exporter to meet its obligation to document its assessment of the level of protection in the third country," the EDPB suggests in one example from a section of the guidance discussing transparency obligations.
However the point of such a clause would be for the data exporter to put up-front conditions on an importer to make it easier for them to avoid getting into a risky contract in the first place -- or help them with suspending/terminating a contract if a risk is determined -- rather than providing any kind of legal sticking plaster for mass surveillance. Aka: "This obligation can however neither justify the importer’s disclosure of personal data nor give rise to the expectation that there will be no further access requests," as the EDPB warns.
Another example discussed in the document is the viability of adding clauses to try to get the importer to certify there's no backdoors in their systems which could put the data at risk.
However the EDPB warns this may just be useless, writing: "The existence of legislation or government policies preventing importers from disclosing this information may render this clause ineffective." So the example could just be being included to try to kneecap dodgy legal advice that suggests contract clauses are a panacea for US surveillance overreach.
The EDPB's full guidance can be found here.
We've also reached out to Facebook to ask what next steps it'll be taking over its EU-US data transfers in light of the EDPB guidance and will update this report with any response. Update: Facebook has now sent this statement: "The CJEU ruled that Standard Contractual Clauses are a valid legal mechanism for the transfer of data from the EU, including to the US. We note that new guidelines on supplementary measures have been submitted for consultation and, like many other companies, will be reviewing them carefully.”